mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-23 19:57:21 +01:00
13302 lines
608 KiB
XML
13302 lines
608 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
|
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="9" lastModified="1215308323" id="root">
|
|
<Library id="sysid99" name="Deleted Objects" ro="False">
|
|
<ICMP6Service id="idE0C27650" name="ipv6 dest unreachable" comment="No route to destination" code="0" type="1"/>
|
|
<Library id="id40E233F3" name="West Coast" color="#FFFFFF" ro="False">
|
|
<ObjectGroup id="id40E233F4" name="Objects">
|
|
<ObjectGroup id="id40E233F4_og_ats_1" name="Address Tables"/>
|
|
<ObjectGroup id="id40E233F5" name="Addresses"/>
|
|
<ObjectGroup id="id40E233F6" name="Groups">
|
|
<ObjectGroup id="id40E23403" name="West Coast Servers"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id40E233F7" name="Hosts"/>
|
|
<ObjectGroup id="id40E233F8" name="Networks"/>
|
|
<ObjectGroup id="id40E233F9" name="Address Ranges"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id40E233FA" name="Services">
|
|
<ServiceGroup id="id40E233FA_og_tag_1" name="TagServices"/>
|
|
<ServiceGroup id="id40E233FB" name="Groups"/>
|
|
<ServiceGroup id="id40E233FC" name="ICMP"/>
|
|
<ServiceGroup id="id40E233FD" name="IP"/>
|
|
<ServiceGroup id="id40E233FE" name="TCP"/>
|
|
<ServiceGroup id="id40E233FF" name="UDP"/>
|
|
<ServiceGroup id="id40E23400" name="Custom"/>
|
|
<ServiceGroup id="id40E233FA_userservices" name="Users"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id40E23401" name="Firewalls"/>
|
|
<IntervalGroup id="id40E23402" name="Time"/>
|
|
</Library>
|
|
<Library id="id40D07E7A" name="LAX" color="#FFFFFF" ro="False">
|
|
<ObjectGroup id="id40D07E7B" name="Objects">
|
|
<ObjectGroup id="id40D07E7B_og_ats_1" name="Address Tables"/>
|
|
<ObjectGroup id="id40D07E7C" name="Addresses">
|
|
<IPv4 id="id40E238E6" name="laxftp1" address="10.1.10.10" netmask="255.255.255.255"/>
|
|
<IPv4 id="id40E238E7" name="laxweb1" address="10.1.10.11" netmask="255.255.255.255"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id40D07E7D" name="Groups">
|
|
<ObjectGroup id="id40E23565" name="LAX Servers"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id40D07E7E" name="Hosts"/>
|
|
<ObjectGroup id="id40D07E7F" name="Networks"/>
|
|
<ObjectGroup id="id40D07E80" name="Address Ranges"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id40D07E81" name="Services">
|
|
<ServiceGroup id="id40D07E81_og_tag_1" name="TagServices"/>
|
|
<ServiceGroup id="id40D07E82" name="Groups"/>
|
|
<ServiceGroup id="id40D07E83" name="ICMP"/>
|
|
<ServiceGroup id="id40D07E84" name="IP"/>
|
|
<ServiceGroup id="id40D07E85" name="TCP"/>
|
|
<ServiceGroup id="id40D07E86" name="UDP"/>
|
|
<ServiceGroup id="id40D07E87" name="Custom"/>
|
|
<ServiceGroup id="id40D07E81_userservices" name="Users"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id40D07E88" name="Firewalls"/>
|
|
<IntervalGroup id="id40D07E89" name="Time"/>
|
|
</Library>
|
|
<Library id="id40C3E07E" name="SFO" color="#FFFFFF" ro="False">
|
|
<ObjectGroup id="id40C3E07F" name="Objects">
|
|
<ObjectGroup id="id40C3E07F_og_ats_1" name="Address Tables"/>
|
|
<ObjectGroup id="id40C3E081" name="Groups">
|
|
<ObjectGroup id="id40E23562" name="SFO Servers"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id40C3E080" name="Addresses">
|
|
<IPv4 id="id40E238E9" name="sfoweb1" address="10.2.10.11" netmask="255.255.255.255"/>
|
|
<IPv4 id="id40E238E8" name="sfoftp1" address="10.2.10.10" netmask="255.255.255.255"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
</Library>
|
|
<Library id="id44EC13FB8791" name="tmp" color="#d2ffd0" ro="False">
|
|
<ObjectGroup id="id44EC13FC8791" name="Objects">
|
|
<ObjectGroup id="id44EC13FD8791" name="Addresses"/>
|
|
<ObjectGroup id="id44EC13FE8791" name="DNS Names"/>
|
|
<ObjectGroup id="id44EC13FF8791" name="Address Tables"/>
|
|
<ObjectGroup id="id44EC14008791" name="Groups"/>
|
|
<ObjectGroup id="id44EC14018791" name="Hosts"/>
|
|
<ObjectGroup id="id44EC14028791" name="Networks"/>
|
|
<ObjectGroup id="id44EC14038791" name="Address Ranges"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id44EC14048791" name="Services">
|
|
<ServiceGroup id="id44EC14058791" name="Groups"/>
|
|
<ServiceGroup id="id44EC14068791" name="ICMP"/>
|
|
<ServiceGroup id="id44EC14078791" name="IP"/>
|
|
<ServiceGroup id="id44EC14088791" name="TCP"/>
|
|
<ServiceGroup id="id44EC14098791" name="UDP"/>
|
|
<ServiceGroup id="id44EC140A8791" name="Custom"/>
|
|
<ServiceGroup id="id44EC140B8791" name="TagServices"/>
|
|
<ServiceGroup id="id44EC14048791_userservices" name="Users"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id44EC140C8791" name="Firewalls"/>
|
|
<IntervalGroup id="id44EC140D8791" name="Time"/>
|
|
</Library>
|
|
<AddressTable id="id44F7056328576" name="atbl" filename="/home/vadim/tmp/bug-1544488/addr-table-1.tbl" run_time="True"/>
|
|
<Interface id="id45DE9D012560" name="pcn1" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id45DE9D032560" name="openbsd-4.0:pcn1:ip" address="10.1.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id4848A43B4626" name="ppp0" bridgeport="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
<ServiceRef ref="id3B58E3F1"/>
|
|
<ServiceRef ref="sysid1"/>
|
|
<ServiceRef ref="sysid1"/>
|
|
<ServiceRef ref="id3C6820443"/>
|
|
<ServiceRef ref="sysid1"/>
|
|
<ServiceRef ref="sysid1"/>
|
|
</Library>
|
|
<Library id="syslib001" name="User" comment="User defined objects" color="#d2ffd0" ro="False">
|
|
<ObjectGroup id="stdid01_1" name="Objects">
|
|
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables">
|
|
<AddressTable id="id4389EE9018346" name="addr-table-1" filename="addr-table-1.tbl" run_time="False"/>
|
|
<AddressTable id="id4389EE9118346" name="block these" comment="this is run-time table" filename="block-hosts.tbl" run_time="True"/>
|
|
<AddressTable id="id452762A75348" name="spammers" comment="empty file name; should generate code like this: table <spammers> persist without "file 'blah'" " filename="" run_time="True"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid16_1" name="Addresses">
|
|
<IPv4 id="id4388C37D674" name="sapmhost1" address="61.150.47.112" netmask="255.255.255.255"/>
|
|
<IPv4 id="id446FCEEA10619" name="spamhost2" address="7.7.7.7" netmask="255.255.255.255"/>
|
|
<IPv4 id="id44F7082928576" name="some address" address="1.1.1.1" netmask="255.255.255.255"/>
|
|
<IPv6 id="id48416A7216880" name="6bone.net" address="2001:5c0:0:2::24" netmask="128"/>
|
|
<IPv6 id="id48416A7116880" name="altavista" address="3ffe:1200:2001:1:8000::1" netmask="128"/>
|
|
<IPv4 id="id417B3641" name="net_address" address="192.168.1.0" netmask="255.255.255.255"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid04_1" name="Groups">
|
|
<ObjectGroup id="id3B4572AF" name="group1">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3B4572B5" name="platform">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3BBC0EFC" name="netgroup1">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3CD87A9A" name="group-range-1">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
<ObjectRef ref="id3CD87A6D"/>
|
|
<ObjectRef ref="id3CD87A7C"/>
|
|
<ObjectRef ref="id3CD87A8B"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3D8FED30" name="group2">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id3DE69469" name="egroup"/>
|
|
<ObjectGroup id="id3DE6946A" name="egroup2">
|
|
<ObjectRef ref="id3DE69469"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4390C25525682" name="at group" comment="this group is a combination of a regular address object and an address table in run-time mode">
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id446FB0EA10619"/>
|
|
<ObjectRef ref="id446FCEEA10619"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id446FB0EA10619" name="tbl group">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4653861721432" name="f2i1,3">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4653B74121432" name="f2i1">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4834A2238571" name="ipv6 addresses">
|
|
<ObjectRef ref="id48416A7016880"/>
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4834A2278571" name="ipv4 ipv6 addresses">
|
|
<ObjectRef ref="id417B3641"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid02_1" name="Hosts">
|
|
<Host id="id3B64FFAC" name="broadcast" comment="broadcast on internal subnet">
|
|
<Interface id="id3B64FFAC-i" name="unknown" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B64FFAC-i-ipv4" name="address" address="192.168.1.255" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="host-hostA" name="hostA">
|
|
<Interface id="host-hostA-i" name="hostA_eth0" bridgeport="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="host-hostA-i-ipv4" name="address" address="192.168.1.10" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3B3D5A3B" name="hostA-2">
|
|
<Interface id="id3B3D5A3B-i" name="interface-1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B3D5A3B-i-1-addr" name="address" address="192.168.1.10" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3AFADBF9" name="hostA-NAT" comment="translated address for hostA">
|
|
<Interface id="id3AFADBF9-i" name="unknown" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3AFADBF9-i-ipv4" name="address" address="22.22.22.23" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="host-hostB" name="hostB">
|
|
<Interface id="host-hostB-i" name="unknown" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="host-hostB-i-ipv4" name="address" address="192.168.1.20" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.1.20">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3BD6736B" name="hostB-NAT">
|
|
<Interface id="id3BD6736B-i" name="unknown" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3BD6736B-i-ipv4" name="address" address="22.22.23.24" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3AFC0F70" name="host-fw2" comment="this host has the same IP address as firewall1 and firewall2">
|
|
<Interface id="id3AFC0F70-i" name="unknown" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3AFC0F70-i-ipv4" name="host-fw2-addr" address="22.22.22.22" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3AFC191C" name="hostF-int" comment="the same address as internal iface of firewall1">
|
|
<Interface id="id3AFC191C-i" name="unknown" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3AFC191C-i-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3B19C5EB" name="outside-host" comment="some host outside our network">
|
|
<Interface id="id3B19C5EB-i" name="unknown" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B19C5EB-i-ipv4" name="address" address="200.200.200.200" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="host-secondary1-com" name="secondary1.com">
|
|
<Interface id="host-secondary1-com-i" name="unknown" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="host-secondary1-com-i-ipv4" name="address" address="211.11.11.11" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="211.11.11.11">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="host-secondary2-com" name="secondary2.com">
|
|
<Interface id="host-secondary2-com-i" name="unknown" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="host-secondary2-com-i-ipv4" name="address" address="211.22.22.22" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="211.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3BF1B3E1" name="host-with_mac">
|
|
<Interface id="id3BF1B3E2" name="unknown" bridgeport="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3BF1B3E2-ipv4" name="address" address="192.168.1.10" netmask="255.255.255.0"/>
|
|
<physAddress id="id3BF1B3E2-pa" name="unknown-pa" address="00:10:4b:de:e9:6f"/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3BF1B3E7" name="host-with_mac-2">
|
|
<Interface id="id3BF1B3E8" name="unknown" bridgeport="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3BF1B3E8-ipv4" name="host-with_mac-2:addr" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<physAddress id="id3BF1B3E8-pa" name="unknown-pa" address="00:10:4b:de:e9:6f"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3BF23930" name="z-host">
|
|
<Interface id="id3BF23931" name="unknown" bridgeport="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3BF23931-ipv4" name="address" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<physAddress id="id3BF23931-pa" name="unknown-pa" address="00:a0:24:53:06:8c"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CD87A53" name="n192.168.1.11">
|
|
<Interface id="id3CD87A53-i" name="interface-1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3CD87A53-i-1-addr" name="address" address="192.168.1.11" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.1.11">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CD87A5E" name="n192.168.1.12">
|
|
<Interface id="id3CD87A5E-i" name="interface-1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3CD87A5E-i-1-addr" name="address" address="192.168.1.12" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.1.12">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CD87A6D" name="n192.168.1.13">
|
|
<Interface id="id3CD87A6D-i" name="interface-1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3CD87A6D-i-1-addr" name="address" address="192.168.1.13" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.1.13">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CD87A7C" name="n192.168.1.14">
|
|
<Interface id="id3CD87A7C-i" name="interface-1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3CD87A7C-i-1-addr" name="address" address="192.168.1.14" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.1.14">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3CD87A8B" name="n192.168.1.15">
|
|
<Interface id="id3CD87A8B-i" name="interface-1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3CD87A8B-i-1-addr" name="address" address="192.168.1.15" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.1.15">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">False</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3D58118B" name="hostC">
|
|
<Interface id="id3D58118B-i" name="interface-1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3D58118B-i-1-addr" name="address" address="192.168.1.100" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3D58118F" name="hostC-1">
|
|
<Interface id="id3D581193" name="eth0" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3D581194" name="hostC-1:eth0" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3E7ABEC4" name="nat-addr1">
|
|
<Interface id="id3E7ABEC6" name="interface1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3E7ABEC7" name="nat-addr1:interface1(ip)" address="22.22.22.50" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3E7ABECA" name="nat-addr2">
|
|
<Interface id="id3E7ABECC" name="interface1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3E7ABECD" name="nat-addr2:interface1(ip)" address="22.22.22.51" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3EE25A56" name="dyn host">
|
|
<Interface id="id3EE25A58" name="eth0" bridgeport="False" dyn="True" security_level="0" unnum="False" unprotected="False"/>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid03_1" name="Networks">
|
|
<Network id="net-Internal_net" name="Internal_net" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id3B022266" name="dmz_net" comment="DMZ net - using NAT" address="192.168.2.0" netmask="255.255.255.0"/>
|
|
<Network id="id3B665641" name="external_net" address="22.22.22.0" netmask="255.255.255.0"/>
|
|
<Network id="id3B665643" name="foreign_net" address="33.33.33.0" netmask="255.255.255.0"/>
|
|
<Network id="id3FDCD983" name="foreign_net2" address="33.33.44.0" netmask="255.255.255.0"/>
|
|
<Network id="id43F7DCF631316" name="22.22.22/28" address="22.22.22.0" netmask="255.255.255.240"/>
|
|
<NetworkIPv6 id="id4834B9206131" name="net-fe80" address="fe80::" netmask="64"/>
|
|
<NetworkIPv6 id="id48416A7016880" name="DIGITAL-CA-DEC" address="3ffe:1200:2000::" netmask="36"/>
|
|
<Network id="id3CEBFDFC" name="n-192.168.1.0" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id4733FFE419714" name="n-192.168.2.0" address="192.168.2.0" netmask="255.255.255.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid15_1" name="Address Ranges">
|
|
<AddressRange id="id3CD8769F" name="test_range_1" start_address="192.168.1.11" end_address="192.168.1.15"/>
|
|
<AddressRange id="id43F7DCF831316" name="22.22.22.1-22.22.22.5" start_address="22.22.22.1" end_address="22.22.22.5"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id4386458A18448" name="DNS Names">
|
|
<DNSName id="id43869E8E18346" name="buildmaster (ct)" comment="an example of a local host" dnsrec="buildmaster" dnsrectype="A" run_time="False"/>
|
|
<DNSName id="id43869E8F18346" name="buildmaster (rt)" comment="an example of a local host" dnsrec="buildmaster" dnsrectype="A" run_time="True"/>
|
|
<DNSName id="id43869E8C18346" name="cnn (ct)" dnsrec="www.cnn.com" dnsrectype="A" run_time="False"/>
|
|
<DNSName id="id43869E8D18346" name="cnn (rt)" dnsrec="www.cnn.com" dnsrectype="A" run_time="True"/>
|
|
<DNSName id="id4387287918346" name="google (ct)" dnsrec="www.google.com" dnsrectype="A" run_time="False"/>
|
|
<DNSName id="id4387287A18346" name="google (rt)" dnsrec="www.google.com" dnsrectype="A" run_time="True"/>
|
|
<DNSName id="id44EC181D8791" name="heise" dnsrec="www.heise.de" dnsrectype="A" run_time="True"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="stdid05_1" name="Services">
|
|
<ServiceGroup id="stdid05_1_og_tag_1" name="TagServices">
|
|
<TagService id="id43EC6B892355" name="ipsec_tag" tagcode="ipsec_tag"/>
|
|
<TagService id="id43F4556A28869" name="INTNET" tagcode="INTNET"/>
|
|
<TagService id="id1391120443" name="tag2" tagcode="tag2"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid10_1" name="Groups">
|
|
<ServiceGroup id="id3B457567" name="svcgroup1">
|
|
<ServiceRef ref="id3B457561"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3C1A66C9" name="large group TCP">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
<ServiceRef ref="tcp-DNS_zone_transf"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="tcp-uucp"/>
|
|
<ServiceRef ref="id3C1A66EF"/>
|
|
<ServiceRef ref="id3AEDBE6E"/>
|
|
<ServiceRef ref="id3B4FEDA3"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
<ServiceRef ref="id3AECF776"/>
|
|
<ServiceRef ref="id3B4FED9F"/>
|
|
<ServiceRef ref="id3B4FF13C"/>
|
|
<ServiceRef ref="id3B4FEE21"/>
|
|
<ServiceRef ref="id3B4FEE23"/>
|
|
<ServiceRef ref="id3AECF778"/>
|
|
<ServiceRef ref="id3B4FF000"/>
|
|
<ServiceRef ref="id3B4FEEEE"/>
|
|
<ServiceRef ref="id3B4FEE7A"/>
|
|
<ServiceRef ref="id3B4FEE1D"/>
|
|
<ServiceRef ref="id3B4FF0EA"/>
|
|
<ServiceRef ref="id3AECF782"/>
|
|
<ServiceRef ref="id3B4FEF7C"/>
|
|
<ServiceRef ref="id3AECF77A"/>
|
|
<ServiceRef ref="id3AECF77C"/>
|
|
<ServiceRef ref="id3AECF77E"/>
|
|
<ServiceRef ref="id3B4FEF34"/>
|
|
<ServiceRef ref="id3B4FF04C"/>
|
|
<ServiceRef ref="id3B4FEE76"/>
|
|
<ServiceRef ref="id3AEDBE00"/>
|
|
<ServiceRef ref="id3B4FF1B8"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3CD878C8" name="small group TCP">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-uucp"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
<ServiceRef ref="id3AECF776"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3DE6946C" name="sgroup"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid07_1" name="ICMP">
|
|
<ICMPService id="id3C1A5D46" name="any ICMP" code="-1" type="-1"/>
|
|
<ICMPService id="id3D0E95E4" name="Any unreach." code="-1" type="3"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid06_1" name="IP">
|
|
<IPService id="id3B457561" name="ICMP" fragm="False" lsrr="False" protocol_num="1" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
|
<IPService id="id3B6659A5" name="TS" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="True"/>
|
|
<IPService id="id3C6820443" name="tos 0x20" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="0x20" ts="False"/>
|
|
<IPService id="id3C6920443" name="dscp 0x20" dscp="0x20" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="" ts="False"/>
|
|
<IPService id="idC5F120443" name="tos 0x10" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="0x10" ts="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid09_1" name="TCP">
|
|
<TCPService id="tcp-IRC" name="irc" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
|
|
<TCPService id="id3B20468D" name="test-TCP" comment="port range" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="10000" dst_range_end="11000"/>
|
|
<TCPService id="id3B5009F7" name="squid" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
|
|
<TCPService id="id3B58E3F1" name="xmas-tree" ack_flag="True" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="id3C1A66EF" name="gopher" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="70" dst_range_end="70"/>
|
|
<TCPService id="id3E59AD29" name="tcp-1080" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="1080" dst_range_end="1080"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid08_1" name="UDP"/>
|
|
<ServiceGroup id="stdid13_1" name="Custom">
|
|
<CustomService id="id3B64FE22" name="talk" comment="Talk support">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m ip_conntrack_talk -m ip_nat_talk</CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService id="id41F9FFBA" name="natproto">
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf">proto {tcp udp icmp gre}</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid05_1_userservices" name="Users">
|
|
<UserService id="id4849253820246" name="user2000" userid="2000"/>
|
|
<UserService id="id484A558E5896" name="user500" userid="500"/>
|
|
<UserService id="id484A6C525896" name="proxy" userid="proxy"/>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="stdid12_1" name="Firewalls">
|
|
<Firewall id="fw-firewall2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" host_OS="openbsd" inactive="False" lastCompiled="1157930800" lastInstalled="0" lastModified="1202682308" platform="pf" ro="False" version="">
|
|
<NAT id="nat-firewall2" name="NAT">
|
|
<NATRule id="nat-firewall2-0" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3EE25AA2" comment="illegal rule - host 'dyn host' has dynamic address" disabled="True" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3EE25A56"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="nat-firewall2-1" disabled="False" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3CDB43B8" disabled="False" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="pol-firewall2" name="Policy">
|
|
<PolicyRule id="id3B09D29D" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-0" comment="Automatically generated rule blocking short fragments" action="Deny" direction="Inbound" disabled="False" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-1" comment="Automatically generated anti-spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B92DFC5" action="Accept" direction="Both" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
</Itf>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C4E4C38" comment="code should go into INPUT chain with address in destination for comparison" action="Deny" direction="Inbound" disabled="False" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CE59C76" action="Deny" direction="Both" disabled="False" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
<ServiceRef ref="id3B58E3F1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix">** RULE %N</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B6659FC" action="Deny" direction="Both" disabled="False" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-RR"/>
|
|
<ServiceRef ref="ip-SRR"/>
|
|
<ServiceRef ref="id3B6659A5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3BF1B45E" action="Accept" direction="Both" disabled="True" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3BF1B44E" action="Accept" direction="Both" disabled="True" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E7"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-3" comment="this rule is limited to 4 simultaneous connections by rule options" action="Accept" direction="Both" disabled="False" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
<ObjectRef ref="host-secondary2-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-DNS_zone_transf"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-afterhours"/>
|
|
<IntervalRef ref="id3C63479C"/>
|
|
<IntervalRef ref="id3C63479E"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_rule_max_state">4</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4250E683" action="Accept" direction="Both" disabled="False" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP_data"/>
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_max_src_nodes">10</Option>
|
|
<Option name="pf_max_src_states">10</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-2" action="Accept" direction="Both" disabled="False" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A66C9"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">3</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">15</Option>
|
|
<Option name="pf_max_src_nodes">10</Option>
|
|
<Option name="pf_max_src_states">10</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CD8770E" action="Accept" direction="Both" disabled="False" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CD8769F"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_max_src_nodes">75</Option>
|
|
<Option name="pf_max_src_states">2</Option>
|
|
<Option name="pf_rule_max_state">10</Option>
|
|
<Option name="pf_source_tracking">True</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CD87B1E" comment="testing rule shading - this rule is exactly the same as pervious one, but uses group instead of address range" action="Accept" direction="Both" disabled="True" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CD87A9A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-4" action="Accept" direction="Both" disabled="False" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CE597E3" comment="this rule and the next one can be used to test shading" action="Accept" direction="Both" disabled="True" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CE591F6" action="Accept" direction="Both" disabled="False" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B3D5A3B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3EE2579E" comment="illegal rule - object firewall8 has dynamic interface" action="Accept" direction="Both" disabled="True" log="False" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3D581152"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3D581152"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-5" comment="Automatically generated 'masquerading' rule" action="Accept" direction="Both" disabled="False" log="False" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="pol-firewall2-7" comment="Automatically generated 'catch all' rule" action="Deny" direction="Both" disabled="False" log="True" position="19">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="fw-firewall2-routing" name="Routing"/>
|
|
<Interface id="if-FW-firewall2-eth1" name="eth1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="if-FW-firewall2-eth1-ipv4" name="address" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="if-FW-firewall2-eth0" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="if-FW-firewall2-eth0-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3E5F1D39" name="lo" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3E5F1D3B" name="firewall:lo(ip)" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">True</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast">0</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect">0</Option>
|
|
<Option name="openbsd_ip_sourceroute">0</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">12000</Option>
|
|
<Option name="pf_adaptive_start">6000</Option>
|
|
<Option name="pf_do_limit_frags">True</Option>
|
|
<Option name="pf_do_limit_src_nodes">True</Option>
|
|
<Option name="pf_do_limit_states">True</Option>
|
|
<Option name="pf_do_limit_table_entries">True</Option>
|
|
<Option name="pf_do_limit_tables">True</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">True</Option>
|
|
<Option name="pf_do_timeout_interval">True</Option>
|
|
<Option name="pf_icmp_error">10</Option>
|
|
<Option name="pf_icmp_first">10</Option>
|
|
<Option name="pf_limit_frags">4000</Option>
|
|
<Option name="pf_limit_src_nodes">1000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">1000000</Option>
|
|
<Option name="pf_limit_tables">1000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">10</Option>
|
|
<Option name="pf_other_multiple">10</Option>
|
|
<Option name="pf_other_single">10</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">True</Option>
|
|
<Option name="pf_set_icmp_error">True</Option>
|
|
<Option name="pf_set_icmp_first">True</Option>
|
|
<Option name="pf_set_other_first">True</Option>
|
|
<Option name="pf_set_other_multiple">True</Option>
|
|
<Option name="pf_set_other_single">True</Option>
|
|
<Option name="pf_set_tcp_closed">True</Option>
|
|
<Option name="pf_set_tcp_closing">True</Option>
|
|
<Option name="pf_set_tcp_established">True</Option>
|
|
<Option name="pf_set_tcp_finwait">True</Option>
|
|
<Option name="pf_set_tcp_first">True</Option>
|
|
<Option name="pf_set_tcp_opening">True</Option>
|
|
<Option name="pf_set_udp_first">True</Option>
|
|
<Option name="pf_set_udp_multiple">True</Option>
|
|
<Option name="pf_set_udp_single">True</Option>
|
|
<Option name="pf_tcp_closed">30</Option>
|
|
<Option name="pf_tcp_closing">60</Option>
|
|
<Option name="pf_tcp_established">86400</Option>
|
|
<Option name="pf_tcp_finwait">60</Option>
|
|
<Option name="pf_tcp_first">120</Option>
|
|
<Option name="pf_tcp_opening">120</Option>
|
|
<Option name="pf_timeout_frag">40</Option>
|
|
<Option name="pf_timeout_interval">15</Option>
|
|
<Option name="pf_udp_first">10</Option>
|
|
<Option name="pf_udp_multiple">10</Option>
|
|
<Option name="pf_udp_single">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script">echo 'This is prolog script'
|
|
</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3AF5AA0A" name="firewall1" comment="this object is used to test all kinds of negation in policy rules Also using interface policy on eth1 to test specific case with negation and rule shading depection " host_OS="openbsd" inactive="False" lastCompiled="1157930802" lastInstalled="0" lastModified="1200415171" platform="pf" ro="False" version="">
|
|
<NAT id="id3AF5AA0D" name="NAT">
|
|
<NATRule id="id3C98491C" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AFADC09" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3CD23959" disabled="False" position="2">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B1328FB" disabled="False" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E7ABBCD" disabled="False" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
<ObjectRef ref="id3B11F434"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E7ABFA4" comment="more examples of NAT rules with multiple objects in TSrc in firewall3" disabled="False" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E7ABEC4"/>
|
|
<ObjectRef ref="id3E7ABECA"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AF5AAD3" disabled="False" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3CCA1B57" disabled="False" position="7">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B50F7CB" disabled="False" position="8">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BD8D94B" disabled="False" position="9">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BD8D9DD" disabled="False" position="10">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BBC0EA4" disabled="False" position="11">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BBC0F93" disabled="False" position="12">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BC6BCE5" disabled="False" position="13">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3FDCD893" disabled="False" position="14">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
<ObjectRef ref="id3FDCD983"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3AF5AA0C" name="Policy">
|
|
<PolicyRule id="id3C5987DC" action="Deny" direction="Both" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CD34BEF" action="Deny" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5AAB4" comment="Anti-spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5AAAB" comment="Anti-spoofing rule" action="Deny" direction="Outbound" disabled="False" log="True" position="3">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D58886F" comment="testing rule shading: this rule is not shaded by rule #1" action="Accept" direction="Inbound" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CCA26E4" action="Deny" direction="Both" disabled="False" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B9AB902" action="Deny" direction="Both" disabled="True" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFC0F90" comment="hostF has the same IP address as firewal." action="Accept" direction="Both" disabled="False" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4119961C" comment="testing negation in the policy rule" action="Deny" direction="Both" disabled="False" log="True" position="8">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B021E10" comment="testing negation in the policy rule" action="Deny" direction="Both" disabled="False" log="True" position="9">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0B4A13" comment="this rule is shaded by rule above." action="Deny" direction="Both" disabled="False" log="True" position="10">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B5535B7" comment="this rule shades rule below" action="Deny" direction="Both" disabled="False" log="True" position="11">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B11F63D" action="Deny" direction="Both" disabled="False" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41199643" comment="testing negation in the policy rule" action="Reject" direction="Both" disabled="False" log="True" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B021E6F" comment="testing negation in service field" action="Deny" direction="Both" disabled="True" log="True" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3CCA2CF4" comment="testing negation in service field" action="Accept" direction="Both" disabled="True" log="True" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B45739A" action="Deny" direction="Both" disabled="False" log="True" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5AAC8" comment="'masquerading' rule" action="Accept" direction="Both" disabled="False" log="False" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5AAE3" comment="'catch all' rule" action="Deny" direction="Both" disabled="False" log="True" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3AF5AA0A-routing" name="Routing"/>
|
|
<Interface id="id3AF5AA96" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3AF5AA96-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3AF5AA99" name="eth1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3AF5AA99-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3B0B4BC8" name="eth2" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B0B4BC8-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3B0B4D35" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B0B4D35-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id3B11F434" name="eth3" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B11F434-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="22.22.23.23">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">1000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_limits">True</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_timeouts">True</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">pf_file_top</Option>
|
|
<Option name="prolog_script"># prolog:
|
|
# some pf command at the very top of the .conf file goes here
|
|
|
|
|
|
</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3DE69291" name="firewall13" comment="testing detection of empty groups" host_OS="openbsd" inactive="False" lastCompiled="1157930804" lastInstalled="0" lastModified="1193632387" platform="pf" ro="False" version="">
|
|
<NAT id="id3DE69292" name="NAT">
|
|
<NATRule id="id3DE69752" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DE69469"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE697CD" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DE69469"/>
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3DE69866" disabled="False" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DE6946C"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3DE692BD" name="Policy">
|
|
<PolicyRule id="id3DE6946F" action="Accept" direction="Both" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DE6946A"/>
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DE6947B" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3DE6946C"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3DE69487" action="Deny" direction="Both" disabled="False" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3DE69291-routing" name="Routing"/>
|
|
<Interface id="id3DE6935E" name="eth1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3DE6935F" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3DE6937E" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3DE6937F" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast">0</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect">0</Option>
|
|
<Option name="openbsd_ip_sourceroute">0</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3AFB66C6" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " host_OS="openbsd" inactive="False" lastCompiled="1157930805" lastInstalled="0" lastModified="1210452316" platform="pf" ro="False" version="">
|
|
<NAT id="id3AFB66C7" name="NAT">
|
|
<NATRule id="id3AFB66C8" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3AFB66D6" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3CABE6DF" disabled="False" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A827" disabled="False" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A83B" disabled="False" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A850" disabled="False" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A8DE" disabled="False" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3D703C8F"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A8F2" disabled="False" position="7">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id40E9A907" disabled="False" position="8">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id431BEFED" disabled="False" position="9">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AFB69BD" disabled="False" position="10">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BEEF6D2" disabled="False" position="11">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3BD67563" disabled="False" position="12">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3BD6757E" disabled="True" position="13">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B66568B" comment="NETMAP " disabled="True" position="14">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B6656EF" comment="NETMAP" disabled="True" position="15">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id431C0728" disabled="False" position="16">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id431C0714" disabled="False" position="17">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id431C0700" disabled="False" position="18">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id431C355F" disabled="False" position="19">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3D703C8F"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3AFB69F7" disabled="False" position="20">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id414BEA12" disabled="False" position="21">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id414BEC22" disabled="False" position="22">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3B7313C4" disabled="False" position="23">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E59ADF3" disabled="False" position="24">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id40ECF000" disabled="False" position="25">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E59AC6D" disabled="False" position="26">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3E59AD29"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id41F9FFBB" disabled="False" position="27">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id41F9FFBA"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id41FA0A82" disabled="False" position="28">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3D703C8F"/>
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
<ServiceRef ref="tcp-All_TCP"/>
|
|
<ServiceRef ref="udp-All_UDP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3AFB66E4" name="Policy">
|
|
<PolicyRule id="id41451D62" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB6708" comment="Anti-spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id465385F321432" comment="rules 2,3,4 test group usage in interface all three rules should yield the same config" action="Deny" direction="Inbound" disabled="False" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4653861721432"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4653B74421432" comment="Anti-spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4653B74121432"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4653860421432" comment="Anti-spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB6710" comment="Anti-spoofing rule" action="Deny" direction="Outbound" disabled="False" log="True" position="5">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB66E5" comment="block fragments" action="Deny" direction="Both" disabled="False" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C6FD2" comment="sends TCP RST and makes custom record in the log" action="Reject" direction="Both" disabled="False" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">IDENT</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D8FEDA9" action="Accept" direction="Both" disabled="False" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FED30"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D8FEE11" action="Accept" direction="Both" disabled="False" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FED30"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB66EF" comment="'masquerading' rule" action="Accept" direction="Both" disabled="False" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C447B8D" comment="host-fw2 has the same address as one of the firewall's interfaces" action="Accept" direction="Both" disabled="True" log="True" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C447BCB" action="Accept" direction="Both" disabled="False" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AFB66F9" comment="'catch all' rule" action="Deny" direction="Both" disabled="False" log="True" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3AFB66C6-routing" name="Routing"/>
|
|
<Interface id="id3AFB6703" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3AFB6703-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3AFB6706" name="eth1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3AFB6706-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3AFB68D2" name="eth3" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3AFB68D2-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3B0221F1" name="eth2" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B0221F1-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3CD2449F" name="lo" bridgeport="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3CD2449F-ipv4" name="lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="192.168.2.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">True</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">True</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization">Aggressive</Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">32</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">True</Option>
|
|
<Option name="pf_scrub_use_minttl">True</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">True</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">True</Option>
|
|
<Option name="pf_set_tcp_opening">True</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">10</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">5</Option>
|
|
<Option name="pf_tcp_opening">5</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">pf_file_after_set</Option>
|
|
<Option name="prolog_script"># prolog
|
|
# prolog commands go after set commands
|
|
</Option>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3B0C6380" name="firewall4" comment="this object is used to test a configuration where firewall has dynamic address " host_OS="openbsd" inactive="False" lastCompiled="1157930815" lastInstalled="0" lastModified="1200415196" platform="pf" ro="False" version="">
|
|
<NAT id="id3B0C6381" name="NAT">
|
|
<NATRule id="id3B0C6382" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3B0C6390" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id3B202AFF" disabled="False" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E797EFF" comment="SDNAT rule " disabled="False" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3CD88A77"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C63DF"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3B0C639E" name="Policy">
|
|
<PolicyRule id="id3B54F071" action="Deny" direction="Both" disabled="False" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63E3" comment="Anti-spoofing rule" action="Deny" direction="Inbound" disabled="False" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63EB" comment="Anti-spoofing rule" action="Deny" direction="Outbound" disabled="False" log="True" position="2">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C639F" comment="hostF has the same IP address as firewal." action="Accept" direction="Both" disabled="False" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63B4" action="Deny" direction="Both" disabled="False" log="True" position="4">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63A9" comment="testing negation in the policy rule" action="Deny" direction="Both" disabled="False" log="True" position="5">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63BF" comment="testing negation in service field" action="Deny" direction="Both" disabled="True" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63CB" comment="'masquerading' rule" action="Accept" direction="Both" disabled="False" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3B0C63D5" comment="'catch all' rule" action="Deny" direction="Both" disabled="False" log="True" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3B0C6380-routing" name="Routing"/>
|
|
<Interface id="id3B0C63DF" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B0C63DF-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3B0C63E1" name="eth1" bridgeport="False" dyn="True" label="" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B0C63E1-ipv4" name="address" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id3B0C63F3" name="eth2" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B0C63F3-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3B0C63F5" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3B0C63F5-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id3CD88A77" name="eth3" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3CD88A77-ipv4" name="address" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="222.222.222.222">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">pf_file_after_tables</Option>
|
|
<Option name="prolog_script"># prolog commands go after table definitions
|
|
</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3E1FC43C" name="firewall5" comment="testing IP fragments and scrub" host_OS="openbsd" inactive="False" lastCompiled="1157930819" lastInstalled="0" lastModified="1200415199" platform="pf" ro="False" version="">
|
|
<NAT id="id3E1FC43D" name="NAT">
|
|
<NATRule id="id3E1FC8FC" disabled="True" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1FC43C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3E1FC469" name="Policy">
|
|
<PolicyRule id="id3E1FC62E" action="Deny" direction="Both" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E1FC7B6" action="Deny" direction="Both" disabled="False" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
<ServiceRef ref="id3B58E3F1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E1FC47F" action="Deny" direction="Both" disabled="False" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3E1FC43C-routing" name="Routing"/>
|
|
<Interface id="id3E1FC489" name="eth1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3E1FC48A" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3E1FC48C" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3E1FC48D" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3E5F1D4C" name="lo" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3E5F1D4E" name="firewall5:lo(ip)" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast">0</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect">0</Option>
|
|
<Option name="openbsd_ip_sourceroute">0</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3C698F1D" name="firewall6" comment="testing rule with firewall in dst and negation" host_OS="openbsd" inactive="False" lastCompiled="1157930821" lastInstalled="0" lastModified="1200415203" platform="pf" ro="False" version="">
|
|
<NAT id="id3C698F1E" name="NAT"/>
|
|
<Policy id="id3C698F9D" name="Policy">
|
|
<PolicyRule id="id3C699028" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69901D"/>
|
|
</Itf>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C698FB2" action="Deny" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3C698F1D-routing" name="Routing"/>
|
|
<Interface id="id3C699013" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3C699013-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3C69901D" name="eth1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3C69901D-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3C699030" name="eth2" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3C699030-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3C699032" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3C699032-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id3C699034" name="eth3" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3C699034-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="22.22.23.23">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3C69BD4F" name="firewall7" comment="testing rules with broadcasts" host_OS="openbsd" inactive="False" lastCompiled="1157930822" lastInstalled="0" lastModified="1200415209" platform="pf" ro="False" version="">
|
|
<NAT id="id3C69BD50" name="NAT"/>
|
|
<Policy id="id3C69BD51" name="Policy">
|
|
<PolicyRule id="id3C69BDE1" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3C69BF13" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3C69BD4F-routing" name="Routing"/>
|
|
<Interface id="id3C69BD5C" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3C69BD5C-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3C69BD5E" name="eth1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3C69BD5E-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3C69BD68" name="eth2" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3C69BD68-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3C69BD6A" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3C69BD6A-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id3C69BD6C" name="eth3" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3C69BD6C-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="22.22.23.23">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3D581152" name="firewall8" host_OS="openbsd" inactive="False" lastCompiled="1157930823" lastInstalled="0" lastModified="1200415211" platform="pf" ro="False" version="">
|
|
<NAT id="id3D581156" name="NAT">
|
|
<NATRule id="id3D58164E" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D581152"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D58163D" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D58115B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D5812BC" disabled="False" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D58115E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D581322" disabled="False" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D581152"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D58118B"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D5812AE" disabled="False" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D58115D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D58118B"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D5812CC" disabled="False" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D58115D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D58118F"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D5812FA" disabled="False" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D58115D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D581193"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3D58130E" disabled="False" position="7">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D58115D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D581194"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id40ECF00B" disabled="False" position="8">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D58115B"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3D581155" name="Policy">
|
|
<PolicyRule id="id3E5F239B" action="Accounting" direction="Both" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E5F2391" action="Accounting" direction="Both" disabled="False" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D5811A5" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D58115E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D58119B" action="Accept" direction="Both" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D58115D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D5811FB" action="Accept" direction="Both" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D58115B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3D5811B1" action="Deny" direction="Both" disabled="False" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3D581152-routing" name="Routing"/>
|
|
<Interface id="id3D58115B" name="eth1" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3D58115D" name="firewall8:eth1:1" address="33.33.33.34" netmask="255.255.255.0"/>
|
|
<IPv4 id="id3D58115E" name="firewall8:eth1:0" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3D581188" name="eth0" bridgeport="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3D58118A" name="firewall8:eth0" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3E5F18E9" name="lo" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3E5F18EB" name="firewall8:lo(ip)" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id3EE256C2" name="ppp0" bridgeport="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_path_pfctl">/usr/sbin/pfctl</Option>
|
|
<Option name="openbsd_path_sysctl">/usr/sbin/sysctl</Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id3E853CBE" name="firewall9" comment="testing rules with broadcasts" host_OS="freebsd" inactive="False" lastCompiled="1157930825" lastInstalled="0" lastModified="1200415214" platform="pf" ro="False" version="">
|
|
<NAT id="id3E853CBF" name="NAT">
|
|
<NATRule id="id3E853EF8" disabled="True" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E853CD8"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id3E853F16" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E853CBE"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3E853CC0" name="Policy">
|
|
<PolicyRule id="id3E853CCE" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E853CCB"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E853CEF" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E853CDE"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E853D1B" action="Accept" direction="Both" disabled="True" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3E853CD8"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E853CC1" action="Accept" direction="Both" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3E853D26" action="Deny" direction="Both" disabled="False" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3E853CBE-routing" name="Routing"/>
|
|
<Interface id="id3E853CCB" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3E853CCC" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3E853CD8" name="enc0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False"/>
|
|
<Interface id="id3E853CDE" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3E853CDF" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43867C1018346" name="firewall33" comment="testing DNSName object" host_OS="freebsd" inactive="False" lastCompiled="1157930808" lastInstalled="0" lastModified="1193632397" platform="pf" ro="False" version="">
|
|
<NAT id="id43867C4818346" name="NAT">
|
|
<NATRule id="id43876E2618346" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43876E5218346" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43876E6918346" disabled="False" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43876E7B18346" disabled="False" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id43867C1618346" name="Policy">
|
|
<PolicyRule id="id43867C2418346" action="Accept" direction="Both" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43869E9018346" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43869E9E18346" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8E18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43869EAA18346" action="Accept" direction="Both" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8F18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4386E38318346" action="Deny" direction="Both" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4386E37718346" action="Deny" direction="Both" disabled="False" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43867C3018346" action="Accept" direction="Both" disabled="False" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8E18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4386C10D18346" action="Accept" direction="Both" disabled="False" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8F18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id438728A918346" action="Accept" direction="Both" disabled="False" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
<ObjectRef ref="id4387287918346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id438728BA18346" action="Accept" direction="Both" disabled="False" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id438728CD18346" action="Accept" direction="Both" disabled="False" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43867C3C18346" action="Deny" direction="Both" disabled="False" log="True" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id43867C5718346" name="Routing"/>
|
|
<Interface id="id43867C5818346" name="eth0.100" comment="VLAN interface" bridgeport="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface id="id43867C5918346" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id43867C5B18346" name="firewall33:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id43867C5C18346" name="eth1" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id43867C5E18346" name="firewall33:eth1:ip" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4389EDAE18346" name="firewall34" comment="testing AddressTable object" host_OS="openbsd" inactive="False" lastCompiled="1210047001" lastInstalled="0" lastModified="1210046836" platform="pf" ro="False" version="">
|
|
<NAT id="id4389EE4818346" name="NAT">
|
|
<NATRule id="id4389EEB018346" disabled="False" position="0">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id446FDDE610619" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id4390C25525682"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43891B6E674" disabled="False" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id467A0FE823947" disabled="False" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id467A0FF823947" disabled="False" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id467A209B23947" disabled="False" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id467A20AD23947" disabled="False" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id4389EE8518346"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id4389EDB418346" name="Policy">
|
|
<PolicyRule id="id4389EDB518346" action="Accept" direction="Both" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388CFEA674" action="Deny" direction="Both" disabled="False" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4390C25825682" action="Deny" direction="Both" disabled="False" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4390C25525682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id446FB0ED10619" action="Deny" direction="Both" disabled="False" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id446FB0EA10619"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id452762A85348" action="Deny" direction="Both" disabled="False" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id452762A75348"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EDC118346" action="Deny" direction="Both" disabled="False" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388CFF8674" action="Deny" direction="Both" disabled="False" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388C36F674" action="Deny" direction="Both" disabled="False" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4388F5A9674" action="Accept" direction="Both" disabled="True" log="False" position="8">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EEA118346" action="Accept" direction="Both" disabled="False" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">5</Option>
|
|
<Option name="pf_max_src_conn_flush">True</Option>
|
|
<Option name="pf_max_src_conn_global">True</Option>
|
|
<Option name="pf_max_src_conn_overload_table">spammers</Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EDCD18346" action="Accept" direction="Both" disabled="False" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4389EE3C18346" action="Deny" direction="Both" disabled="False" log="True" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id4389EE8318346" name="Routing"/>
|
|
<Interface id="id4389EE8418346" name="eth0.100" comment="VLAN interface" bridgeport="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface id="id4389EE8518346" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4389EE8718346" name="firewall34:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id4389EE8818346" name="eth1" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4389EE8A18346" name="firewall34:eth1:ip" address="192.168.1.100" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43EC5DDC2355" name="firewall38" comment="testing rules with tag service" host_OS="freebsd" inactive="False" lastCompiled="1215308323" lastInstalled="0" lastModified="1215308308" platform="pf" ro="False" version="">
|
|
<NAT id="id43EC5E1F2355" name="NAT">
|
|
<NATRule id="id43EC5E2E2355" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43EC5DDC2355"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id43EC5E6E2355" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43EC5DDC2355"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id43EC5DE22355" name="Policy">
|
|
<PolicyRule id="id43EC5DE32355" action="Tag" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43EC5E3D2355"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagobject_id">id43F4556A28869</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F447F228869" action="Accept" direction="Inbound" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43F447EB28869"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F4555D28869" action="Accept" direction="Outbound" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43F4556A28869"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43EC5E402355"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F462CA28869" action="Accept" direction="Outbound" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43EC5E402355"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC5DEF2355" action="Accept" direction="Both" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43EC5E412355"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC6B8B2355" action="Accept" direction="Both" disabled="False" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id1391220443" action="Accept" direction="Both" disabled="False" group="" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
<ServiceRef ref="id1391120443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC6BAF2355" action="Accept" direction="Both" disabled="True" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC6BC02355" action="Accept" direction="Both" disabled="False" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC6BEA2355" action="Accept" direction="Both" disabled="True" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F4407F28542" action="Classify" direction="Both" disabled="False" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">mail</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43EC5E132355" action="Deny" direction="Both" disabled="False" log="True" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id43EC5E3C2355" name="Routing"/>
|
|
<Interface id="id43EC5E3D2355" name="le0" bridgeport="False" dyn="False" label="int_if" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id43EC5E3F2355" name="firewall38:le0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id43EC5E402355" name="enc0" bridgeport="False" dyn="False" label="ext_if" mgmt="False" security_level="0" unnum="True" unprotected="False"/>
|
|
<Interface id="id43EC5E412355" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id43EC5E432355" name="firewall38:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id43F447EB28869" name="enc1" bridgeport="False" dyn="False" label="wifi_int" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id43F447EC28869" name="firewall38:enc1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id43F7DBEE31316" name="firewall3" comment="testing NAT rules with multiple objects in TSrc and TDst and NAT rule options" host_OS="openbsd" inactive="False" lastCompiled="1157930807" lastInstalled="0" lastModified="1200415192" platform="pf" ro="False" version="">
|
|
<NAT id="id43F7DC6531316" name="NAT">
|
|
<NATRule id="id43F7DC6631316" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43F7DCEB31316"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="pf_bitmask">False</Option>
|
|
<Option name="pf_pool_type_none">True</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">False</Option>
|
|
<Option name="pf_source_hash">False</Option>
|
|
<Option name="pf_static_port">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id43F7DCC331316" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43F7DC7531316"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="nat_bitmask">True</Option>
|
|
<Option name="nat_random">False</Option>
|
|
<Option name="nat_round_robin">False</Option>
|
|
<Option name="nat_source_hash">False</Option>
|
|
<Option name="nat_static_port">False</Option>
|
|
<Option name="pf_bitmask">True</Option>
|
|
<Option name="pf_pool_type_none">False</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">False</Option>
|
|
<Option name="pf_source_hash">False</Option>
|
|
<Option name="pf_static_port">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id43F7DCD731316" disabled="False" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43F7DCF631316"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="pf_bitmask">False</Option>
|
|
<Option name="pf_pool_type_none">False</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">False</Option>
|
|
<Option name="pf_source_hash">True</Option>
|
|
<Option name="pf_static_port">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id43F7DD1431316" disabled="False" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43F7DCF831316"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="pf_bitmask">False</Option>
|
|
<Option name="pf_pool_type_none">False</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">True</Option>
|
|
<Option name="pf_source_hash">False</Option>
|
|
<Option name="pf_static_port">True</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule id="id43F7E942514" disabled="False" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43F7DCEB31316"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="pf_bitmask">False</Option>
|
|
<Option name="pf_pool_type_none">False</Option>
|
|
<Option name="pf_random">False</Option>
|
|
<Option name="pf_round_robin">True</Option>
|
|
<Option name="pf_source_hash">False</Option>
|
|
<Option name="pf_static_port">False</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id43F7DBF431316" name="Policy">
|
|
<PolicyRule id="id43F7DC4131316" comment="All other attempts to connect to the firewall are denied and logged" action="Deny" direction="Both" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id43F7DBEE31316"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id43F7DC4D31316" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">1000</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id43F7DC7431316" name="Routing"/>
|
|
<Interface id="id43F7DC7531316" name="le0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id43F7DCEB31316" name="firewall3:le0:ip-1" address="22.22.22.21" netmask="255.255.255.0"/>
|
|
<IPv4 id="id43F7DCEC31316" name="firewall3:le0:ip-2" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id43F7DC7631316" name="le1" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id43F7DC7831316" name="firewall3:le1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id43F7DC7931316" name="lo" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id43F7DC7B31316" name="firewall3:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">True</Option>
|
|
<Option name="pf_scrub_random_id">True</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">pf_file_after_scrub</Option>
|
|
<Option name="prolog_script"># prolog
|
|
# prolog commands go after scrub commands
|
|
</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id445DB34232739" name="firewall39" comment="testing branching rules" host_OS="freebsd" inactive="False" lastCompiled="1157930813" lastInstalled="0" lastModified="1190517710" platform="pf" ro="False" version="">
|
|
<NAT id="id445DB3CF32739" name="NAT">
|
|
<NATRule id="id445DB3D032739" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id445DB34232739"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id445DB3DE32739" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id445DB34232739"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id445DB34832739" name="Policy">
|
|
<PolicyRule id="id445DB34932739" action="Tag" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DB3ED32739"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagobject_id">id43F4556A28869</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB35532739" action="Accept" direction="Inbound" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DB3F432739"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB36132739" comment="logging is not allowed with 'anchor' compiler should not generate 'log' keyword " action="Branch" direction="Inbound" disabled="False" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DB3F032739"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB36D32739" action="Branch" direction="Inbound" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DB3F032739"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB37932739" action="Accept" direction="Both" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DB3F132739"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB38532739" action="Branch" direction="Both" disabled="False" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule5_branch</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB39132739" action="Accept" direction="Both" disabled="False" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB39D32739" action="Accept" direction="Both" disabled="False" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB3AA32739" action="Accept" direction="Both" disabled="True" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC6B892355"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB3B732739" action="Classify" direction="Both" disabled="False" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">mail</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB3C332739" action="Deny" direction="Both" disabled="False" log="True" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Policy id="id445DB3FE32739" name="rule2_branch">
|
|
<PolicyRule id="id445DB40A32739" action="Accept" direction="Both" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id445DB34232739"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB42332739" action="Deny" direction="Both" disabled="False" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Policy id="id445DB3FF32739" name="rule3_branch">
|
|
<PolicyRule id="id445DB41632739" action="Accept" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB43032739" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445DB43E32739" action="Deny" direction="Both" disabled="False" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Policy id="id445DB40032739" name="rule5_branch"/>
|
|
<Routing id="id445DB3EC32739" name="Routing"/>
|
|
<Interface id="id445DB3ED32739" name="le0" bridgeport="False" dyn="False" label="int_if" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id445DB3EF32739" name="firewall39:le0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id445DB3F032739" name="enc0" bridgeport="False" dyn="False" label="ext_if" mgmt="False" security_level="0" unnum="True" unprotected="False"/>
|
|
<Interface id="id445DB3F132739" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id445DB3F332739" name="firewall39:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id445DB3F432739" name="enc1" bridgeport="False" dyn="False" label="wifi_int" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id445DB3F632739" name="firewall39:enc1:ip" address="192.168.2.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id44948F9F2976" name="firewall40" comment="testing Route action " host_OS="openbsd" inactive="False" lastCompiled="1157930816" lastInstalled="0" lastModified="1193632410" platform="pf" ro="False" version="">
|
|
<NAT id="id449490392976" name="NAT">
|
|
<NATRule id="id449490482976" comment="Translate source address for outgoing connections" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id449490662976"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4494A6FF3539" comment="Translate source address for outgoing connections" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4494906F2976"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id44948FA52976" name="Policy">
|
|
<PolicyRule id="id44957E2D3539" action="Accept" direction="Both" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4494906C2976"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44957E3A3539" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id449490692976"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id449490212976" action="Route" direction="Inbound" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id449490692976"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.10</Option>
|
|
<Option name="pf_route_opt_if">le1</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4494AF342976" action="Route" direction="Inbound" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id449490692976"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr">192.0.3.10</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44958DBE3539" action="Accept" direction="Outbound" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44948F9F2976"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4494902D2976" action="Deny" disabled="False" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id449490652976" name="Routing"/>
|
|
<Interface id="id449490662976" name="le1" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id449490682976" name="firewall40:le1:ip" comment="This is a test address, change it to your real one" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id449490692976" name="fxp0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4494906B2976" name="firewall40:fxp0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id4494906C2976" name="lo0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4494906E2976" name="firewall40:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id4494906F2976" name="le2" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id449490712976" name="firewall40:le2:ip" address="192.0.3.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id44EC18128791" name="firewall41" comment="testing rule shadowing with run-time objects, rules with such objects should be ignored " host_OS="freebsd" inactive="False" lastCompiled="1157930818" lastInstalled="0" lastModified="1193632413" platform="pf" ro="False" version="">
|
|
<NAT id="id44EC18168791" name="NAT"/>
|
|
<Policy id="id44EC18158791" name="Policy">
|
|
<PolicyRule id="id44EC181E8791" action="Accept" direction="Both" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44EC181D8791"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44F7056428576" action="Accept" direction="Both" disabled="False" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id44F707E428576" action="Accept" direction="Both" disabled="False" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id44EC18178791" name="Routing"/>
|
|
<Interface id="id44EC18188791" name="eth0" bridgeport="False" dyn="False" label="ext" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id44EC18198791" name="firewall41:eth0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id44EC181A8791" name="eth1" bridgeport="False" dyn="False" label="int" security_level="50" unnum="False" unprotected="False">
|
|
<IPv4 id="id44EC181B8791" name="firewall41:eth1:ip" address="2.2.2.2" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4699449021967" name="firewall10-1" comment="PF 3.x, testing "flags S/SA keep state"" host_OS="openbsd" inactive="False" lastCompiled="1202682006" lastInstalled="0" lastModified="1202681966" platform="pf" ro="False" version="3.x">
|
|
<NAT id="id469944D321967" name="NAT">
|
|
<NATRule id="id469944D421967" disabled="True" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id469944F421967"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id469944E221967" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4699449021967"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id4699449621967" name="Policy">
|
|
<PolicyRule id="id4699449721967" action="Accept" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469944F121967"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469944A321967" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469944F521967"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469944AF21967" comment="via ipsec" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469944F421967"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469944C721967" action="Deny" direction="Both" disabled="False" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id469944F021967" name="Routing"/>
|
|
<Interface id="id469944F121967" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id469944F321967" name="firewall10-1:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id469944F421967" name="enc0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False"/>
|
|
<Interface id="id469944F521967" name="lo0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id469944F721967" name="firewall10-1:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4699570022254" name="firewall10-2" comment="PF 4.x, testing "flags S/SA keep state"" host_OS="openbsd" inactive="False" lastCompiled="1202682007" lastInstalled="0" lastModified="1202682031" platform="pf" ro="False" version="4.x">
|
|
<NAT id="id4699573822254" name="NAT">
|
|
<NATRule id="id4699573922254" disabled="True" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4699575922254"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4699574722254" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4699570022254"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id4699570622254" name="Policy">
|
|
<PolicyRule id="id4699570722254" action="Accept" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699575622254"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699571422254" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699575A22254"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699572022254" comment="via ipsec" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699575922254"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699572C22254" action="Deny" direction="Both" disabled="False" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id4699575522254" name="Routing"/>
|
|
<Interface id="id4699575622254" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4699575822254" name="firewall10-2:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id4699575922254" name="enc0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False"/>
|
|
<Interface id="id4699575A22254" name="lo0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True">
|
|
<IPv4 id="id4699575C22254" name="firewall10-2:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id469948EA22616" name="firewall10-3" comment="PF 3.x, testing "flags S/SA keep state" "Accept tcp sessions opened prior to restart" ON " host_OS="openbsd" inactive="False" lastCompiled="1202682008" lastInstalled="0" lastModified="1202681977" platform="pf" ro="False" version="3.x">
|
|
<NAT id="id4699492222616" name="NAT">
|
|
<NATRule id="id4699492322616" disabled="True" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4699494322616"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4699493122616" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id469948EA22616"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id469948F022616" name="Policy">
|
|
<PolicyRule id="id469948F122616" action="Accept" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699494022616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id469948FE22616" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699494422616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699490A22616" comment="via ipsec" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4699494322616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699491622616" action="Deny" direction="Both" disabled="False" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id4699493F22616" name="Routing"/>
|
|
<Interface id="id4699494022616" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4699494222616" name="firewall10-3:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id4699494322616" name="enc0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False"/>
|
|
<Interface id="id4699494422616" name="lo0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4699494622616" name="firewall10-3:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4699494C22616" name="firewall10-4" comment="PF 4.x, testing "flags S/SA keep state" "Accept tcp sessions opened prior to restart" is ON " host_OS="openbsd" inactive="False" lastCompiled="1202682010" lastInstalled="0" lastModified="1202681983" platform="pf" ro="False" version="4.x">
|
|
<NAT id="id4699498422616" name="NAT">
|
|
<NATRule id="id4699498522616" disabled="True" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id469949A522616"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id4699499322616" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4699494C22616"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id4699495222616" name="Policy">
|
|
<PolicyRule id="id4699495322616" action="Accept" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469949A222616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699496022616" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469949A622616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699496C22616" comment="via ipsec" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id469949A522616"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4699497822616" action="Deny" direction="Both" disabled="False" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id469949A122616" name="Routing"/>
|
|
<Interface id="id469949A222616" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id469949A422616" name="firewall10-4:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id469949A522616" name="enc0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False"/>
|
|
<Interface id="id469949A622616" name="lo0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True">
|
|
<IPv4 id="id469949A822616" name="firewall10-4:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id46F605DE10002" name="firewall10-5" comment="PF 3.x, testing "flags S/SA keep state" "Accept tcp sessions opened prior to restart" ON Using "pass all outgoing" " host_OS="openbsd" inactive="False" lastCompiled="1202682011" lastInstalled="0" lastModified="1202681989" platform="pf" ro="False" version="3.x">
|
|
<NAT id="id46F6061610002" name="NAT">
|
|
<NATRule id="id46F6061710002" disabled="True" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id46F6063710002"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46F6062510002" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id46F605DE10002"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id46F605E410002" name="Policy">
|
|
<PolicyRule id="id46F6520210002" comment="This adds "pass out ... keep state" rule that compiler 2.1.14 does not add automatically for pf 3.x Note that checkbox "add 'keep state'" is on in options " action="Accept" direction="Outbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6063710002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F605E510002" action="Accept" direction="Inbound" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6063410002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F605F210002" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6063810002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F605FE10002" comment="via ipsec" action="Accept" direction="Both" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6063710002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F6060A10002" action="Deny" direction="Both" disabled="False" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id46F6063310002" name="Routing"/>
|
|
<Interface id="id46F6063410002" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id46F6063610002" name="firewall10-5:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id46F6063710002" name="enc0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False"/>
|
|
<Interface id="id46F6063810002" name="lo0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id46F6063A10002" name="firewall10-5:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">True</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id46F6064010002" name="firewall10-6" comment="PF 4.x, testing "flags S/SA keep state" "Accept tcp sessions opened prior to restart" is ON Using "pass all outgoing" " host_OS="openbsd" inactive="False" lastCompiled="1202682012" lastInstalled="0" lastModified="1202681995" platform="pf" ro="False" version="4.x">
|
|
<NAT id="id46F6067810002" name="NAT">
|
|
<NATRule id="id46F6067910002" disabled="True" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id46F6069910002"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id46F6068710002" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id46F6064010002"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id46F6064610002" name="Policy">
|
|
<PolicyRule id="id46F6064710002" action="Accept" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6069610002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F6065410002" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6069A10002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F6066010002" comment="via ipsec" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46F6069910002"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_keep_state">True</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id46F6066C10002" action="Deny" direction="Both" disabled="False" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id46F6069510002" name="Routing"/>
|
|
<Interface id="id46F6069610002" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id46F6069810002" name="firewall10-6:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id46F6069910002" name="enc0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False"/>
|
|
<Interface id="id46F6069A10002" name="lo0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True">
|
|
<IPv4 id="id46F6069C10002" name="firewall10-6:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.100</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">True</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id476458AA9697" name="firewall40-1" comment="testing Route action with load balancing " host_OS="openbsd" inactive="False" lastCompiled="1157930816" lastInstalled="0" lastModified="1197750649" platform="pf" ro="False" version="">
|
|
<NAT id="id476458FA9697" name="NAT">
|
|
<NATRule id="id476458FB9697" comment="Translate source address for outgoing connections" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id476459189697"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id476459099697" comment="Translate source address for outgoing connections" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id476459219697"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id476458B09697" name="Policy">
|
|
<PolicyRule id="id47646C979697" action="Route" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le1</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47646C869697" action="Route" direction="Inbound" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47646C759697" action="Route" direction="Inbound" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476480059697" action="Route" direction="Inbound" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le1</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476480169697" action="Route" direction="Inbound" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476480279697" action="Route" direction="Inbound" disabled="False" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476458C99697" action="Route" direction="Inbound" disabled="False" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">random</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.0/24</Option>
|
|
<Option name="pf_route_opt_if">le1</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476458D69697" action="Route" direction="Inbound" disabled="False" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">source_hash</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.0/24</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4764592B9697" action="Route" direction="Inbound" disabled="False" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.0/255.255.255.0</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4764BABB9697" comment="this should fail because it has one address for the next hop and it is /32. Run compiler with command line argument -xt to convert errors to warnings and make it generate .conf file anyway" action="Route" direction="Inbound" disabled="False" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4764BACC9697" comment="this should fail because it has one address for the next hop and it is /32. " action="Route" direction="Inbound" disabled="False" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.2.1/32</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id476509419697" comment="this should fail because it ip address in next hop is illegal" action="Route" direction="Inbound" disabled="False" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4764591B9697"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C86E6E</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_keep_state">False</Option>
|
|
<Option name="pf_max_src_conn">0</Option>
|
|
<Option name="pf_max_src_conn_flush">False</Option>
|
|
<Option name="pf_max_src_conn_global">False</Option>
|
|
<Option name="pf_max_src_conn_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_flush">False</Option>
|
|
<Option name="pf_max_src_conn_rate_global">False</Option>
|
|
<Option name="pf_max_src_conn_rate_num">0</Option>
|
|
<Option name="pf_max_src_conn_rate_overload_table"></Option>
|
|
<Option name="pf_max_src_conn_rate_seconds">0</Option>
|
|
<Option name="pf_max_src_nodes">0</Option>
|
|
<Option name="pf_max_src_states">0</Option>
|
|
<Option name="pf_route_load_option">round_robin</Option>
|
|
<Option name="pf_route_opt_addr">192.0.300.1/32</Option>
|
|
<Option name="pf_route_opt_if">le2</Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="pf_rule_max_state">0</Option>
|
|
<Option name="pf_source_tracking">False</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id476459179697" name="Routing"/>
|
|
<Interface id="id476459189697" name="le1" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id4764591A9697" name="firewall40-1:le1:ip" comment="This is a test address, change it to your real one" address="192.0.2.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id4764591B9697" name="fxp0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4764591D9697" name="firewall40-1:fxp0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id4764591E9697" name="lo0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id476459209697" name="firewall40-1:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id476459219697" name="le2" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id476459239697" name="firewall40-1:le2:ip" address="192.0.3.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4833F62B6131" name="firewall-ipv6-1" host_OS="freebsd" inactive="False" lastCompiled="1212115999" lastInstalled="0" lastModified="1212272477" platform="pf" ro="False" version="">
|
|
<NAT id="id4833F62F6131" name="NAT"/>
|
|
<Policy id="id483F5B7623190" name="Policy_ipv4"/>
|
|
<Policy id="id4833F62E6131" name="Policy">
|
|
<PolicyRule id="id4841FADE30813" action="Accept" direction="Both" disabled="False" group="" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4841FADB30813"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4837BFE628819" comment="this rule shadows the next. Note that we add command line flag -xt to the compiler" action="Accept" direction="Both" disabled="False" group="" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834578B6131" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7216880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834577C6131" action="Accept" direction="Both" disabled="False" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id48416A7116880"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834D3038571" action="Accept" direction="Both" disabled="False" group="" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834D3108571" action="Accept" direction="Both" disabled="False" group="" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4835040E8571" action="Accept" direction="Both" disabled="False" group="" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4835041F8571" action="Accept" direction="Both" disabled="False" group="" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834576F6131" action="Accept" direction="Inbound" disabled="False" log="True" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4833F62B6131"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4834B9216131" action="Accept" direction="Both" disabled="False" log="True" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834B9206131"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id483566468571" action="Accept" direction="Both" disabled="False" log="True" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2238571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id483566548571" action="Accept" direction="Both" disabled="False" log="True" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4834A2278571"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id4833F6306131" name="Routing"/>
|
|
<Interface id="id4833F6316131" name="eth0" bridgeport="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False">
|
|
<IPv4 id="id4833F6326131" name="firewall-ipv6-1:eth0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
|
|
<IPv6 id="id4833F6346131" name="firewall-ipv6-1:eth0:ipv6" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
|
|
</Interface>
|
|
<Interface id="id4841FADB30813" name="lo" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4841FADC30813" name="firewall-ipv6-1:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<IPv6 id="id4841FADD30813" name="firewall-ipv6-1:lo:ipv6" address="::1" netmask="128"/>
|
|
</Interface>
|
|
<Management address="1.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">True</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">0</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4848A4294626" name="firewall-base-rulesets" comment="this firewall is used to test a rule in the global policy of object "firewall" " host_OS="openbsd" inactive="False" lastCompiled="1188097225" lastInstalled="1142003872" lastModified="1212696462" platform="pf" ro="False" version="">
|
|
<NAT id="id4848A4304626" name="NAT"/>
|
|
<Policy id="id4848A42F4626" name="Policy"/>
|
|
<Policy id="id4848A4414626" name="web_server_inbound" comment="Basic rules for web servers. ">
|
|
<PolicyRule id="id4848A4424626" action="Accept" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848A44F4626" action="Accept" direction="Inbound" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Policy id="id48493B6E4626" name="mail_server_inbound" comment="Basic rules for mail servers">
|
|
<PolicyRule id="id48493B6F4626" action="Accept" direction="Inbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id48493B7B4626" action="Accept" direction="Inbound" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Policy id="id484B0A134626" name="mail_server_outbound" comment="Basic rules for mail servers">
|
|
<PolicyRule id="id484B0A2D4626" action="Accept" direction="Outbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B0A3A4626" action="Accept" direction="Outbound" disabled="False" group="" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Policy id="id484B3D324626" name="web_server_outbound" comment="Basic rules for web servers. ">
|
|
<PolicyRule id="id484B3D3F4626" action="Accept" direction="Outbound" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B3D4C4626" action="Accept" direction="Outbound" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3F530CC8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id4848A4314626" name="Routing"/>
|
|
<Interface id="id4848A4324626" name="en0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id4848A4344626" name="firewall-base-rulesets:en0:ip" address="33.33.33.33" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id4848A4354626" name="en1" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4848A4374626" name="firewall-base-rulesets:en1:ip" address="172.16.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id4848A4384626" name="en2" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4848A43A4626" name="firewall-base-rulesets:en2:ip" address="192.168.100.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.100.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id484A05C44626" name="firewall51" comment="testing branching rules that point at rule sets defined in object firewall-base-rulesets" host_OS="openbsd" inactive="False" lastCompiled="1188097218" lastInstalled="1142003872" lastModified="1212696679" platform="pf" ro="False" version="">
|
|
<NAT id="id484A06174626" name="NAT"/>
|
|
<Policy id="id484A05CA4626" name="Policy">
|
|
<PolicyRule id="id484A05CB4626" action="Branch" direction="Both" disabled="False" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id48493B6E4626</Option>
|
|
<Option name="branch_name">rule0_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B704C4626" action="Branch" direction="Both" disabled="False" group="" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id484B0A134626</Option>
|
|
<Option name="branch_name">rule0_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A05D84626" action="Branch" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id4848A4414626</Option>
|
|
<Option name="branch_name">rule1_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484B705F4626" action="Branch" direction="Both" disabled="False" group="" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_id">id484B3D324626</Option>
|
|
<Option name="branch_name">rule1_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_reply_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_reply_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A05E44626" action="Branch" direction="Both" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Policy id="id484A06094626" name="rule2_branch">
|
|
<PolicyRule id="id484A060A4626" action="Deny" direction="Both" disabled="False" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id484A06184626" name="Routing"/>
|
|
<Interface id="id484A06194626" name="en0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id484A061B4626" name="firewall51:en0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id484A061C4626" name="en1" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id484A061E4626" name="firewall51:en1:ip" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id484A061F4626" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id484A06224626" name="firewall51:lo:ip1" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
<IPv4 id="id484A06234626" name="firewall51:lo:ip2" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id4848F19020246" name="firewall62" comment="testing rules using UserService object Note that iptables does not allow entering iptables command that tries to match using module 'owner' in any chain other than OUTPUT. This includes user defined chains too (it checks how control passes to user defined chain and blocks command if it appears that user defined chain gets control not from OUTPUT) " host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1212808094" platform="pf" ro="False" version="4.x">
|
|
<NAT id="id4848F1D320246" name="NAT"/>
|
|
<Policy id="id4848F19620246" name="Policy">
|
|
<PolicyRule id="id484A6C465896" comment="rule from FR 1948872 should generate pass in quick on en0 user proxy " action="Accept" direction="Inbound" disabled="False" group="" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id484A6C525896"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4848F1D520246"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F19720246" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="id484A558E5896"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A55A15896" action="Accept" direction="Both" disabled="False" group="" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A8D2620246" action="Accept" direction="Outbound" disabled="False" group="" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A599620246" action="Accept" direction="Both" disabled="False" group="" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A8D3820246" action="Accept" direction="Outbound" disabled="False" group="" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1A320246" action="Accept" direction="Both" disabled="False" group="" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4848F1D520246"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1AF20246" action="Accept" direction="Both" disabled="False" group="" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1BB20246" action="Accept" direction="Both" disabled="False" group="" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A558F5896" action="Accept" direction="Both" disabled="False" group="" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
<ServiceRef ref="id484A558E5896"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484AF47A20246" action="Accept" direction="Inbound" disabled="False" group="" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A261420246" action="Accept" direction="Both" disabled="False" group="" log="False" position="11">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id484A260320246" action="Accept" direction="Both" disabled="False" group="" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id4848F19020246"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4849253820246"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id4848F1C720246" action="Deny" direction="Both" disabled="False" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id4848F1D420246" name="Routing"/>
|
|
<Interface id="id4848F1D520246" name="en0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id4848F1D720246" name="firewall62:en0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id4848F1D820246" name="en1" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id4848F1DA20246" name="firewall62:en1:ip" address="222.222.222.222" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="add_check_state_rule">true</Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="iosacl_add_clear_statements">true</Option>
|
|
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
|
<Option name="iosacl_include_comments">true</Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id530B20443" name="firewall63" comment="testing tos matching" host_OS="openbsd" inactive="False" lastCompiled="1215308098" lastInstalled="0" lastModified="1215308090" platform="pf" ro="False" version="">
|
|
<NAT id="id533820443" name="NAT">
|
|
<NATRule id="id533920443" disabled="True" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id530B20443"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id531120443" name="Policy">
|
|
<PolicyRule id="id531220443" action="Deny" direction="Both" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C6820443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="idDCDE20443" action="Deny" direction="Both" disabled="False" group="" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idC5F120443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="idF3EB20443" action="Deny" direction="Both" disabled="False" group="" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="idC5F120443"/>
|
|
<ServiceRef ref="id3C6820443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id531F20443" comment="DSCP matching is not supported by pf" action="Deny" direction="Both" disabled="True" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C6920443"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id532C20443" action="Deny" direction="Both" disabled="False" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id534720443" name="Routing"/>
|
|
<Interface id="id534820443" name="eth1" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id534A20443" name="firewall63:eth1:ip" address="22.22.22.22" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id534B20443" name="eth0" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id534D20443" name="firewall63:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id534E20443" name="lo" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id535020443" name="firewall63:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="enable_ipv6">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="ipv4_6_order">ipv4_first</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="modulate_state">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast">0</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect">0</Option>
|
|
<Option name="openbsd_ip_sourceroute">0</Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">False</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
</ObjectGroup>
|
|
<IntervalGroup id="stdid11_1" name="Time"/>
|
|
<ObjectRef ref="id483F5B7623190"/>
|
|
<ObjectRef ref="id4833F6316131"/>
|
|
<ObjectRef ref="id4833F62E6131"/>
|
|
<ObjectRef ref="id4833F62F6131"/>
|
|
<ObjectRef ref="id4833F6306131"/>
|
|
<ObjectRef ref="id4848A42F4626"/>
|
|
<ObjectRef ref="id4848A4414626"/>
|
|
<ObjectRef ref="id48493B6E4626"/>
|
|
<ObjectRef ref="id4848A4304626"/>
|
|
<ObjectRef ref="id4848A4314626"/>
|
|
<ObjectRef ref="id484B0A134626"/>
|
|
<ObjectRef ref="id484B3D324626"/>
|
|
<ObjectRef ref="id484A05CA4626"/>
|
|
<ObjectRef ref="id484A06094626"/>
|
|
<ObjectRef ref="id484A06174626"/>
|
|
<ObjectRef ref="id484A06184626"/>
|
|
<ObjectRef ref="id4848F1D520246"/>
|
|
<ObjectRef ref="id4848F19620246"/>
|
|
<ObjectRef ref="id4848F1D320246"/>
|
|
<ObjectRef ref="id4848F1D420246"/>
|
|
</Library>
|
|
<Library id="id415276C8" name="lab" color="#FFFFFF" ro="False">
|
|
<ObjectGroup id="id415276C9" name="Objects">
|
|
<ObjectGroup id="id415276C9_og_ats_1" name="Address Tables"/>
|
|
<ObjectGroup id="id415276CA" name="Addresses">
|
|
<IPv4 id="id4144D59F" name="hst1" address="10.3.14.10" netmask="255.255.255.255"/>
|
|
<IPv4 id="id4144D5A0" name="hst2" address="10.3.14.40" netmask="255.255.255.255"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id415276CB" name="Groups"/>
|
|
<ObjectGroup id="id415276CC" name="Hosts"/>
|
|
<ObjectGroup id="id415276CD" name="Networks">
|
|
<Network id="id414C5C51" name="n-10.3.14" address="10.3.14.0" netmask="255.255.255.0"/>
|
|
<Network id="id414C70BE" name="labnet" address="10.1.1.0" netmask="255.255.255.0"/>
|
|
<Network id="id414C7BA7" name="n-10.1.2" address="10.1.2.0" netmask="255.255.255.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="id415276CE" name="Address Ranges"/>
|
|
<ObjectGroup id="id4386458B18448" name="DNS Names"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id415276CF" name="Services">
|
|
<ServiceGroup id="id415276CF_og_tag_1" name="TagServices">
|
|
<TagService id="id4847247323126" name="INTNET" tagcode="INTNET"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id415276D0" name="Groups"/>
|
|
<ServiceGroup id="id415276D1" name="ICMP"/>
|
|
<ServiceGroup id="id415276D2" name="IP"/>
|
|
<ServiceGroup id="id415276D3" name="TCP"/>
|
|
<ServiceGroup id="id415276D4" name="UDP"/>
|
|
<ServiceGroup id="id415276D5" name="Custom"/>
|
|
<ServiceGroup id="id415276CF_userservices" name="Users"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id415276D6" name="Firewalls">
|
|
<Firewall id="id3AF5A2BA" name="labfw-openbsd" comment="firewall protects host it is running on Note that we set output file name to /tmp/labfw.fw to test what compiler is going to do (since it generates three files rather than one), as well as to test installer in this case " host_OS="openbsd" inactive="False" lastCompiled="1172032243" lastInstalled="1172032344" lastModified="1212609898" platform="pf" ro="False" version="">
|
|
<NAT id="id3AF5A2BD" name="NAT">
|
|
<NATRule id="id414E693E" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5A2CB"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule id="id414E7DF6" disabled="False" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
<ObjectRef ref="id414C5C51"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id414C5C51"/>
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3AF5A2BC" name="Policy">
|
|
<PolicyRule id="id48472A0C23126" action="Tag" direction="Both" disabled="False" group="" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_load_option">none</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="tagobject_id">id4847247323126</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id414C70C1" action="Deny" direction="Inbound" disabled="False" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
<ObjectRef ref="id414C7BA7"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5A2CB"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id414C47E4" action="Deny" direction="Outbound" disabled="False" log="True" position="2">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5A2CB"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id41441D4F" action="Accept" direction="Both" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB7090"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445E76C726850" action="Branch" direction="Inbound" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5A2CB"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id414E7E0E" action="Accept" direction="Both" disabled="False" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id414C5C51"/>
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
<ObjectRef ref="id414C5C51"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5A757" comment="allow all outgoing connections" action="Accept" direction="Both" disabled="False" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id3AF5A762" comment="'catch all' rule" action="Deny" direction="Both" disabled="False" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Policy id="id445E76D326850" name="rule3_branch">
|
|
<PolicyRule id="id445E77D326850" comment="block fragments" action="Deny" direction="Both" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id445E77BB26850" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4144D59F"/>
|
|
<ObjectRef ref="id4144D5A0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3AF5A2BA-routing" name="Routing"/>
|
|
<Interface id="id3AF5A2CB" name="pcn0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id3AF5A2CB-ipv4" name="labfw-openbsd:pcn0:ip" address="10.3.14.120" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id3AFB7090" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id3AFB7090-ipv4" name="labfw-openbsd:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id414C70BB" name="pcn1" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id414C70BD" name="labfw-openbsd:pcn1:ip" address="10.1.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="10.3.14.120">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress">labfw</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc/fw</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr">10.3.14.40</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast"></Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect"></Option>
|
|
<Option name="openbsd_ip_sourceroute"></Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id42B5D8FC" name="labfw-fbsd" host_OS="freebsd" inactive="True" lastCompiled="1157930826" lastInstalled="0" lastModified="1147032998" platform="pf" ro="False" version="">
|
|
<NAT id="id42B5D93E" name="NAT">
|
|
<NATRule id="id42B5D93F" disabled="False" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id42B5D95D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id42B5D901" name="Policy">
|
|
<PolicyRule id="id42B5D977" action="Deny" direction="Inbound" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
<ObjectRef ref="id42B5D8FC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id42B5D95D"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B5D982" action="Deny" direction="Outbound" disabled="False" log="True" position="1">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id42B5D8FC"/>
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id42B5D95D"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B5D99C" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id42B5D98E"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B5D902" comment="block fragments" action="Deny" direction="Both" disabled="False" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id42B5D8FC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B5D929" comment="need this because PF consults policy rules after nat as well" action="Accept" direction="Both" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id42B5D8FC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B612DC" comment="allow all outgoing connections" action="Accept" direction="Both" disabled="False" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id414C70BE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id42B5D934" comment="'catch all' rule" action="Deny" direction="Both" disabled="False" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id42B5D8FC-routing" name="Routing"/>
|
|
<Interface id="id42B5D95D" name="lnc0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id42B5D98D" name="labfw-fbsd:lnc0:ip" address="10.3.14.121" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id42B5D98E" name="lo0" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id42B5D9A6" name="labfw-fbsd:lo0:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface id="id42B5D9A7" name="lnc1" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id42B5D9AB" name="labfw-fbsd:lnc1:ip" address="10.1.1.1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="10.3.14.121">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress">10.3.14.121</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc/fw</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="freebsd_ip_redirect"></Option>
|
|
<Option name="freebsd_ip_sourceroute"></Option>
|
|
<Option name="freebsd_path_ipf"></Option>
|
|
<Option name="freebsd_path_ipfw"></Option>
|
|
<Option name="freebsd_path_ipnat"></Option>
|
|
<Option name="freebsd_path_sysctl"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr">10.3.14.40</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast"></Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect"></Option>
|
|
<Option name="openbsd_ip_sourceroute"></Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id45DE9C5B2560" name="openbsd-4.0" comment="firewall protects host it is running on Note that we set output file name to /tmp/labfw.fw to test what compiler is going to do (since it generates three files rather than one), as well as to test installer in this case " host_OS="openbsd" inactive="False" lastCompiled="1202683169" lastInstalled="1202683190" lastModified="1202683163" platform="pf" ro="False" version="ge_3.7">
|
|
<NAT id="id45DE9CDB2560" name="NAT"/>
|
|
<Policy id="id45DE9C612560" name="Policy">
|
|
<PolicyRule id="id47B0069F19082" action="Accept" direction="Both" disabled="True" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4144D5A0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45DE9C5B2560"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45DE9C6F2560" action="Deny" direction="Outbound" disabled="False" log="True" position="1">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id45DE9C5B2560"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45DE9CFB2560"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45DE9C7C2560" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45DE9CFE2560"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45DE9C882560" action="Branch" direction="Inbound" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45DE9C5B2560"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45DE9CFB2560"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45DE9CC22560" comment="allow all outgoing connections" action="Accept" direction="Both" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id45DE9C5B2560"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45DE9CCF2560" comment="'catch all' rule" action="Deny" direction="Both" disabled="False" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Policy id="id45DE9C942560" name="rule3_branch">
|
|
<PolicyRule id="id45DE9C952560" comment="block fragments" action="Deny" direction="Both" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45DE9C5B2560"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id45DE9CA12560" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4144D59F"/>
|
|
<ObjectRef ref="id4144D5A0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45DE9C5B2560"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id45DE9CFA2560" name="Routing"/>
|
|
<Interface id="id45DE9CFB2560" name="pcn0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id45DE9CFD2560" name="openbsd-4.0:pcn0:ip" address="10.3.14.54" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id45DE9CFE2560" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id45DE9D002560" name="openbsd-4.0:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="10.3.14.54">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc/fw</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr">10.3.14.40</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast"></Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect"></Option>
|
|
<Option name="openbsd_ip_sourceroute"></Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall id="id47B07CD419082" name="openbsd-4.2" comment="firewall protects host it is running on Note that we set output file name to /tmp/labfw.fw to test what compiler is going to do (since it generates three files rather than one), as well as to test installer in this case " host_OS="openbsd" inactive="False" lastCompiled="1202686003" lastInstalled="1202686020" lastModified="1202685992" platform="pf" ro="False" version="4.x">
|
|
<NAT id="id47B07D4319082" name="NAT"/>
|
|
<Policy id="id47B07CDA19082" name="Policy">
|
|
<PolicyRule id="id47B07CDB19082" action="Accept" direction="Both" disabled="True" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4144D5A0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47B07CD419082"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47B07CE719082" action="Deny" direction="Outbound" disabled="False" log="True" position="1">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id47B07CD419082"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id47B07D4519082"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47B07CF319082" action="Accept" direction="Both" disabled="False" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id47B07D4819082"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47B07CFF19082" action="Branch" direction="Inbound" disabled="False" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47B07CD419082"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id47B07D4519082"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47B07D2B19082" comment="allow all outgoing connections" action="Accept" direction="Both" disabled="False" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id47B07CD419082"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47B07D3719082" comment="'catch all' rule" action="Deny" direction="Both" disabled="False" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Policy id="id47B07D0B19082" name="rule3_branch">
|
|
<PolicyRule id="id47B07D0C19082" comment="block fragments" action="Deny" direction="Both" disabled="False" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47B07CD419082"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule id="id47B07D1819082" action="Accept" direction="Both" disabled="False" log="False" position="1">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4144D59F"/>
|
|
<ObjectRef ref="id4144D5A0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id47B07CD419082"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id47B07D4419082" name="Routing"/>
|
|
<Interface id="id47B07D4519082" name="pcn0" bridgeport="False" dyn="False" label="" mgmt="True" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 id="id47B07D4719082" name="openbsd-4.2:pcn0:ip" address="10.3.14.50" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface id="id47B07D4819082" name="lo" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 id="id47B07D4A19082" name="openbsd-4.2:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="10.3.14.50">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser">root</Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="fallback_log">False</Option>
|
|
<Option name="firewall_dir">/etc/fw</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr">10.3.14.42</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="modulate_state">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="openbsd_ip_directed_broadcast"></Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="openbsd_ip_redirect"></Option>
|
|
<Option name="openbsd_ip_sourceroute"></Option>
|
|
<Option name="openbsd_path_pfctl"></Option>
|
|
<Option name="openbsd_path_sysctl"></Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">False</Option>
|
|
<Option name="pf_adaptive_end">0</Option>
|
|
<Option name="pf_adaptive_start">0</Option>
|
|
<Option name="pf_do_limit_frags">False</Option>
|
|
<Option name="pf_do_limit_src_nodes">False</Option>
|
|
<Option name="pf_do_limit_states">False</Option>
|
|
<Option name="pf_do_limit_table_entries">False</Option>
|
|
<Option name="pf_do_limit_tables">False</Option>
|
|
<Option name="pf_do_scrub">True</Option>
|
|
<Option name="pf_do_timeout_frag">False</Option>
|
|
<Option name="pf_do_timeout_interval">False</Option>
|
|
<Option name="pf_icmp_error">0</Option>
|
|
<Option name="pf_icmp_first">0</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_src_nodes">0</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_limit_table_entries">0</Option>
|
|
<Option name="pf_limit_tables">0</Option>
|
|
<Option name="pf_optimization"></Option>
|
|
<Option name="pf_other_first">0</Option>
|
|
<Option name="pf_other_multiple">0</Option>
|
|
<Option name="pf_other_single">0</Option>
|
|
<Option name="pf_scrub_fragm_crop">False</Option>
|
|
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_scrub_minttl">1</Option>
|
|
<Option name="pf_scrub_no_df">False</Option>
|
|
<Option name="pf_scrub_random_id">False</Option>
|
|
<Option name="pf_scrub_reassemble">True</Option>
|
|
<Option name="pf_scrub_use_maxmss">False</Option>
|
|
<Option name="pf_scrub_use_minttl">False</Option>
|
|
<Option name="pf_set_adaptive">False</Option>
|
|
<Option name="pf_set_icmp_error">False</Option>
|
|
<Option name="pf_set_icmp_first">False</Option>
|
|
<Option name="pf_set_other_first">False</Option>
|
|
<Option name="pf_set_other_multiple">False</Option>
|
|
<Option name="pf_set_other_single">False</Option>
|
|
<Option name="pf_set_tcp_closed">False</Option>
|
|
<Option name="pf_set_tcp_closing">False</Option>
|
|
<Option name="pf_set_tcp_established">False</Option>
|
|
<Option name="pf_set_tcp_finwait">False</Option>
|
|
<Option name="pf_set_tcp_first">False</Option>
|
|
<Option name="pf_set_tcp_opening">False</Option>
|
|
<Option name="pf_set_udp_first">False</Option>
|
|
<Option name="pf_set_udp_multiple">False</Option>
|
|
<Option name="pf_set_udp_single">False</Option>
|
|
<Option name="pf_tcp_closed">0</Option>
|
|
<Option name="pf_tcp_closing">0</Option>
|
|
<Option name="pf_tcp_established">0</Option>
|
|
<Option name="pf_tcp_finwait">0</Option>
|
|
<Option name="pf_tcp_first">0</Option>
|
|
<Option name="pf_tcp_opening">0</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pf_udp_first">0</Option>
|
|
<Option name="pf_udp_multiple">0</Option>
|
|
<Option name="pf_udp_single">0</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">fw_file</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="use_tables">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
</ObjectGroup>
|
|
<IntervalGroup id="id415276D7" name="Time"/>
|
|
</Library>
|
|
<Library id="id4387B43718346" name="transfer" color="#FFFFFF" ro="False">
|
|
<ObjectGroup id="id4387B43818346" name="Objects">
|
|
<ObjectGroup id="id4387B43918346" name="Addresses"/>
|
|
<ObjectGroup id="id4387B43A18346" name="DNS Names"/>
|
|
<ObjectGroup id="id4387B43B18346" name="Address Tables"/>
|
|
<ObjectGroup id="id4387B43C18346" name="Groups"/>
|
|
<ObjectGroup id="id4387B43D18346" name="Hosts"/>
|
|
<ObjectGroup id="id4387B43E18346" name="Networks"/>
|
|
<ObjectGroup id="id4387B43F18346" name="Address Ranges"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id4387B44018346" name="Services">
|
|
<ServiceGroup id="id4387B44018346_og_tag_1" name="TagServices"/>
|
|
<ServiceGroup id="id4387B44118346" name="Groups"/>
|
|
<ServiceGroup id="id4387B44218346" name="ICMP"/>
|
|
<ServiceGroup id="id4387B44318346" name="IP"/>
|
|
<ServiceGroup id="id4387B44418346" name="TCP"/>
|
|
<ServiceGroup id="id4387B44518346" name="UDP"/>
|
|
<ServiceGroup id="id4387B44618346" name="Custom"/>
|
|
<ServiceGroup id="id4387B44018346_userservices" name="Users"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id4387B44718346" name="Firewalls"/>
|
|
<IntervalGroup id="id4387B44818346" name="Time"/>
|
|
</Library>
|
|
<Library id="syslib000" name="Standard" comment="Standard objects" color="#d4f8ff" ro="True">
|
|
<ServiceGroup id="stdid05" name="Services">
|
|
<ServiceGroup id="stdid06" name="IP">
|
|
<IPService id="ip-IP_Fragments" name="ip_fragments" comment="'Short' fragments" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False"/>
|
|
<IPService id="ip-IPSEC" name="ESP" comment="IPSEC Encapsulating Security Payload Protocol" fragm="False" lsrr="False" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
|
<IPService id="ip-RR" name="RR" comment="Route recording packets" fragm="False" lsrr="False" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False"/>
|
|
<IPService id="ip-SRR" name="SRR" comment="All sorts of Source Routing Packets" fragm="False" lsrr="True" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False"/>
|
|
<IPService id="id3D703C8F" name="GRE" comment="Generic Routing Encapsulation " fragm="False" lsrr="False" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
|
<IPService id="id3CB12797" name="AH" comment="IPSEC Authentication Header Protocol" fragm="False" lsrr="False" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid09" name="TCP">
|
|
<TCPService id="tcp-Auth" name="auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
|
|
<TCPService id="tcp-DNS_zone_transf" name="dns-tcp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
<TCPService id="tcp-FTP" name="ftp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
|
|
<TCPService id="tcp-HTTP" name="http" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
|
|
<TCPService id="tcp-NNTP" name="nntp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
|
|
<TCPService id="tcp-SMTP" name="smtp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
|
|
<TCPService id="tcp-SSH" name="ssh" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
|
|
<TCPService id="tcp-Telnet" name="telnet" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="23" dst_range_end="23"/>
|
|
<TCPService id="tcp-uucp" name="uucp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="540" dst_range_end="540"/>
|
|
<TCPService id="id3AEDBE6E" name="daytime" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
|
|
<TCPService id="id3B4FEDA3" name="eklogin" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="2105" dst_range_end="2105"/>
|
|
<TCPService id="id3B4FED69" name="https" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="443" dst_range_end="443"/>
|
|
<TCPService id="id3AECF776" name="imap" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="143" dst_range_end="143"/>
|
|
<TCPService id="id3B4FED9F" name="imaps" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="993" dst_range_end="993"/>
|
|
<TCPService id="id3B4FF13C" name="irc" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
|
|
<TCPService id="id3B4FEE21" name="klogin" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="543" dst_range_end="543"/>
|
|
<TCPService id="id3B4FEE23" name="ksh" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="544" dst_range_end="544"/>
|
|
<TCPService id="id3AECF778" name="ldap" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="389" dst_range_end="389"/>
|
|
<TCPService id="id3B4FF000" name="linuxconf" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="98" dst_range_end="98"/>
|
|
<TCPService id="id3B4FEEEE" name="mysql" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="3306" dst_range_end="3306"/>
|
|
<TCPService id="id3B4FEE7A" name="nfs" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
|
|
<TCPService id="id3B4FEE1D" name="pop3" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="110" dst_range_end="110"/>
|
|
<TCPService id="id3B4FF0EA" name="postgres" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="5432" dst_range_end="5432"/>
|
|
<TCPService id="id3AECF782" name="printer" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
|
|
<TCPService id="id3B4FEF7C" name="quake" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
|
|
<TCPService id="id3AECF77A" name="rexec" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="512" dst_range_end="512"/>
|
|
<TCPService id="id3AECF77C" name="rlogin" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
|
|
<TCPService id="id3AECF77E" name="rshell" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
|
|
<TCPService id="id3B4FEF34" name="rwhois" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="4321" dst_range_end="4321"/>
|
|
<TCPService id="id3B4FF04C" name="smtps" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="465" dst_range_end="465"/>
|
|
<TCPService id="id3B4FEE76" name="socks" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="1080" dst_range_end="1080"/>
|
|
<TCPService id="id3AEDBE00" name="sunrpc" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
|
|
<TCPService id="id3B4FF1B8" name="xfs" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="7100" dst_range_end="7100"/>
|
|
<TCPService id="tcp-TCP-SYN" name="tcp-syn" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="tcp-FTP_data" name="ftp data" comment="FTP data channel. Note: FTP protocol does not really require server to use source port 20 for the data channel, but many ftp server implementations do so." ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="20" src_range_end="20" dst_range_start="1024" dst_range_end="65535"/>
|
|
<TCPService id="id3B4FF09A" name="squid" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
|
|
<TCPService id="tcp-All_TCP" name="All TCP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<TCPService id="tcp-DNS" name="domain" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid08" name="UDP">
|
|
<UDPService id="udp-DNS" name="domain" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
|
|
<UDPService id="udp-All_UDP" name="All UDP" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
|
|
<UDPService id="udp-bootpc" name="bootpc" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid10" name="Groups">
|
|
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP">
|
|
<ServiceRef ref="icmp-Time_exceeded"/>
|
|
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
|
|
<ServiceRef ref="icmp-ping_reply"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3CB1279B" name="IPSEC">
|
|
<ServiceRef ref="id3CB12797"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3F530CC8" name="DNS">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
<ServiceRef ref="tcp-DNS"/>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid07" name="ICMP">
|
|
<ICMPService id="icmp-ping_request" name="ping request" code="0" type="8"/>
|
|
<ICMPService id="icmp-Unreachables" name="all ICMP unreachables" code="-1" type="3"/>
|
|
<ICMPService id="id3C20EEB5" name="any ICMP" code="-1" type="-1"/>
|
|
<ICMPService id="icmp-Time_exceeded" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" code="0" type="11"/>
|
|
<ICMPService id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" code="1" type="11"/>
|
|
<ICMPService id="icmp-ping_reply" name="ping reply" code="0" type="0"/>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<AnyIPService id="sysid1" name="Any" comment="Any IP Service" protocol_num="0"/>
|
|
<AnyNetwork id="sysid0" name="Any" comment="Any Network" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<AnyInterval id="sysid2" name="Any" comment="Any Interval" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
|
|
<IntervalGroup id="stdid11" name="Time">
|
|
<Interval id="int-afterhours" name="afterhours" comment="any day 6:00pm - 12:00am" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1"/>
|
|
<Interval id="id3C63479C" name="Sat" days_of_week="6" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1"/>
|
|
<Interval id="id3C63479E" name="Sun" days_of_week="0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1"/>
|
|
</IntervalGroup>
|
|
<ObjectGroup id="stdid01" name="Objects">
|
|
<ObjectGroup id="stdid03" name="Networks">
|
|
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks. " address="192.168.1.0" netmask="255.255.255.0"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
</Library>
|
|
</FWObjectDatabase>
|