<?xml version="1.0" encoding="utf-8"?>
<!-- fwbuilder object database; the filenames under test/ipt suggest this is a test
     fixture. The DOCTYPE below names an external DTD subset by a relative SYSTEM
     identifier: a consumer that parses this file with external DTD loading or entity
     expansion enabled will try to resolve "fwbuilder.dtd" from the document's location.
     Parse with DTD loading and external-entity resolution disabled unless validation
     against the bundled DTD is the intent. -->
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="2.1.15" lastModified="1196093903" id="root">
<Library color="#d2ffd0" comment="User defined objects" id="syslib001" name="User">
<ObjectGroup id="stdid01_1" name="Objects">
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables">
  <!-- AddressTable objects take their member addresses from the file named in
       "filename". The comment on "block these" calls run_time="True" a run-time table,
       so that flag presumably defers reading the file to when the generated firewall
       script runs (confirm against the compiler); in that mode the file's contents and
       write permissions on the firewall host decide what the rule matches. Three entries
       use absolute paths under a developer's home directory and will not resolve on
       another machine. -->
  <AddressTable comment="" filename="/home/vadim/Projects/fwb2.1/fwb2/fwbuilder2/test/ipt/addr-table-1.tbl" id="id4385C1081434" name="addrtbl 1" run_time="False"/>
  <AddressTable comment="" filename="addr-table-1.tbl" id="id4389EE9018346" name="addr-table-1" run_time="False"/>
  <AddressTable comment="this is run-time table" filename="block-hosts.tbl" id="id4389EE9118346" name="block these" run_time="True"/>
  <!-- Per its comment the name holds a shell-special character; presumably exercises
       quoting of object names when they are emitted into the generated script. -->
  <AddressTable comment="the name contains character that is special to shell" filename="/home/vadim/tmp/bug-1544488/addr-table-1.tbl" id="id44F7056328576" name="atbl.1" run_time="True"/>
  <!-- "emtpy" is spelled this way in the filename; it must match the file on disk. -->
  <AddressTable comment="" filename="/home/vadim/Projects/fwb2.1/fwb2/fwbuilder2/test/ipt/emtpy-table.tbl" id="id459673BE7794" name="empty table" run_time="False"/>
</ObjectGroup>
<ObjectGroup id="stdid01_1_og_dnsn_1" name="DNS Names">
  <!-- Each DNSName resolves "dnsrec" to addresses. The "(ct)"/"(rt)" name suffixes
       track run_time="False"/"True". By analogy with the address tables, run-time
       objects are presumably resolved when the generated script runs, so the resolver
       used by the firewall host at that moment decides what the rule matches; confirm
       against the compiler. "buildmaster" is an unqualified name, so its resolution
       depends on the resolver's search domain. -->
  <DNSName comment="" dnsrec="www.cnn.com" id="id43869E8C18346" name="cnn (ct)" run_time="False"/>
  <DNSName comment="" dnsrec="www.cnn.com" id="id43869E8D18346" name="cnn (rt)" run_time="True"/>
  <DNSName comment="an example of a local host" dnsrec="buildmaster" id="id43869E8E18346" name="buildmaster (ct)" run_time="False"/>
  <DNSName comment="an example of a local host" dnsrec="buildmaster" id="id43869E8F18346" name="buildmaster (rt)" run_time="True"/>
  <DNSName comment="" dnsrec="www.google.com" id="id4387287918346" name="google (ct)" run_time="False"/>
  <DNSName comment="" dnsrec="www.google.com" id="id4387287A18346" name="google (rt)" run_time="True"/>
  <DNSName comment="" dnsrec="www.heise.de" id="id44EC181D8791" name="heise" run_time="True"/>
</ObjectGroup>
<ObjectGroup id="stdid16_1" name="Addresses">
  <!-- Stand-alone IPv4 objects, all with a /32 netmask. "net_address" is 192.168.1.0
       as a single address rather than a network, and "this_host" is 0.0.0.0; both look
       like deliberate edge cases for the compiler. -->
  <IPv4 address="192.168.1.0" comment="" id="id417B3641" name="net_address" netmask="255.255.255.255"/>
  <IPv4 address="61.150.47.112" comment="" id="id4388C37D674" name="sapmhost1" netmask="255.255.255.255"/>
  <IPv4 address="0.0.0.0" comment="" id="id44C0695713221" name="this_host" netmask="255.255.255.255"/>
  <IPv4 address="1.1.1.1" comment="" id="id44F7082928576" name="some address" netmask="255.255.255.255"/>
  <IPv4 address="224.0.0.18" comment="" id="id45D61A0923626" name="VRRP" netmask="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="stdid04_1" name="Groups">
  <!-- Groups hold references (ObjectRef ref="...") to objects defined elsewhere in this
       database; many referenced ids (fw-firewall2, net-Internal_net, the if-* and id3AFB*
       ids) are outside this part of the file. Several groups are edge cases for group
       expansion: a group that contains itself, a group whose only member is an empty
       group, and a group mixing firewalls, interfaces and addresses. -->
  <ObjectGroup id="id3B4572AF" name="group1">
    <ObjectRef ref="host-hostA"/>
    <ObjectRef ref="host-hostB"/>
  </ObjectGroup>
  <ObjectGroup id="id3B4572B5" name="platform">
    <ObjectRef ref="id3AFC0F70"/>
    <ObjectRef ref="id3AFC191C"/>
  </ObjectGroup>
  <ObjectGroup id="id3BBC0EFC" name="netgroup1">
    <ObjectRef ref="net-Internal_net"/>
    <ObjectRef ref="id3B022266"/>
  </ObjectGroup>
  <ObjectGroup id="id3CD87A9A" name="group-range-1">
    <ObjectRef ref="id3CD87A53"/>
    <ObjectRef ref="id3CD87A5E"/>
    <ObjectRef ref="id3CD87A6D"/>
    <ObjectRef ref="id3CD87A7C"/>
    <ObjectRef ref="id3CD87A8B"/>
  </ObjectGroup>
  <ObjectGroup id="id3D41A435" name="fw-group">
    <ObjectRef ref="fw-firewall2"/>
    <ObjectRef ref="id3B19C5EB"/>
  </ObjectGroup>
  <ObjectGroup id="id3D71A1BA" name="tst1">
    <ObjectRef ref="id3CD8769F"/>
    <ObjectRef ref="id3D41A435"/>
    <ObjectRef ref="id3D151943"/>
    <ObjectRef ref="id3B022266"/>
    <ObjectRef ref="fw-firewall2"/>
    <ObjectRef ref="if-FW-firewall2-eth0"/>
    <ObjectRef ref="if-FW-firewall2-eth0-ipv4"/>
    <ObjectRef ref="id3D151947-i-1-addr"/>
    <ObjectRef ref="id3DECF62C"/>
    <ObjectRef ref="id3DECF4EC"/>
  </ObjectGroup>
  <ObjectGroup id="id3D8FC56A" name="group2">
    <ObjectRef ref="host-hostA"/>
  </ObjectGroup>
  <ObjectGroup id="id3DB0B356" name="hosts with mac">
    <ObjectRef ref="id3BF1B3E1"/>
    <ObjectRef ref="id3BF1B3E7"/>
    <ObjectRef ref="id3DB0B350"/>
    <ObjectRef ref="id3E0BD747"/>
  </ObjectGroup>
  <ObjectGroup id="id3DE689FE" name="empty Ogroup"/>
  <ObjectGroup id="id3DE68A00" name="empty Ogroup2">
    <ObjectRef ref="id3DE689FE"/>
  </ObjectGroup>
  <ObjectGroup id="id3EC69DA8" name="broadcasts">
    <ObjectRef ref="id3CFBE20C"/>
    <ObjectRef ref="id3B64FFAC"/>
  </ObjectGroup>
  <!-- The second member is this group's own id: expansion must detect the cycle. -->
  <ObjectGroup id="id3F1B9C18" name="recursive group">
    <ObjectRef ref="host-hostA"/>
    <ObjectRef ref="id3F1B9C18"/>
  </ObjectGroup>
  <ObjectGroup comment="" id="id40F57E7C" name="netgroup2">
    <ObjectRef ref="id3CEBFCAE"/>
    <ObjectRef ref="id3B665643"/>
  </ObjectGroup>
  <ObjectGroup comment="this group is a combination of a regular address object and an address table in run-time mode" id="id4390C25525682" name="at group">
    <ObjectRef ref="id4388C37D674"/>
    <ObjectRef ref="id4389EE9118346"/>
  </ObjectGroup>
  <ObjectGroup comment="" id="id445F52ED31658" name="external hosts 1">
    <ObjectRef ref="id4388C37D674"/>
    <ObjectRef ref="id445F59D831658"/>
  </ObjectGroup>
  <ObjectGroup comment="" id="id45969FEC7794" name="combined group">
    <ObjectRef ref="id459673BE7794"/>
    <ObjectRef ref="id3B665641"/>
  </ObjectGroup>
  <!-- Name contains a comma; presumably exercises quoting of names in generated output. -->
  <ObjectGroup comment="" id="id4653B4A820440" name="fw2i1,3">
    <ObjectRef ref="id3AFB6706"/>
    <ObjectRef ref="id3AFB68D2"/>
  </ObjectGroup>
</ObjectGroup>
<ObjectGroup id="stdid02_1" name="Hosts">
<Host comment="multicast address which is _not_ local link multicast " id="id3A84EECE" name="DHCP-Servers (multicast)">
  <!-- Multicast address 224.0.1.141 modelled as a Host; its interface address carries a
       /24 netmask where most hosts in this file use /32. -->
  <Interface bridgeport="False" dyn="False" id="id3D84EED2" name="interface1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="224.0.1.141" id="id3D84EEDA" name="DHCP-Servers (multicast)" netmask="255.255.255.0"/>
  </Interface>
  <Management address="224.0.1.141">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <!-- Boolean spelled "false" here and "False" on the next line; the reader of these
         options presumably compares case-insensitively, confirm before normalising. -->
    <Option name="use_mac_addr">false</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3CFBE20C" name="broadcast">
  <!-- Limited broadcast 255.255.255.255 as a Host object. -->
  <Interface bridgeport="False" dyn="False" id="id3CFBE20C-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="255.255.255.255" comment="" id="id3CFBE20C-i-1-addr" name="broadcast:address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="255.255.255.255">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr">False</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3D151943" name="dmzhost1">
  <!-- Single-address host on 192.168.2.0; management address matches the interface. -->
  <Interface bridgeport="False" dyn="False" id="id3D151943-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="192.168.2.10" id="id3D151943-i-1-addr" name="address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="192.168.2.10">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr">False</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3D151947" name="dmzhost2">
  <!-- Single-address host on 192.168.2.0; management address matches the interface. -->
  <Interface bridgeport="False" dyn="False" id="id3D151947-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="192.168.2.11" id="id3D151947-i-1-addr" name="address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="192.168.2.11">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr">False</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="this host is used in firewall14" id="id3DE7223E" name="h-fw14-eth1-1">
  <Interface bridgeport="False" dyn="False" id="id3DE72244" name="interface1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="22.22.23.22" comment="" id="id3DE72245" name="h-fw14-eth1-1" netmask="255.255.255.255"/>
  </Interface>
  <!-- Management address 22.22.23.160 is not this host's interface address
       (22.22.23.22); it is the address of h-fw14-eth1-2. If that is not deliberate,
       SNMP and policy-install traffic for this object would go to the other host.
       Both management mechanisms are disabled here, so it has no effect as stored. -->
  <Management address="22.22.23.160">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <!-- "false" vs "False": mixed boolean spelling within one element. -->
    <Option name="use_mac_addr">false</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="this host is used in firewall14" id="id3DE72236" name="h-fw14-eth1-2">
  <Interface bridgeport="False" dyn="False" id="id3DE7223A" name="interface1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="22.22.23.160" comment="" id="id3DE7223B" name="h-fw14-eth1-2" netmask="255.255.255.255"/>
  </Interface>
  <!-- Management address matches the interface address. -->
  <Management address="22.22.23.160">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <!-- "false" vs "False": mixed boolean spelling within one element. -->
    <Option name="use_mac_addr">false</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="this host is used in firewall14" id="id3DE722F1" name="h-fw14-eth1-N">
  <Interface bridgeport="False" dyn="False" id="id3DE722F7" name="interface1" security_level="0" unnum="False" unprotected="False">
    <!-- Address object is named "h-fw14-eth1-1" although it belongs to h-fw14-eth1-N;
         looks like a copy of the sibling host that was not renamed. -->
    <IPv4 address="22.22.23.40" comment="" id="id3DE722F8" name="h-fw14-eth1-1" netmask="255.255.255.255"/>
  </Interface>
  <!-- Management address 22.22.23.22 is h-fw14-eth1-1's address, not this host's
       (22.22.23.40). Management is disabled here, so it has no effect as stored. -->
  <Management address="22.22.23.22">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr">false</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="this host has the same IP address as firewall1 and firewall2" id="id3AFC0F70" name="host-fw2">
  <!-- Deliberate address clash with the firewall objects (per the comment). -->
  <Interface bridgeport="False" dyn="False" id="id3AFC0F70-i" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="22.22.22.22" id="id3AFC0F70-i-ipv4" name="address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="0.0.0.0">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="use_mac_addr_filter">false</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3BF1B3E1" name="host-with-mac-1">
  <!-- Interface carries both an IPv4 address and a physAddress, with
       use_mac_addr_filter set to True. 192.168.1.10 is also hostA's address. -->
  <Interface bridgeport="False" comment="" dyn="False" id="id3BF1B3E2" label="" mgmt="False" name="host-with-mac-1:1" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.10" comment="" id="id3BF1B3E2-ipv4" name="host-with-mac-1/addr" netmask="255.255.255.0"/>
    <physAddress address="00:10:4b:de:e9:6f" id="id3BF1B3E2-pa" name="host-with-mac-1:1-pa"/>
  </Interface>
  <Management address="192.168.1.10">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr_filter">True</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3BF1B3E7" name="host-with-mac-2">
  <!-- MAC-only host: the interface has a physAddress but no IPv4 child, and the
       management address is 0.0.0.0. -->
  <Interface bridgeport="False" comment="" dyn="False" id="id3BF1B3E8" label="" mgmt="False" name="host-with-mac-2:1" security_level="100" unnum="False" unprotected="False">
    <physAddress address="00:10:4b:de:e9:70" id="id3BF1B3E8-pa" name="host-with-mac-2:1-pa"/>
  </Interface>
  <Management address="0.0.0.0">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr_filter">True</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3DB0B350" name="host-with-mac-3">
  <!-- MAC-only host: physAddress without an IPv4 child. -->
  <Interface bridgeport="False" comment="" dyn="False" id="id3DB0B351" label="" mgmt="False" name="host-with-mac-3:1" security_level="100" unnum="False" unprotected="False">
    <physAddress address="00:10:4b:de:e9:71" id="id3DB0B351-pa" name="host-with-mac-3:1-pa"/>
  </Interface>
  <Management address="0.0.0.0">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr_filter">True</Option>
  </HostOptions>
</Host>
<Host comment="this host has an interface with both IP address and MAC address chld objects, but both are empty. This helps us find possible problems caused by such objects." id="id3E0BD747" name="host-with-mac-4">
  <!-- The comment describes an empty IPv4 child as well, but only the (empty)
       physAddress is present in this part of the file; the IPv4 child may have been
       removed at some point. -->
  <Interface bridgeport="False" comment="" dyn="False" id="id3E0BD748" label="" mgmt="False" name="host-with-mac-4:1" security_level="100" unnum="False" unprotected="False">
    <physAddress address="" comment="" id="id3E0BD74A" name="host-with-mac-4:1-pa"/>
  </Interface>
  <Management address="0.0.0.0">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr_filter">True</Option>
  </HostOptions>
</Host>
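<!-- As rendered here the comment attribute contains bare double quotes inside a
     double-quoted value, which is not well-formed XML; they are written as &quot; below
     (no change if the on-disk file already escapes them). The comment also says MAC
     matching is NOT activated, yet use_mac_addr_filter is True; the comment may refer
     to the absent "use_mac_addr" option instead, confirm which option the compiler
     reads. 192.168.1.15 is also the address of h192.168.1.15. -->
<Host comment="this host has an interface with both IP address and MAC address chld objects, but option &quot;turn on MAC address matching&quot; is NOT activated" id="id3E0F3FC8" name="host-with-mac-5">
  <Interface bridgeport="False" comment="" dyn="False" id="id3E0F3FC9" label="" mgmt="False" name="host-with-mac-5:1" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.15" comment="" id="id3E0F3FCA" name="host-with-mac-5/addr" netmask="255.255.255.0"/>
    <physAddress address="aa:bb:cc:dd:ee:ff" comment="" id="id3E0F3FCB" name="host-with-mac-5:1-pa"/>
  </Interface>
  <Management address="192.168.1.15">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr_filter">True</Option>
  </HostOptions>
</Host>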
<Host comment="" id="host-hostA" name="hostA">
  <Interface bridgeport="False" dyn="False" id="host-hostA-i" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.10" id="host-hostA-i-ipv4" name="address" netmask="255.255.255.255"/>
  </Interface>
  <!-- SNMP read community is the well-known default "public"; SNMP management is
       disabled on this object, so it is not used as stored. -->
  <Management address="192.168.1.10">
    <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="use_mac_addr_filter">false</Option>
  </HostOptions>
</Host>
<Host comment="translated address for hostA" id="id3AFADBF9" name="hostA-NAT">
  <!-- 22.22.22.23 is also used by hostZ-outside (hZ-eth0) and as a management address
       elsewhere in this file. -->
  <Interface bridgeport="False" dyn="False" id="id3AFADBF9-i" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="22.22.22.23" id="id3AFADBF9-i-ipv4" name="address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="0.0.0.0">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="use_mac_addr_filter">false</Option>
  </HostOptions>
</Host>
<Host comment="" id="host-hostB" name="hostB">
  <Interface bridgeport="False" dyn="False" id="host-hostB-i" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.20" id="host-hostB-i-ipv4" name="address" netmask="255.255.255.255"/>
  </Interface>
  <!-- SNMP read community is the well-known default "public"; SNMP management is
       disabled on this object, so it is not used as stored. -->
  <Management address="192.168.1.20">
    <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="use_mac_addr_filter">false</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3BD6736B" name="hostB-NAT">
  <!-- No Management element at all, unlike most hosts in this file. -->
  <Interface bridgeport="False" dyn="False" id="id3BD6736B-i" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="22.22.23.24" id="id3BD6736B-i-ipv4" name="address" netmask="255.255.255.255"/>
  </Interface>
  <HostOptions>
    <Option name="use_mac_addr_filter">false</Option>
  </HostOptions>
</Host>
<Host comment="the same address as internal iface of firewall1" id="id3AFC191C" name="hostF-int">
  <!-- Deliberate clash with a firewall interface address (per the comment). -->
  <Interface bridgeport="False" dyn="False" id="id3AFC191C-i" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.1" id="id3AFC191C-i-ipv4" name="address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="0.0.0.0">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="use_mac_addr_filter">false</Option>
  </HostOptions>
</Host>
<Host comment="this host has multiple interfaces" id="id3DECF4EB" name="hostM-outside">
  <!-- Despite the comment there is one interface here with two IPv4 addresses. -->
  <Interface bridgeport="False" comment="" dyn="False" id="id3DECF4EC" label="" mgmt="False" name="hostM-iface" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="222.222.222.40" comment="" id="id3DECF4ED" name="address" netmask="255.255.255.0"/>
    <IPv4 address="222.222.222.41" comment="" id="id3DECF62C" name="hostM-outside" netmask="255.255.255.0"/>
  </Interface>
  <!-- Management address 22.22.22.23 belongs to no interface of this host (it is
       hostA-NAT's / hZ-eth0's address). Management is disabled, so it has no effect
       as stored; if enabled, management traffic would target the wrong host. -->
  <Management address="22.22.22.23">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="this host has multiple interfaces" id="id3DECF622" name="hostN-outside">
  <!-- Two interfaces, both named "unknown", with different security levels (100 and 0).
       The addresses duplicate those of hostM-outside, and the second address object is
       even named "hostM-outside". -->
  <Interface bridgeport="False" dyn="False" id="id3DECF623" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="222.222.222.40" comment="" id="id3DECF624" name="address" netmask="255.255.255.0"/>
  </Interface>
  <Interface bridgeport="False" dyn="False" id="id3DECF62A" name="unknown" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="222.222.222.41" comment="" id="id3DECF62B" name="hostM-outside" netmask="255.255.255.0"/>
  </Interface>
  <Management address="222.222.222.41">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="host on subnet 22.22.22.0 with several addresses" id="id3DE47B6C" name="hostZ-outside">
  <!-- Three interfaces with one /32 address each; management goes to eth0's address,
       which hostA-NAT also uses. -->
  <Interface bridgeport="False" comment="" dyn="False" id="id3DE47B6D" label="" mgmt="False" name="eth0" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="22.22.22.23" comment="" id="id3DE47B6E" name="hZ-eth0" netmask="255.255.255.255"/>
  </Interface>
  <Interface bridgeport="False" comment="" dyn="False" id="id3DE47B76" label="" mgmt="False" name="eth1" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="22.22.22.24" comment="" id="id3DE47B77" name="hZ-eth1" netmask="255.255.255.255"/>
  </Interface>
  <Interface bridgeport="False" comment="" dyn="False" id="id3DE47B78" label="" mgmt="False" name="eth2" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="22.22.22.25" comment="" id="id3DE47B79" name="hZ-eth2" netmask="255.255.255.255"/>
  </Interface>
  <Management address="22.22.22.23">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="broadcast on internal subnet" id="id3B64FFAC" name="local-bcast">
  <!-- Directed broadcast of 192.168.1.0/24 as a Host. The address object's name is
       spelled "addess"; it is data, so it is left as is. -->
  <Interface bridgeport="False" dyn="False" id="id3B64FFAC-i" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.255" comment="" id="id3B64FFAC-i-ipv4" name="local-bcast:addess" netmask="255.255.255.255"/>
  </Interface>
  <Management address="192.168.1.255">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3CD87A53" name="h192.168.1.11">
  <!-- First of five consecutive hosts 192.168.1.11 to .15 referenced by group-range-1. -->
  <Interface bridgeport="False" dyn="False" id="id3CD87A53-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.11" id="id3CD87A53-i-1-addr" name="address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="192.168.1.11">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr">False</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3CD87A5E" name="h192.168.1.12">
  <!-- Member of the 192.168.1.11 to .15 run referenced by group-range-1. -->
  <Interface bridgeport="False" dyn="False" id="id3CD87A5E-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.12" id="id3CD87A5E-i-1-addr" name="address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="192.168.1.12">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr">False</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3CD87A6D" name="h192.168.1.13">
  <!-- Member of the 192.168.1.11 to .15 run referenced by group-range-1. -->
  <Interface bridgeport="False" dyn="False" id="id3CD87A6D-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.13" id="id3CD87A6D-i-1-addr" name="address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="192.168.1.13">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr">False</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3CD87A7C" name="h192.168.1.14">
  <!-- Member of the 192.168.1.11 to .15 run referenced by group-range-1. -->
  <Interface bridgeport="False" dyn="False" id="id3CD87A7C-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.14" id="id3CD87A7C-i-1-addr" name="address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="192.168.1.14">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr">False</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3CD87A8B" name="h192.168.1.15">
  <!-- Last of the 192.168.1.11 to .15 run referenced by group-range-1. The address is
       also used by host-with-mac-5. -->
  <Interface bridgeport="False" dyn="False" id="id3CD87A8B-i" name="interface-1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="192.168.1.15" id="id3CD87A8B-i-1-addr" name="address" netmask="255.255.255.255"/>
  </Interface>
  <Management address="192.168.1.15">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <Option name="use_mac_addr">False</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="local link multicast address" id="id3D84EEC8" name="ospf routers (multicast)">
  <!-- Link-local multicast 224.0.0.5 as a Host; interface address carries a /24 mask. -->
  <Interface bridgeport="False" dyn="False" id="id3D84EECC" name="interface1" security_level="0" unnum="False" unprotected="False">
    <IPv4 address="224.0.0.5" id="id3D84EECD" name="ospf routers (multicast)" netmask="255.255.255.0"/>
  </Interface>
  <Management address="224.0.0.5">
    <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="snmp_contact"/>
    <Option name="snmp_description"/>
    <Option name="snmp_location"/>
    <!-- "false" vs "False": mixed boolean spelling within one element. -->
    <Option name="use_mac_addr">false</Option>
    <Option name="use_mac_addr_filter">False</Option>
  </HostOptions>
</Host>
<Host comment="some host outside our network" id="id3B19C5EB" name="outside-host">
  <!-- No Management element, unlike most hosts in this file. -->
  <Interface bridgeport="False" dyn="False" id="id3B19C5EB-i" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="200.200.200.200" id="id3B19C5EB-i-ipv4" name="address" netmask="255.255.255.255"/>
  </Interface>
  <HostOptions>
    <Option name="use_mac_addr_filter">false</Option>
  </HostOptions>
</Host>
<Host comment="" id="host-secondary1-com" name="secondary1.com">
  <Interface bridgeport="False" dyn="False" id="host-secondary1-com-i" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="211.11.11.11" id="host-secondary1-com-i-ipv4" name="address" netmask="255.255.255.255"/>
  </Interface>
  <!-- SNMP read community is the well-known default "public"; SNMP management is
       disabled on this object, so it is not used as stored. -->
  <Management address="211.11.11.11">
    <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="use_mac_addr_filter">false</Option>
  </HostOptions>
</Host>
<Host comment="" id="host-secondary2-com" name="secondary2.com">
  <Interface bridgeport="False" dyn="False" id="host-secondary2-com-i" name="unknown" security_level="100" unnum="False" unprotected="False">
    <IPv4 address="211.22.22.22" id="host-secondary2-com-i-ipv4" name="address" netmask="255.255.255.255"/>
  </Interface>
  <!-- SNMP read community is the well-known default "public"; SNMP management is
       disabled on this object, so it is not used as stored. -->
  <Management address="211.22.22.22">
    <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
    <FWBDManagement enabled="False" identity="" port="-1"/>
    <PolicyInstallScript arguments="" command="" enabled="False"/>
  </Management>
  <HostOptions>
    <Option name="use_mac_addr_filter">false</Option>
  </HostOptions>
</Host>
<Host comment="" id="id3BF23930" name="z-host">
|
|
<Interface bridgeport="False" dyn="False" id="id3BF23931" name="unknown" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="0.0.0.0" id="id3BF23931-ipv4" name="address" netmask=""/>
|
|
<physAddress address="00:a0:24:53:06:8c" id="id3BF23931-pa" name="unknown-pa"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host comment="" id="id3D84F6D7" name="zero address">
|
|
<Interface bridgeport="False" dyn="False" id="id3D84F6DB" name="interface1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="0.0.0.0" comment="" id="id3D84F6DC" name="zero addr(ip)" netmask="0.0.0.0"/>
|
|
<physAddress address="00:00:00:00:00:00" comment="" id="id3E192A36" name="zero addr(MAC)"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3E9870D1" name="like fw5">
|
|
<Interface bridgeport="False" dyn="False" id="id3E9870D7" name="eth0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3E9870D8" name="like fw5:eth0(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3E9870D9" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id3E9870DA" name="like fw5:eth1(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3E9BC536" name="squid-box">
|
|
<Interface bridgeport="False" dyn="False" id="id3E9BC538" name="interface1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.100" id="id3E9BC539" name="squid-box:interface1(ip)" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id3EE4CC6E" name="like fw18(eth1)">
|
|
<Interface bridgeport="False" dyn="False" id="id3EE4CC70" name="interface1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="66.66.66.130" id="id3EE4CC71" name="like fw18(eth1):interface1(ip)" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host comment="this host has the same IP address as firewall 'firewall', plus it has a MAC address. Testing for a combination of &quot;--mac --source-mac&quot; in the OUTPUT chain. " id="id3F14DFB8" name="fw-with-mac-1">
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3F14DFB9" label="" mgmt="False" name="host-with-mac-1:1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id3F14DFBA" name="host-with-mac-1/addr" netmask="255.255.255.0"/>
|
|
<physAddress address="00:10:4b:de:e9:6f" id="id3F14DFBB" name="host-with-mac-1:1-pa"/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host comment="this host has the same IP address as firewall 'firewall', plus it has a MAC address. Testing for a combination of &quot;--mac --source-mac&quot; in the OUTPUT chain. " id="id3F14E244" name="fw-with-mac-2">
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3F14E245" label="" mgmt="False" name="host-with-mac-1:1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id3F14E246" name="host-with-mac-1/addr" netmask="255.255.255.0"/>
|
|
<physAddress address="00:10:4b:de:e9:6f" id="id3F14E247" name="host-with-mac-1:1-pa"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr_filter">True</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host comment="used in fw7 " id="id40236C4D" name="dhcpserver">
|
|
<Interface bridgeport="False" dyn="False" id="id40236C4F" name="interface1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.10" id="id40236C50" name="dhcpserver:interface1(ip)" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.2.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr">false</Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id40236C9A" name="unknown">
|
|
<Interface bridgeport="False" dyn="False" id="id40236C9C" name="interface1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="0.0.0.0" id="id40236C9D" name="unknown:interface1(ip)" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr">false</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host id="id40F195D2" name="hostC">
|
|
<Interface bridgeport="False" dyn="False" id="id40F195D4" label="" name="eth0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.50" id="id40F195D6" name="hostC:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions/>
|
|
</Host>
|
|
<Host comment="" id="id43913DCB25682" name="hostAt">
|
|
<Interface bridgeport="False" dyn="False" id="id43913DCD25682" label="" name="hostA_eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.10" id="id43913DCE25682" name="hostAt:hostA_eth0:ip" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Management address="192.168.1.10">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
<Host comment="This object represents a PC with a single network interface" id="id445F59D831658" name="exthost223">
|
|
<Interface bridgeport="False" dyn="False" id="id445F59DA31658" label="" name="eth0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="223.223.223.223" comment="" id="id445F59DB31658" name="exthost223:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<HostOptions>
|
|
<Option name="use_mac_addr_filter">False</Option>
|
|
</HostOptions>
|
|
</Host>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid03_1" name="Networks">
|
|
<Network comment="" id="net-Internal_net" name="Internal_net" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network comment="DMZ net - using NAT " id="id3B022266" name="dmz_net" address="192.168.2.0" netmask="255.255.255.0"/>
|
|
<Network comment="" id="id3B665641" name="external_net" address="22.22.22.0" netmask="255.255.255.0"/>
|
|
<Network comment="" id="id3B665643" name="foreign_net" address="33.33.33.0" netmask="255.255.255.0"/>
|
|
<Network comment="" id="id3CEBFCAE" name="n-222.222.222.0" address="222.222.222.0" netmask="255.255.255.0"/>
|
|
<Network comment="" id="id3CEBFDFC" name="n-192.168.1.0" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network comment="" id="id3DE71E90" name="fw14-dmz" address="22.22.23.128" netmask="255.255.255.128"/>
|
|
<Network comment="" id="id3EFBCCBA" name="ppp-net" address="10.1.1.0" netmask="255.255.255.0"/>
|
|
<Network comment="" id="id43913DEA25682" name="Internal_net_t" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network comment="" id="id4733FFE419714" name="n-192.168.2.0" address="192.168.2.0" netmask="255.255.255.0"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid15_1" name="Address Ranges">
|
|
<AddressRange comment="" id="id3CD8769F" name="test_range_1" start_address="192.168.1.11" end_address="192.168.1.15"/>
|
|
<AddressRange comment="" id="id3CEBFF26" name="r-192.168.1.0" start_address="192.168.1.10" end_address="192.168.1.100"/>
|
|
<AddressRange comment="" id="id3CEBFF28" name="r-222.222.222.0" start_address="222.222.222.10" end_address="222.222.222.100"/>
|
|
<AddressRange comment="c" id="id3EF40DD0" name="range 255" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
|
<AddressRange comment="" id="id3F6D17F4" name="broadcast" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
|
<AddressRange comment="" id="id40D153ED" name="old broadcast" start_address="0.0.0.0" end_address="0.0.0.0"/>
|
|
<AddressRange comment="" id="id4368AD8615884" name="ext_range" start_address="22.22.22.100" end_address="22.22.22.110"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="stdid05_1" name="Services">
|
|
<ServiceGroup id="stdid05_1_og_tag_1" name="TagServices">
|
|
<TagService comment="" id="id43EC877332486" name="tag16" tagcode="16"/>
|
|
<TagService comment="" id="id449328D824380" name="Tag1" tagcode="1"/>
|
|
<TagService comment="" id="id449328D924380" name="Tag2" tagcode="2"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid10_1" name="Groups">
|
|
<ServiceGroup id="id3B457567" name="svcgroup1">
|
|
<ServiceRef ref="id3B457561"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3C1A66C9" name="large group TCP">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
<ServiceRef ref="tcp-DNS_zone_transf"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="tcp-uucp"/>
|
|
<ServiceRef ref="id3C1A66EF"/>
|
|
<ServiceRef ref="id3AEDBE6E"/>
|
|
<ServiceRef ref="id3B4FEDA3"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
<ServiceRef ref="id3AECF776"/>
|
|
<ServiceRef ref="id3B4FED9F"/>
|
|
<ServiceRef ref="id3B4FF13C"/>
|
|
<ServiceRef ref="id3B4FEE21"/>
|
|
<ServiceRef ref="id3B4FEE23"/>
|
|
<ServiceRef ref="id3AECF778"/>
|
|
<ServiceRef ref="id3B4FF000"/>
|
|
<ServiceRef ref="id3B4FEEEE"/>
|
|
<ServiceRef ref="id3B4FEE7A"/>
|
|
<ServiceRef ref="id3B4FEE1D"/>
|
|
<ServiceRef ref="id3B4FF0EA"/>
|
|
<ServiceRef ref="id3AECF782"/>
|
|
<ServiceRef ref="id3B4FEF7C"/>
|
|
<ServiceRef ref="id3AECF77A"/>
|
|
<ServiceRef ref="id3AECF77C"/>
|
|
<ServiceRef ref="id3AECF77E"/>
|
|
<ServiceRef ref="id3B4FEF34"/>
|
|
<ServiceRef ref="id3B4FF04C"/>
|
|
<ServiceRef ref="id3B4FEE76"/>
|
|
<ServiceRef ref="id3AEDBE00"/>
|
|
<ServiceRef ref="id3B4FF1B8"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3CD878C8" name="small group TCP">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-uucp"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
<ServiceRef ref="id3AECF776"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3D34B32B" name="grp-custom-1">
|
|
<ServiceRef ref="id3D34B329"/>
|
|
<ServiceRef ref="id3D34B32A"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3D4DE626" name="combined_srv">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
<ServiceRef ref="udp-DNS"/>
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3DE689FF" name="empty Sgroup"/>
|
|
<ServiceGroup id="id3E1FDDBB" name="special combined srv">
|
|
<ServiceRef ref="udp-All_UDP"/>
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup comment="" id="id4067B2CD" name="simpleGroup">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup comment="" id="id41D0F023" name="group of 16 TCP services">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
<ServiceRef ref="tcp-DNS_zone_transf"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="tcp-uucp"/>
|
|
<ServiceRef ref="id3C1A66EF"/>
|
|
<ServiceRef ref="id3AEDBE6E"/>
|
|
<ServiceRef ref="id3B4FEDA3"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid07_1" name="ICMP">
|
|
<ICMPService code="-1" comment="" id="id3C1A5D46" name="any ICMP" type="-1"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid06_1" name="IP">
|
|
<IPService comment="" fragm="False" id="id3B457561" lsrr="False" name="ICMP" protocol_num="1" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
|
<IPService comment="" fragm="False" id="id3B6659A5" lsrr="False" name="TS" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="True"/>
|
|
<IPService comment="" fragm="False" id="id3F3E9EFC" lsrr="False" name="EIGRP" protocol_num="88" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
|
<IPService comment="" fragm="False" id="id419D6869" lsrr="False" name="any protocol" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid09_1" name="TCP">
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="70" dst_range_start="70" fin_flag="False" fin_flag_mask="False" id="id3C1A66EF" name="gopher" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="tcp-IRC" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B5009F7" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="80" dst_range_start="80" fin_flag="False" fin_flag_mask="False" id="id3CE71594" name="tcp-big-src-range" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="65535" src_range_start="1024" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="4010" dst_range_start="4000" fin_flag="False" fin_flag_mask="False" id="id3CE719F3" name="tcp-dst-range" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5010" dst_range_start="5000" fin_flag="False" fin_flag_mask="False" id="id3D330B17" name="tcp-dst-range-2" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="5000" src_range_start="5000" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="id3CE717A0" name="tcp-src-53" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="53" src_range_start="53" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="id3CE719F5" name="tcp-src-range" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="1010" src_range_start="1000" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="port range" dst_range_end="11000" dst_range_start="10000" fin_flag="False" fin_flag_mask="False" id="id3B20468D" name="test-TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="id3D330B16" name="test-TCP-2" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="9000" src_range_start="9000" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="True" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="True" fin_flag_mask="True" id="id3B58E3F1" name="xmas-tree" psh_flag="False" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="8080" dst_range_start="8080" fin_flag="False" fin_flag_mask="False" id="id3DDDE4E4" name="tcp-8080" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="id3E3747AF" name="TCP no flags" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="True" comment="TCP packet with dest. port 5190 (AIM) and the SYN flag set. This is the opening of a new AIM session." dst_range_end="5190" dst_range_start="5190" fin_flag="False" fin_flag_mask="True" id="id40038E79" name="new AIM connection" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
|
|
<TCPService ack_flag="True" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="id459E36F110170" name="ack" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid08_1" name="UDP">
|
|
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="id3ED59BF0" name="udp-src-6767" src_range_end="6767" src_range_start="6767"/>
|
|
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="id3ED59BF1" name="udp-src-67" src_range_end="67" src_range_start="67"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid13_1" name="Custom">
|
|
<CustomService comment="Talk support" id="id3B64FE22" name="talk">
|
|
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m ip_conntrack_talk -m ip_nat_talk</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService comment="" id="id3D34B329" name="test-custom-1">
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-p tcp -m state --state ESTABLISHED --tcp-flags SYN,ACK,RST,URG ACK</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService comment="" id="id3D34B32A" name="test-custom-2">
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-p tcp -m state --state ESTABLISHED --tcp-flags SYN,FIN,RST,URG,PSH RST</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService comment="" id="id3FADE3CC" name="string">
|
|
<CustomServiceCommand platform="ipf">-m string --string test_pattern</CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
<CustomService comment="" id="id4003B1AC" name="old AIM session">
|
|
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="iptables">-p tcp ! --syn -dport 5190 -m state --state NEW</CustomServiceCommand>
|
|
<CustomServiceCommand platform="pf"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="pix"></CustomServiceCommand>
|
|
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
|
|
</CustomService>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="stdid12_1" name="Firewalls">
|
|
<Firewall comment="this is a simple firewall with two interfaces. Tests regular policy rules, including the IP_fragments rule" host_OS="linux24" id="fw-firewall2" inactive="False" lastCompiled="1188096924" lastInstalled="1142003872" lastModified="1184809081" name="firewall" platform="iptables" ro="False" version="">
|
|
<NAT id="nat-firewall2">
|
|
<NATRule comment="" disabled="False" id="nat-firewall2-0" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3CEBFE6E" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3CEBFCAE"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3CEBFFA8" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3CEBFF28"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="True" id="id3CECB632" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3CECB708" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3D20E9DB" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3CE719F3"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="nat-firewall2-1" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3F3BCA90" position="7">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3F3BCAD1" position="8">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3CE71A93" position="9">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3CE719F5"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3CE719F5"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3CE71B09" position="10">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3CE719F5"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3CE719F5"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E0AAAF2" position="11">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3BF1B3E2"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E0AADCD" position="12">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3BF1B3E8-pa"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DECF4EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3E69B092" position="13">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E0F3FC8"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DECF4EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id445F52DE31658" position="14">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id445F52ED31658"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3CE7198B" position="15">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3CE71594"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3CE71594"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3CE719A3" position="16">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3CE717A0"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3CE717A0"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3CE71AF1" position="17">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3CE719F3"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3CE719F3"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3CE71B86" position="18">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3CE719F3"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3CE719F3"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3EA8DC47" position="19">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3EA8DB2C" position="20">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="should use multiport and account for no more than 15 ports per rule" disabled="False" id="id3EF41DD4" position="21">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3C1A66C9"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="should use multiport and account for no more than 15 ports per rule" disabled="False" id="id3EF4288E" position="22">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</ODst>
|
|
<OSrv neg="True">
|
|
<ServiceRef ref="id3C1A66C9"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="pol-firewall2">
|
|
<PolicyRule action="Deny" comment="Automatically generated rule blocking short fragments" direction="Inbound" disabled="False" id="pol-firewall2-0" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3B09D29D" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Automatically generated anti-spoofing rule" direction="Inbound" disabled="False" id="pol-firewall2-1" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3B92DFC5" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="code should go into INPUT chain with address in destination for comparison" direction="Inbound" disabled="False" id="id3C4E4C38" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3E021435" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="reject using connlimit" direction="Inbound" disabled="False" id="id433BF95F26912" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="connlimit_masklen">24</Option>
|
|
<Option name="connlimit_value">2</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="reject using connlimit" direction="Inbound" disabled="False" id="id446828293610" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="connlimit_masklen">24</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">5</Option>
|
|
<Option name="hashlimit_dstlimit">True</Option>
|
|
<Option name="hashlimit_mode">destip</Option>
|
|
<Option name="hashlimit_suffix">/second</Option>
|
|
<Option name="hashlimit_value">2</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id44670E149065" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="if-FW-firewall2-eth0"/>
|
|
<ObjectRef ref="if-FW-firewall2-eth1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="OUTPUT" direction="Outbound" disabled="False" id="id469F1D0830391" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="INPUT" direction="Inbound" disabled="False" id="id469F1CF730391" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="OUTPUT + FORWARD" direction="Outbound" disabled="False" id="id469F1CE630391" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="INPUT + FORWARD" direction="Inbound" disabled="False" id="id469F1CD530391" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="OUTPUT + FORWARD" direction="Both" disabled="False" id="id469F1CC430391" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="INPUT + FORWARD" direction="Both" disabled="False" id="id469F1CB330391" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B58E39D" log="True" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
<ServiceRef ref="id3B58E3F1"/>
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
<ServiceRef ref="id3E3747AF"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B6659FC" log="True" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-RR"/>
|
|
<ServiceRef ref="ip-SRR"/>
|
|
<ServiceRef ref="id3B6659A5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3D34B4D8" log="True" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D34B32B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="both src and dst have multiple interfaces; this rule is illegal because firewall8 has a dynamic interface" direction="Both" disabled="True" id="id3D0C176B" log="False" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3D0C1E6E"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D0C1E6E"/>
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="both src and dst have multiple interfaces" direction="Both" disabled="False" id="id3EE24E9C" log="False" position="19">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3D0C1E77"/>
|
|
<ObjectRef ref="id3D0C1E7A"/>
|
|
<ObjectRef ref="id3D0C1E7D"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3D0C1E77"/>
|
|
<ObjectRef ref="id3D0C1E7A"/>
|
|
<ObjectRef ref="id3D0C1E7D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3BF1B45E" log="False" position="20">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3E0AA611" log="False" position="21">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3BF1B44E" log="False" position="22">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E7"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E0AA504" log="False" position="23">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E8-pa"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3E0AA635" log="False" position="24">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E8-pa"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E0F40D5" log="False" position="25">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3E0F3FC8"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3E0F452C" log="False" position="26">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3E0F3FCB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3DB0B422" log="False" position="27">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3DB0B628" log="False" position="28">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3DE474B7" log="False" position="29">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CE717A0"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="pol-firewall2-2" log="False" position="30">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A66C9"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id445FAA6D31658" log="False" position="31">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DB0B356"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3F14E0F4" log="False" position="32">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3F14DFB8"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="pol-firewall2-3" log="True" position="33">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
<ObjectRef ref="host-secondary2-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-afterhours"/>
|
|
<IntervalRef ref="id3C63479C"/>
|
|
<IntervalRef ref="id3C63479E"/>
|
|
<IntervalRef ref="id3D6864D0"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3FB8455E" log="False" position="34">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
<ObjectRef ref="host-secondary2-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A66C9"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3CE71635" log="False" position="35">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CE71594"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="Rule #20 test: from Rock " direction="Both" disabled="False" id="id3CE716F8" log="False" position="36">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CE71594"/>
|
|
<ServiceRef ref="tcp-DNS_zone_transf"/>
|
|
<ServiceRef ref="id3CE717A0"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="pol-firewall2-4" log="False" position="37">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="id3B64FE22"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3CD8770E" log="False" position="38">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CD8769F"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B64FE22"/>
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3CD87B1E" log="False" position="39">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CD87A9A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B64FE22"/>
|
|
<ServiceRef ref="id3CD878C8"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="group &quot;special combined srv&quot; has a couple of UDP services, plus an &quot;ALL UDP&quot; service, which has empty port specs. This is a special case for multiport." direction="Both" disabled="False" id="id3E1FD93A" log="False" position="40">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3E1FDDBB"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="another test case for multiport: this rule has 16 TCP services and should be split into two rules (iptables multiport accepts at most 15 ports per match). If both rules use &quot;-m multiport&quot;, then the rule with a single service should use &quot;--dports&quot;. It may be acceptable not to use multiport at all in the rule with a single service." direction="Both" disabled="False" id="id41D0F052" log="True" position="41">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CD8769F"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id41D0F023"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3B58E180" log="True" position="42">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D41A4F4" log="False" position="43">
|
|
<Src neg="False">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D41A435"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<!-- Auto-generated "masquerading" accept: Internal_net and the firewall itself may
     open anything (Srv = Any) to anywhere (Dst = Any), unlogged. Because
     firewall_is_part_of_any is True in this object's FirewallOptions, "anywhere"
     includes the firewall's own addresses, so every service the firewall runs is
     reachable from the inside. The hand-written rule at position 45 is the tighter
     form (Dst = negated firewall), as its own comment says. Note also that this
     rule fully covers positions 45 and 46 (same source, subset of destinations),
     and that check_shading is off for this object, so the compiler will not
     point that out. -->
<PolicyRule action="Accept" comment="Automatically generated 'masquerading' rule" direction="Both" disabled="False" id="pol-firewall2-5" log="False" position="44">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="fw-firewall2"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_prefix"></Option>
</PolicyRuleOptions>
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="similar to a standard 'masquerading' rule, but not so permissive as it does not allow access to the firewall" direction="Both" disabled="False" id="id3CE894DA" log="False" position="45">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id40F1CFA3" log="False" position="46">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="fw-firewall2"/>
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id413D6500" log="False" position="47">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<!-- Default deny, last in the policy: anything not accepted above is dropped and
     logged. Two points for anyone reusing this profile: (1) log="True" here, with
     this rule's limit_value at 0 and the object-wide log_limit_value also 0,
     presumably means every unmatched packet is logged without a rate limit, which
     lets an outside host fill the firewall's logs at will; give the rule or the
     object a non-zero log limit outside of tests. (2) stateless="True" presumably
     emits the rule without a conntrack state match, so it catches every packet
     regardless of state, which is what a catch-all should do. How much of the
     firewall itself is reachable is decided above this rule, mainly by the
     Any-destination masquerading rule at position 44. -->
<PolicyRule action="Deny" comment="Automatically generated 'catch all' rule" direction="Both" disabled="False" id="pol-firewall2-7" log="True" position="48">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_limit_suffix"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="fw-firewall2-routing"/>
|
|
<!-- Outside interface (security_level 0). 222.222.222.222/24 is globally routable
     address space, not RFC 5737 documentation space; for a committed test fixture
     prefer 192.0.2.0/24 so that a copied configuration can never be installed
     pointing at somebody else's network. -->
<Interface bridgeport="False" comment="" dyn="False" id="if-FW-firewall2-eth1" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 address="222.222.222.222" id="if-FW-firewall2-eth1-ipv4" name="address" netmask="255.255.255.0"/>
</Interface>
<!-- Inside/management interface (security_level 100, mgmt="True"). The Management
     address below and the mgmt_addr option in FirewallOptions are both on this
     subnet. -->
<Interface bridgeport="False" comment="" dyn="False" id="if-FW-firewall2-eth0" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 address="192.168.1.1" id="if-FW-firewall2-eth0-ipv4" name="address" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.1">
<!-- SNMP is disabled, but the object still carries the well-known default read
     community "public". Change it before ever setting enabled="True": for
     SNMPv1/v2c the community string is the only credential. Keep the write
     community empty unless write access is genuinely needed. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="9999"/>
<!-- Installer command is given as an absolute path, so activation does not depend
     on PATH lookup on the management host. -->
<PolicyInstallScript arguments="" command="/usr/bin/fwb_install" enabled="True"/>
</Management>
|
|
<FirewallOptions>
<!-- Stateful baseline: established traffic is accepted, TCP segments without SYN
     are not treated as new connections, and (drop_invalid, below) packets in
     conntrack state INVALID are dropped. Keep the three together; relaxing
     accept_new_tcp_with_no_syn would let ACK/FIN probes past the state machine. -->
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<!-- Object-wide reject behaviour (ICMP net unreachable rather than a TCP RST); the
     per-rule action_on_reject options in this file are empty and presumably fall
     back to this value. -->
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<!-- Shadowing check is off: the compiler will not warn when a rule can never match
     because an earlier rule already covers it (the auto-generated masquerading rule
     in this policy hides the two narrower rules that follow it). -->
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline">-v</Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">True</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir"></Option>
<!-- Both True: "Any", and network objects that contain the firewall's own
     addresses, also match traffic to and from the firewall itself. A rule with Any
     as destination therefore exposes the firewall's own services unless the
     firewall is explicitly excluded; compare the two masquerading rules in this
     policy (positions 44 and 45). -->
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<!-- Default rate limit for rules that enable limiting: 5 per second. -->
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">5</Option>
<!-- Kernel hardening sysctls. An empty value presumably means "do not touch", so
     whatever the host already has applies (verify against the generated script).
     Outside of a test fixture, set accept_redirects and accept_source_route to 0,
     and rp_filter, tcp_syncookies, log_martians and icmp_echo_ignore_broadcasts
     to 1, so the policy does not silently depend on distribution defaults.
     ip_forward is explicitly 1: this object is a router. -->
<Option name="linux24_accept_redirects"></Option>
<Option name="linux24_accept_source_route"></Option>
<Option name="linux24_icmp_echo_ignore_all"></Option>
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
<Option name="linux24_ip_dynaddr"></Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="linux24_log_martians"></Option>
<!-- Tool paths are absolute (no PATH lookup at activation time) but point at
     /usr/local/sbin rather than the usual /sbin or /usr/sbin. The script will fail,
     or run whatever happens to sit at these paths, if the binaries are not
     installed exactly there on the target. -->
<Option name="linux24_path_ip">/usr/local/sbin/ip</Option>
<Option name="linux24_path_iptables">/usr/local/sbin/iptables</Option>
<Option name="linux24_path_logger">/bin/logger</Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe">/usr/local/sbin/modprobe</Option>
<Option name="linux24_rp_filter"></Option>
<Option name="linux24_tcp_ecn"></Option>
<Option name="linux24_tcp_fack"></Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="linux24_tcp_sack"></Option>
<Option name="linux24_tcp_syncookies"></Option>
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<!-- Logging: all dropped and all INVALID packets are requested to be logged, at
     syslog level "debug", and log_limit_value is 0, which presumably means no
     rate limit (limit_value above is the separate per-rule knob). Unlimited logging
     of drops lets any outside host fill the firewall's log partition; set a
     non-zero log_limit_value before using this profile outside tests. -->
<Option name="log_all">False</Option>
<Option name="log_all_dropped">True</Option>
<Option name="log_invalid">True</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix">CUSTOM LOGGING</Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<!-- Management access: the option names suggest an implicit rule permitting SSH to
     the firewall from 192.168.1.100 ahead of the policy (NOTE(review): confirm in
     the generated script). Keep this a single host on the inside interface, never a
     network. -->
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="output_file"></Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="script_env_path"></Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<!-- Rules are loaded with individual iptables invocations rather than with
     iptables-restore. Presumably that is not atomic, so during activation there is
     a window in which the policy is only partially loaded (NOTE(review): confirm
     against the generated script; iptables-restore commits a whole table at once). -->
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">True</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="this object is used to test all kinds of negation in policy and NAT rules" host_OS="linux24" id="id3AF5AA0A" inactive="False" lastCompiled="1188096933" lastInstalled="1142003872" lastModified="1158818477" name="firewall1" platform="iptables" ro="False" version="">
|
|
<NAT id="id3AF5AA0D">
|
|
<NATRule disabled="False" id="id3C98491C" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3AFADC09" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3CD23959" position="2">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3D6E78AD" position="3">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3B1328FB" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E7ABEEA" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
<ObjectRef ref="id3B11F434"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3AF5AAD3" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3D6E7B3D" position="7">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3CCA1B57" position="8">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3EB38983" position="9">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3B50F7CB" position="10">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3BD8D94B" position="11">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3BD8D9DD" position="12">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3BBC0EA4" position="13">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3BBC0F93" position="14">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BBC0EFC"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3BC6BCE5" position="15">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3D331552" position="16">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3D330B17"/>
|
|
<ServiceRef ref="id3D330B16"/>
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
<ServiceRef ref="id3CE719F3"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3EB38BC6" position="17">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3EB38A91" position="18">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3AF5AA0C">
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3C5987DC" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3CD34BEF" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<!-- Inbound anti-spoofing on interface id3AF5AA99 (the Interface object is
     presumably defined later in this Firewall element): packets arriving here that
     claim an Internal_net source or the firewall's own address (id3AF5AA0A is this
     Firewall object) are dropped and logged, before any state lookup
     (stateless="True"). This protects only if id3AF5AA99 is the outside interface;
     verify against the Interface definitions. -->
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3AF5AAB4" log="True" position="2">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AF5AA0A"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<!-- Outbound anti-spoofing on the same interface: anything leaving with a source
     other than Internal_net is dropped and logged. Taken literally this also drops
     traffic the firewall originates from its own outside address unless that address
     is inside Internal_net. The next rule (position 4) negates the pair
     {Internal_net, firewall} instead, which is the usual form; since its match set is
     a subset of this rule's, it is fully shadowed here. This Firewall object exists
     to test negation (see its comment), so the overlap is presumably intentional;
     do not copy both rules into a real policy. -->
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3AF5AAAB" log="True" position="3">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<!-- Outbound anti-spoofing with a negated multi-object source: drop everything
     leaving id3AF5AA99 whose source is neither Internal_net nor the firewall itself.
     See the note on position 3 above for why this is shadowed in this test object. -->
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id40DBCD36" log="True" position="4">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3AF5AA0A"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3AF5AA99"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D16D55D" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0B4BC8"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id435D572226912" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id3B0B4BC8"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id435EA46C26912" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B665643"/>
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
<ObjectRef ref="id3B11F434"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D16D51D" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0B4D35"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id433D045026912" log="True" position="9">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
<ObjectRef ref="id3B0B4BC8"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id434D389E26912" log="False" position="10">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B665643"/>
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5AA99"/>
|
|
<ObjectRef ref="id3B11F434"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accounting" direction="Both" disabled="False" id="id3E728AD9" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3CCA26E4" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B9AB902" log="True" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="hostF has the same IP address as the firewall." direction="Both" disabled="False" id="id3AFC0F90" log="True" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id434B03D526912" log="False" position="15">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id3B021E10" log="True" position="16">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accounting" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id40C0D096" log="True" position="17">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id40C0D10A" log="True" position="18">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3B0B4A13" log="True" position="19">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B5535B7" log="True" position="20">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id40F1D905" log="True" position="21">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3E74DF71" log="True" position="22">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DECF4EB"/>
|
|
<ObjectRef ref="id3DECF622"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B11F63D" log="True" position="23">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="testing negation in service field" direction="Both" disabled="False" id="id3B021E6F" log="True" position="24">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing negation in service field" direction="Both" disabled="False" id="id3CCA2CF4" log="True" position="25">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing negation in service field" direction="Both" disabled="False" id="id3EA925F1" log="True" position="26">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing negation in service field" direction="Both" disabled="False" id="id3EA9225C" log="True" position="27">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing negation in destination and service fields" direction="Both" disabled="False" id="id4144E299" log="False" position="28">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing negation in service field" direction="Both" disabled="False" id="id41449248" log="False" position="29">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing negation in destination and time fields" direction="Both" disabled="False" id="id414532F3" log="False" position="30">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing negation in service and time fields" direction="Both" disabled="False" id="id41449257" log="False" position="31">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4368F08A15884" log="False" position="32">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3E74D8BB" log="False" position="33">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3AF5AA0A"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B45739A" log="True" position="34">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572B5"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="double negation rule" direction="Both" disabled="False" id="id4067B2C2" log="True" position="35">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id4067B2CD"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id41A88DF6" log="False" position="36">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
<ObjectRef ref="id3B0B4BC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id41B5176E" log="False" position="37">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3AF5AA96"/>
|
|
<ObjectRef ref="id3B0B4BC8"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id4143BD3F" log="False" position="38">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="id3C63479C"/>
|
|
<IntervalRef ref="id3C63479E"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4143BD1A" log="False" position="39">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="'masquerading' rule" direction="Both" disabled="False" id="id3AF5AAC8" log="False" position="40">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="testing combination of limit and logging" direction="Both" disabled="False" id="id42AB87C6" log="True" position="41">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3AF5AA0A-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3AF5AA96" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3AF5AA96-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3AF5AA99" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3AF5AA99-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3B0B4BC8" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id3B0B4BC8-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3B0B4D35" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3B0B4D35-ipv4" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3B11F434" name="eth3" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.23" id="id3B11F434-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_interfaces</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " host_OS="linux24" id="id3AFB66C6" inactive="False" lastCompiled="1188315148" lastInstalled="1142003872" lastModified="1188315856" name="firewall2" platform="iptables" ro="False" version="">
|
|
<NAT id="id3AFB66C7">
|
|
<NATRule disabled="False" id="id3AFB66C8" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3F3E9BB6" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3F3E9D62" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3D8F5820" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3D8F5A56" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D5DEADC"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3AFB66D6" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE47CAD" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3CABE6DF" position="7">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3D1519E8" position="8">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3D151BA0" position="9">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3D151943"/>
|
|
<ObjectRef ref="id3D151947"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3AFB69BD" position="10">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
<ServiceRef ref="id3F3E9EFC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3E76DDFF" position="11">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3E76DE15" position="12">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3E76DF9A" position="13">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="True" id="id3DEA75AF" position="14">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE47C72" position="15">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE47B6C"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3BEEF6D2" position="16">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-NNTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3BD67563" position="17">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3BD6757E" position="18">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id4368AD8715884" position="19">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4368AD8615884"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="NETMAP " disabled="False" id="id3B66568B" position="20">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="NETMAP" disabled="False" id="id3B6656EF" position="21">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B665641"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3AFB69F7" position="22">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B20468D"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id446BA34525148" position="23">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3B7313C4" position="24">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E04C979" position="25">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="id3B4FED69"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E74F756" position="26">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CEBFF26"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E74F620" position="27">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
<ObjectRef ref="id3CD87A6D"/>
|
|
<ObjectRef ref="id3CD87A8B"/>
|
|
<ObjectRef ref="id3CD87A7C"/>
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="transparent proxy rule" disabled="False" id="id3FB3526D" position="28">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="True" id="id402335CD" position="29">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3FC6531F" position="30">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id40F2F9C1" position="31">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id407EDDBD" position="32">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id407EDE37" position="33">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id40F195C3" position="34">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id40F1C52F" position="35">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="True">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id407EDCD5" position="36">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="this is the "exception" rule used in support req. originally" disabled="False" id="id46D6DA2024736" position="37">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id46D6DA3124736" position="38">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB6703-ipv4"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C08B5A</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment=""exception" rule in the pair from a support req." disabled="False" id="id46D49F4824736" position="39">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment="testing transparent proxy rules for a support req." disabled="False" id="id46D67A4324736" position="40">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB6703-ipv4"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment="testing transparent proxy rules for a support req." disabled="False" id="id46D67A5924736" position="41">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB6703"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment="testing transparent proxy rules for a support req." disabled="False" id="id46D49F3624736" position="42">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment=""exception" rule in the pair from a support req." disabled="False" id="id46D6AA1B24736" position="43">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFB6706-ipv4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule comment="testing transparent proxy rules for a support req." disabled="False" id="id46D6AA2F24736" position="44">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id40F195D2"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="color">#C0BA44</Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3AFB66E4">
|
|
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3AFB6708" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3AFB6710" log="True" position="1">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">Iface: %I RULE %N -- %A **</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="testing group in "interface" this rule should be identical to rule 3 " direction="Inbound" disabled="False" id="id44C0660013221" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4653B4A820440"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id4653E36120440" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing choice of chains in case when several interfaces are used and rule matches 'any' or broadcast " direction="Both" disabled="False" id="id44C0691E13221" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id44C0694513221" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44C0695713221"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Outbound" disabled="False" id="id44C092DD13221" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB6706"/>
|
|
<ObjectRef ref="id3AFB68D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3D6748D9" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="block fragments" direction="Both" disabled="False" id="id3AFB66E5" log="True" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="sends TCP RST and makes custom record in the log" direction="Both" disabled="False" id="id3B0C6FD2" log="True" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-Auth"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix">IDENT</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" direction="Both" disabled="False" id="id3D293D84" log="True" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-SNMP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3DD1E1E0" log="True" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0221F1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C1A5D46"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D8FC846" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3D8FC984" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-secondary1-com"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
<ObjectRef ref="id3D8FC56A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" direction="Both" disabled="False" id="id3DCBFEA0" log="False" position="14">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3DCBFEAD" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3DD4C015" log="True" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="host-fw2 has the same address as one of the firewall's interfaces" direction="Both" disabled="False" id="id3C447B8D" log="True" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC0F70"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">10</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3C447BCB" log="True" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFB66C6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3AFB66F9" log="True" position="19">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3AFB66C6-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3AFB6703" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id3AFB6703-ipv4" name="fw2:eth0:ip - internal" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3AFB6706" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" comment="" id="id3AFB6706-ipv4" name="fw2:eth1:ip - external" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3AFB68D2" label="" mgmt="False" name="eth3" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.23" comment="" id="id3AFB68D2-ipv4" name="fw2:eth3:0" netmask="255.255.255.0"/>
|
|
<IPv4 address="22.22.25.50" comment="" id="id3D5DEADC" name="fw2:eth3:1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3B0221F1" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" comment="" id="id3B0221F1-ipv4" name="fw2:eth2:1" netmask="255.255.255.0"/>
|
|
<IPv4 address="192.168.2.40" comment="" id="id3DD1E161" name="fw2:eth2:2" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3CD2449F" label="" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3CD2449F-ipv4" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">5</Option>
|
|
<Option name="linux24_accept_redirects">0</Option>
|
|
<Option name="linux24_accept_source_route">0</Option>
|
|
<Option name="linux24_icmp_echo_ignore_all">1</Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians">1</Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter">1</Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">True</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N - %A **</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">after_flush</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">True</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="useULOG">False</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="this object is used to test negation in policy rules with &quot;Assume firewall is part of 'Any'&quot; turned OFF" host_OS="linux24" id="id3B0226B6" inactive="False" lastCompiled="1196093755" lastInstalled="1142003872" lastModified="1196093903" name="firewall3" platform="iptables" ro="False" version="">
|
|
<NAT id="id3B0226B7">
|
|
<NATRule disabled="False" id="id3B0226B8" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3B0226C6" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3B0226D4">
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id44C3826813221" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id465D5AF12072"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3B02270E" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id44C2868B13221" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id44C1B5A613221" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing the choice of chains when several interfaces are used and the rule matches on 'any' or a broadcast address" direction="Both" disabled="False" id="id44C286B713221" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing the choice of chains when several interfaces are used and the rule matches on 'any' or a broadcast address" direction="Both" disabled="False" id="id44C1B5B813221" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id44C286E313221" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44C0695713221"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id44C1B5CA13221" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44C0695713221"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Outbound" disabled="False" id="id44C2870F13221" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Outbound" disabled="False" id="id44C1B5DC13221" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D115C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3B022715" log="True" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3B02271D" log="True" position="11">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="hostF has the same IP address as the firewall." direction="Both" disabled="False" id="id3B0226D5" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3B022A81" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id3B0226DF" log="True" position="14">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id40F57E67" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id40F57E72" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id40F57E7C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id41A8EF1D" log="False" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="testing negation in service field" direction="Both" disabled="False" id="id3B0226EA" log="True" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="'masquerading' rule" direction="Both" disabled="False" id="id3B0226F6" log="False" position="19">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3B022700" log="True" position="20">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id440D600617760" log="False" position="21">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id440D880417760" log="False" position="22">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B0226B6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="this rule should go only to the FORWARD chain but should still carry an &quot;-i eth&quot; clause" direction="Inbound" disabled="False" id="id474B57834682" log="False" position="23">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B02270C"/>
|
|
<ObjectRef ref="id3B02270A"/>
|
|
<ObjectRef ref="id3B0B57D2"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3B0226B6-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3B02270A" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3B02270A-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3B02270C" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3B02270C-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3B0B57D2" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id3B0B57D2-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id465D5AF12072" label="" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" comment="" id="id465D89B62072" name="firewall3:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<!-- NOTE(review): firewall3 is a compiler test object (see its comment attribute). The permissive option values below (accept_established=False, accept_new_tcp_with_no_syn=True, drop_invalid=False, log_all_dropped=False) exist to exercise rule generation, not as a recommended baseline; do not copy them into a production firewall definition. -->
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="this object is used to test a configuration where the firewall has a dynamic address" host_OS="linux24" id="id3B0C6380" inactive="False" lastCompiled="1188097179" lastInstalled="1142003872" lastModified="1184801731" name="firewall4" platform="iptables" ro="False" version="">
|
|
<NAT id="id3B0C6381">
|
|
<NATRule disabled="False" id="id3B0C6382" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3DECF530" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DECF4EB"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DECF6DA" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DECF622"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3B0C6390" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions>
|
|
<Option name="id"></Option>
|
|
</NATRuleOptions>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3DCA1BE7" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3B202AFF" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3E2529F3" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3B0C639E">
|
|
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Inbound" disabled="False" id="id3B0C63E3" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Anti-spoofing rule" direction="Outbound" disabled="False" id="id3B0C63EB" log="True" position="1">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B54F071" log="True" position="2">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3E49FEF2" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3B54C977" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B0C63E1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="OUTPUT" direction="Outbound" disabled="False" id="id469EDB0514508" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="INPUT" direction="Inbound" disabled="False" id="id469F02B014773" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="OUTPUT + FORWARD" direction="Outbound" disabled="False" id="id469FBE8914773" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="INPUT + FORWARD" direction="Inbound" disabled="False" id="id469FBE9A14773" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="OUTPUT + FORWARD" direction="Both" disabled="False" id="id469F609414773" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="INPUT + FORWARD" direction="Both" disabled="False" id="id46A04BD114773" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_expire">0</Option>
|
|
<Option name="hashlimit_gcinterval">0</Option>
|
|
<Option name="hashlimit_max">0</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_name"></Option>
|
|
<Option name="hashlimit_size">0</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id3B0C63B4" log="True" position="11">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="testing negation in the policy rule" direction="Both" disabled="False" id="id3B0C63A9" log="True" position="12">
|
|
<Src neg="True">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="testing negation in service field" direction="Both" disabled="False" id="id3B0C63BF" log="True" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id3D6864D0"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id45F8C4E113056" log="True" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id45F8C4E013056"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="should permit access to all addresses that belong to the firewall, but not to those that are used in NAT rules and are added as virtual addresses" direction="Both" disabled="False" id="id3E4DD6AD" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="True" id="id445880A67646" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="'masquerading' rule" direction="Both" disabled="False" id="id3B0C63CB" log="False" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E20A8E1" log="False" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3B0C6380"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3B0C63D5" log="True" position="19">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3B0C6380-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3B0C63DF" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3B0C63DF-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="True" id="id3B0C63E1" label="" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="0.0.0.0" id="id3B0C63E1-ipv4" name="address" netmask="0.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3B0C63F3" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id3B0C63F3-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3B0C63F5" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3B0C63F5-ipv4" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3CD88A77" label="" name="eth3" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="222.222.222.222" id="id3CD88A77-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<!-- Management settings for this firewall object. SNMP is disabled here but the read community still holds the well-known default "public" (write community empty); anyone reusing this object as a template should set a non-default read community before enabling SNMP. The fwbuilder daemon entry (FWBDManagement) is enabled on port 9999 with an empty identity attribute, and the policy install script is disabled — presumably fixture-only settings; confirm before deploying. -->
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<!-- Compiler and platform options for this iptables test firewall. The values are what this fixture asserts, not a recommended baseline; the options flagged below are the ones a defender would revisit when copying this object. -->
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<!-- NOTE(review): the option name suggests new TCP connections are accepted even without a SYN flag, which relaxes stateful inspection; confirm this is intentional for the test and not copied into a production template. -->
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<!-- NOTE(review): drop_invalid and log_invalid (below) are both False, so this fixture neither drops nor logs INVALID-state packets via these options. -->
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<!-- The linux24_* sysctl options below are all empty except tcp_fin_timeout and tcp_keepalive_interval. Empty presumably means "leave the host default" (rp_filter, tcp_syncookies, log_martians, accept_redirects, accept_source_route are therefore not set by this object); the empty linux24_path_* entries likewise leave tool paths to the compiler's defaults or PATH — verify in the generated script, since a root-run script should use absolute paths. -->
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<!-- Logging: log_all is off, log_all_dropped is on, level "debug", delivered via ULOG (use_ULOG=True, nlgroup 7, cprange 64). log_limit_value is 0, which presumably means no rate limit on log messages — confirm, as unlimited logging of dropped traffic is a log-flooding vector. -->
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">True</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">64</Option>
|
|
<Option name="ulog_nlgroup">7</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">True</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing firewall_is_part_of_any_and_networks; also testing SNAT and DNAT rules when the external interface has a dynamic address. Dynamic interface ppp0 has an address object attached to it (the interface used to be static and had an address, then was converted to dynamic, but the address object is still there). The compiler should ignore this address object and issue a warning." host_OS="linux24" id="id3B19BEE6" lastCompiled="1188097203" lastInstalled="1142003872" lastModified="1142003913" name="firewall5" platform="iptables" ro="False">
|
|
<NAT id="id3B19BEE7">
|
|
<NATRule disabled="False" id="id3CFD9EE2" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3B19BEE6"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3E8F5A17" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3CF5B9DB" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B19BEE6"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3B19BF04">
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3E4A05B9" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3E8F5B72" log="True" position="1">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E8F5B6F"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="hostF has the same IP address as the firewall." direction="Both" disabled="False" id="id3E4A0446" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E4A0454" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BEE6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3E4A0473" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF3A"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3E4A054C" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E986FF8" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3E987157" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3E9871F4" log="True" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains" direction="Both" disabled="False" id="id3B19C71F" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains" direction="Both" disabled="False" id="id3B19C72A" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains" direction="Both" disabled="False" id="id3E20A4AB" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3B19C5CA" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Automatically generated 'catch all' rule" direction="Both" disabled="False" id="id3B19BF30" log="True" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="id"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3B19BEE6-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id3B19BF3A" label="" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id3EF959F7" name="firewall5:ppp0(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3B19BF58" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3B19BF58-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3B19C51D" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id3B19C51D-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id3E8F5B6F" label="" mgmt="False" name="ppp1" security_level="0" unnum="False" unprotected="False"/>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="firewall protects host it is running on" host_OS="linux24" id="id3AF5A2BA" lastCompiled="1188097239" lastInstalled="1142003872" lastModified="0" name="host" platform="iptables" ro="False" version="">
|
|
<NAT id="id3AF5A2BD"/>
|
|
<Policy id="id3AF5A2BC">
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3BD8ECD0" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AF5A2CB"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="allow everything on loopback" direction="Inbound" disabled="False" id="id3AFB70C7" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB7090"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="allow everything on loopback" direction="Outbound" disabled="False" id="id3AFB70CF" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB7090"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3BD8ECC6" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3AFB7090"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="block fragments" direction="Both" disabled="True" id="id3AF5A74B" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="ip-IP_Fragments"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="True" id="id3AF5A73A" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="allow all outgoing connections" direction="Both" disabled="True" id="id3AF5A757" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3FBDC5E7" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3AF5A2BA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="'catch all' rule" direction="Both" disabled="False" id="id3AF5A762" log="True" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">50</Option>
|
|
<Option name="limit_suffix">/minute</Option>
|
|
<Option name="limit_value">10</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix">CATCH ALL RULE</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3AF5A2BA-routing"/>
|
|
<Interface bridgeport="False" dyn="False" id="id3AF5A2CB" name="eth0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3AF5A2CB-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3AFB7090" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3AFB7090-ipv4" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="127.0.0.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward">0</Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing a rule with the firewall in dst and negation; also testing &quot;Destination NAT Onto the Same Network&quot; per Tutorial chapter 3.5; also testing a rule with src=dst=firewall6 in the global policy (should use all interfaces including loopback)" host_OS="linux24" id="id3C698F1D" lastCompiled="1188097212" lastInstalled="1142003872" lastModified="1142003913" name="firewall6" platform="iptables" ro="False">
|
|
<NAT id="id3C698F1E">
|
|
<NATRule disabled="False" id="id3D5C25BE" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C699013"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3D5C25B0" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="this is an SDNAT rule: it translates both source and destination. This rule should be equivalent to the two rules above" disabled="False" id="id3E7949B6" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3BD6736B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C699013"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3E7951E3" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3C69901D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C699013"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3E7952DB" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3C69901D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3E795311" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
<ObjectRef ref="id3CD87A5E"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E9BC4A7" position="6">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id3E9BC536"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C699013"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3E9BC536"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3F9F8382" position="7">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3DECF4EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C699013"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3E9BC536"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E79538A" position="8">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E79539A" position="9">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3C698F9D">
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id3C699028" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69901D"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3C698FB2" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E9C86DD" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3C698F1D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="True" id="id3D84F6EA" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84F6D7"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3C698F1D-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3C699013" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3C699013-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3C69901D" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3C69901D-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3C699030" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" comment="" id="id3C699030-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3C699032" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3C699032-ipv4" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3C699034" name="eth3" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.23" id="id3C699034-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A %I</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing rules with broadcasts and multicasts and action-on-reject &quot;TCP reset&quot;; also testing rules used for a DHCP relay running on the firewall between interfaces eth0 and eth2" host_OS="linux24" id="id3C69BD4F" lastCompiled="1188097218" lastInstalled="1142003872" lastModified="1171611268" name="firewall7" platform="iptables" ro="False" version="">
|
|
<NAT id="id3C69BD50">
|
|
<NATRule comment="this is an incorrect rule which should be refused by the compiler" disabled="True" id="id3D6BE398" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3C69BD4F"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3C69BD51">
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3C69BDE1" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id3CFBE282" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id3D84EFA8" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id40236CDD" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40236C9A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Outbound" disabled="False" id="id40236B7B" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Outbound" disabled="False" id="id40236C30" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3C69BD68"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id40236C4D"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD68"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id40236C6E" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40236C4D"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3C69BD5C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3C69BD68"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3EC69DD5" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EC69DA8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="compiler should place rule in INPUT chain because this is broadcast destination" direction="Both" disabled="False" id="id3CFBE24A" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="compiler should place rule in INPUT chain because this is broadcast destination" direction="Both" disabled="False" id="id3C69BF13" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="compiler should place rule in INPUT chain because this is broadcast destination" direction="Both" disabled="False" id="id3F6D183C" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D17F4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D84EF2B" log="True" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D84EF36" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id418E8918" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id45D61A0A23626" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45D61A0923626"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id418E48F8" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3DC75CEC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3C69BD4F-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3C69BD5C" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3C69BD5C-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3C69BD5E" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3C69BD5E-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3C69BD68" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id3C69BD68-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3C69BD6A" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3C69BD6A-ipv4" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3C69BD6C" name="eth3" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.23" id="id3C69BD6C-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<!-- Management settings for this firewall. The address 192.168.1.1 is the eth0 address listed above, the only interface here marked mgmt="True". -->
<Management address="192.168.1.1">
|
|
<!-- SNMP is disabled, but the read community is still the well-known default "public"; set a non-default community before enabling SNMP. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- FWBD management is enabled on port 9999 with an empty identity string; what the daemon exposes on that port is not visible in this file. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<!-- No custom policy install script: command and arguments are empty and the hook is disabled. -->
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot; " host_OS="linux24" id="id3D0C1E6E" lastCompiled="1188097225" lastInstalled="1142003872" lastModified="0" name="firewall8" platform="iptables" ro="False">
|
|
<NAT id="id3D0C1E72"/>
|
|
<Policy id="id3D0C1E71"/>
|
|
<Routing id="id3D0C1E6E-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3D0C1E77" label="fw8:eth0" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="33.33.33.33" id="id3D0C1E77-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3D0C1E7A" label="fw8:eth1" mgmt="False" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="172.16.1.1" id="id3D0C1E7A-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3D0C1E7D" label="fw8:eth2" mgmt="True" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.100.1" id="id3D0C1E7D-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id3EE24D62" label="fw8:ppp0" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False"/>
|
|
<!-- Management settings for firewall8. The address 192.168.100.1 is the eth2 address listed above, the only interface of this firewall marked mgmt="True". -->
<Management address="192.168.100.1">
|
|
<!-- SNMP is disabled and both community strings are empty. -->
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<!-- FWBD management is enabled on port 9999 with an empty identity string; what the daemon exposes on that port is not visible in this file. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<!-- No custom policy install script: command and arguments are empty and the hook is disabled. -->
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing rules with action-on-reject &quot;TCP reset&quot; " host_OS="linux24" id="id3D4DF34B" lastCompiled="1188097232" lastInstalled="1142003872" lastModified="1142003913" name="firewall9" platform="iptables" ro="False">
|
|
<NAT id="id3D4DF34C"/>
|
|
<Policy id="id3D4DF34D">
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4DF362" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4DF36C" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" direction="Both" disabled="False" id="id3D4DF376" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4DF380" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4DF38A" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4DF394" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4DF39E" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4DF3A8" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4DF34B"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" direction="Both" disabled="False" id="id4144FF90" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id4144FFAE" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id41456B50" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id41456B75" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="tcp-FTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3D4DF34B-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3D4DF3B2" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3D4DF3B2-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3D4DF3C8" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3D4DF3C8-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3D4DF3CC" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3D4DF3CC-ipv4" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<!-- Management settings for firewall9. The address 192.168.1.1 is the eth0 address listed above, the only interface of this firewall marked mgmt="True". -->
<Management address="192.168.1.1">
|
|
<!-- SNMP is disabled, but the read community is still the well-known default "public"; set a non-default community before enabling SNMP. -->
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<!-- FWBD management is enabled on port 9999 with an empty identity string; what the daemon exposes on that port is not visible in this file. -->
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<!-- No custom policy install script: command and arguments are empty and the hook is disabled. -->
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A %I</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path">/bin:/usr/bin:/sbin:/usr/sbin</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing rules with action-on-reject &quot;TCP reset&quot;. In this firewall, unlike in firewall9, this option is set globally instead of being set in the rule options " host_OS="linux24" id="id3D4F0A55" inactive="False" lastCompiled="1188096940" lastInstalled="1142003872" lastModified="1169006607" name="firewall10" platform="iptables" ro="False" version="1.2.9">
|
|
<NAT id="id3D4F0A56"/>
|
|
<Policy id="id3D4F0A57">
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4F0A58" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">ICMP admin prohibited</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4F0A62" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-DNS"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" direction="Both" disabled="False" id="id3D4F0A6C" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B457567"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4F0A76" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4F0A80" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4F0A8A" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4F0A94" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" direction="Both" disabled="False" id="id3D4F0A9E" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D4F0A55"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3D4F0A55-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3D4F0AA8" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3D4F0AA8-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3D4F0AAA" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3D4F0AAA-ipv4" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3D4F0AAC" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3D4F0AAC-ipv4" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path">/bin:/usr/bin:/sbin:/usr/sbin</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. This is a BRIDGING FIREWALL. 'Firewall is part of any' is OFF. Interfaces eth0 and eth1 are parts of the bridge; interface eth2 is the external interface (doing NAT and routing on this interface); interface eth3 is connected to the protected network and is used to manage the firewall. This is a rather realistic configuration for a bridging firewall " host_OS="linux24" id="id3D94D4F8" inactive="False" lastCompiled="1188096947" lastInstalled="1142003872" lastModified="1171611400" name="firewall11" platform="iptables" ro="False" version="">
|
|
<NAT id="id3D94D4F9">
|
|
<NATRule disabled="True" id="id3E854D22" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E854D14" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3D94D4F8"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3D94D508">
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3D94D534" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id3D94D53E" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id3D94D548" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3E21FEC7" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id3E21FEE5" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3D94D531"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id41FCD477" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E21FC66"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3D94D509" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3D94D513" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id417B3655" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417B3641"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D94D51D" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3D94D527" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id45D6A3D223626" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45D61A0923626"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3E21FE50" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3E21FE32" log="True" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="this rule should generate commands in both INPUT and FORWARD chains because this is a bridging firewall see bug #811860" direction="Both" disabled="False" id="id3DD4BBC7" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D94D4F8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3F28B8DF" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D94D4F8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3F28B8EA" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F28B886"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing processor checkForUnnumbered" direction="Both" disabled="True" id="id3E854C89" log="False" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3D94D552"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id41FC8F4F" log="True" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id41FCB1DE" log="True" position="19">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3D94D4F8-routing"/>
|
|
<Interface bridgeport="False" comment="this interface is part of the bridge" dyn="False" id="id3D94D531" label="" mgmt="False" name="eth0" security_level="100" unnum="True" unprotected="False"/>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id3D94D552" label="" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id3D94D558" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3D94D559" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id3E21FC66" label="" mgmt="False" name="br0" security_level="100" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" comment="this interface has netmask 255.255.255.255, which is an error, but the compiler should handle it properly anyway. One typical mistake is to put rules that have the fw or its interface in DST into the FORWARD chain (it should be the INPUT chain). This is the management interface of the bridging fw. This interface is connected to the protected subnet. There may be another interface connected to the same subnet, but that interface would be a bridging interface and have no address. " dyn="False" id="id3F28B886" label="" mgmt="True" name="eth3" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="10.1.1.1" comment="" id="id3F28B88A" name="firewall11:eth3(ip)" netmask="255.255.255.255"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="this interface is also a part of the bridge" dyn="False" id="id3F77AFD4" label="" mgmt="False" name="eth1" security_level="100" unnum="True" unprotected="False"/>
|
|
<Management address="10.1.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">True</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="This firewall does not do NAT for addresses, but translates the port for a server " host_OS="linux24" id="id3DDDE6C3" lastCompiled="1188096954" lastInstalled="1142003872" lastModified="0" name="firewall12" platform="iptables" ro="False">
|
|
<NAT id="id3DDDE6C7">
|
|
<NATRule disabled="False" id="id3DDDE6D6" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE472C4" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DDDE6D3"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE47209" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DDDE6D1"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3DE3B872" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE3B9B2" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE66C32" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3DDDE6CE"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3ED59A8C" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3ED59B00" position="7">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3ED59BF0"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3ED59BF1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3ED59E9D" position="8">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3ED59BF0"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3ED59BF1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3ED59D48" position="9">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3DDDE6C3"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3DDDE6C6">
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3DDDE701" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3DDDE6F7" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3DDDE6C3-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3DDDE6CE" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3DDDE6D0" name="firewall12" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3DDDE6D1" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.22" id="id3DDDE6D3" name="firewall12" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="22.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="Testing the 'ignore empty groups' option (ignore_empty_groups is enabled in this firewall's options)" host_OS="linux24" id="id3DE68A18" lastCompiled="1188096961" lastInstalled="1142003872" lastModified="0" name="firewall13" platform="iptables" ro="False">
|
|
<NAT id="id3DE68A19">
|
|
<NATRule disabled="False" id="id3DE68AFA" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DE689FE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE68A18"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3C1A66EF"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE68B5B" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DE68A00"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE68A18"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3C1A66EF"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3DE68A6E">
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3DE68A6F" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DE68A00"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3DE68BA4" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3DE689FF"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3DE68A79" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3DE68A18-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3DE68A83" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3DE68A84" name="firewall12" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3DE68A86" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.22" id="id3DE68A87" name="firewall12" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="22.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="Special configuration with overlapping subnets on the external (eth1) and DMZ (eth2) interfaces; tests NAT rules, especially the choice of outbound interface for -o." host_OS="linux24" id="id3DE71215" lastCompiled="1188096967" lastInstalled="1142003872" lastModified="0" name="firewall14" platform="iptables" ro="False">
|
|
<NAT id="id3DE71216">
|
|
<NATRule disabled="False" id="id3DE71217" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE71282"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE71225" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE71282"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3DE7203A" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE7127F"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE720E6" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE7127D"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="Translated source is the eth1 interface object itself rather than one of its addresses; this rule probably does not make much sense" disabled="False" id="id3DE72150" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE71255"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE721CA" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE7223E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3DE7236A" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3DE71E90"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3DE722F1"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3DE71233"/>
|
|
<Routing id="id3DE71215-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3DE71252" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.22" comment="" id="id3DE71253" name="fe14:eth0" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3DE71255" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.22" comment="" id="id3DE71256" name="fw14:eth1:1" netmask="255.255.255.0"/>
|
|
<IPv4 address="22.22.23.160" comment="this address belongs to subnets of both interfaces - eth1 and eth2" id="id3DE71282" name="fw14:eth1:2" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3DE7127D" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.132" comment="this interface is on the subnet that overlaps with eth1" id="id3DE7127F" name="fw14:eth2" netmask="255.255.255.128"/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="Testing "Accept TCP sessions opened prior to firewall restart flag" in combination with "Assume firewall is part of any" - both flags are OFF here" host_OS="linux24" id="id3DE9128A" lastCompiled="1188096974" lastInstalled="1142003872" lastModified="0" name="firewall15" platform="iptables" ro="False">
|
|
<NAT id="id3DE9128B"/>
|
|
<Policy id="id3DE912E0">
|
|
<PolicyRule action="Accept" comment="option 'assume firewall is part of any' is off, but this rule, which is bound to the loopback interface (lo), should go into the INPUT/OUTPUT chains anyway" direction="Both" disabled="False" id="id3E587D17" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E587D10"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3DE912EB" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3DE9128A-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3DE912F5" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3DE912F6" name="firewall12" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3DE912F8" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.22" id="id3DE912F9" name="firewall12" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3E587D10" label="" mgmt="False" name="lo" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" comment="" id="id3E587D14" name="firewall15:lo(ip)" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="22.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="Testing translation from outside to the web server on the DMZ; need to see what happens when clients on the internal net connect to the NATted address of this server. This is a kind of &quot;NAT back to the same subnet&quot; with a twist. This firewall also has option &quot;local NAT&quot; enabled. NAT rules 0,2-7 should generate code in the OUTPUT and POSTROUTING chains." host_OS="linux24" id="id3E189481" lastCompiled="1188096980" lastInstalled="1142003872" lastModified="0" name="firewall16" platform="iptables" ro="False" version="">
|
|
<NAT id="id3E189482">
|
|
<NATRule comment="should generate code in both the PREROUTING and OUTPUT chains because option &quot;local NAT&quot; is enabled" disabled="False" id="id3E189483" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3E189491" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3E6988D3" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id418A3247" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id4188B45D" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894ED"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id4188B514" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894EE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3DDDE4E4"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="id3B5009F7"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id4188D4D7" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1894E9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id418A524D" position="7">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1894E9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id41860063" position="8">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894ED"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1894E9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id41873ACE" position="9">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894EE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1894EA"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id418933C7" position="10">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id418A527D" position="11">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E189481"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id418933E4" position="12">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894ED"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id418933D6" position="13">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3E1894EE"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3E1894E5">
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E1896E1" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3E1896D7" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3E189481-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3E1894E6" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.22" comment="" id="id3E1894E7" name="firewall16:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3E1894E9" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.22" comment="" id="id3E1894EA" name="firewall16:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3E1894ED" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" comment="this interface is on the subnet that overlaps with eth1" id="id3E1894EE" name="firewall16:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="doing SNAT with virtual addresses of two external interfaces" host_OS="linux24" id="id3E1C6B9C" lastCompiled="1188096987" lastInstalled="1142003872" lastModified="0" name="firewall17" platform="iptables" ro="False">
|
|
<NAT id="id3E1C6B9D">
|
|
<NATRule comment="compiler should add &quot;-o eth2&quot;" disabled="False" id="id3E1C6B9E" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1C6BFB"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="compiler should add &quot;-o eth2&quot;" disabled="False" id="id3E1C6D1F" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3E1C6BFC"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3E1C6BC8">
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id3E1C6BE3" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3E1C6B9C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3E1C6BE0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accounting" direction="Both" disabled="False" id="id3E5F1263" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting">rule0acct</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accounting" direction="Both" disabled="False" id="id3E5F126D" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting">rule1acct</Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accounting" comment="" direction="Both" disabled="False" id="id41FE52C8" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accounting" direction="Both" disabled="False" id="id41FA23E1" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CD87A53"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="id3CE719F3"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3E1C6BC9" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3E1C6B9C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3E1C6C13" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3E1C6B9C-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3E1C6BDD" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3E1C6BDE" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3E1C6BE0" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id3E1C6BE1" name="address" netmask="255.255.255.0"/>
|
|
<IPv4 address="33.33.33.33" comment="" id="id3E1C6BFB" name="firewall17:eth1(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3E1C6BEB" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" comment="" id="id3E1C6BEC" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3E1C6BEE" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3E1C6BEF" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3E1C6BF1" name="eth3" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.23" id="id3E1C6BF2" name="address" netmask="255.255.255.0"/>
|
|
<IPv4 address="44.44.44.44" comment="" id="id3E1C6BFC" name="firewall17:eth3(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on interface %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="this firewall translates outgoing connections using the address of the particular interface (not the external one). Also testing different combinations of objects in the policy rules on the loopback interface. Finally, testing a situation where a dynamic interface &quot;shades&quot; a rule with old broadcast" host_OS="linux24" id="id3EE4CB81" lastCompiled="1188096994" lastInstalled="1142003872" lastModified="1142003885" name="firewall18" platform="iptables" ro="False" version="">
|
|
<NAT id="id3EE4CB85">
|
|
<NATRule disabled="False" id="id3EE4CB98" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB81"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB8E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3EE4CBC6" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB81"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB90"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3EE4CBF2" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB8E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3EE4CC1D" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB90"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3EE4CCB5" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB81"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CC6E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3EE4CCDF" position="5">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CC6E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3EE4CEA6" position="6">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3EE4CB88"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EE4CC6E"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3EE4CB84">
|
|
<PolicyRule action="Deny" comment="using address range object 255.255.255.255-255.255.255.255 " direction="Both" disabled="False" id="id3EF40DDB" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EF40DD0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EE4CB8B"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3EF7F73E" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EE4CB91"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="anti-spoofing rule" direction="Inbound" disabled="False" id="id40D15498" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3EE4CB81"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EE4CD4C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="but old broadcast is permitted" direction="Inbound" disabled="False" id="id40D154A6" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40D153ED"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EE4CB81"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EE4CD4C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id40D153D9" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3EE4CB81-routing"/>
|
|
<Interface bridgeport="False" dyn="False" id="id3EE4CB88" label="" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="66.66.66.1" comment="" id="id3EE4CB8A" name="firewall18:eth2(ip)" netmask="255.255.255.128"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3EE4CB8B" label="" name="eth0" security_level="33" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3EE4CB8D" name="firewall18:eth0(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3EE4CB8E" label="" name="eth1" security_level="66" unnum="False" unprotected="False">
|
|
<IPv4 address="66.66.66.130" comment="" id="id3EE4CB90" name="firewall18:eth1(ip)" netmask="255.255.255.128"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3EE4CB91" label="" name="lo" security_level="99" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3EE4CB93" name="firewall18:lo(ip)" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id3EE4CD4C" label="" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False"/>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing different combinations of objects in the policy rules on the loopback interface" host_OS="linux24" id="id3EF7F809" lastCompiled="1188097001" lastInstalled="1142003872" lastModified="0" name="firewall19" platform="iptables" ro="False">
|
|
<NAT id="id3EF7F80A"/>
|
|
<Policy id="id3EF7F86D">
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3EF7F884" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EF7F809"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3EF7F9E2" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EF7F86E"/>
|
|
<ObjectRef ref="id3EF7F871"/>
|
|
<ObjectRef ref="id3EF7F87E"/>
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
<ObjectRef ref="id3EF7F8B0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3EF7F89C" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EF7F871"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3EF7F8A6" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id3EFB9E41" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix">/second</Option>
|
|
<Option name="limit_value">2</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" disabled="False" id="id3EFB9E5F" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id3EFBA6FE" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="tcp-TCP-SYN"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id40038F90" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id40038E79"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" comment="" disabled="False" id="id40038F1E" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id40038E79"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" disabled="False" id="id40038EB9" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id40038E79"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Reject" disabled="False" id="id4003B20A" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id4003B1AC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject">TCP RST</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id3F1A2791" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EF7F881"/>
|
|
<ObjectRef ref="id3EF7F87E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" disabled="False" id="id3EFB9E6D" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" disabled="True" id="id3F1B9CCE" log="True" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3F1B9C18"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3EF7F809-routing"/>
|
|
<Interface bridgeport="False" dyn="False" id="id3EF7F86E" label="" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="66.66.66.1" comment="" id="id3EF7F86F" name="firewall18:eth2(ip)" netmask="255.255.255.128"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3EF7F871" label="" name="eth0" security_level="33" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3EF7F872" name="firewall18:eth0(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3EF7F87E" label="" name="eth1" security_level="66" unnum="False" unprotected="False">
|
|
<IPv4 address="66.66.66.130" comment="" id="id3EF7F87F" name="firewall18:eth1(ip)" netmask="255.255.255.128"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3EF7F881" label="" name="lo" security_level="99" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3EF7F882" name="firewall18:lo(ip)" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id3EF7F8B0" label="" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False"/>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="Testing firewall_is_part_of_any_and_networks; also testing SNAT and DNAT rules when the external interface has a dynamic address. Dynamic interface ppp0 has an address object attached to it (the interface used to be static and had an address, then was converted to dynamic, but the address object is still there). The compiler should ignore this address object and issue a warning." host_OS="linux24" id="id3EFBC648" lastCompiled="1188097016" lastInstalled="1142003872" lastModified="1142003913" name="firewall20" platform="iptables" ro="False" version="">
|
|
<NAT id="id3EFBC649">
|
|
<NATRule disabled="False" id="id3EFBC64A" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EFBC648"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3EFBC658" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id3EFBC666" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3EFBC648"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3FADADE5" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3EFBC702"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3EFBC674">
|
|
<PolicyRule action="Deny" comment="ppp clients get addresses on 10.1.1.0" direction="Inbound" disabled="False" id="id3EFBC6F4" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="ppp clients can not connect to the firewall" direction="Inbound" disabled="False" id="id3EFBCAFF" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id3EFBCBA3" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EFBC648"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="ppp clients can only connect to the mail server and web proxy on DMZ" direction="Inbound" disabled="False" id="id3EFBCB1F" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="ppp clients can not connect to anything else on DMZ and internal net" direction="Inbound" disabled="False" id="id3EFBCB6C" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id433C890013970" log="False" position="5">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B665643"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id3EFBCACB" log="True" position="6">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3EFBC702"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="hostF has the same IP address as the firewall." direction="Both" disabled="False" id="id3EFBC675" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3EFBC67F" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EFBC648"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3EFBC689" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3EFBC6F1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3EFBC693" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3EFBC69D" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3EFBC6A8" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3EFBC6B3" log="True" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains" direction="Both" disabled="False" id="id3EFBC6BE" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains" direction="Both" disabled="False" id="id3EFBC6C8" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains" direction="Both" disabled="False" id="id3EFBC6D2" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3EFBC6DC" log="False" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Automatically generated 'catch all' rule" direction="Both" disabled="False" id="id3EFBC6E7" log="True" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="id"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3EFBC648-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id3EFBC6F1" label="" mgmt="False" name="ppp*" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id3EFBC6F2" name="firewall5:ppp0(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3EFBC6FF" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3EFBC700" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id3EFBC702" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id3EFBC703" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="two dynamic interfaces in the same policy or NAT rule " host_OS="linux24" id="id3F29FAAD" lastCompiled="1188097023" lastInstalled="1142003872" lastModified="0" name="firewall21" platform="iptables" ro="False">
|
|
<NAT id="id3F29FAAE">
|
|
<NATRule disabled="False" id="id3F2A008C" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
<ObjectRef ref="id3F29FAF7"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3F29FACB">
|
|
<PolicyRule action="Accept" direction="Outbound" disabled="False" id="id414F492F" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id3F29FAEA" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
<ObjectRef ref="id3F29FAF7"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id3FFA5833" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D17F4"/>
|
|
<ObjectRef ref="id3F29FAF4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" disabled="False" id="id3F29FAE0" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3F29FAAD-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id3F29FAF4" label="" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id3F29FAF7" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id3F29FB06" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3F29FB07" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3F29FB90" label="" mgmt="True" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.100" comment="" id="id3F29FB92" name="firewall21:eth2(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on interface %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing NAT rules using custom services " host_OS="linux24" id="id3FADB89A" lastCompiled="1188097029" lastInstalled="1142003872" lastModified="1142003913" name="firewall22" platform="iptables" ro="False" version="1.2.9">
|
|
<NAT id="id3FADB89B">
|
|
<NATRule disabled="False" id="id3FADBAA3" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3FADE3CC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3FADB89A"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3FADBAC2" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id3FADB98B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3FADE3CC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id3FADBAD4" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id3FADE3CC"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3FADB98B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id3FADB8D4">
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id3FADB98E" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FADB98B"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" disabled="False" id="id3FADB947" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="id"></Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level">error</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="ulog_nlgroup">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3FADB89A-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3FADB988" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id3FADB989" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id3FADB98B" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id3FADB98C" name="address" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">False</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="This is a BRIDGING FIREWALL" host_OS="linux24" id="id3FB32E8E" lastCompiled="1188097036" lastInstalled="1142003872" lastModified="1142003859" name="firewall23" platform="iptables" ro="False">
|
|
<NAT id="id3FB32E8F"/>
|
|
<Policy id="id3FB32EAC">
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3FB33184" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3FB32E8E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id402A6DCC" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3FB32F15" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id3FB32F1F" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id3FB32F29" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3FB32F33" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id3FB32F3D" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3FB32EAD" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3FB32EB7" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3FB32EC2" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3FB32ECD" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id3FB32ED7" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id3FB32EE1" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="this rule should generate commands in both INPUT and FORWARD chains because this is a bridging firewall; see bug #811860" direction="Both" disabled="False" id="id3FB32EEB" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3FB32E8E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id3FB32EF5" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3FB32E8E"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="interface of another firewall (firewall11). Why do we need to test for this?" direction="Both" disabled="False" id="id3FB32EFF" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F28B886"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing processor checkForUnnumbered" direction="Both" disabled="True" id="id3FB32F09" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3FB32F13"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id3FB32E8E-routing"/>
|
|
<Interface bridgeport="False" comment="this interface is part of the bridge" dyn="False" id="id3FB32F13" label="" mgmt="False" name="eth*" security_level="100" unnum="True" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id3FB32F49" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id3FB32F4A" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="c" dyn="False" id="id3FB32F4C" label="" mgmt="False" name="br0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id3FB331CD" name="firewall23:br0(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">True</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing rules on unnumbered interface tun*" host_OS="linux24" id="id402B23A8" lastCompiled="1188097050" lastInstalled="1142003872" lastModified="0" name="firewall24" platform="iptables" ro="False">
|
|
<NAT id="id402B23A9"/>
|
|
<Policy id="id402B23AA">
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id402B2413" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id402B23A8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id402B241D" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Outbound" disabled="False" id="id402B268E" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id402B269C" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id403B9475" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id402B2427" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id402B2431" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id402B243B" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id402B2445" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id402B244F" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id402B23AB" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id402B23B5" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id417C304A" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417B3641"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id402B23C0" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id402B23CB" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id402B23D5" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" disabled="False" id="id402B23DF" log="True" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id402B23E9" log="False" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id402B23A8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id402B23F3" log="False" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id402B23A8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id402B23FD" log="False" position="19">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id402B245C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing processor checkForUnnumbered" disabled="True" id="id402B2407" log="False" position="20">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id402B2411"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id402B23A8-routing"/>
|
|
<Interface bridgeport="False" comment="this interface is part of the bridge" dyn="False" id="id402B2411" label="" mgmt="False" name="tun*" security_level="100" unnum="True" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id402B2459" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id402B245A" name="address" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id402B245C" label="" mgmt="False" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id402B245D" name="firewall23:eth0(ip)" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="This is an example of a firewall protecting a host (a server or a workstation). Only SSH access to the host is permitted. The host has a dynamic address." host_OS="linux24" id="id41528C2C" lastCompiled="1188097246" lastInstalled="1142003872" lastModified="0" name="rh90" platform="iptables" ro="False" version="">
|
|
<NAT id="id41528C52"/>
|
|
<Policy id="id41528C31">
|
|
<PolicyRule action="Deny" comment="anti spoofing rule" direction="Inbound" disabled="False" id="id41528C60" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id41528C2C"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41528C53"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id41528C78" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41528C6A"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="SSH Access to the host; useful ICMP types; ping request" direction="Both" disabled="False" id="id41528C32" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id41528C2C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="sg-Useful_ICMP"/>
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id41528C3E" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id41528C2C"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id41528C48" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id41528C2C-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id41528C53" label="outside" mgmt="True" name="eth0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="10.3.14.58" comment="" id="id41528C88" name="rh90:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id41528C6A" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" comment="" id="id41528C82" name="rh90:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="activation">
|
|
|
|
|
|
echo '%FWBPROMPT%';
|
|
cat > %FWDIR%/%FWSCRIPT%;
|
|
|
|
|
|
|
|
|
|
echo '%FWBPROMPT%'; chmod +x %FWDIR%/%FWSCRIPT%; sudo -S %FWDIR%/%FWSCRIPT%; sudo -S ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
|
|
|
|
|
|
echo '%FWBPROMPT%'; chmod +x %FWDIR%/%FWSCRIPT%; sudo -S %FWDIR%/%FWSCRIPT%; sudo -S ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
|
|
|
|
|
|
|
|
|
|
|
|
echo '%FWBPROMPT%'; chmod +x /tmp/%FWSCRIPT%; sudo -S /sbin/shutdown -r +%RBTIMEOUT%; sudo -S /tmp/%FWSCRIPT%
|
|
|
|
|
|
echo '%FWBPROMPT%'; chmod +x /tmp/%FWSCRIPT%; sudo -S /tmp/%FWSCRIPT%
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo '%FWBPROMPT%';
|
|
cat > %FWDIR%/%FWSCRIPT%;
|
|
|
|
|
|
|
|
|
|
echo '%FWBPROMPT%'; sh %FWDIR%/%FWSCRIPT%; ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
|
|
|
|
|
|
echo '%FWBPROMPT%'; sh %FWDIR%/%FWSCRIPT%; ps ax|awk '/shutdown/ {printf "kill %d\n",$1;}'|sh
|
|
|
|
|
|
|
|
|
|
|
|
echo '%FWBPROMPT%'; /sbin/shutdown -r +%RBTIMEOUT%; sh /tmp/%FWSCRIPT%
|
|
|
|
|
|
echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
|
|
|
|
|
|
|
|
|
</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="fwdir">/etc/fw</Option>
|
|
<Option name="fwdir_test">/tmp</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="timeout_units">sec</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="this firewall uses iptables-restore format. The firewall has a wildcard interface ppp*; the script is generated dynamically and then piped to iptables-restore" host_OS="linux24" id="id417C680B" lastCompiled="1188097057" lastInstalled="1142003872" lastModified="1142003913" name="firewall25" platform="iptables" ro="False" version="">
|
|
<NAT id="id417C688D">
|
|
<NATRule disabled="False" id="id417C688E" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id417C680B"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id417C689C" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id417C68AA" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id417C680B"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id417C68B8" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id417C6938"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id417C6810">
|
|
<PolicyRule action="Deny" comment="ppp clients get addresses on 10.1.1.0" direction="Inbound" disabled="False" id="id417C68FE" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="ppp clients can not connect to the firewall" direction="Inbound" disabled="False" id="id417C6908" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id417C6912" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417C680B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="ppp clients can only connect to the mail server and web proxy on DMZ" direction="Inbound" disabled="False" id="id417C691C" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="ppp clients can not connect to anything else on DMZ and internal net" direction="Inbound" disabled="False" id="id417C6927" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id417C6946" log="True" position="5">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id417C6938"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="hostF has the same IP address as the firewall." disabled="False" id="id417C6811" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id417C681B" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417C680B"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id417C6825" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id417C68C6"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id417C682F" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id417C6839" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id417C6844" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id417C684F" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains" disabled="False" id="id417C685A" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains" disabled="False" id="id417C6864" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains" disabled="False" id="id417C686E" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id417C6878" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Automatically generated 'catch all' rule" disabled="False" id="id417C6883" log="True" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="id"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id417C680B-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id417C68C6" label="" mgmt="False" name="ppp*" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id417C6932" name="firewall25:ppp*:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id417C6933" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id417C6937" name="firewall25:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id417C6938" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id417C6950" name="firewall25:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.1</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="this firewall uses iptables-restore format. One interface has a dynamic address; the script uses echo to generate iptables commands and then pipes them to iptables-restore" host_OS="linux24" id="id418C4609" lastCompiled="1188097064" lastInstalled="1142003872" lastModified="1142003913" name="firewall26" platform="iptables" ro="False" version="">
|
|
<NAT id="id418C468B">
|
|
<NATRule disabled="False" id="id418C468C" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id418C4609"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id418C469A" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id418C46A8" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id418C4609"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id418C46B6" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id418C4736"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id418C460E">
|
|
<PolicyRule action="Deny" comment="ppp clients get addresses on 10.1.1.0" direction="Inbound" disabled="False" id="id418C46FC" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="ppp clients can not connect to the firewall" direction="Inbound" disabled="False" id="id418C4706" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id418C4710" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id418C4609"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="ppp clients can only connect to the mail server and web proxy on DMZ" direction="Inbound" disabled="False" id="id418C471A" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="ppp clients can not connect to anything else on DMZ and internal net" direction="Inbound" disabled="False" id="id418C4725" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id418C4744" log="True" position="5">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id418C4736"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="hostF has the same IP address as the firewall." disabled="False" id="id418C460F" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id418C4619" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id418C4609"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id418C4623" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id418C46C4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id418C462D" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id418C4637" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id418C4642" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id418C464D" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains" disabled="False" id="id418C4658" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains" disabled="False" id="id418C4662" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains" disabled="False" id="id418C466C" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id418C4676" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Automatically generated 'catch all' rule" disabled="False" id="id418C4681" log="True" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="id"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id418C4609-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id418C46C4" label="" mgmt="False" name="ppp" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id418C4731" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id418C4735" name="firewall26:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id418C4736" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id418C474E" name="firewall26:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.1</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="this firewall uses iptables-restore format. All interfaces have static addresses; the script pipes iptables commands straight to iptables-restore" host_OS="linux24" id="id4183D041" lastCompiled="1188097071" lastInstalled="1142003872" lastModified="1142003913" name="firewall27" platform="iptables" ro="False" version="">
|
|
<NAT id="id4183D0C3">
|
|
<NATRule disabled="False" id="id4183D0C4" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4183D041"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id4183D0D2" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id4183D0E0" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4183D041"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id4183D0EE" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4183D16C"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id4183D046">
|
|
<PolicyRule action="Deny" comment="ppp clients get addresses on 10.1.1.0" direction="Inbound" disabled="False" id="id4183D133" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="ppp clients can not connect to the firewall" direction="Inbound" disabled="False" id="id4183D13D" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id4183D147" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4183D041"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="ppp clients can only connect to the mail server and web proxy on DMZ" direction="Inbound" disabled="False" id="id4183D151" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="ppp clients can not connect to anything else on DMZ and internal net" direction="Inbound" disabled="False" id="id4183D15C" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id4183D17A" log="True" position="5">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4183D16C"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="hostF has the same IP address as the firewall." disabled="False" id="id4183D047" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id4183D051" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4183D041"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id4183D05B" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4183D0FC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id4183D065" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id4183D06F" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id4183D07A" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id4183D085" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains" disabled="False" id="id4183D090" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains" disabled="False" id="id4183D09A" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains" disabled="False" id="id4183D0A4" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id4183D0AE" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Automatically generated 'catch all' rule" disabled="False" id="id4183D0B9" log="True" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="id"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id4183D041-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id4183D0FC" label="" mgmt="False" name="ppp" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.0.2.1" comment="" id="id4183D18A" name="firewall27:ppp:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id4183D167" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id4183D16B" name="firewall27:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id4183D16C" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id4183D184" name="firewall27:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">False</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">True</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr">192.168.1.1</Option>
|
|
<Option name="mgmt_ssh">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment=" " host_OS="linux24" id="id419DC88E" lastCompiled="1142003872" lastInstalled="1142003872" lastModified="0" name="firewall28" platform="iptables" ro="False" version="">
|
|
<NAT id="id419DC8B2">
|
|
<NATRule comment="" disabled="False" id="id419DC8C1" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id419DC8D4"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id419DC893">
|
|
<PolicyRule action="Accept" comment="this rule should shadow rule #1 because it uses IPService object with protocol 0" disabled="False" id="id419DC894" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id419D6869"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" disabled="False" id="id419E8B1F" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id419DC89E" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" disabled="False" id="id419DC8A8" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id419DC88E-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id419DC8CF" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.0" comment="" id="id419DC8D3" name="firewall28:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id419DC8D4" label="" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.22" id="id419DC8D8" name="firewall28:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="22.22.22.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="two dynamic interfaces in the same policy or NAT rule. Interfaces have a dot in their names " host_OS="linux24" id="id41D2945B" lastCompiled="1188097084" lastInstalled="1142003872" lastModified="0" name="firewall29" platform="iptables" ro="False" version="">
|
|
<NAT id="id41D29482">
|
|
<NATRule disabled="False" id="id41D29483" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id41D29492"/>
|
|
<ObjectRef ref="id41D294A9"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id41D29460">
|
|
<PolicyRule action="Accept" direction="Outbound" disabled="False" id="id41D2949F" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id41D29492"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29492"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id41D29461" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id41D29492"/>
|
|
<ObjectRef ref="id41D294A9"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id41D2946D" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D17F4"/>
|
|
<ObjectRef ref="id41D29492"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" disabled="False" id="id41D29478" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id41D2945B-routing"/>
|
|
<Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id41D29492" label="" mgmt="False" name="eth0.200" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id41D294A9" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id41D294AC" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id41D294B0" name="firewall29:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id41D294B1" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.100" comment="" id="id41D294B5" name="firewall29:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on interface %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing shading of rules using MAC addresses" host_OS="linux24" id="id41F62B80" lastCompiled="1188097099" lastInstalled="1142003872" lastModified="0" name="firewall30" platform="iptables" ro="False" version="">
|
|
<NAT id="id41F62BA4"/>
|
|
<Policy id="id41F62B85">
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id41F62B86" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E2-pa"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id41F62B90" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3BF1B3E8-pa"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id41F62B9A" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id41F62B80-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id41F62C34" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id41F62C38" name="firewall30:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id41F62C39" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id41F62C51" name="firewall30:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id41F62C57" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id41F62C5B" name="firewall30:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A %I</Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="used to test time matching rules" host_OS="linux24" id="id429910D5" lastCompiled="1188097105" lastInstalled="1142003872" lastModified="0" name="firewall31" platform="iptables" ro="False" version="">
|
|
<NAT id="id429910DB"/>
|
|
<Policy id="id429910DA">
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4299E22F" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="id3C63479C"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4299E223" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-afterhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id429910F3" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-weekends"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4299E253" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="int-workhours"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4299E23B" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="int-weekends"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4299E247" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="True">
|
|
<IntervalRef ref="id3C63479C"/>
|
|
<IntervalRef ref="id3C63479E"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id429910FD" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id429910D5-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id429910DC" label="" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="33.33.33.33" id="id429910E0" name="firewall31:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id429910E1" label="" mgmt="False" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id429910E5" name="firewall31:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id429910EB" label="" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False"/>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing AddressTable" host_OS="linux24" id="id43868A331434" lastCompiled="1188097112" lastInstalled="1142003872" lastModified="0" name="firewall32" platform="iptables" ro="False" version="">
|
|
<NAT id="id43868A6D1434">
|
|
<NATRule disabled="False" id="id43868A6E1434" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43868A7F1434"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id43868A391434">
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id43868A461434" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id43868A7F1434"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43868A7F1434"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4386CE421434" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4385C1081434"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43868A541434" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F6D17F4"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sg-DHCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id43868A611434" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id43868A7D1434"/>
|
|
<Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id43868A7F1434" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id43868A801434" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id43868A821434" name="firewall32:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43868A831434" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.100" comment="" id="id43868A851434" name="firewall32:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing DNSName object" host_OS="linux24" id="id43867C1018346" lastCompiled="1188097121" lastInstalled="1142003872" lastModified="0" name="firewall33" platform="iptables" ro="False" version="">
|
|
<NAT id="id43867C4818346">
|
|
<NATRule disabled="False" id="id43867C4918346" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id43876E2618346" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id43876E5218346" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id43876E6918346" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id43876E7B18346" position="4">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id43867C1618346">
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id43867C1718346" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43867C5818346"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43867C2418346" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43869E9018346" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43869E9E18346" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8E18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43869EAA18346" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43869E8F18346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4386E38318346" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4386E37718346" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43867C3018346" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8E18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4386C10D18346" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8F18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id438728A918346" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
<ObjectRef ref="id4387287918346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id438728BA18346" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8D18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id438728CD18346" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id43869E8C18346"/>
|
|
<ObjectRef ref="id4387287A18346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id43867C3C18346" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id43867C5718346"/>
|
|
<Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id43867C5818346" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id43867C5918346" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id43867C5B18346" name="firewall33:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43867C5C18346" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.100" comment="" id="id43867C5E18346" name="firewall33:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing AddressTable object" host_OS="linux24" id="id4389EDAE18346" inactive="False" lastCompiled="1188097128" lastInstalled="1142003872" lastModified="1167289689" name="firewall34" platform="iptables" ro="False" version="">
|
|
<NAT id="id4389EE4818346">
|
|
<NATRule disabled="False" id="id4389EEB018346" position="0">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id43913DCB25682"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id43891B6E674" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id43913DEA25682"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id4389EDB418346">
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4389EDB518346" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4388CFEA674" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4390C25825682" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4390C25525682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4389EDC118346" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id43920D5025682" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4388CFF8674" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4388C36F674" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id4388F5A9674" log="False" position="7">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id4392312525682" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE8418346"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4389EEA118346" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id43913DCB25682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4389EDCD18346" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43913DEA25682"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4389EE3C18346" log="True" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="using address table object with no addresses" direction="Both" disabled="False" id="id459673BF7794" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id459673BE7794"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="using address table object with no addresses" direction="Both" disabled="False" id="id45969FDB7794" log="True" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id45969FEC7794"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="using connlimit option. Connlimit is only valid in combination with &quot;-p tcp -m tcp&quot;, so this rule deliberately uses a TCP service (tcp-SMTP)" direction="Both" disabled="False" id="id45948F957794" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43913DEA25682"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">2</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id4389EE8318346"/>
|
|
<Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id4389EE8418346" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id4389EE8518346" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id4389EE8718346" name="firewall34:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id4389EE8818346" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.100" comment="" id="id4389EE8A18346" name="firewall34:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing AddressTable objects like firewall34, but with use_iptables_restore enabled so the generated script uses the iptables-restore format" host_OS="linux24" id="id439254F225682" lastCompiled="1188097135" lastInstalled="1142003872" lastModified="0" name="firewall35" platform="iptables" ro="False" version="">
|
|
<NAT id="id4392558E25682">
|
|
<NATRule disabled="False" id="id4392558F25682" position="0">
|
|
<OSrc neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="id439255AC25682"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id43913DCB25682"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id4392559D25682" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id43913DEA25682"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id439255AC25682"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id439254F825682">
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id439254F925682" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9018346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4392550525682" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4392551125682" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4390C25525682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4392551D25682" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id4392552A25682" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id439255AC25682"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4392553725682" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4392554325682" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id4392555025682" log="False" position="7">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id4392555D25682" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id439255AC25682"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id4389EE9118346"/>
|
|
<ObjectRef ref="id4388C37D674"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4392556A25682" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id43913DCB25682"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4392557625682" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43913DEA25682"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4392558225682" log="True" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id439255AB25682"/>
|
|
<Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id439255AC25682" label="" mgmt="False" name="eth0.100" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id439255AD25682" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id439255AF25682" name="firewall35:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id439255B025682" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.100" comment="" id="id439255B225682" name="firewall35:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.100">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix">RULE %N -- %A on %I </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing routing rules - both actual routing (the Routing rule set) and policy rules using the iptables ROUTE target. Note: the ROUTE rules use 1.2.3.4 as a test gateway (one of them with ipt_tee, which duplicates matched packets to that gateway); this is not an RFC 5737 documentation address, so replace it before reusing this configuration." host_OS="linux24" id="id43A2BF7416451" inactive="False" lastCompiled="1188097142" lastInstalled="1142003872" lastModified="1150347820" name="firewall36" platform="iptables" ro="False" version="">
|
|
<NAT id="id43A2C00E16451">
|
|
<NATRule comment="Translate source address for outgoing connections" disabled="False" id="id43A2C01D16451" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43A2C03B16451"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id43A2BF7A16451">
|
|
<PolicyRule action="Accept" comment="This permits access from internal net to the Internet and DMZ" direction="Both" disabled="False" id="id43A2BFF616451" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Route" direction="Both" disabled="False" id="id44925B5F24380" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth1</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Route" direction="Both" disabled="False" id="id44925B6C24380" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth1</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Route" direction="Both" disabled="False" id="id44925B7924380" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw">1.2.3.4</Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Route" direction="Both" disabled="False" id="id4492843F24380" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3C20EEB5"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif">eth1</Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Route" direction="Both" disabled="False" id="id4492844C24380" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3AEDBE6E"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw">1.2.3.4</Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">True</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id43A4EC5216451" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id43A2C03A16451">
|
|
<RoutingRule disabled="False" id="id43A3790B16451" metric="0" position="0">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id43A2C03B16451"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
<RoutingRule disabled="False" id="id43A3791416451" metric="0" position="1">
|
|
<RDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RDst>
|
|
<RGtw neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</RGtw>
|
|
<RItf neg="False">
|
|
<ObjectRef ref="id43A2C04416451"/>
|
|
</RItf>
|
|
<RoutingRuleOptions/>
|
|
</RoutingRule>
|
|
</Routing>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43A2C03B16451" label="" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.0.2.1" comment="This is a test address, change it to your real one" id="id43A2C03D16451" name="firewall36:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43A2C03E16451" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id43A2C04016451" name="firewall36:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43A2C04116451" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" comment="" id="id43A2C04316451" name="firewall36:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43A2C04416451" label="" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.0.100.1" comment="" id="id43A2C04616451" name="firewall36:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing TAG and CLASSIFY rules in normal script mode (not using iptables-restore)" host_OS="linux24" id="id43BB80919745" inactive="False" lastCompiled="1188097149" lastInstalled="1142003872" lastModified="1181059092" name="firewall37" platform="iptables" ro="False" version="">
|
|
<NAT id="id43BB80B09745">
|
|
<NATRule comment="" disabled="False" id="id43BB814D9745" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id43BB80919745"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id43BB80979745">
|
|
<PolicyRule action="Tag" direction="Both" disabled="False" id="id43BBA6A09745" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Both" disabled="False" id="id43BBA6C49745" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Both" disabled="False" id="id43BBCC139745" log="True" position="2">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Both" disabled="False" id="id4665E24F7765" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Inbound" disabled="False" id="id43BBCC3D9745" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Outbound" disabled="False" id="id459E471C10946" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="using CONNMARK" direction="Both" disabled="False" id="id4483A4BD1810" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="using CONNMARK" direction="Both" disabled="False" id="id4483A4CE1810" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="using CONNMARK" direction="Both" disabled="False" id="id4483A4DF1810" log="True" position="8">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="using CONNMARK" direction="Inbound" disabled="False" id="id4483A4F01810" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="using CONNMARK" direction="Outbound" disabled="False" id="id459E472D10946" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C08B5A</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Pipe" direction="Both" disabled="False" id="id43BB80989745" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" direction="Both" disabled="False" id="id43BB81879745" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="" direction="Both" disabled="False" id="id451E2B486383" log="True" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="" direction="Both" disabled="False" id="id451E56936383" log="False" position="14">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="" direction="Both" disabled="False" id="id451E56A46383" log="True" position="15">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="" direction="Both" disabled="False" id="id451EAD596383" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="" direction="Both" disabled="False" id="id451EAD6A6383" log="True" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="" direction="Both" disabled="False" id="id451ED8E76383" log="False" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="" direction="Both" disabled="False" id="id451ED8F86383" log="True" position="19">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="True">
|
|
<ObjectRef ref="id43BB817C9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="testing for bug #1618381: the Classify action is non-terminating in this firewall object" direction="Both" disabled="False" id="id4599A9DC19324" log="False" position="20">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="second rule for bug #1618381" direction="Both" disabled="False" id="id4599A9E919324" log="False" position="21">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB81799745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="testing for bug #1618381" direction="Both" disabled="False" id="id459A026219324" log="False" position="22">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="testing for bug #1618381" direction="Both" disabled="False" id="id459A5AFB19324" log="False" position="23">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="bug #1618381: this rule uses multiport and therefore has to be split" direction="Both" disabled="False" id="id459A875F19324" log="False" position="24">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id41D0F023"/>
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BB81799745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Custom" comment="" direction="Both" disabled="False" id="id43F46B8A28368" log="False" position="25">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id43BB80A49745" log="True" position="26">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id43BB81789745"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43BB81799745" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.22" comment="" id="id43BB817B9745" name="firewall37:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43BB817C9745" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.22" comment="" id="id43BB817E9745" name="firewall37:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43BB817F9745" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" comment="this interface is on the subnet that overlaps with eth1" id="id43BB81819745" name="firewall37:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing TAG rules using iptables-restore " host_OS="linux24" id="id43BBF18E9745" lastCompiled="1188097164" lastInstalled="1142003872" lastModified="1177392195" name="firewall38" platform="iptables" ro="False" version="">
|
|
<NAT id="id43BBF1E99745">
|
|
<NATRule comment="" disabled="False" id="id43BBF1EA9745" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id43BBF18E9745"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id43EC8B962279" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id43BBF1949745">
|
|
<PolicyRule action="Tag" direction="Both" disabled="False" id="id43BBF1959745" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Both" disabled="False" id="id43BBF1A19745" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Both" disabled="False" id="id43BBF1AD9745" log="True" position="2">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Inbound" disabled="False" id="id43BBF1B99745" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" direction="Both" disabled="False" id="id462DEFE630547" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BBF18E9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">2</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" direction="Both" disabled="False" id="id462E1E0230547" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">2</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Outbound" disabled="False" id="id462E4C2A30547" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">2</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Inbound" disabled="False" id="id462E4C3B30547" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">2</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="" direction="Outbound" disabled="False" id="id462EA8B230547" log="False" position="8">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id43BBF1FD9745"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">2</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43EC876732486" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id43EC878C32486" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id43EC879D32486" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id43EC87C832486" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="True">
|
|
<ServiceRef ref="id43EC877332486"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Pipe" direction="Both" disabled="False" id="id43BBF1C59745" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id43BBF1D19745" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id43BBF1DD9745" log="True" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id43BBF1F99745"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43BBF1FA9745" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.22" comment="" id="id43BBF1FC9745" name="firewall38:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43BBF1FD9745" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.22" comment="" id="id43BBF1FF9745" name="firewall38:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id43BBF2009745" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" comment="this interface is on the subnet that overlaps with eth1" id="id43BBF2029745" name="firewall38:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">True</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment=" This is a BRIDGING FIREWALL; testing the physdev module " host_OS="linux24" id="id440C055614846" lastCompiled="1188097043" lastInstalled="1142003872" lastModified="1163136879" name="firewall23-1" platform="iptables" ro="False" version="1.3.0">
|
|
<NAT id="id440C062B14846"/>
|
|
<Policy id="id440C055C14846">
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id440C055D14846" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id440C055614846"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id440C056914846" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id45546A9B30629" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing for bug 1593221" direction="Inbound" disabled="False" id="id45546AAE30629" log="True" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B4572AF"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id440C057514846" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id440C058114846" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id440C058D14846" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id440C059914846" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Outbound" disabled="False" id="id440C065A14846" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id440C05A514846" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="" direction="Outbound" disabled="False" id="id440C2D7814846" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="" direction="Outbound" disabled="False" id="id440C2DA414846" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C063914846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">2:12</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="" direction="Outbound" disabled="False" id="id451CBF6532306" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:12</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id440C05B114846" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id440C05BD14846" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id440C05CA14846" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
<ObjectRef ref="host-hostB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id440C05D714846" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D84EEC8"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id440C05E314846" log="False" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id440C05EF14846" log="True" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="this rule should generate commands in both INPUT and FORWARD chains because this is a bridging firewall; see bug #811860" direction="Both" disabled="False" id="id440C05FB14846" log="False" position="19">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id440C055614846"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id440C060714846" log="False" position="20">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id440C055614846"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="interface of another firewall (firewall11). Why do we need to test for this?" direction="Both" disabled="False" id="id440C061314846" log="False" position="21">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3F28B886"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="testing processor checkForUnnumbered" direction="Both" disabled="True" id="id440C061F14846" log="False" position="22">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id440C062D14846"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id440C062C14846"/>
|
|
<Interface bridgeport="True" comment="this interface is part of the bridge" dyn="False" id="id440C062D14846" label="" mgmt="False" name="eth2" security_level="100" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id440C062E14846" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id440C063014846" name="firewall23-1:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id440C063114846" label="" mgmt="False" name="br0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id440C063314846" name="firewall23-1:br0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="True" comment="" dyn="False" id="id440C063914846" label="" mgmt="False" name="eth3" security_level="100" unnum="False" unprotected="False"/>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="bridging_fw">True</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing branching rules in normal script mode (not using iptables-restore)" host_OS="linux24" id="id445DA2F330753" inactive="False" lastCompiled="1188097172" lastInstalled="1146967632" lastModified="1179372131" name="firewall39" platform="iptables" ro="False" version="">
|
|
<NAT id="id445DA35A30753">
|
|
<NATRule comment="" disabled="False" id="id445DA35B30753" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id445DA2F330753"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id445DA2F930753">
|
|
<PolicyRule action="Branch" direction="Both" disabled="False" id="id445DA2FA30753" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule0_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id445DCB2A30753">
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id445DCB3030753" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="" direction="Both" disabled="False" id="id445DA30630753" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule1_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id445DCB2B30753">
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id445DCB3C30753" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id445DCB5230753" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="" direction="Both" disabled="False" id="id445DA31230753" log="True" position="2">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id445DCB2C30753">
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id445DF33930753" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="True">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id445E431430753" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFCAE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id445E432F30753" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="" direction="Inbound" disabled="False" id="id445DA31E30753" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id445DCB2D30753">
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id445E6B3A30753" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id445DA2F330753"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id445E6B4730753" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="" direction="Outbound" disabled="False" id="id464C589B3999" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id464C58AC3999"/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" direction="Both" disabled="False" id="id445DA32A30753" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule4_branch</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id445DCB2E30753">
|
|
<PolicyRule action="Branch" direction="Inbound" disabled="False" id="id45514D0211228" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule_4_0_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id45514D0E11228">
|
|
<PolicyRule action="Accept" direction="Outbound" disabled="False" id="id45514D0F11228" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA37130753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id45545B9C22651" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" direction="Inbound" disabled="False" id="id4554875522651" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36B30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule_4_1_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">False</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id4554876222651">
|
|
<PolicyRule action="Accept" comment="" direction="Outbound" disabled="False" id="id4554877422651" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA37130753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id4554876322651" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
</PolicyRule>
|
|
</Policy>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" direction="Both" disabled="False" id="id445DA33630753" log="False" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule5_branch</Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id445DCB2F30753">
|
|
<PolicyRule action="Deny" direction="Both" disabled="True" id="id459651137309" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="green rules branch also in mangle table" direction="Both" disabled="False" id="id464C29973999" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule0_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id464C29A83999"/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="" direction="Both" disabled="False" id="id464C29A93999" log="True" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule1_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id464C29BA3999"/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="" direction="Both" disabled="False" id="id464C29BB3999" log="True" position="9">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id464C29CC3999"/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="" direction="Inbound" disabled="False" id="id464C29CD3999" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id464C29DE3999"/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="" direction="Outbound" disabled="False" id="id464C58AD3999" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id445DA36E30753"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule3_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id464C58BE3999"/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="" direction="Both" disabled="False" id="id464C29DF3999" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule4_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id464C29F03999"/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="" direction="Both" disabled="False" id="id464C29F13999" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule5_branch</Option>
|
|
<Option name="classify_str">1:2</Option>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id464C2A023999"/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Custom" comment="" direction="Both" disabled="False" id="id445DA34230753" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Custom" direction="Both" disabled="False" id="id451DA7EF4163" log="True" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFCAE"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str">-j TARPIT</Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id445DA34E30753" log="True" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id445DA36A30753"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id445DA36B30753" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.22" comment="" id="id445DA36D30753" name="firewall39:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id445DA36E30753" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.22" comment="" id="id445DA37030753" name="firewall39:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id445DA37130753" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" comment="intended to overlap with the eth1 subnet; NOTE(review): as configured, 192.168.2.1/24 does not overlap eth1 (22.22.23.22/24) or eth0 (192.168.1.22/24)" id="id445DA37330753" name="firewall39:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<!-- NOTE(review): FWBDManagement is enabled on port 9999 with an empty
     identity while SNMP and the install script are disabled. This object
     is a compiler test fixture; an enabled management daemon with no
     identity configured should be reviewed before reuse in a real
     firewall object. -->
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment=" more complex and realistic combination of Tag and Route rules " host_OS="linux24" id="id4492FED324380" inactive="False" lastCompiled="1188097187" lastInstalled="1142003872" lastModified="1150347460" name="firewall40" platform="iptables" ro="False" version="">
|
|
<NAT id="id4492FF2E24380">
|
|
<NATRule comment="Translate source address for outgoing connections" disabled="False" id="id4492FF2F24380" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id4492FF4E24380"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id4492FED924380">
|
|
<PolicyRule action="Tag" direction="Inbound" disabled="False" id="id449328B224380" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4492FF4E24380"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" direction="Inbound" disabled="False" id="id449328BF24380" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4492FF5724380"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tagvalue">2</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="This permits access from internal net to the Internet and DMZ" direction="Both" disabled="False" id="id4492FEDA24380" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE7-1"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Route" direction="Both" disabled="False" id="id449328CC24380" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D824380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth0</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Route" direction="Both" disabled="False" id="id449328DB24380" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id449328D924380"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_anchor_name"></Option>
|
|
<Option name="branch_chain_name"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">Route through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">True</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_oif">eth2</Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">Route through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4492FF2224380" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id4492FF3D24380"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id4492FF4E24380" label="" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.0.2.1" comment="This is a test address (192.0.2.0/24 is RFC 5737 TEST-NET-1 documentation space); change it to your real one" id="id4492FF5024380" name="firewall40:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id4492FF5424380" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" comment="" id="id4492FF5624380" name="firewall40:lo:ip" netmask="255.0.0.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id4492FF5724380" label="" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.0.100.1" comment="" id="id4492FF5924380" name="firewall40:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id4492FF6024380" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id4492FF6124380" name="firewall40:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing rule shadowing with run-time objects: run-time address tables and DNS names are resolved on the firewall, not by the compiler, so their contents are unknown at compile time; rules that use such objects should be skipped by the shadowing check rather than reported as shadowed or shadowing" host_OS="linux24" id="id44EC18128791" inactive="False" lastCompiled="1188097194" lastInstalled="0" lastModified="1168820241" name="firewall41" platform="iptables" ro="False" version="">
|
|
<NAT id="id44EC18168791"/>
|
|
<Policy id="id44EC18158791">
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id44EC181E8791" log="True" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44EC181D8791"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id44F7056428576" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7056328576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id44F707E428576" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id44EC18128791"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id44F7082928576"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id44EC18178791"/>
|
|
<Interface bridgeport="False" dyn="False" id="id44EC18188791" label="ext" name="eth0" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="1.1.1.1" id="id44EC18198791" name="firewall41:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id44EC181A8791" label="int" name="eth1" security_level="50" unnum="False" unprotected="False">
|
|
<IPv4 address="2.2.2.2" id="id44EC181B8791" name="firewall41:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">true</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
|
<Option name="check_shading">true</Option>
|
|
<Option name="configure_interfaces">true</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">true</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">true</Option>
|
|
<Option name="local_nat">false</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">true</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="verify_interfaces">true</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing shadowing detection; the compiler runs with the -xt flag (see cmdline option); the firewall is assumed to be part of 'any' (firewall_is_part_of_any_and_networks = True), so rules with 'any' in Src or Dst also cover the firewall's own addresses" host_OS="linux24" id="id4513DEA62143" inactive="False" lastCompiled="1188097253" lastInstalled="0" lastModified="1158818614" name="test-shadowing-1" platform="iptables" ro="False" version="">
|
|
<NAT id="id4513DEAA2143"/>
|
|
<Policy id="id4513DEA92143">
|
|
<PolicyRule action="Accept" comment="shades rule below" direction="Outbound" disabled="False" id="id4513DECC2143" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4513DEAC2143"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Outbound" disabled="False" id="id4513DEC02143" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id4513DEAC2143"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of any for this rule" direction="Both" disabled="False" id="id4514B3F72143" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id4514B3E62143" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id451488C42143"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="this rule should shadow the rule below it because it uses an IPService object with protocol 0 (any IP protocol), which covers the TCP service the next rule denies" disabled="False" id="id451509E52143" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id419D6869"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" disabled="False" id="id451509D42143" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id451488B82143" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4513DEB42143" log="True" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4513DEDA2143" log="True" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id4513DEAB2143"/>
|
|
<Interface bridgeport="False" dyn="False" id="id4513DEAC2143" label="" name="eth0" security_level="50" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id4513DEAD2143" name="test-shadowing-1:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id4513DEAE2143" label="" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id4513DEAF2143" name="test-shadowing-1:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id4513DEB02143" label="" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id4513DEB12143" name="test-shadowing-1:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.2.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing shadowing detection; the compiler runs with the -xt flag (see cmdline option); the firewall is NOT assumed to be part of 'any' (firewall_is_part_of_any_and_networks = False), so 'any' in Src or Dst does not cover the firewall's own addresses and rule 3 (Src = this firewall) is not shadowed by rule 2" host_OS="linux24" id="id451488C42143" inactive="False" lastCompiled="1188097259" lastInstalled="0" lastModified="1158818614" name="test-shadowing-2" platform="iptables" ro="False" version="">
|
|
<NAT id="id451489072143"/>
|
|
<Policy id="id451488CA2143">
|
|
<PolicyRule action="Accept" comment="shades rule below" direction="Outbound" disabled="False" id="id451488CB2143" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id451489092143"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Outbound" disabled="False" id="id451488D72143" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id451489092143"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of any for this rule" direction="Both" disabled="False" id="id451488E32143" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="connlimit_masklen">0</Option>
|
|
<Option name="connlimit_value">0</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="hashlimit_burst">0</Option>
|
|
<Option name="hashlimit_dstlimit">False</Option>
|
|
<Option name="hashlimit_mode">dstip</Option>
|
|
<Option name="hashlimit_suffix"></Option>
|
|
<Option name="hashlimit_value">0</Option>
|
|
<Option name="limit_burst">0</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">False</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id451488EF2143" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id451488C42143"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="this rule should shadow the rule below it because it uses an IPService object with protocol 0 (any IP protocol), which covers the TCP service the next rule denies" disabled="False" id="id45150A072143" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id419D6869"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" disabled="False" id="id451509F62143" log="True" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-IRC"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id451488FB2143" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id451489082143"/>
|
|
<Interface bridgeport="False" dyn="False" id="id451489092143" label="" name="eth0" security_level="50" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id4514890B2143" name="test-shadowing-2:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id4514890C2143" label="" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id4514890E2143" name="test-shadowing-2:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id4514890F2143" label="" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id451489112143" name="test-shadowing-2:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.2.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="False" identity="" port="-1"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">True</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline">-xt</Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="eliminate_duplicates">true</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir">/etc</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">False</Option>
|
|
<Option name="freebsd_ip_forward">1</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="in_out_code">true</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_ip_forward">1</Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="loopback_interface">lo0</Option>
|
|
<Option name="macosx_ip_forward">1</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="openbsd_ip_forward">1</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="pass_all_out">false</Option>
|
|
<Option name="pf_limit_frags">5000</Option>
|
|
<Option name="pf_limit_states">10000</Option>
|
|
<Option name="pf_scrub_maxmss">1460</Option>
|
|
<Option name="pf_timeout_frag">30</Option>
|
|
<Option name="pf_timeout_interval">10</Option>
|
|
<Option name="pix_add_clear_statements">true</Option>
|
|
<Option name="pix_assume_fw_part_of_any">true</Option>
|
|
<Option name="pix_default_logint">300</Option>
|
|
<Option name="pix_emblem_log_format">false</Option>
|
|
<Option name="pix_emulate_out_acl">true</Option>
|
|
<Option name="pix_floodguard">true</Option>
|
|
<Option name="pix_include_comments">true</Option>
|
|
<Option name="pix_route_dnat_supported">true</Option>
|
|
<Option name="pix_rule_syslog_settings">false</Option>
|
|
<Option name="pix_security_fragguard_supported">true</Option>
|
|
<Option name="pix_syslog_device_id_supported">false</Option>
|
|
<Option name="pix_use_acl_remarks">true</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="prompt1">$ </Option>
|
|
<Option name="prompt2"> # </Option>
|
|
<Option name="solaris_ip_forward">1</Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing TAG and CLASSIFY rules; same as firewall37 except that the rules are made terminating (tag_terminating_target = True), so a packet matched by a Tag rule is not evaluated against the rules that follow it" host_OS="linux24" id="id45AB5A2C25451" inactive="False" lastCompiled="1188097157" lastInstalled="1142003872" lastModified="1178579501" name="firewall37-1" platform="iptables" ro="False" version="">
|
|
<NAT id="id45AB5C5225451">
|
|
<NATRule comment="" disabled="False" id="id45AB5C5325451" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="id45AB5A2C25451"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id45AB5A3225451">
|
|
<PolicyRule action="Tag" comment="terminating target" direction="Both" disabled="False" id="id45AB5AAD25451" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="terminating target" direction="Both" disabled="False" id="id45AB5AB925451" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="terminating target" direction="Both" disabled="False" id="id45AB5AC525451" log="True" position="2">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="terminating target" direction="Inbound" disabled="False" id="id45AB5AD225451" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6625451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="terminating target" direction="Outbound" disabled="False" id="id45AB5ADE25451" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6625451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagvalue">16</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="terminating and CONNMARK" direction="Both" disabled="False" id="id45AB5AEA25451" log="False" position="5">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagvalue">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="terminating and CONNMARK" direction="Both" disabled="False" id="id45AB5AF625451" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagvalue">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="terminating and CONNMARK" direction="Both" disabled="False" id="id45AB5B0225451" log="True" position="7">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagvalue">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="terminating and CONNMARK" direction="Inbound" disabled="False" id="id45AB5B0F25451" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6625451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagvalue">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Tag" comment="terminating and CONNMARK" direction="Outbound" disabled="False" id="id45AB5B1B25451" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id3CB1279B"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6625451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="classify_terminating_target">False</Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">True</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="tag_terminating_target">True</Option>
|
|
<Option name="tagvalue">10</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Pipe" direction="Both" disabled="False" id="id45AB5B2725451" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="testing for bug #1618381: this rule, and the next one, should place the CLASSIFY rule in a separate chain and pass control to it using -g" direction="Both" disabled="False" id="id45AB5B9525451" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="second rule for bug #1618381" direction="Both" disabled="False" id="id45AB5BA125451" log="False" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6325451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="testing for bug #1618381" direction="Both" disabled="False" id="id45AB5BAD25451" log="False" position="13">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="testing for bug #1618381" direction="Both" disabled="False" id="id45AB5BBA25451" log="False" position="14">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="bug #1618381: this rule uses multiport and has to be split because of that" direction="Both" disabled="False" id="id45AB5BC825451" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id41D0F023"/>
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6325451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#C0BA44</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="testing for bug #1618381: this rule, and the next one, should place the CLASSIFY rule in a separate chain and pass control to it using -g" direction="Both" disabled="False" id="id45AB5BD525451" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="second rule for bug #1618381" direction="Both" disabled="False" id="id45AB5BE125451" log="False" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6325451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" direction="Outbound" disabled="False" id="id45AB5BED25451" log="True" position="18">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6325451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tag_terminating_target">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="testing for bug #1618381" direction="Both" disabled="False" id="id45AB5BF925451" log="False" position="19">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="testing for bug #1618381" direction="Both" disabled="False" id="id45AB5C0625451" log="False" position="20">
|
|
<Src neg="True">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:10</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Classify" comment="bug #1618381: this rule uses multiport (two services in Srv) and therefore has to be split" direction="Both" disabled="False" id="id45AB5C1425451" log="False" position="21">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id41D0F023"/>
|
|
<ServiceRef ref="id3D4DE626"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id45AB5C6325451"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:11</Option>
|
|
<Option name="classify_terminating_target">True</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" comment="bug #1618381: Branch rule that should generate branching code in both the filter and mangle tables (ipt_branch_in_mangle is True)" direction="Both" disabled="False" id="id45AB5C2125451" log="False" position="22">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-All_TCP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="branch_name">rule27_branch</Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_branch_in_mangle">True</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id45AB5C2D25451">
|
|
<PolicyRule action="Classify" direction="Both" disabled="False" id="id45AB5C2E25451" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="id459E36F110170"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str">1:16</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="custom_str"></Option>
|
|
<Option name="ipf_route_opt_addr"></Option>
|
|
<Option name="ipf_route_opt_if"></Option>
|
|
<Option name="ipf_route_option">route_through</Option>
|
|
<Option name="ipfw_classify_method">2</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="ipfw_pipe_queue_num">0</Option>
|
|
<Option name="ipt_continue">False</Option>
|
|
<Option name="ipt_gw"></Option>
|
|
<Option name="ipt_iif"></Option>
|
|
<Option name="ipt_mark_connections">False</Option>
|
|
<Option name="ipt_mark_prerouting">False</Option>
|
|
<Option name="ipt_oif"></Option>
|
|
<Option name="ipt_tee">False</Option>
|
|
<Option name="pf_fastroute">False</Option>
|
|
<Option name="pf_route_opt_addr"></Option>
|
|
<Option name="pf_route_opt_if"></Option>
|
|
<Option name="pf_route_option">route_through</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Both" disabled="False" id="id4640109629860" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-HTTP"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">False</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
</PolicyRule>
|
|
<PolicyRule action="Custom" comment="Custom action for traffic from Internal_net: custom_str holds raw iptables target arguments (-j TCPMSS --set-mss 1400). Presumably the compiler copies this string into the generated script as-is, so the value is trusted input and must only be set by an authorised policy editor." direction="Both" disabled="False" id="id45AB5C3A25451" log="False" position="23">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="classify_str"></Option>
|
|
<Option name="color">#C0C0C0</Option>
|
|
<Option name="custom_str">-j TCPMSS --set-mss 1400</Option>
|
|
<Option name="ipfw_pipe_method">0</Option>
|
|
<Option name="ipfw_pipe_port_num">0</Option>
|
|
<Option name="rule_name_accounting"></Option>
|
|
<Option name="stateless">True</Option>
|
|
<Option name="tagvalue"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id45AB5C4625451" log="True" position="24">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id45AB5C6225451"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id45AB5C6325451" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.22" comment="" id="id45AB5C6525451" name="firewall37-1:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id45AB5C6625451" label="eth1(outside)" mgmt="False" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.22" comment="" id="id45AB5C6825451" name="firewall37-1:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id45AB5C6925451" label="eth2(dmz)" mgmt="False" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" comment="this interface is on the subnet that overlaps with eth1" id="id45AB5C6B25451" name="firewall37-1:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.22">
|
|
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">True</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">True</Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">True</Option>
|
|
<Option name="local_nat">True</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">info</Option>
|
|
<Option name="log_prefix">RULE %N -- %A </Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="simple test for a rule that matches a local broadcast address and should go into the INPUT chain; the internal interface (eth0) is dynamic, so the compiler cannot determine that the given address is a broadcast address. A fake interface (lo carrying 192.168.1.1/24) is used to make this address match." host_OS="linux24" id="id46EFBD7031183" inactive="False" lastCompiled="1188097218" lastInstalled="1142003872" lastModified="1190091778" name="firewall42" platform="iptables" ro="False" version="">
|
|
<NAT id="id46EFBE3731183"/>
|
|
<Policy id="id46EFBD7631183">
|
|
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id46EFBD7731183" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B64FFAC"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id46EFBD8331183" log="False" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id46EFBD8F31183" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3A84EECE"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" direction="Inbound" disabled="False" id="id46EFBD9B31183" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id40236C9A"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" direction="Outbound" disabled="False" id="id46EFBDA731183" log="False" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3CFBE20C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id46EFBE4731183"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id46EFBE4631183"/>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id46EFBE4731183" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" dyn="False" id="id46EFBE4A31183" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id46EFBE4C31183" name="firewall42:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id46EFBE5031183" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id46EFBE5231183" name="firewall42:lo:ip" netmask="255.0.0.0"/>
|
|
<IPv4 address="192.168.1.1" comment="" id="id46EFBE5B31183" name="firewall42:lo:ip-1" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Firewall comment="testing action 'Continue'" host_OS="linux24" id="id47339E9919714" inactive="False" lastCompiled="1188097218" lastInstalled="1142003872" lastModified="1194539763" name="firewall50" platform="iptables" ro="False" version="">
|
|
<NAT id="id47339EDC19714"/>
|
|
<Policy id="id47339E9F19714">
|
|
<PolicyRule action="Continue" direction="Both" disabled="False" id="id47339EFA19714" log="False" position="0">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id47339EEC19714" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="color">#8BC065</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Branch" direction="Both" disabled="False" id="id4734305119714" log="False" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3DC75CE6"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="branch_name">rule2_branch</Option>
|
|
<Option name="color">#7694C0</Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
<Policy id="id4734305D19714">
|
|
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id4734305F19714" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id4733CF6F19714" log="True" position="3">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3CEBFDFC"/>
|
|
<ObjectRef ref="id4733FFE419714"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Both" disabled="False" id="id47339F0719714" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id47339EDD19714"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id47339EDE19714" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id47339EF819714" name="firewall50:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id47339EDF19714" name="eth1" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.22.22" id="id47339EE119714" name="firewall50:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id47339EE219714" name="lo" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="127.0.0.1" id="id47339EE519714" name="firewall50:lo:ip1" netmask="255.0.0.0"/>
|
|
<IPv4 address="192.168.1.1" comment="" id="id47339EE619714" name="firewall50:lo:ip2" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="0.0.0.0">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP net unreachable</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="classify_mark_terminating">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">False</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="inst_cmdline"></Option>
|
|
<Option name="inst_script"></Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level">debug</Option>
|
|
<Option name="log_limit_suffix">/second</Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">False</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_ipv6_default_policy">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="proxy_arp">False</Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="sshArgs"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_ip_tool">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">False</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
</ObjectGroup>
|
|
<IntervalGroup id="stdid11_1" name="Time">
|
|
<Interval comment="" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" id="id3D6864D0" name="test time 1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1"/>
|
|
<Interval comment="" from_day="13" from_hour="1" from_minute="1" from_month="3" from_weekday="0" from_year="2007" id="id45F8C4E013056" name="test time 2" to_day="1" to_hour="2" to_minute="2" to_month="1" to_weekday="1" to_year="2010"/>
|
|
</IntervalGroup>
|
|
</Library>
|
|
<Library id="sysid99" name="Deleted Objects" ro="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
<IPv4 address="192.168.1.1" comment="" id="id41D295E2" name="firewall30:ppp.200*:ip" netmask="255.255.255.0"/>
|
|
<Firewall comment="dynamic wildcard interface with a dot in the name" host_OS="linux24" id="id41D294BB" lastCompiled="0" lastInstalled="0" lastModified="0" name="firewall30" platform="iptables" ro="False" version="">
|
|
<NAT id="id41D2953D">
|
|
<NATRule disabled="False" id="id41D2953E" position="0">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id41D2954C" position="1">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="id3AFADBF9"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule comment="" disabled="False" id="id41D2955A" position="2">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</OSrc>
|
|
<ODst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
<NATRule disabled="False" id="id41D29568" position="3">
|
|
<OSrc neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</OSrc>
|
|
<ODst neg="True">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</ODst>
|
|
<OSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</OSrv>
|
|
<TSrc neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</TSrc>
|
|
<TDst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</TDst>
|
|
<TSrv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</TSrv>
|
|
<NATRuleOptions/>
|
|
</NATRule>
|
|
</NAT>
|
|
<Policy id="id41D294C0">
|
|
<PolicyRule action="Deny" comment="ppp clients get addresses on 10.1.1.0" direction="Inbound" disabled="False" id="id41D295AE" log="True" position="0">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3EFBCCBA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29576"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="ppp clients cannot connect to the firewall" direction="Inbound" disabled="False" id="id41D295B8" log="True" position="1">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29576"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" direction="Inbound" disabled="False" id="id41D295C2" log="True" position="2">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29576"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="ppp clients can only connect to the mail server and web proxy on DMZ" direction="Inbound" disabled="False" id="id41D295CC" log="False" position="3">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3D151943"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SMTP"/>
|
|
<ServiceRef ref="id3B4FF09A"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29576"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="ppp clients cannot connect to anything else on DMZ and internal net" direction="Inbound" disabled="False" id="id41D295D7" log="True" position="4">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B022266"/>
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D29576"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="" direction="Inbound" disabled="False" id="id41D295F6" log="True" position="5">
|
|
<Src neg="True">
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="id41D295E8"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="hostF has the same IP address as the firewall." disabled="False" id="id41D294C1" log="True" position="6">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="icmp-ping_request"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="id"></Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id41D294CB" log="False" position="7">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id41D294D5" log="False" position="8">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id41D294DF" log="False" position="9">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19BF58"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" disabled="False" id="id41D294E9" log="False" position="10">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3AFC191C"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id41D294F4" log="False" position="11">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id41D294FF" log="True" position="12">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3E9870D1"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="tcp-SSH"/>
|
|
<ServiceRef ref="tcp-Telnet"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, so compiler should generate code in both FORWARD and OUTPUT chains" disabled="False" id="id41D2950A" log="False" position="13">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="firewall is part of Any, compiler should generate code for both FORWARD and INPUT chains" disabled="False" id="id41D29514" log="False" position="14">
|
|
<Src neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="because firewall has interface on network internal_net, compiler should generate code for both FORWARD and INPUT chains" disabled="False" id="id41D2951E" log="False" position="15">
|
|
<Src neg="False">
|
|
<ObjectRef ref="host-hostA"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Accept" comment="" disabled="False" id="id41D29528" log="False" position="16">
|
|
<Src neg="False">
|
|
<ObjectRef ref="net-Internal_net"/>
|
|
<ObjectRef ref="id3B022266"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="id3B19C5EB"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions/>
|
|
</PolicyRule>
|
|
<PolicyRule action="Deny" comment="Automatically generated 'catch all' rule" disabled="False" id="id41D29533" log="True" position="17">
|
|
<Src neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Src>
|
|
<Dst neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Dst>
|
|
<Srv neg="False">
|
|
<ServiceRef ref="sysid1"/>
|
|
</Srv>
|
|
<Itf neg="False">
|
|
<ObjectRef ref="sysid0"/>
|
|
</Itf>
|
|
<When neg="False">
|
|
<IntervalRef ref="sysid2"/>
|
|
</When>
|
|
<PolicyRuleOptions>
|
|
<Option name="action_on_reject"></Option>
|
|
<Option name="id"></Option>
|
|
<Option name="limit_suffix"></Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="stateless">True</Option>
|
|
</PolicyRuleOptions>
|
|
</PolicyRule>
|
|
</Policy>
|
|
<Routing id="id41D294BB-routing"/>
|
|
<Interface bridgeport="False" comment="" dyn="True" id="id41D29576" label="" mgmt="False" name="ppp.200*" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id41D295E3" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" id="id41D295E7" name="firewall30:eth0:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id41D295E8" name="eth2" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id41D29600" name="firewall30:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Management address="192.168.1.1">
|
|
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
|
<FWBDManagement enabled="True" identity="" port="9999"/>
|
|
<PolicyInstallScript arguments="" command="" enabled="False"/>
|
|
</Management>
|
|
<FirewallOptions>
|
|
<Option name="accept_established">True</Option>
|
|
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
|
<Option name="action_on_reject">ICMP host prohibited</Option>
|
|
<Option name="activationCmd"></Option>
|
|
<Option name="admUser"></Option>
|
|
<Option name="altAddress"></Option>
|
|
<Option name="bridging_fw">False</Option>
|
|
<Option name="check_shading">False</Option>
|
|
<Option name="clamp_mss_to_mtu">False</Option>
|
|
<Option name="cmdline"></Option>
|
|
<Option name="compiler"></Option>
|
|
<Option name="configure_interfaces">True</Option>
|
|
<Option name="debug">False</Option>
|
|
<Option name="drop_invalid">False</Option>
|
|
<Option name="dyn_addr">False</Option>
|
|
<Option name="epilog_script"></Option>
|
|
<Option name="firewall_dir"></Option>
|
|
<Option name="firewall_is_part_of_any">True</Option>
|
|
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
|
<Option name="id"></Option>
|
|
<Option name="ignore_empty_groups">False</Option>
|
|
<Option name="install_script"></Option>
|
|
<Option name="limit_suffix">/day</Option>
|
|
<Option name="limit_value">0</Option>
|
|
<Option name="linux24_accept_redirects"></Option>
|
|
<Option name="linux24_accept_source_route"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_all"></Option>
|
|
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
|
|
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
|
|
<Option name="linux24_ip_dynaddr"></Option>
|
|
<Option name="linux24_ip_forward"></Option>
|
|
<Option name="linux24_log_martians"></Option>
|
|
<Option name="linux24_path_ip"></Option>
|
|
<Option name="linux24_path_iptables"></Option>
|
|
<Option name="linux24_path_logger"></Option>
|
|
<Option name="linux24_path_lsmod"></Option>
|
|
<Option name="linux24_path_modprobe"></Option>
|
|
<Option name="linux24_rp_filter"></Option>
|
|
<Option name="linux24_tcp_ecn"></Option>
|
|
<Option name="linux24_tcp_fack"></Option>
|
|
<Option name="linux24_tcp_fin_timeout">30</Option>
|
|
<Option name="linux24_tcp_keepalive_interval">1800</Option>
|
|
<Option name="linux24_tcp_sack"></Option>
|
|
<Option name="linux24_tcp_syncookies"></Option>
|
|
<Option name="linux24_tcp_timestamps"></Option>
|
|
<Option name="linux24_tcp_window_scaling"></Option>
|
|
<Option name="load_modules">False</Option>
|
|
<Option name="local_nat">False</Option>
|
|
<Option name="log_all">False</Option>
|
|
<Option name="log_all_dropped">False</Option>
|
|
<Option name="log_invalid">False</Option>
|
|
<Option name="log_ip_opt">False</Option>
|
|
<Option name="log_level"></Option>
|
|
<Option name="log_limit_suffix"></Option>
|
|
<Option name="log_limit_value">0</Option>
|
|
<Option name="log_prefix"></Option>
|
|
<Option name="log_tcp_opt">False</Option>
|
|
<Option name="log_tcp_seq">False</Option>
|
|
<Option name="manage_virtual_addr">True</Option>
|
|
<Option name="mgmt_addr"></Option>
|
|
<Option name="mgmt_ssh">False</Option>
|
|
<Option name="no_iochains_for_any">False</Option>
|
|
<Option name="no_optimisation">False</Option>
|
|
<Option name="output_file"></Option>
|
|
<Option name="platform">iptables</Option>
|
|
<Option name="prolog_place">top</Option>
|
|
<Option name="prolog_script"></Option>
|
|
<Option name="script_env_path"></Option>
|
|
<Option name="snmp_contact"></Option>
|
|
<Option name="snmp_description"></Option>
|
|
<Option name="snmp_location"></Option>
|
|
<Option name="ulog_cprange">0</Option>
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
<Option name="ulog_qthreshold">1</Option>
|
|
<Option name="use_ULOG">False</Option>
|
|
<Option name="use_iptables_restore">False</Option>
|
|
<Option name="use_numeric_log_levels">False</Option>
|
|
<Option name="verify_interfaces">True</Option>
|
|
</FirewallOptions>
|
|
</Firewall>
|
|
<Interface bridgeport="False" dyn="False" id="id41F62C5C" name="eth3" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.23" id="id41F62C60" name="firewall30:eth3:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id41F62C52" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" comment="" id="id41F62C56" name="firewall30:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id429910E6" label="fw8:eth2" mgmt="True" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.100.1" id="id429910EA" name="firewall31:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" comment="VLAN interface" dyn="True" id="id43868A7E1434" label="" mgmt="False" name="eth0.200" security_level="0" unnum="False" unprotected="False"/>
|
|
<Interface bridgeport="False" comment="" dyn="False" id="id4492FF5124380" label="" mgmt="True" name="eth1" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.1.1" comment="" id="id4492FF5324380" name="firewall40:eth1:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<IPv4 address="0.0.0.0" id="id4492FF5F24380" name="firewall40:eth0:ip-1" netmask="0.0.0.0"/>
|
|
<Library color="#d2ffd0" comment="" id="id44EC13FB8791" name="tmp" ro="False">
|
|
<ObjectGroup id="id44EC13FC8791" name="Objects">
|
|
<ObjectGroup id="id44EC13FD8791" name="Addresses"/>
|
|
<ObjectGroup id="id44EC13FE8791" name="DNS Names"/>
|
|
<ObjectGroup id="id44EC13FF8791" name="Address Tables"/>
|
|
<ObjectGroup id="id44EC14008791" name="Groups"/>
|
|
<ObjectGroup id="id44EC14018791" name="Hosts"/>
|
|
<ObjectGroup id="id44EC14028791" name="Networks"/>
|
|
<ObjectGroup id="id44EC14038791" name="Address Ranges"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id44EC14048791" name="Services">
|
|
<ServiceGroup id="id44EC14058791" name="Groups"/>
|
|
<ServiceGroup id="id44EC14068791" name="ICMP"/>
|
|
<ServiceGroup id="id44EC14078791" name="IP"/>
|
|
<ServiceGroup id="id44EC14088791" name="TCP"/>
|
|
<ServiceGroup id="id44EC14098791" name="UDP"/>
|
|
<ServiceGroup id="id44EC140A8791" name="Custom"/>
|
|
<ServiceGroup id="id44EC140B8791" name="TagServices"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id44EC140C8791" name="Firewalls"/>
|
|
<IntervalGroup id="id44EC140D8791" name="Time"/>
|
|
</Library>
|
|
<Interface bridgeport="False" dyn="False" id="id46EFBE4D31183" name="eth2" security_level="100" unnum="False" unprotected="False">
|
|
<IPv4 address="192.168.2.1" id="id46EFBE4F31183" name="firewall42:eth2:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<Interface bridgeport="False" dyn="False" id="id46EFBE5331183" name="eth3" security_level="0" unnum="False" unprotected="False">
|
|
<IPv4 address="22.22.23.23" id="id46EFBE5531183" name="firewall42:eth3:ip" netmask="255.255.255.0"/>
|
|
</Interface>
|
|
<IPv4 address="192.168.1.1" id="id46EFBE4931183" name="firewall42:eth0:ip" netmask="255.255.255.0"/>
|
|
</Library>
|
|
<Library color="#FFFFFF" comment="" id="id4387B43718346" name="transfer" ro="False">
|
|
<ObjectGroup id="id4387B43818346" name="Objects">
|
|
<ObjectGroup id="id4387B43918346" name="Addresses"/>
|
|
<ObjectGroup id="id4387B43A18346" name="DNS Names"/>
|
|
<ObjectGroup id="id4387B43B18346" name="Address Tables"/>
|
|
<ObjectGroup id="id4387B43C18346" name="Groups"/>
|
|
<ObjectGroup id="id4387B43D18346" name="Hosts"/>
|
|
<ObjectGroup id="id4387B43E18346" name="Networks"/>
|
|
<ObjectGroup id="id4387B43F18346" name="Address Ranges"/>
|
|
</ObjectGroup>
|
|
<ServiceGroup id="id4387B44018346" name="Services">
|
|
<ServiceGroup id="id4387B44018346_og_tag_1" name="TagServices"/>
|
|
<ServiceGroup id="id4387B44118346" name="Groups"/>
|
|
<ServiceGroup id="id4387B44218346" name="ICMP"/>
|
|
<ServiceGroup id="id4387B44318346" name="IP"/>
|
|
<ServiceGroup id="id4387B44418346" name="TCP"/>
|
|
<ServiceGroup id="id4387B44518346" name="UDP"/>
|
|
<ServiceGroup id="id4387B44618346" name="Custom"/>
|
|
</ServiceGroup>
|
|
<ObjectGroup id="id4387B44718346" name="Firewalls"/>
|
|
<IntervalGroup id="id4387B44818346" name="Time"/>
|
|
</Library>
|
|
<Library color="#d4f8ff" comment="Standard objects" id="syslib000" name="Standard" ro="True">
|
|
<ServiceGroup id="stdid05" name="Services">
|
|
<ServiceGroup id="stdid06" name="IP">
|
|
<IPService comment="IPSEC Encapsulating Security Payload Protocol" fragm="False" id="ip-IPSEC" lsrr="False" name="ESP" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
|
<IPService comment="'Short' fragments" fragm="False" id="ip-IP_Fragments" lsrr="False" name="ip_fragments" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False"/>
|
|
<IPService comment="Route recording packets" fragm="False" id="ip-RR" lsrr="False" name="RR" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False"/>
|
|
<IPService comment="All sorts of Source Routing Packets" fragm="False" id="ip-SRR" lsrr="True" name="SRR" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False"/>
|
|
<IPService comment="IPSEC Authentication Header Protocol" fragm="False" id="id3CB12797" lsrr="False" name="AH" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid09" name="TCP">
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="113" dst_range_start="113" fin_flag="False" fin_flag_mask="False" id="tcp-Auth" name="auth" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="53" dst_range_start="53" fin_flag="False" fin_flag_mask="False" id="tcp-DNS_zone_transf" name="dns-tcp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="21" dst_range_start="21" fin_flag="False" fin_flag_mask="False" id="tcp-FTP" name="ftp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="80" dst_range_start="80" fin_flag="False" fin_flag_mask="False" id="tcp-HTTP" name="http" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="119" dst_range_start="119" fin_flag="False" fin_flag_mask="False" id="tcp-NNTP" name="nntp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="25" dst_range_start="25" fin_flag="False" fin_flag_mask="False" id="tcp-SMTP" name="smtp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="22" dst_range_start="22" fin_flag="False" fin_flag_mask="False" id="tcp-SSH" name="ssh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="23" dst_range_start="23" fin_flag="False" fin_flag_mask="False" id="tcp-Telnet" name="telnet" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="540" dst_range_start="540" fin_flag="False" fin_flag_mask="False" id="tcp-uucp" name="uucp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="13" dst_range_start="13" fin_flag="False" fin_flag_mask="False" id="id3AEDBE6E" name="daytime" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2105" dst_range_start="2105" fin_flag="False" fin_flag_mask="False" id="id3B4FEDA3" name="eklogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="443" dst_range_start="443" fin_flag="False" fin_flag_mask="False" id="id3B4FED69" name="https" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="143" dst_range_start="143" fin_flag="False" fin_flag_mask="False" id="id3AECF776" name="imap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="993" dst_range_start="993" fin_flag="False" fin_flag_mask="False" id="id3B4FED9F" name="imaps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="id3B4FF13C" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="543" dst_range_start="543" fin_flag="False" fin_flag_mask="False" id="id3B4FEE21" name="klogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="544" dst_range_start="544" fin_flag="False" fin_flag_mask="False" id="id3B4FEE23" name="ksh" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="389" dst_range_start="389" fin_flag="False" fin_flag_mask="False" id="id3AECF778" name="ldap" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="98" dst_range_start="98" fin_flag="False" fin_flag_mask="False" id="id3B4FF000" name="linuxconf" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3306" dst_range_start="3306" fin_flag="False" fin_flag_mask="False" id="id3B4FEEEE" name="mysql" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="2049" dst_range_start="2049" fin_flag="False" fin_flag_mask="False" id="id3B4FEE7A" name="nfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="110" dst_range_start="110" fin_flag="False" fin_flag_mask="False" id="id3B4FEE1D" name="pop3" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="5432" dst_range_start="5432" fin_flag="False" fin_flag_mask="False" id="id3B4FF0EA" name="postgres" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="515" dst_range_start="515" fin_flag="False" fin_flag_mask="False" id="id3AECF782" name="printer" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="26000" dst_range_start="26000" fin_flag="False" fin_flag_mask="False" id="id3B4FEF7C" name="quake" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="512" dst_range_start="512" fin_flag="False" fin_flag_mask="False" id="id3AECF77A" name="rexec" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="513" dst_range_start="513" fin_flag="False" fin_flag_mask="False" id="id3AECF77C" name="rlogin" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="514" dst_range_start="514" fin_flag="False" fin_flag_mask="False" id="id3AECF77E" name="rshell" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="4321" dst_range_start="4321" fin_flag="False" fin_flag_mask="False" id="id3B4FEF34" name="rwhois" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="465" dst_range_start="465" fin_flag="False" fin_flag_mask="False" id="id3B4FF04C" name="smtps" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1080" dst_range_start="1080" fin_flag="False" fin_flag_mask="False" id="id3B4FEE76" name="socks" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="111" dst_range_start="111" fin_flag="False" fin_flag_mask="False" id="id3AEDBE00" name="sunrpc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="7100" dst_range_start="7100" fin_flag="False" fin_flag_mask="False" id="id3B4FF1B8" name="xfs" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<!-- Matches TCP segments whose flags are exactly SYN: every *_flag_mask is True and only syn_flag is set, so SYN+ACK and other combinations do not match. The 0-0 port ranges presumably leave the ports unconstrained (cf. "All TCP" below) - confirm against the service editor. -->
<TCPService ack_flag="False" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="tcp-TCP-SYN" name="tcp-syn" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
|
|
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B4FF09A" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
<!-- Catch-all TCP service: no flag masks are set and both port ranges are 0-0, which the name indicates means every TCP port. A rule referencing it is unrestricted within TCP; prefer one of the specific services above where the rule's intent is narrower. -->
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-All_TCP" name="All TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid08" name="UDP">
|
|
<UDPService comment="" dst_range_end="53" dst_range_start="53" id="udp-DNS" name="domain" src_range_end="0" src_range_start="0"/>
|
|
<UDPService comment="" dst_range_end="161" dst_range_start="161" id="udp-SNMP" name="snmp" src_range_end="0" src_range_start="0"/>
|
|
<!-- Catch-all UDP service (0-0 on both ranges = every UDP port, per the name); the UDP counterpart of "All TCP". -->
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="udp-All_UDP" name="All UDP" src_range_end="0" src_range_start="0"/>
|
|
<UDPService comment="" dst_range_end="67" dst_range_start="67" id="udp-bootps" name="bootps" src_range_end="0" src_range_start="0"/>
|
|
<UDPService comment="" dst_range_end="68" dst_range_start="68" id="udp-bootpc" name="bootpc" src_range_end="0" src_range_start="0"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid10" name="Groups">
|
|
<ServiceGroup comment="" id="sg-DHCP" name="DHCP">
|
|
<ServiceRef ref="udp-bootpc"/>
|
|
<ServiceRef ref="udp-bootps"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup comment="" id="sg-Useful_ICMP" name="Useful_ICMP">
|
|
<ServiceRef ref="icmp-Time_exceeded"/>
|
|
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
|
|
<ServiceRef ref="icmp-ping_reply"/>
|
|
<ServiceRef ref="icmp-Unreachables"/>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="id3CB1279B" name="IPSEC">
|
|
<ServiceRef ref="id3CB12797"/>
|
|
<ServiceRef ref="ip-IPSEC"/>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<ServiceGroup id="stdid07" name="ICMP">
|
|
<ICMPService code="0" comment="" id="icmp-ping_request" name="ping request" type="8"/>
|
|
<ICMPService code="-1" comment="" id="icmp-Unreachables" name="all ICMP unreachables" type="3"/>
|
|
<!-- type="-1" and code="-1" act as wildcards (compare "all ICMP unreachables" above, which fixes type 3 and leaves code at -1), so this object matches every ICMP message. -->
<ICMPService code="-1" comment="" id="id3C20EEB5" name="any ICMP" type="-1"/>
|
|
<ICMPService code="0" comment="ICMP messages of this type are needed for traceroute" id="icmp-Time_exceeded" name="time exceeded" type="11"/>
|
|
<ICMPService code="1" comment="" id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" type="11"/>
|
|
<ICMPService code="0" comment="" id="icmp-ping_reply" name="ping reply" type="0"/>
|
|
</ServiceGroup>
|
|
</ServiceGroup>
|
|
<!-- Address 0.0.0.0 with netmask 0.0.0.0 is the universal address match; a rule whose source or destination is "Any" places no address restriction on that side. -->
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
<!-- Every from_*/to_* field is -1, the same "unset" value the Interval objects below use for fields they do not constrain; this interval therefore imposes no time restriction. -->
<AnyInterval comment="Any Interval" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" id="sysid2" name="Any" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>
|
|
<!-- NOTE(review): protocol_num="0" is presumably the wildcard for "any IP protocol" on this element type (it is the only AnyIPService in the database) - confirm against the DTD; it is not protocol number 0 in the IANA sense. -->
<AnyIPService comment="Any IP Service" id="sysid1" name="Any" protocol_num="0"/>
|
|
<IntervalGroup id="stdid11" name="Time">
|
|
<Interval comment="any day 6:00pm - 12:00am" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" id="int-afterhours" name="afterhours" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1"/>
|
|
<Interval comment="" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" id="id3C63479C" name="Sat" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1"/>
|
|
<Interval comment="" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" id="id3C63479E" name="Sun" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1"/>
|
|
<!-- Weekday encoding follows the "Sat" (6) and "Sun" (0) entries above, so from_weekday 1 through to_weekday 5 is Monday through Friday; the hour/minute fields give 09:00-17:00. -->
<Interval comment="any day, 9:00am through 5:00pm" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" id="int-workhours" name="workhours" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" to_year="-1"/>
|
|
<!-- from_weekday 6 (Saturday) to to_weekday 0 (Sunday) wraps past the end of the week, as the comment describes; the "Sat" and "Sun" entries above cover the same days individually. -->
<Interval comment="weekends: Saturday 0:00 through Sunday 23:59 " from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" id="int-weekends" name="weekends" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1"/>
|
|
</IntervalGroup>
|
|
<ObjectGroup id="stdid01" name="Objects">
|
|
<ObjectGroup id="stdid15" name="Address Ranges">
|
|
<AddressRange comment="" id="id3F6D115C" name="broadcast" start_address="255.255.255.255" end_address="255.255.255.255"/>
|
|
</ObjectGroup>
|
|
<ObjectGroup id="stdid03" name="Networks">
|
|
<Network comment="224.0.0.0/4 - This block, formerly known as the Class D address space, is allocated for use in IPv4 multicast address assignments. The IANA guidelines for assignments from this space are described in [RFC3171]. " id="id3DC75CEC" name="all multicasts" address="224.0.0.0" netmask="240.0.0.0"/>
|
|
<Network comment="192.168.1.0/24 - Address often used for home and small office networks. " id="id3DC75CE7-1" name="net-192.168.1.0" address="192.168.1.0" netmask="255.255.255.0"/>
|
|
<Network comment="192.168.0.0/16 - This block is set aside for use in private networks. Its intended use is documented in [RFC1918]. Addresses within this block should not appear on the public Internet. " id="id3DC75CE6" name="net-192.168.0.0" address="192.168.0.0" netmask="255.255.0.0"/>
|
|
</ObjectGroup>
|
|
</ObjectGroup>
|
|
</Library>
|
|
</FWObjectDatabase>
|