Diffstat (limited to 'templates/firewall')
-rw-r--r--templates/firewall/broadcast-ping/node.def11
-rw-r--r--templates/firewall/ip-src-route/node.def11
-rw-r--r--templates/firewall/log-martians/node.def11
-rw-r--r--templates/firewall/name/node.def4
-rw-r--r--templates/firewall/name/node.tag/description/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.def4
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/action/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/description/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/network/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/port-name/node.def10
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/port-number/node.def4
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/port-range/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/port-range/start/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/port-range/stop/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/range/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/range/start/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/destination/range/stop/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/icmp/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/log/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/protocol/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/address/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/network/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/port-name/node.def10
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/port-number/node.def4
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/port-range/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/port-range/start/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/port-range/stop/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/range/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/range/start/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/source/range/stop/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/state/established/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/state/invalid/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/state/new/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/state/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/state/related/node.def3
-rw-r--r--templates/firewall/node.def4
-rw-r--r--templates/firewall/receive-redirects/node.def11
-rw-r--r--templates/firewall/send-redirects/node.def11
-rw-r--r--templates/firewall/syn-cookies/node.def8
45 files changed, 177 insertions, 0 deletions
diff --git a/templates/firewall/broadcast-ping/node.def b/templates/firewall/broadcast-ping/node.def
new file mode 100644
index 0000000..f49831c
--- /dev/null
+++ b/templates/firewall/broadcast-ping/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: "ignore all ICMP ECHO and TIMESTAMP requests sent via broadcast/multicast"
+default: "disable"
+syntax: $(@) in "enable", "disable"; "broadcast-ping must be enable or disable"
+create: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; \
+ else echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; fi"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; \
+ else echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; fi"
+delete: "echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
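Review bot: The `==` inside `[ ]` on the create: and update: lines is a bash extension; a POSIX /bin/sh such as dash reports it as an unexpected operator, and because the test then fails the else branch runs and writes 0 even though the user asked for enable. Which shell the config backend uses for these action strings is not visible in this commit, so it is worth confirming; the portable form `if [ "x$(@)" = "xenable" ]; then` behaves the same under bash and sh. The identical construct is repeated in the ip-src-route, log-martians, receive-redirects, send-redirects and syn-cookies templates added here.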
diff --git a/templates/firewall/ip-src-route/node.def b/templates/firewall/ip-src-route/node.def
new file mode 100644
index 0000000..eb8bc0a
--- /dev/null
+++ b/templates/firewall/ip-src-route/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: "Accept packets with SRR option"
+default: "disable"
+syntax: $(@) in "enable", "disable"; "ip-src-route must be enable or disable"
+create: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route; fi"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route; fi"
+delete: "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route"
diff --git a/templates/firewall/log-martians/node.def b/templates/firewall/log-martians/node.def
new file mode 100644
index 0000000..928a23a
--- /dev/null
+++ b/templates/firewall/log-martians/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: "Allow syslog logging of packets with impossible addresses"
+default: "enable"
+syntax: $(@) in "enable", "disable"; "log-martians must be enable or disable"
+create: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/log_martians; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/log_martians; fi"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/log_martians; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/log_martians; fi"
+delete: "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
new file mode 100644
index 0000000..5591c1f
--- /dev/null
+++ b/templates/firewall/name/node.def
@@ -0,0 +1,4 @@
+tag:
+type: txt
+syntax: pattern $(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
+help: "Configure firewall rule set name"
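Review bot: The pattern on the syntax: line only rejects a leading `-`, so a rule set name may still contain whitespace, quotes, `/`, `;` or other shell metacharacters and has no length limit; if the name ends up as an iptables chain name inside vyatta-firewall.pl (which this commit does not show), iptables rejects names longer than roughly 28 characters and the script would have to shell-escape the value on every use. A positive allow-list is safer than excluding one character: `syntax: pattern $(@) "^[A-Za-z0-9_][A-Za-z0-9_-]*$" ; "Firewall rule set name must consist of letters, digits, '_' or '-' and cannot start with \"-\""`. A maximum-length check belongs beside it if the template format can express one.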
diff --git a/templates/firewall/name/node.tag/description/node.def b/templates/firewall/name/node.tag/description/node.def
new file mode 100644
index 0000000..3df7bc0
--- /dev/null
+++ b/templates/firewall/name/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: "Configure firewall description"
diff --git a/templates/firewall/name/node.tag/rule/node.def b/templates/firewall/name/node.tag/rule/node.def
new file mode 100644
index 0000000..b7a1c0c
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.def
@@ -0,0 +1,4 @@
+tag:
+type: u32
+help: "Configure firewall rule number from 1 to 1024"
+syntax: $(@) > 0 && $(@) < 1025; "firewall rule number must be between 1 and 1024"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/action/node.def b/templates/firewall/name/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 0000000..c8ea6c5
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure firewall rule action"
+syntax: $(@) in "drop", "reject", "accept"; "action must be one of drop, reject, or accept"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/description/node.def b/templates/firewall/name/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 0000000..3648c8a
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: "Configure rule description"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..89546fa
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure firewall destination address"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv4_negate '$(@)'" ; "invalid destination address \"$(@)\""
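Review bot: The exec validation hands the user value to a shell as `'$(@)'`, so unless the config backend escapes `$(@)` before substitution (not visible here), a value containing a single quote terminates the quoting and the remainder is executed by the shell that exec spawns, before the Perl validator ever sees it. Worth confirming how `$(@)` is expanded; if it is substituted verbatim, a `pattern` check restricting the value to the characters an address can contain (presumably digits, `.` and a leading `!` for the negated form) should precede the exec line. The destination/network, protocol, source/address, source/mac-address and source/network templates in this commit use the same construct.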
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/network/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/network/node.def
new file mode 100644
index 0000000..dfc93f9
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/network/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure firewall destination network"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv4net_negate '$(@)'" ; "invalid destination network \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/node.def
new file mode 100644
index 0000000..8b12941
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: "Configure firewall destination parameters"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port-name/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port-name/node.def
new file mode 100644
index 0000000..89c7ee9
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port-name/node.def
@@ -0,0 +1,10 @@
+multi:
+type: txt
+help: "Configure destination port name"
+syntax: exec "sh -c 'if grep -q '\\''^$(@)[ \t]'\\'' /etc/services; \
+then exit 0; else \
+ if grep -q \
+ '\\''^[^ \t]\\+[ \t]\\+[^ \t]\\+[^#]*[ \t]$(@)\\([ \t]\\|\\$\\)'\\'' \
+ /etc/services; then exit 0; else exit 1; \
+ fi; \
+fi' " ; "invalid port name $(@)"
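Review bot: `$(@)` is spliced unvalidated into both the sh -c command string and the two grep regular expressions, so the check is only as strict as the value: a single quote in the value ends the `'...'` quoting and lets the remainder run as a command, and a value such as `.*` matches every line of /etc/services and is accepted as a port name although no such service exists. Since the node is `type: txt` with no other constraint, a character allow-list should run before the grep, e.g. `syntax: pattern $(@) "^[A-Za-z0-9_-]+$" ; "port name may contain only letters, digits, '_' and '-'"` placed ahead of the exec line (if the template format admits only one syntax: entry, the same test can be a `case` statement at the top of the sh -c body). If /etc/services on the target contains service names with other characters the class can be widened, but never to include `'`, `.`, `*`, `[` or `\`.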
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port-number/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port-number/node.def
new file mode 100644
index 0000000..9afe6c8
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port-number/node.def
@@ -0,0 +1,4 @@
+multi:
+type: u32; "destination port must be between 1 and 65535"
+help: "Configure destination port number"
+syntax: $(@) > 0 && $(@) < 65536; "destination port must be between 1 and 65535"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/node.def
new file mode 100644
index 0000000..2dcf2f4
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/node.def
@@ -0,0 +1 @@
+help: "Configure destination port range"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/start/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/start/node.def
new file mode 100644
index 0000000..5e8610d
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/start/node.def
@@ -0,0 +1,3 @@
+type: u32; "destination port start should be between 1 and 65535"
+help: "Configure destination port range start"
+syntax: $(@) > 0 && $(@) < 65536; "destination port start should be between 1 and 65535"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/stop/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/stop/node.def
new file mode 100644
index 0000000..22c5e89
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/stop/node.def
@@ -0,0 +1,3 @@
+type: u32; "destination port stop should be between 1 and 65535"
+help: "Configure destination port range start"
+syntax: $(@) > 0 && $(@) < 65536; "destination port stop should be between 1 and 65535"
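Review bot: The help: text on the stop node reads "Configure destination port range start", copied from the start template; it should be `help: "Configure destination port range stop"`. Nothing here checks that stop is not below start, and a leaf syntax: line cannot express that cross-node condition, so it presumably has to be enforced where the two leaves are combined into a rule in vyatta-firewall.pl, which this commit does not show.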
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/range/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/range/node.def
new file mode 100644
index 0000000..89f6456
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/range/node.def
@@ -0,0 +1 @@
+help: "Configure destination address range"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/range/start/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/range/start/node.def
new file mode 100644
index 0000000..f83ec75
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/range/start/node.def
@@ -0,0 +1,2 @@
+type: ipv4; "destination range start should be an IPv4 address"
+help: "Configure destination range start"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/range/stop/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/range/stop/node.def
new file mode 100644
index 0000000..17673c2
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/range/stop/node.def
@@ -0,0 +1,2 @@
+type: ipv4; "destination range stop should be an IPv4 address"
+help: "Configure destination range stop"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def b/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def
new file mode 100644
index 0000000..318b7b5
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def
@@ -0,0 +1,3 @@
+type: u32; "ICMP code must be between 0 and 255"
+help: "ICMP code must be between 0 and 255"
+syntax: $(@) >=0 && $(@) <= 255; "ICMP code must be between 0 and 255"
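Review bot: The help: line repeats the validation error ("ICMP code must be between 0 and 255") instead of describing the node, so CLI completion help reads like a rejected value; `help: "Configure ICMP code to match (0-255)"` says what the node is for while keeping the range. The icmp/type template in this commit has the same duplication and would take `help: "Configure ICMP type to match (0-255)"`.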
diff --git a/templates/firewall/name/node.tag/rule/node.tag/icmp/node.def b/templates/firewall/name/node.tag/rule/node.tag/icmp/node.def
new file mode 100644
index 0000000..db820cf
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/icmp/node.def
@@ -0,0 +1 @@
+help: "Configure rule ICMP type and code settings"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def b/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def
new file mode 100644
index 0000000..cb1043d
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def
@@ -0,0 +1,3 @@
+type: u32; "ICMP type must be between 0 and 255"
+help: "ICMP type must be between 0 and 255"
+syntax: $(@) >=0 && $(@) <= 255; "ICMP type must be between 0 and 255"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/log/node.def b/templates/firewall/name/node.tag/rule/node.tag/log/node.def
new file mode 100644
index 0000000..dac6966
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/log/node.def
@@ -0,0 +1,3 @@
+type: txt; "firwall logging must be enable or disable"
+help: "Configure firewall logging"
+syntax: $(@) in "enable", "disable"; "firwall logging must be enable or disable"
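Review bot: Both the type: and syntax: error strings misspell "firewall" as "firwall", and this is the text a user sees when a value is rejected; both should read `"firewall logging must be enable or disable"`. The help: line could also state the effect rather than "Configure firewall logging", e.g. `help: "Log packets matched by this rule (enable/disable)"`, assuming that is what the per-rule log node controls in vyatta-firewall.pl.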
diff --git a/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..06d0cbe
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure which protocol to match (this can be a protocol name in /etc/protocols, a protocol number, or \"all\")"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$(@)'" ; "invalid protocol \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..13d2813
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure firewall source address"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv4_negate '$(@)'" ; "invalid source address \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def
new file mode 100644
index 0000000..c72d1c7
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure source MAC address"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$(@)'" ; "invalid MAC address \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/network/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/network/node.def
new file mode 100644
index 0000000..141d325
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/network/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure firewall source network"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv4net_negate '$(@)'" ; "invalid source network \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 0000000..c2eabc3
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: "Configure firewall source parameters"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/port-name/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/port-name/node.def
new file mode 100644
index 0000000..b67c597
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/port-name/node.def
@@ -0,0 +1,10 @@
+multi:
+type: txt
+help: "Configure source port name"
+syntax: exec "sh -c 'if grep -q '\\''^$(@)[ \t]'\\'' /etc/services; \
+then exit 0; else \
+ if grep -q \
+ '\\''^[^ \t]\\+[ \t]\\+[^ \t]\\+[^#]*[ \t]$(@)\\([ \t]\\|\\$\\)'\\'' \
+ /etc/services; then exit 0; else exit 1; \
+ fi; \
+fi' " ; "invalid port name $(@)"
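Review bot: The grep here receives `$(@)` without any character restriction: a value containing `'` breaks out of the single-quoted regex and reaches the shell spawned for sh -c, and regex metacharacters such as `.*` or `[...]` let strings that name no real service pass validation. Restrict the value first with `syntax: pattern $(@) "^[A-Za-z0-9_-]+$" ; "port name may contain only letters, digits, '_' and '-'"`, widening the class only if /etc/services actually uses other characters. This template is byte-identical to destination/port-name apart from the help text; moving the lookup into one validator script (alongside vyatta-validate-type.pl) would keep any fix in a single place.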
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/port-number/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/port-number/node.def
new file mode 100644
index 0000000..6440da9
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/port-number/node.def
@@ -0,0 +1,4 @@
+multi:
+type: u32; "source port must be between 1 and 65535"
+help: "Configure source port number"
+syntax: $(@) > 0 && $(@) < 65536; "source port must be between 1 and 65535"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/port-range/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/node.def
new file mode 100644
index 0000000..0f9e60c
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/node.def
@@ -0,0 +1 @@
+help: "Configure source port range"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/port-range/start/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/start/node.def
new file mode 100644
index 0000000..0835d4c
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/start/node.def
@@ -0,0 +1,3 @@
+type: u32; "source port start should be between 1 and 65535"
+help: "Configure source port range start"
+syntax: $(@) > 0 && $(@) < 65536; "source port start should be between 1 and 65535"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/port-range/stop/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/stop/node.def
new file mode 100644
index 0000000..e032b60
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/stop/node.def
@@ -0,0 +1,3 @@
+type: u32; "source port stop should be between 1 and 65535"
+help: "Configure source port range start"
+syntax: $(@) > 0 && $(@) < 65536; "source port stop should be between 1 and 65535"
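Review bot: The help: text "Configure source port range start" is copied from the start node; the stop node should say `help: "Configure source port range stop"`. The syntax: line bounds the value but cannot check that stop is not below start, so that ordering presumably has to be enforced where the two leaves are turned into a rule, outside this commit.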
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/range/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/range/node.def
new file mode 100644
index 0000000..b02f8cb
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/range/node.def
@@ -0,0 +1 @@
+help: "Configure source address range"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/range/start/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/range/start/node.def
new file mode 100644
index 0000000..01de6f8
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/range/start/node.def
@@ -0,0 +1,2 @@
+type: ipv4; "source range start should be an IPv4 address"
+help: "Configure source range start"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/range/stop/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/range/stop/node.def
new file mode 100644
index 0000000..fdec72b
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/range/stop/node.def
@@ -0,0 +1,2 @@
+type: ipv4; "source range stop should be an IPv4 address"
+help: "Configure source range stop"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/name/node.tag/rule/node.tag/state/established/node.def
new file mode 100644
index 0000000..9fa8224
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/state/established/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure established state"
+syntax: $(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/name/node.tag/rule/node.tag/state/invalid/node.def
new file mode 100644
index 0000000..d944257
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/state/invalid/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure invalid state"
+syntax: $(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/name/node.tag/rule/node.tag/state/new/node.def
new file mode 100644
index 0000000..5d78f83
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/state/new/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure new state"
+syntax: $(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/state/node.def b/templates/firewall/name/node.tag/rule/node.tag/state/node.def
new file mode 100644
index 0000000..b0b50aa
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/state/node.def
@@ -0,0 +1 @@
+help: "Session state"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/name/node.tag/rule/node.tag/state/related/node.def
new file mode 100644
index 0000000..7ab397a
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/state/related/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure related state"
+syntax: $(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/node.def b/templates/firewall/node.def
new file mode 100644
index 0000000..8ffda0a
--- /dev/null
+++ b/templates/firewall/node.def
@@ -0,0 +1,4 @@
+help: "Configure firewall"
+end: "/opt/vyatta/sbin/vyatta-firewall.pl --update-rules"
+create: "/opt/vyatta/sbin/vyatta-firewall.pl --setup"
+delete: "/opt/vyatta/sbin/vyatta-firewall.pl --teardown"
diff --git a/templates/firewall/receive-redirects/node.def b/templates/firewall/receive-redirects/node.def
new file mode 100644
index 0000000..cd3504b
--- /dev/null
+++ b/templates/firewall/receive-redirects/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: "accept redirects"
+default: "disable"
+syntax: $(@) in "enable", "disable"; "receive-redirects must be enable or disable"
+create: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects; fi"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects; fi"
+delete: "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
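Review bot: Writing only conf/all/accept_redirects may not turn acceptance off: per the kernel's ip-sysctl documentation the effective setting combines conf/all with conf/<interface>, and on an interface with forwarding disabled the combination is a logical OR, so a per-interface value of 1 (the kernel default) keeps redirects accepted; only on forwarding interfaces is conf/all=0 sufficient. Interfaces created after this action runs also take their value from conf/default, which is never written here. Writing every entry at once closes both gaps, e.g. `echo 0 | tee /proc/sys/net/ipv4/conf/*/accept_redirects > /dev/null` in the disable branches and the delete: action (the glob covers all, default and each interface without needing a shell variable inside the template string).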
diff --git a/templates/firewall/send-redirects/node.def b/templates/firewall/send-redirects/node.def
new file mode 100644
index 0000000..f5ecea7
--- /dev/null
+++ b/templates/firewall/send-redirects/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: "send ICMP redirects"
+default: "disable"
+syntax: $(@) in "enable", "disable"; "send-redirects must be enable or disable"
+create: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects; fi"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects; fi"
+delete: "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
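Review bot: Setting conf/all/send_redirects to 0 does not stop the router sending ICMP redirects: per the kernel's ip-sysctl documentation send_redirects is enabled on an interface if either conf/all or conf/<interface>/send_redirects is 1, and the per-interface value defaults to 1, so the disable branches and the delete: action here are effectively no-ops on existing interfaces and conf/default is never set for interfaces created later. Writing the value to every entry closes the gap: `echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects > /dev/null` (and the same with 1 in the enable branch), which covers all, default and each interface without a shell variable in the template string. Note also that `default: "disable"` only describes the node; if the backend does not run create:/update: for a defaulted node at boot, the kernel keeps its own default of sending redirects until the user explicitly sets the node.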
diff --git a/templates/firewall/syn-cookies/node.def b/templates/firewall/syn-cookies/node.def
new file mode 100644
index 0000000..df9f5a9
--- /dev/null
+++ b/templates/firewall/syn-cookies/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: "use TCP syn cookies"
+default: "enable"
+syntax: $(@) in "enable", "disable"; "syn-cookies must be enable or disable"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; \
+ else echo 0 > /proc/sys/net/ipv4/tcp_syncookies; fi"
+delete: "echo 1 > /proc/sys/net/ipv4/tcp_syncookies"
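Review bot: This template defines update: but no create:, unlike the other sysctl nodes in this commit, so the first `set firewall syn-cookies disable` depends on the backend falling back to update: when create: is absent; if it does not, the value is stored in the config but the kernel is not touched until the next change. Adding a create: action with the same body as update: makes the behaviour independent of that fallback. The delete: action restoring 1 matches the declared default and is the right direction for a security knob.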