Diffstat (limited to 'templates')
45 files changed, 177 insertions, 0 deletions
diff --git a/templates/firewall/broadcast-ping/node.def b/templates/firewall/broadcast-ping/node.def
new file mode 100644
index 0000000..f49831c
--- /dev/null
+++ b/templates/firewall/broadcast-ping/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: "ignore all ICMP ECHO and TIMESTAMP requests sent via broadcast/multicast"
+default: "disable"
+syntax: $(@) in "enable", "disable"; "broadcast-ping must be enable or disable"
+create: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; \
+ else echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; fi"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; \
+ else echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; fi"
+delete: "echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
diff --git a/templates/firewall/ip-src-route/node.def b/templates/firewall/ip-src-route/node.def
new file mode 100644
index 0000000..eb8bc0a
--- /dev/null
+++ b/templates/firewall/ip-src-route/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: "Accept packets with SRR option"
+default: "disable"
+syntax: $(@) in "enable", "disable"; "ip-src-route must be enable or disable"
+create: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route; fi"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route; fi"
+delete: "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route"
diff --git a/templates/firewall/log-martians/node.def b/templates/firewall/log-martians/node.def
new file mode 100644
index 0000000..928a23a
--- /dev/null
+++ b/templates/firewall/log-martians/node.def
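Review bot: The test `[ x$(@) == xenable ]` in the create and update actions relies on the bash-only `==` operator; a POSIX `[` (dash's, for example) reports it as a bad operator, and because that error exit falls into the else branch the sysctl is silently written as 0 whatever the user set. The portable form is `if [ "x$(@)" = xenable ]; \` in both actions. Which shell the template engine uses to run action strings is not visible in this diff, so this needs confirming; the same construct is in the ip-src-route hunk on this line and in the log-martians, receive-redirects, send-redirects and syn-cookies hunks. The create and update actions are byte-identical copies, which makes a future fix easy to apply to only one of them.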
@@ -0,0 +1,11 @@
+type: txt
+help: "Allow syslog logging of packets with impossible addresses"
+default: "enable"
+syntax: $(@) in "enable", "disable"; "log-martians must be enable or disable"
+create: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/log_martians; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/log_martians; fi"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/log_martians; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/log_martians; fi"
+delete: "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
new file mode 100644
index 0000000..5591c1f
--- /dev/null
+++ b/templates/firewall/name/node.def
@@ -0,0 +1,4 @@
+tag:
+type: txt
+syntax: pattern $(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
+help: "Configure firewall rule set name"
diff --git a/templates/firewall/name/node.tag/description/node.def b/templates/firewall/name/node.tag/description/node.def
new file mode 100644
index 0000000..3df7bc0
--- /dev/null
+++ b/templates/firewall/name/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: "Configure firewall description"
diff --git a/templates/firewall/name/node.tag/rule/node.def b/templates/firewall/name/node.tag/rule/node.def
new file mode 100644
index 0000000..b7a1c0c
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.def
@@ -0,0 +1,4 @@
+tag:
+type: u32
+help: "Configure firewall rule number from 1 to 1024"
+syntax: $(@) > 0 && $(@) < 1025; "firewall rule number must be between 1 and 1024"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/action/node.def b/templates/firewall/name/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 0000000..c8ea6c5
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/action/node.def
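Review bot: The `pattern $(@) "^[^-]"` check on the rule set name only rejects a leading `-`; nothing in the name hunk bounds the length or restricts the character set, and the name is presumably handed to iptables as a chain name by `vyatta-firewall.pl --update-rules` (the script is not in this diff, so that is an inference). If so, whitespace, quotes or a name longer than iptables allows would be rejected, or mis-parsed, only at commit time rather than when the user sets it. A tighter template-level check such as `syntax: pattern $(@) "^[A-Za-z0-9_][A-Za-z0-9_-]*$" ; "Firewall rule set name may contain only letters, digits, underscore and hyphen and cannot start with \"-\""` would surface the error earlier, though the allowed set should be matched to what the script and iptables accept.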
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure firewall rule action"
+syntax: $(@) in "drop", "reject", "accept"; "action must be one of drop, reject, or accept"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/description/node.def b/templates/firewall/name/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 0000000..3648c8a
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: "Configure rule description"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..89546fa
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure firewall destination address"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv4_negate '$(@)'" ; "invalid destination address \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/network/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/network/node.def
new file mode 100644
index 0000000..dfc93f9
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/network/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure firewall destination network"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv4net_negate '$(@)'" ; "invalid destination network \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/node.def
new file mode 100644
index 0000000..8b12941
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: "Configure firewall destination parameters"
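Review bot: The destination/address exec line splices the raw value into a shell command inside single quotes, `'$(@)'`, so a value containing a `'` ends the quoting and the rest of the value is parsed by the shell instead of being passed to vyatta-validate-type.pl. Whether the template engine escapes or rejects quote characters before expanding `$(@)` is not visible in this diff and should be confirmed; if it does not, a `pattern` check that excludes quotes, backslashes and whitespace should run before the exec, or the validator should read the value from stdin rather than argv. The same interpolation appears in the destination/network hunk on this line and in the protocol, source/address, source/mac-address and source/network hunks later in the diff.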
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port-name/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port-name/node.def
new file mode 100644
index 0000000..89c7ee9
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port-name/node.def
@@ -0,0 +1,10 @@
+multi:
+type: txt
+help: "Configure destination port name"
+syntax: exec "sh -c 'if grep -q '\\''^$(@)[ \t]'\\'' /etc/services; \
+then exit 0; else \
+ if grep -q \
+ '\\''^[^ \t]\\+[ \t]\\+[^ \t]\\+[^#]*[ \t]$(@)\\([ \t]\\|\\$\\)'\\'' \
+ /etc/services; then exit 0; else exit 1; \
+ fi; \
+fi' " ; "invalid port name $(@)"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port-number/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port-number/node.def
new file mode 100644
index 0000000..9afe6c8
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port-number/node.def
@@ -0,0 +1,4 @@
+multi:
+type: u32; "destination port must be between 1 and 65535"
+help: "Configure destination port number"
+syntax: $(@) > 0 && $(@) < 65536; "destination port must be between 1 and 65535"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/node.def
new file mode 100644
index 0000000..2dcf2f4
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/node.def
@@ -0,0 +1 @@
+help: "Configure destination port range"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/start/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/start/node.def
new file mode 100644
index 0000000..5e8610d
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/start/node.def
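Review bot: The port-name check builds a grep basic regex from the raw value (`'^$(@)[ \t]'` on the syntax line and the alias pattern three lines below it), so regex metacharacters in the value change what is matched: `.` matches any character, and a `'` in the value ends the single-quoting inside `sh -c`. The check therefore accepts some names that are not in /etc/services and the real failure surfaces only when the rule is applied. Matching the name as a literal field (an awk `$1 == name` style comparison) or constraining the value with a `pattern` check to the characters service names use, with `.` escaped for grep, before the exec would make the validation mean what the error message says. The source/port-name hunk later in the diff has the same construction.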
@@ -0,0 +1,3 @@
+type: u32; "destination port start should be between 1 and 65535"
+help: "Configure destination port range start"
+syntax: $(@) > 0 && $(@) < 65536; "destination port start should be between 1 and 65535"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/stop/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/stop/node.def
new file mode 100644
index 0000000..22c5e89
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/port-range/stop/node.def
@@ -0,0 +1,3 @@
+type: u32; "destination port stop should be between 1 and 65535"
+help: "Configure destination port range start"
+syntax: $(@) > 0 && $(@) < 65536; "destination port stop should be between 1 and 65535"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/range/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/range/node.def
new file mode 100644
index 0000000..89f6456
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/range/node.def
@@ -0,0 +1 @@
+help: "Configure destination address range"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/range/start/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/range/start/node.def
new file mode 100644
index 0000000..f83ec75
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/range/start/node.def
@@ -0,0 +1,2 @@
+type: ipv4; "destination range start should be an IPv4 address"
+help: "Configure destination range start"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/range/stop/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/range/stop/node.def
new file mode 100644
index 0000000..17673c2
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/range/stop/node.def
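Review bot: The help text of the destination/port-range/stop node reads `help: "Configure destination port range start"`, copied from the start node; it should be `help: "Configure destination port range stop"`. The source/port-range/stop hunk later in the diff carries the same copy-paste. Nothing in the port-range or address-range hunks checks that stop is not below start; if vyatta-firewall.pl does not do that check either (it is not in the diff), an inverted range is only rejected when the rule is applied, so it is worth documenting where that validation lives.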
@@ -0,0 +1,2 @@
+type: ipv4; "destination range stop should be an IPv4 address"
+help: "Configure destination range stop"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def b/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def
new file mode 100644
index 0000000..318b7b5
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def
@@ -0,0 +1,3 @@
+type: u32; "ICMP code must be between 0 and 255"
+help: "ICMP code must be between 0 and 255"
+syntax: $(@) >=0 && $(@) <= 255; "ICMP code must be between 0 and 255"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/icmp/node.def b/templates/firewall/name/node.tag/rule/node.tag/icmp/node.def
new file mode 100644
index 0000000..db820cf
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/icmp/node.def
@@ -0,0 +1 @@
+help: "Configure rule ICMP type and code settings"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def b/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def
new file mode 100644
index 0000000..cb1043d
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def
@@ -0,0 +1,3 @@
+type: u32; "ICMP type must be between 0 and 255"
+help: "ICMP type must be between 0 and 255"
+syntax: $(@) >=0 && $(@) <= 255; "ICMP type must be between 0 and 255"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/log/node.def b/templates/firewall/name/node.tag/rule/node.tag/log/node.def
new file mode 100644
index 0000000..dac6966
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/log/node.def
@@ -0,0 +1,3 @@
+type: txt; "firwall logging must be enable or disable"
+help: "Configure firewall logging"
+syntax: $(@) in "enable", "disable"; "firwall logging must be enable or disable"
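Review bot: The help string of the icmp/code node is the error message rather than a description (`help: "ICMP code must be between 0 and 255"`); the help line is what the CLI shows on completion, so `help: "Configure ICMP code to match (0-255)"` reads better and leaves the error text in the syntax clause where it belongs. The icmp/type hunk on this line has the same duplication. Minor: `>=0` on the syntax line is spaced differently from the `<= 255` next to it.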
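Review bot: Both error messages in the log hunk misspell firewall as `firwall` (`type: txt; "firwall logging must be enable or disable"` and the same text on the syntax line) while the help line spells it correctly; they should read `"firewall logging must be enable or disable"`. Whether the message attached to the `type:` line is ever shown is not clear from this diff; several other nodes in the diff also repeat the syntax message on the type line, so if only one of the two is displayed the other is dead text that will drift, as it has here.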
diff --git a/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..06d0cbe
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure which protocol to match (this can be a protocol name in /etc/protocols, a protocol number, or \"all\")"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$(@)'" ; "invalid protocol \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..13d2813
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure firewall source address"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv4_negate '$(@)'" ; "invalid source address \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def
new file mode 100644
index 0000000..c72d1c7
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure source MAC address"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$(@)'" ; "invalid MAC address \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/network/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/network/node.def
new file mode 100644
index 0000000..141d325
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/network/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure firewall source network"
+syntax: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv4net_negate '$(@)'" ; "invalid source network \"$(@)\""
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 0000000..c2eabc3
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: "Configure firewall source parameters"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/port-name/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/port-name/node.def
new file mode 100644
index 0000000..b67c597
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/port-name/node.def
@@ -0,0 +1,10 @@
+multi:
+type: txt
+help: "Configure source port name"
+syntax: exec "sh -c 'if grep -q '\\''^$(@)[ \t]'\\'' /etc/services; \
+then exit 0; else \
+ if grep -q \
+ '\\''^[^ \t]\\+[ \t]\\+[^ \t]\\+[^#]*[ \t]$(@)\\([ \t]\\|\\$\\)'\\'' \
+ /etc/services; then exit 0; else exit 1; \
+ fi; \
+fi' " ; "invalid port name $(@)"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/port-number/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/port-number/node.def
new file mode 100644
index 0000000..6440da9
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/port-number/node.def
@@ -0,0 +1,4 @@
+multi:
+type: u32; "source port must be between 1 and 65535"
+help: "Configure source port number"
+syntax: $(@) > 0 && $(@) < 65536; "source port must be between 1 and 65535"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/port-range/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/node.def
new file mode 100644
index 0000000..0f9e60c
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/node.def
@@ -0,0 +1 @@
+help: "Configure source port range"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/port-range/start/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/start/node.def
new file mode 100644
index 0000000..0835d4c
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/start/node.def
@@ -0,0 +1,3 @@
+type: u32; "source port start should be between 1 and 65535"
+help: "Configure source port range start"
+syntax: $(@) > 0 && $(@) < 65536; "source port start should be between 1 and 65535"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/port-range/stop/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/stop/node.def
new file mode 100644
index 0000000..e032b60
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/port-range/stop/node.def
@@ -0,0 +1,3 @@
+type: u32; "source port stop should be between 1 and 65535"
+help: "Configure source port range start"
+syntax: $(@) > 0 && $(@) < 65536; "source port stop should be between 1 and 65535"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/range/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/range/node.def
new file mode 100644
index 0000000..b02f8cb
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/range/node.def
@@ -0,0 +1 @@
+help: "Configure source address range"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/range/start/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/range/start/node.def
new file mode 100644
index 0000000..01de6f8
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/range/start/node.def
@@ -0,0 +1,2 @@
+type: ipv4; "source range start should be an IPv4 address"
+help: "Configure source range start"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/range/stop/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/range/stop/node.def
new file mode 100644
index 0000000..fdec72b
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/range/stop/node.def
@@ -0,0 +1,2 @@
+type: ipv4; "source range stop should be an IPv4 address"
+help: "Configure source range stop"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/name/node.tag/rule/node.tag/state/established/node.def
new file mode 100644
index 0000000..9fa8224
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/state/established/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure established state"
+syntax: $(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/name/node.tag/rule/node.tag/state/invalid/node.def
new file mode 100644
index 0000000..d944257
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/state/invalid/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure invalid state"
+syntax: $(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/name/node.tag/rule/node.tag/state/new/node.def
new file mode 100644
index 0000000..5d78f83
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/state/new/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure new state"
+syntax: $(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/state/node.def b/templates/firewall/name/node.tag/rule/node.tag/state/node.def
new file mode 100644
index 0000000..b0b50aa
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/state/node.def
@@ -0,0 +1 @@
+help: "Session state"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/name/node.tag/rule/node.tag/state/related/node.def
new file mode 100644
index 0000000..7ab397a
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/state/related/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "Configure related state"
+syntax: $(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/node.def b/templates/firewall/node.def
new file mode 100644
index 0000000..8ffda0a
--- /dev/null
+++ b/templates/firewall/node.def
@@ -0,0 +1,4 @@
+help: "Configure firewall"
+end: "/opt/vyatta/sbin/vyatta-firewall.pl --update-rules"
+create: "/opt/vyatta/sbin/vyatta-firewall.pl --setup"
+delete: "/opt/vyatta/sbin/vyatta-firewall.pl --teardown"
diff --git a/templates/firewall/receive-redirects/node.def b/templates/firewall/receive-redirects/node.def
new file mode 100644
index 0000000..cd3504b
--- /dev/null
+++ b/templates/firewall/receive-redirects/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: "accept redirects"
+default: "disable"
+syntax: $(@) in "enable", "disable"; "receive-redirects must be enable or disable"
+create: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects; fi"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects; fi"
+delete: "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
diff --git a/templates/firewall/send-redirects/node.def b/templates/firewall/send-redirects/node.def
new file mode 100644
index 0000000..f5ecea7
--- /dev/null
+++ b/templates/firewall/send-redirects/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: "send ICMP redirects"
+default: "disable"
+syntax: $(@) in "enable", "disable"; "send-redirects must be enable or disable"
+create: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects; fi"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects; \
+ else echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects; fi"
+delete: "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
diff --git a/templates/firewall/syn-cookies/node.def b/templates/firewall/syn-cookies/node.def
new file mode 100644
index 0000000..df9f5a9
--- /dev/null
+++ b/templates/firewall/syn-cookies/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: "use TCP syn cookies"
+default: "enable"
+syntax: $(@) in "enable", "disable"; "syn-cookies must be enable or disable"
+update: "if [ x$(@) == xenable ]; \
+ then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; \
+ else echo 0 > /proc/sys/net/ipv4/tcp_syncookies; fi"
+delete: "echo 1 > /proc/sys/net/ipv4/tcp_syncookies"
|
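Review bot: Writing only `/proc/sys/net/ipv4/conf/all/send_redirects` may not deliver what `send-redirects disable` promises: as far as I recall the kernel's ip-sysctl documentation, redirects are sent if either `conf/all` or the per-interface `conf/<interface>/send_redirects` is true, and the per-interface values, inherited from `conf/default` which this template never touches, are normally 1. The same all-versus-interface combination applies to the receive-redirects hunk (`accept_redirects`, where on a non-forwarding host either flag enables) and to the log-martians hunk (enabled if any flag is set), so the disable paths there deserve the same scrutiny. If this holds, the action should also write `conf/default` so interfaces added later inherit the setting, and the help text should say that existing per-interface values are not overridden; the kernel version the target runs is not visible here, so please verify against its documentation.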
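Review bot: Unlike every other sysctl toggle in this diff, the syn-cookies node defines no `create:` action, only `update:` and `delete:`; if the template engine does not run `update:` when a node is first created, a fresh `syn-cookies disable` would not take effect until the next change and `syn-cookies enable` would silently rely on the kernel default. Whether create falls through to update is not visible here; if it does not, the node needs a `create:` block with the same three lines as `update:`. The `delete:` action restoring 1 matches `default: "enable"`, which is the right direction for a security control.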