From 654c8cad2daaf84a07e4664d2c0469a863a46bdc Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Tue, 25 May 2021 23:17:16 +0300 Subject: firewall: T3568: add XML definitions for firewall Add XML for configuration mode firewall. Used for future rewriting it to Python style. --- interface-definitions/firewall.xml.in | 782 ++++++++++++++++++++++++++++++++++ 1 file changed, 782 insertions(+) create mode 100644 interface-definitions/firewall.xml.in (limited to 'interface-definitions/firewall.xml.in') diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in new file mode 100644 index 000000000..5528d6bc5 --- /dev/null +++ b/interface-definitions/firewall.xml.in @@ -0,0 +1,782 @@ + + + + + 199 + Firewall + + + + + Policy for handling of all IPv4 ICMP echo requests + + enable disable + + + enable + Enable processing of all IPv4 ICMP echo requests + + + disable + Disable processing of all IPv4 ICMP echo requests + + + ^(enable|disable)$ + + + + + + Policy for handling broadcast IPv4 ICMP echo and timestamp requests + + enable disable + + + enable + Enable processing of broadcast IPv4 ICMP echo/timestamp requests + + + disable + Disable processing of broadcast IPv4 ICMP echo/timestamp requests + + + ^(enable|disable)$ + + + + + + SNMP trap generation on firewall configuration changes + + enable disable + + + enable + Enable sending SNMP trap on firewall configuration change + + + disable + Disable sending SNMP trap on firewall configuration change + + + ^(enable|disable)$ + + + + + + Firewall group + + + + + Firewall address-group + + + + + Address-group member + + ipv4 + IPv4 address to match + + + ipv4range + IPv4 range to match (e.g. 10.0.0.1-10.0.0.200) + + + + + + + + + #include + + + + + Firewall ipv6-address-group + + + + + Address-group member + + ipv6 + IPv6 address to match + + + + + + + + #include + + + + + Network-group member + + + #include + + + Network-group member + + ipv6net + IPv6 address to match + + + + + + + + + + + + Firewall network-group + + + #include + + + Network-group member + + ipv4net + IPv4 Subnet to match + + + + + + + + + + + + Firewall port-group + + + #include + + + Port-group member + + txt + Named port (any name in /etc/services, e.g., http) + + + u32:1-65535 + Numbered port + + + start-end + Numbered port range (e.g. 1001-1050) + + + + + + + + + + + Policy for handling IPv4 packets with source route option + + enable disable + + + enable + Enable processing of IPv4 packets with source route option + + + disable + Disable processing of IPv4 packets with source route option + + + ^(enable|disable)$ + + + + + + IPv6 firewall rule-set name + + + #include + #include + #include + + + Rule number (1-9999) + + + #include + #include + + + Destination parameters + + + #include + #include + #include + + + + + Source parameters + + + #include + #include + #include + + + #include + + + Hop Limit + + + + + Value to match a hop limit equal to it + + u32:0-255 + Hop limit equal to value + + + + + + + + + Value to match a hop limit greater than or equal to it + + u32:0-255 + Hop limit greater than value + + + + + + + + + Value to match a hop limit less than or equal to it + + u32:0-255 + Hop limit less than value + + + + + + + + + + + ICMPv6 type and code information + + + + + ICMP type-name + + any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply + + + any + Any ICMP type/code + + + echo-reply + ICMP type/code name + + + pong + ICMP type/code name + + + destination-unreachable + ICMP type/code name + + + network-unreachable + ICMP type/code name + + + host-unreachable + ICMP type/code name + + + protocol-unreachable + ICMP type/code name + + + port-unreachable + ICMP type/code name + + + fragmentation-needed + ICMP type/code name + + + source-route-failed + ICMP type/code name + + + network-unknown + ICMP type/code name + + + host-unknown + ICMP type/code name + + + network-prohibited + ICMP type/code name + + + host-prohibited + ICMP type/code name + + + TOS-network-unreachable + ICMP type/code name + + + TOS-host-unreachable + ICMP type/code name + + + communication-prohibited + ICMP type/code name + + + host-precedence-violation + ICMP type/code name + + + precedence-cutoff + ICMP type/code name + + + source-quench + ICMP type/code name + + + redirect + ICMP type/code name + + + network-redirect + ICMP type/code name + + + host-redirect + ICMP type/code name + + + TOS-network-redirect + ICMP type/code name + + + TOS host-redirect + ICMP type/code name + + + echo-request + ICMP type/code name + + + ping + ICMP type/code name + + + router-advertisement + ICMP type/code name + + + router-solicitation + ICMP type/code name + + + time-exceeded + ICMP type/code name + + + ttl-exceeded + ICMP type/code name + + + ttl-zero-during-transit + ICMP type/code name + + + ttl-zero-during-reassembly + ICMP type/code name + + + parameter-problem + ICMP type/code name + + + ip-header-bad + ICMP type/code name + + + required-option-missing + ICMP type/code name + + + timestamp-request + ICMP type/code name + + + timestamp-reply + ICMP type/code name + + + address-mask-request + ICMP type/code name + + + address-mask-reply + ICMP type/code name + + + ^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$ + + + + + + + + + P2P application packets + + + + + AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets + + + + + + AppleJuice application packets + + + + + + BitTorrent application packets + + + + + + Direct Connect application packets + + + + + + eDonkey/eMule application packets + + + + + + Gnutella application packets + + + + + + KaZaA application packets + + + + + + + + + + + + Policy for handling received ICMPv6 redirect messages + + enable disable + + + enable + Enable processing of received ICMPv6 redirect messages + + + disable + Disable processing of received ICMPv6 redirect messages + + + ^(enable|disable)$ + + + + + + Policy for handling IPv6 packets with routing extension header + + enable disable + + + enable + Enable processing of IPv6 packets with routing header type 2 + + + disable + Disable processing of IPv6 packets with routing header + + + ^(enable|disable)$ + + + + + + Policy for logging IPv4 packets with invalid addresses + + enable disable + + + enable + Enable logging of IPv4 packets with invalid addresses + + + disable + Disable logging of Ipv4 packets with invalid addresses + + + ^(enable|disable)$ + + + + + + IPv4 firewall rule-set name + + + #include + #include + #include + + + Rule number (1-9999) + + + #include + #include + + + Destination parameters + + + #include + #include + #include + + + + + Source parameters + + + #include + #include + #include + + + #include + + + ICMP type and code information + + + + + ICMP code (0-255) + + u32:0-255 + ICMP code (0-255) + + + + + + + + + ICMP type (0-255) + + u32:0-255 + ICMP type (0-255) + + + + + + + #include + + + + + + + + + Policy for handling received IPv4 ICMP redirect messages + + enable disable + + + enable + Enable processing of received IPv4 ICMP redirect messages + + + disable + Disable processing of received IPv4 ICMP redirect messages + + + ^(enable|disable)$ + + + + + + Policy for sending IPv4 ICMP redirect messages + + enable disable + + + enable + Enable sending IPv4 ICMP redirect messages + + + disable + Disable sending IPv4 ICMP redirect messages + + + ^(enable|disable)$ + + + + + + Policy for source validation by reversed path, as specified in RFC3704 + + strict loose disable + + + strict + Enable Strict Reverse Path Forwarding as defined in RFC3704 + + + loose + Enable Loose Reverse Path Forwarding as defined in RFC3704 + + + disable + No source validation + + + ^(strict|loose|disable)$ + + + + + + Global firewall state-policy + + + + + Global firewall policy for packets part of an established connection + + + #include + #include + + + + + Global firewall policy for packets part of an invalid connection + + + #include + #include + + + + + Global firewall policy for packets part of a related connection + + + #include + #include + + + + + + + Policy for using TCP SYN cookies with IPv4 + + enable disable + + + enable + Enable use of TCP SYN cookies with IPv4 + + + disable + Disable use of TCP SYN cookies with IPv4 + + + ^(enable|disable)$ + + + + + + RFC1337 TCP TIME-WAIT assasination hazards protection + + enable disable + + + enable + Enable RFC1337 TIME-WAIT hazards protection + + + disable + Disable RFC1337 TIME-WAIT hazards protection + + + ^(enable|disable)$ + + + + + + -- cgit v1.2.3