-- **SDOC**********************************************************************
-- ****************************************************************************
--
-- Copyright(c) 2005 Mediatrix Telecom, Inc.
--
-- NOTICE:
-- This document contains information that is confidential and proprietary
-- to Mediatrix Telecom, Inc.
--
-- Mediatrix Telecom, Inc. reserves all rights to this document as well as
-- to the Intellectual Property of the document and the technology and
-- know-how that it includes and represents.
--
-- This publication cannot be reproduced, neither in whole nor in part, in
-- any form whatsoever without written prior approval by
-- Mediatrix Telecom, Inc.
--
-- Mediatrix Telecom, Inc. reserves the right to revise this publication
-- and make changes at any time and without the obligation to notify any
-- person and/or entity of such revisions and/or changes.
--
-- ****************************************************************************
-- ****************************************************************************
--
-- MX-FIREWALL-MIB.my
--
-- Root for the module used to configure the Firewall.
--
-- ****************************************************************************
-- **EDOC**********************************************************************

MX-FIREWALL-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Integer32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    MxEnableState
        FROM MX-TC
    mediatrixConfig
        FROM MX-SMI;

firewallMIB MODULE-IDENTITY
    LAST-UPDATED "200603060000Z"
    ORGANIZATION "Mediatrix Telecom, Inc."
    CONTACT-INFO
        "Mediatrix Telecom, Inc.
         4229, Garlock Street
         Sherbrooke (Quebec)
         Canada
         Phone: (819) 829-8749
        "
    DESCRIPTION
        "This MIB provides information to configure the firewall module.
         This module is responsible for accepting or dropping packets
         intended for the unit and the clients on the LAN.

         The DROP action is done silently by default, without sending
         packets in answer. Otherwise, the specific action will be
         documented."

    -- ************************************************************************
    -- Revision history
    -- ************************************************************************
    REVISION "200603060000Z"
    DESCRIPTION "Modified the description of the firewallEnable variable."

    REVISION "200504190000Z"
    DESCRIPTION "Creation"

    ::= { mediatrixConfig 450 }

firewallMIBObjects  OBJECT IDENTIFIER ::= { firewallMIB 1 }
firewallConformance OBJECT IDENTIFIER ::= { firewallMIB 2 }

-- *************************************************************************
-- Config variables
-- *************************************************************************

firewallEnable OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the firewall.

         enable  : The traffic is analyzed and filtered by all the rules
                   configured in this module. All the enabled security
                   rules in this module apply immediately.
         disable : No security rule is activated.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.

         This variable's semantics are different depending on the hardware
         platform. Please refer to the documentation shipped with your
         device for more details.
        "
    DEFVAL { enable }
    ::= { firewallMIBObjects 10 }

-- *************************************************************************
-- Firewall Security variables
-- *************************************************************************

firewallSecurity OBJECT IDENTIFIER ::= { firewallMIBObjects 100 }

firewallSecurityBadTcpPacketRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to drop bad TCP packets from the
         WAN side.

         When enabled, this variable configures rules that check incoming
         TCP packets for malformed headers. If a bad TCP packet is found,
         the firewall drops it silently.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { enable }
    ::= { firewallSecurity 10 }

firewallSecurityTcpSynCookiesRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to protect the unit against the
         common 'SYN flood' attack.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { enable }
    ::= { firewallSecurity 20 }

firewallSecuritySourceRoutedPacketRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to drop source routed packets
         (packets with the SRR option) from the WAN side.

         When enabled, this variable configures rules that silently drop
         all packets with this option.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { disable }
    ::= { firewallSecurity 30 }

firewallSecurityMulticastPacketRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to drop multicast packets from the
         WAN side.

         When enabled, this variable configures rules that drop incoming
         WAN multicast packets. If multicast packets are found, the
         firewall drops them silently.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { enable }
    ::= { firewallSecurity 40 }

firewallSecurityIdentRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to drop IDENT request packets from
         the WAN side.

         When enabled, this variable configures rules that drop incoming
         IDENT request packets and send back a TCP RST packet. This
         behavior is required because dropping silently on port 113 may
         cause connection problems.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { enable }
    ::= { firewallSecurity 50 }

firewallSecurityReversePathFilteringRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to filter packets by reverse path
         filtering.

         When enabled, this variable configures rules that silently drop
         packets received on one interface whose reply would be routed
         out another interface. In this case, the packet is bogus and the
         firewall drops it.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { disable }
    ::= { firewallSecurity 60 }

firewallSecurityBlockWanEchoRequestRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to silently drop ICMP echo requests
         received from the WAN side.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { disable }
    ::= { firewallSecurity 70 }

firewallSecurityBlockLanEchoRequestRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to silently drop ICMP echo requests
         received on the LAN interface.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { disable }
    ::= { firewallSecurity 80 }

firewallSecurityBlockWanEchoBroadcastRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to silently drop incoming WAN ICMP
         echo requests sent to the broadcast address.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { enable }
    ::= { firewallSecurity 90 }

firewallSecurityBlockIcmpRedirectionInRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to silently drop ICMP redirect
         messages received from the WAN side.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { enable }
    ::= { firewallSecurity 100 }

firewallSecurityBlockIcmpRedirectionOutRule OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the behavior to block the sending of ICMP
         redirect messages.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { enable }
    ::= { firewallSecurity 110 }

-- *************************************************************************
-- Spoof Security variables
-- *************************************************************************

firewallSecuritySpoof OBJECT IDENTIFIER ::= { firewallSecurity 1000 }

firewallSecuritySpoofEnable OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the security rules against IP address spoofing
         contained in the table firewallSecuritySpoofTable. These rules
         can prevent reception of packets from the WAN side according to
         the source address of those packets.

         This variable applies only if the variable firewallEnable is
         enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { enable }
    ::= { firewallSecuritySpoof 10 }

-- ************************************************************************
-- Spoof table
-- ************************************************************************

firewallSecuritySpoofTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FirewallSecuritySpoofEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table that contains the static security rules against spoofing.
         Each one of these rules must be enabled by the variable
         firewallSecuritySpoofRuleEnable.

         This table applies only if the variable firewallSecuritySpoofEnable
         is enabled and if the variable firewallEnable is also enabled.

         The user cannot add rules in this table. The user can simply
         enable or disable the rules present.
        "
    ::= { firewallSecuritySpoof 100 }

firewallSecuritySpoofEntry OBJECT-TYPE
    SYNTAX      FirewallSecuritySpoofEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A row in the firewallSecuritySpoofTable used to specify a
         spoofing rule.

         An entry is enabled if the variable firewallEnable is enabled and
         if the variable firewallSecuritySpoofRuleEnable of this row is
         also enabled.
        "
    INDEX { firewallSecuritySpoofIndex }
    ::= { firewallSecuritySpoofTable 5 }

FirewallSecuritySpoofEntry ::= SEQUENCE {
    firewallSecuritySpoofIndex      Unsigned32,
    firewallSecuritySpoofLabel      OCTET STRING,
    firewallSecuritySpoofAddress    OCTET STRING,
    firewallSecuritySpoofRuleEnable MxEnableState
}

firewallSecuritySpoofIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..255)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Anti-spoofing rule index for this row.
        "
    ::= { firewallSecuritySpoofEntry 10 }

firewallSecuritySpoofLabel OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Short description of the anti-spoofing rule.
        "
    ::= { firewallSecuritySpoofEntry 20 }

firewallSecuritySpoofAddress OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Source IP address and mask of the packets this rule must drop
         silently.
        "
    ::= { firewallSecuritySpoofEntry 30 }

firewallSecuritySpoofRuleEnable OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates whether the specific anti-spoofing rule of this row is
         used or not.

         This variable applies only if the variables firewallEnable and
         firewallSecuritySpoofEnable are both enabled.

         Since the modification of this variable will be applied in real
         time, new settings can affect the current network connections.
        "
    DEFVAL { disable }
    ::= { firewallSecuritySpoofEntry 40 }

-- *************************************************************************
-- Firewall Syslog variables
-- *************************************************************************

firewallSyslog OBJECT IDENTIFIER ::= { firewallMIBObjects 200 }

firewallSyslogEnable OBJECT-TYPE
    SYNTAX      MxEnableState
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables/Disables the syslog for the firewall notification
         messages.
        "
    DEFVAL { disable }
    ::= { firewallSyslog 10 }

-- ************************************************************************
-- Conformance information
-- ************************************************************************

firewallCompliances OBJECT IDENTIFIER ::= { firewallConformance 1 }

firewallComplVer1 MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "Minimal parameters definitions to support the firewall
         configuration."
    MODULE -- This Module
        MANDATORY-GROUPS {
            firewallGroupVer1,
            firewallSecurityGroupVer1,
            firewallSecuritySpoofGroupVer1,
            firewallSyslogGroupVer1
        }
    ::= { firewallCompliances 1 }

-- ************************************************************************
-- MIB variable grouping
-- ************************************************************************

firewallGroups OBJECT IDENTIFIER ::= { firewallConformance 2 }

firewallGroupVer1 OBJECT-GROUP
    OBJECTS {
        firewallEnable
    }
    STATUS      current
    DESCRIPTION
        "This group holds the minimal set of objects to enable the
         firewall basic services.
        "
    ::= { firewallGroups 1 }

firewallSecurityGroupVer1 OBJECT-GROUP
    OBJECTS {
        firewallSecurityBadTcpPacketRule,
        firewallSecurityTcpSynCookiesRule,
        firewallSecuritySourceRoutedPacketRule,
        firewallSecurityMulticastPacketRule,
        firewallSecurityIdentRule,
        firewallSecurityReversePathFilteringRule,
        firewallSecurityBlockWanEchoRequestRule,
        firewallSecurityBlockLanEchoRequestRule,
        firewallSecurityBlockWanEchoBroadcastRule,
        firewallSecurityBlockIcmpRedirectionInRule,
        firewallSecurityBlockIcmpRedirectionOutRule
    }
    STATUS      current
    DESCRIPTION
        "This group holds the minimal set of objects that defines the
         firewall rules.
        "
    ::= { firewallGroups 2 }

firewallSecuritySpoofGroupVer1 OBJECT-GROUP
    OBJECTS {
        firewallSecuritySpoofEnable,
        firewallSecuritySpoofLabel,
        firewallSecuritySpoofAddress,
        firewallSecuritySpoofRuleEnable
    }
    STATUS      current
    DESCRIPTION
        "This group holds the minimal set of objects that defines the
         firewall anti-spoofing rules.
        "
    ::= { firewallGroups 3 }

firewallSyslogGroupVer1 OBJECT-GROUP
    OBJECTS {
        firewallSyslogEnable
    }
    STATUS      current
    DESCRIPTION
        "This group holds the minimal set of objects to enable the
         firewall syslog.
        "
    ::= { firewallGroups 4 }

END
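The MIB states a gating hierarchy (a security rule only acts when firewallEnable is enabled; a spoof-table row only acts when firewallEnable, firewallSecuritySpoofEnable and the row's own firewallSecuritySpoofRuleEnable are all enabled) and a DEFVAL for every rule. The following added example, which is not Mediatrix code, evaluates the effective state of each rule from a snapshot of those objects and flags rules that ship enabled but have been switched off; the snapshot format (object name to "enable"/"disable", as a manager might build from an snmpwalk) is an assumption of the example.

```python
# Added example, not Mediatrix code. The DEFVALs below are the MIB's; the input
# format (object name -> "enable"/"disable", as built from an snmpwalk) is assumed.
SECURITY_RULE_DEFAULTS = {
    "firewallSecurityBadTcpPacketRule": "enable",
    "firewallSecurityTcpSynCookiesRule": "enable",
    "firewallSecuritySourceRoutedPacketRule": "disable",
    "firewallSecurityMulticastPacketRule": "enable",
    "firewallSecurityIdentRule": "enable",
    "firewallSecurityReversePathFilteringRule": "disable",
    "firewallSecurityBlockWanEchoRequestRule": "disable",
    "firewallSecurityBlockLanEchoRequestRule": "disable",
    "firewallSecurityBlockWanEchoBroadcastRule": "enable",
    "firewallSecurityBlockIcmpRedirectionInRule": "enable",
    "firewallSecurityBlockIcmpRedirectionOutRule": "enable",
}

def _enabled(config, name, default):
    """True if the object reads 'enable'; an unset object takes its DEFVAL."""
    return config.get(name, default) == "enable"

def effective_rules(config, spoof_rows):
    """Map each rule to whether it filters traffic right now, per the MIB:
    a scalar rule applies only if firewallEnable is enabled; a spoof-table
    row (spoof_rows: firewallSecuritySpoofIndex -> value) applies only if
    firewallEnable, firewallSecuritySpoofEnable and the row's own
    firewallSecuritySpoofRuleEnable are all enabled."""
    fw_on = _enabled(config, "firewallEnable", "enable")
    active = {name: fw_on and _enabled(config, name, default)
              for name, default in SECURITY_RULE_DEFAULTS.items()}
    spoof_on = fw_on and _enabled(config, "firewallSecuritySpoofEnable", "enable")
    for idx, state in spoof_rows.items():  # row DEFVAL is disable
        active[f"firewallSecuritySpoofRuleEnable.{idx}"] = spoof_on and state == "enable"
    return active

def weakened_rules(config):
    """Objects whose DEFVAL is 'enable' but which are set to 'disable'.
    A drift check: the unit ships with these protections on, so a 'disable'
    is a deliberate (or unauthorised) reduction of filtering to review."""
    watched = dict(SECURITY_RULE_DEFAULTS, firewallEnable="enable",
                   firewallSecuritySpoofEnable="enable")
    return sorted(n for n, d in watched.items()
                  if d == "enable" and config.get(n) == "disable")

# Constructed sample: firewall on, SYN-cookie rule turned off, spoof table off.
SAMPLE_CONFIG = {"firewallEnable": "enable",
                 "firewallSecurityTcpSynCookiesRule": "disable",
                 "firewallSecuritySpoofEnable": "disable"}
SAMPLE_SPOOF_ROWS = {1: "enable", 2: "disable"}
```

Feeding a real snapshot only requires translating MxEnableState values to the "enable"/"disable" strings the functions expect; objects absent from the snapshot are treated as holding their DEFVAL.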