-- **************************************************************************** -- **************************************************************************** -- Copyright(c) 2004 Mediatrix Telecom, Inc. -- NOTICE: -- This document contains information that is confidential and proprietary -- to Mediatrix Telecom, Inc. -- Mediatrix Telecom, Inc. reserves all rights to this document as well as -- to the Intellectual Property of the document and the technology and -- know-how that it includes and represents. -- This publication cannot be reproduced, neither in whole nor in part in -- any form whatsoever without written prior approval by -- Mediatrix Telecom, Inc. -- Mediatrix Telecom, Inc. reserves the right to revise this publication -- and make changes at any time and without the obligation to notify any -- person and/or entity of such revisions and/or changes. -- **************************************************************************** -- **************************************************************************** MX-LFW-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Integer32 FROM SNMPv2-SMI MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF MxEnableState, MxActivationState, MxIpHostName, MxIpAddress, MxIpPort, MxAdvancedIpPort, MxIpSubnetMask, MxDigitMap FROM MX-TC MxUInt64, MxFloat32, MxIpHostNamePort, MxIpAddr, MxIpAddrPort, MxIpAddrMask, MxUri, MxUrl FROM MX-TC2 mediatrixServices FROM MX-SMI2; lfwMIB MODULE-IDENTITY LAST-UPDATED "1910210000Z" ORGANIZATION " Mediatrix Telecom, Inc. " CONTACT-INFO " Mediatrix Telecom, Inc. 4229, Garlock Street Sherbrooke (Quebec) Canada Phone: (819) 829-8749 " DESCRIPTION " Local Firewall The Local Firewall (LFW) service allows the administrator to filter the network with the unit as final destination. " ::= { mediatrixServices 2200 } lfwMIBObjects OBJECT IDENTIFIER ::= { lfwMIB 1 } -- Scalar:Configuration Modified Status configModifiedStatus OBJECT-TYPE SYNTAX INTEGER { yes(100) , no(200) } MAX-ACCESS read-only STATUS current DESCRIPTION " Configuration Modified Status Shows whether or not the Local Firewall configuration has been modified without being applied. 1. Yes: The configuration has been modified but it has not been applied. 2. No: The Local Firewall service uses the configured rules. Use the Lfw.ApplyConfig command to apply the configuration. " ::= { lfwMIBObjects 100 } -- ***************************************************************************** -- Table:Local Rules Status -- ***************************************************************************** localRulesStatusTable OBJECT-TYPE SYNTAX SEQUENCE OF LocalRulesStatusEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Local Rules Status This table shows the local rules applied in the firewall. " ::= { lfwMIBObjects 200 } localRulesStatusEntry OBJECT-TYPE SYNTAX LocalRulesStatusEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " A row in table Local Rules Status. " INDEX { localRulesStatusPriority } ::= { localRulesStatusTable 1 } LocalRulesStatusEntry ::= SEQUENCE { localRulesStatusPriority Unsigned32, localRulesStatusSourceAddress OCTET STRING, localRulesStatusSourcePort OCTET STRING, localRulesStatusDestinationAddress OCTET STRING, localRulesStatusDestinationPort OCTET STRING, localRulesStatusProtocol INTEGER, localRulesStatusBlacklistEnable MxEnableState, localRulesStatusRateLimitValue Unsigned32, localRulesStatusRateLimitTimePeriod Unsigned32, localRulesStatusAction INTEGER } -- Index:Rule priority localRulesStatusPriority OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION " Rule priority Unique identifier of the row in the table. " ::= { localRulesStatusEntry 100 } -- Columnar:Source Address localRulesStatusSourceAddress OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Source Address Source address[/mask] criteria an incoming packet must have to match this rule. An empty string matches any address. " ::= { localRulesStatusEntry 200 } -- Columnar:Source Port localRulesStatusSourcePort OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Source Port Source port[-port] criteria an incoming packet must have to match this rule. MinPort-MaxPort specifies a port range. An empty string means that no filtering is applied on the source port thus matching any port. This parameter is only effective when the LocalRulesStatus.Protocol parameter is set to Tcp or Udp. " ::= { localRulesStatusEntry 300 } -- Columnar:Destination Address localRulesStatusDestinationAddress OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Destination Address Destination address[/mask] criteria an incoming packet must have to match this rule. An empty string matches any address. " ::= { localRulesStatusEntry 400 } -- Columnar:Destination Port localRulesStatusDestinationPort OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Destination Port Destination port[-port] criteria an incoming packet must have to match this rule. MinPort-MaxPort specifies a port range. An empty string means that no filtering is applied on the destination port thus matching any port. This parameter is only effective when the LocalRulesStatus.Protocol parameter is set to Tcp or Udp. " ::= { localRulesStatusEntry 500 } -- Columnar:Protocol localRulesStatusProtocol OBJECT-TYPE SYNTAX INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) } MAX-ACCESS read-only STATUS current DESCRIPTION " Protocol Protocol criteria an incoming packet must have to match this rule. The protocol can be one of the following: * All: Match packets using any protocols. * Tcp: Only match TCP packets. * Udp: Only match UDP packets. * Icmp: Only match ICMP packets. " DEFVAL { all } ::= { localRulesStatusEntry 600 } -- Columnar:Blacklist Enable localRulesStatusBlacklistEnable OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-only STATUS current DESCRIPTION " Blacklist Enable Indicates if blacklisting is enabled for this rule. * Enable: When a packet establishing a connection matches this rule, the action is executed and the source IP address is added to the blacklist. * Disable: When a packet establishing a connection matches this rule, the action is executed but the source IP address is not added to the blacklist. Note: If rate limiting is enabled for this rule, blacklisted IP addresses are added to the rate limit blacklist. " ::= { localRulesStatusEntry 620 } -- Columnar:Rate Limit Value localRulesStatusRateLimitValue OBJECT-TYPE SYNTAX Unsigned32 ( 1..5000 ) MAX-ACCESS read-only STATUS current DESCRIPTION " Rate Limit Value Number of new connections allowed to match this rule from a single source IP address within a certain time period. " ::= { localRulesStatusEntry 650 } -- Columnar:Rate Limit Time Period localRulesStatusRateLimitTimePeriod OBJECT-TYPE SYNTAX Unsigned32 ( 1..86400 ) MAX-ACCESS read-only STATUS current DESCRIPTION " Rate Limit Time Period The time period on which to base the rate limit. This period is expressed in seconds. Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60 means a limit of 10 new connections per minute. " ::= { localRulesStatusEntry 680 } -- Columnar:Action localRulesStatusAction OBJECT-TYPE SYNTAX INTEGER { accept(100) , reject(200) , drop(300) , rateLimitPerSource(400) } MAX-ACCESS read-only STATUS current DESCRIPTION " Action Action taken when this rule matches a packet. Action can be one of the following: * Accept: Let the packet through. * Reject: Send back an ICMP port unreachable in response to the matched packet, the packet is then dropped. * Drop: The packet is dropped without any notification. * RateLimitPerSource: Drop the packets received from a given source IP address when it exceeds a configurable rate. The rate is set using the RateLimitValue and RateLimitTimePeriod parameters. Note: This action is only allowed when the ConnectionState parameter is set to 'New'. " ::= { localRulesStatusEntry 700 } -- End of table:Local Rules Status -- Scalar:Local Firewall Default Policy defaultPolicy OBJECT-TYPE SYNTAX INTEGER { accept(100) , drop(300) } MAX-ACCESS read-write STATUS current DESCRIPTION " Local Firewall Default Policy Action taken when a packet does not match any rule. Default policy can be one of the following: * Accept: Let the packet through. * Drop: The packet is dropped without any notification. Make sure that there are some rules with Action set to 'Accept' in the local firewall BEFORE applying changes that will set the default policy to 'Drop'. Failing to comply with this warning results in losing contact with the unit and a partial or factory reset is required. To have no filtering applied to incoming packets, set the default policy to 'Accept' and remove all rules from the local firewall. " DEFVAL { accept } ::= { lfwMIBObjects 550 } -- ***************************************************************************** -- Table:Local Rules -- ***************************************************************************** localRulesTable OBJECT-TYPE SYNTAX SEQUENCE OF LocalRulesEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Local Rules This table shows the configured local rules for the firewall. " ::= { lfwMIBObjects 600 } localRulesEntry OBJECT-TYPE SYNTAX LocalRulesEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " A row in table Local Rules. " INDEX { localRulesPriority } ::= { localRulesTable 1 } LocalRulesEntry ::= SEQUENCE { localRulesPriority Unsigned32, localRulesActivation MxEnableState, localRulesSourceAddress OCTET STRING, localRulesSourcePort OCTET STRING, localRulesDestinationAddress OCTET STRING, localRulesDestinationPort OCTET STRING, localRulesProtocol INTEGER, localRulesBlacklistEnable MxEnableState, localRulesRateLimitValue Unsigned32, localRulesRateLimitTimePeriod Unsigned32, localRulesAction INTEGER, localRulesUp INTEGER, localRulesDown INTEGER, localRulesInsert INTEGER, localRulesDelete INTEGER } -- Index:Rule Priority localRulesPriority OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION " Rule Priority Unique identifier of the row in the table. " ::= { localRulesEntry 100 } -- Row command:Down localRulesDown OBJECT-TYPE SYNTAX INTEGER { noOp(0), down(10) } MAX-ACCESS read-write STATUS current DESCRIPTION " Down Moves the current row downwards. " DEFVAL { noOp } ::= { localRulesEntry 1000 } -- Row command:Insert localRulesInsert OBJECT-TYPE SYNTAX INTEGER { noOp(0), insert(10) } MAX-ACCESS read-write STATUS current DESCRIPTION " Insert Inserts a new row before this row. " DEFVAL { noOp } ::= { localRulesEntry 1100 } -- Row command:Delete localRulesDelete OBJECT-TYPE SYNTAX INTEGER { noOp(0), delete(10) } MAX-ACCESS read-write STATUS current DESCRIPTION " Delete Deletes this row. " DEFVAL { noOp } ::= { localRulesEntry 1200 } -- Columnar:Activation localRulesActivation OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " Activation Current activation state for this rule. * Enable: This rule is active in the firewall. * Disable: This rule is not in the firewall. " DEFVAL { disable } ::= { localRulesEntry 200 } -- Columnar:Source Address localRulesSourceAddress OBJECT-TYPE SYNTAX OCTET STRING ( SIZE(0..51) ) MAX-ACCESS read-write STATUS current DESCRIPTION " Source Address Source address of the incoming packet using the following format: address[/mask] or network interface name/. The address can either be a network IP address (using /mask) or one of the host IP addresses. When specifying a network interface name, it is mandatory to use the suffix '/'. Doing so indicates that the network address of this interface is used instead of the host address. Also, it must match one of the values in the networkInterfacesStatusTable.InterfaceName parameter from the Basic Network Interface (BNI) service. Note that if the specified network interface is disabled or removed, the rule is automatically disabled thus removed from the firewall. When the network interface is enabled or added back, the rule is automatically enabled and applied in the firewall. Mask must be a plain number specifying the number of binary 1s at the left side of the network mask. E.g.: a mask of 24 specifies a network mask of 255.255.255.0. Leaving the default empty string matches any address. " DEFVAL { "" } ::= { localRulesEntry 300 } -- Columnar:Source Port localRulesSourcePort OBJECT-TYPE SYNTAX OCTET STRING ( SIZE(0..11) ) MAX-ACCESS read-write STATUS current DESCRIPTION " Source Port Source port of the incoming packet using the following format: port[-port]. MinPort-MaxPort specifies a port range. The default empty string means that no filtering is applied on the source port thus matching any port. This parameter is only effective when the LocalRules.Protocol parameter is set to Tcp or Udp. " DEFVAL { "" } ::= { localRulesEntry 400 } -- Columnar:Destination Address localRulesDestinationAddress OBJECT-TYPE SYNTAX OCTET STRING ( SIZE(0..51) ) MAX-ACCESS read-write STATUS current DESCRIPTION " Destination Address Destination address of the incoming packet using the following format: address or network interface name. The address must be one of the host IP addresses. Specifying a network address here is invalid since this is a local firewall. When specifying a network interface name, the host address of this interface is used. Also, it must match one of the values in the networkInterfacesStatusTable.InterfaceName parameter from the Basic Network Interface (BNI) service. Note that if the specified network interface is disabled or removed, the rule is automatically disabled thus removed from the firewall. When the network interface is enabled or added back, the rule is automatically enabled and applied in the firewall. Leaving the default empty string matches any address. " DEFVAL { "" } ::= { localRulesEntry 500 } -- Columnar:Destination Port localRulesDestinationPort OBJECT-TYPE SYNTAX OCTET STRING ( SIZE(0..11) ) MAX-ACCESS read-write STATUS current DESCRIPTION " Destination Port Destination port of the incoming packet using the following format: port[-port]. MinPort-MaxPort specifies a port range. The default empty string means that no filtering is applied on the destination port thus matching any port. This parameter is only effective when the LocalRules.Protocol parameter is set to Tcp or Udp. " DEFVAL { "" } ::= { localRulesEntry 600 } -- Columnar:Protocol localRulesProtocol OBJECT-TYPE SYNTAX INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) } MAX-ACCESS read-write STATUS current DESCRIPTION " Protocol Protocol of the incoming packet. The protocol can be one of the following: * All: Match packets using any protocols. * Tcp: Only match TCP packets. * Udp: Only match UDP packets. * Icmp: Only match ICMP packets. " DEFVAL { all } ::= { localRulesEntry 700 } -- Columnar:Blacklist Enable localRulesBlacklistEnable OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " Blacklist Enable Indicates if blacklisting is enabled for this rule. * Enable: When a packet establishing a connection matches this rule, the action is executed and the source IP address is added to the blacklist. * Disable: When a packet establishing a connection matches this rule, the action is executed but the source IP address is not added to the blacklist. Note: If rate limiting is enabled for this rule, blacklisted IP addresses are added to the rate limit blacklist. " DEFVAL { disable } ::= { localRulesEntry 720 } -- Columnar:Rate Limit Value localRulesRateLimitValue OBJECT-TYPE SYNTAX Unsigned32 ( 1..5000 ) MAX-ACCESS read-write STATUS current DESCRIPTION " Rate Limit Value Number of new connections allowed to match this rule from a single source IP address within a certain time period. " DEFVAL { 10 } ::= { localRulesEntry 750 } -- Columnar:Rate Limit Time Period localRulesRateLimitTimePeriod OBJECT-TYPE SYNTAX Unsigned32 ( 1..86400 ) MAX-ACCESS read-write STATUS current DESCRIPTION " Rate Limit Time Period The time period on which to base the rate limit. This period is expressed in seconds. Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60 means a limit of 10 new connections per minute. " DEFVAL { 60 } ::= { localRulesEntry 780 } -- Columnar:Action localRulesAction OBJECT-TYPE SYNTAX INTEGER { accept(100) , reject(200) , drop(300) , rateLimitPerSource(400) } MAX-ACCESS read-write STATUS current DESCRIPTION " Action Action taken when this rule matches a packet. Action can be one of the following: * Accept: Let the packet through. * Reject: Send back an ICMP port unreachable in response to the matched packet, the packet is then dropped. * Drop: The packet is dropped without any notification. * RateLimitPerSource: Drop the packets received from a given source IP address when it exceeds a configurable rate. The rate is set using the RateLimitValue and RateLimitTimePeriod parameters. Note: This action is only allowed when the ConnectionState parameter is set to 'New'. " DEFVAL { accept } ::= { localRulesEntry 800 } -- Row command:Up localRulesUp OBJECT-TYPE SYNTAX INTEGER { noOp(0), up(10) } MAX-ACCESS read-write STATUS current DESCRIPTION " Up Moves the current row upwards. " DEFVAL { noOp } ::= { localRulesEntry 900 } -- End of table:Local Rules -- **************************************************************************** -- Group:Blacklist -- **************************************************************************** blacklistGroup OBJECT IDENTIFIER ::= { lfwMIBObjects 700 } -- Scalar:Blacklist Timeout blacklistTimeout OBJECT-TYPE SYNTAX Unsigned32 ( 1..86400 ) MAX-ACCESS read-write STATUS current DESCRIPTION " Blacklist Timeout The time an address stays in the blacklist. If Lfw receives a packet from a blacklisted source, the packet is dropped and the remaining blacklist time is reset to this value. The time units are seconds. " DEFVAL { 60 } ::= { blacklistGroup 100 } -- Scalar:Blacklist Rate Limit Timeout blacklistRateLimitTimeout OBJECT-TYPE SYNTAX Unsigned32 ( 1..86400 ) MAX-ACCESS read-write STATUS current DESCRIPTION " Blacklist Rate Limit Timeout The time an address stays in the 'rate limit' blacklist. If Lfw receives a packet from a 'rate limit' blacklisted source, the packet is dropped but the remaining blacklist time is not reset. The time units are seconds. " DEFVAL { 60 } ::= { blacklistGroup 200 } -- End of group:Blacklist -- **************************************************************************** -- Group:Notification Messages Configuration -- **************************************************************************** notificationsGroup OBJECT IDENTIFIER ::= { lfwMIBObjects 60010 } -- Scalar:Minimal Severity of Notification minSeverity OBJECT-TYPE SYNTAX INTEGER { disable(0) , debug(100) , info(200) , warning(300) , error(400) , critical (500) } MAX-ACCESS read-write STATUS current DESCRIPTION " Minimal Severity of Notification Sets the minimal severity to issue a notification message incoming from this service. * Disable: No notification is issued. * Debug: All notification messages are issued. * Info: Notification messages with a 'Informational' and higher severity are issued. * Warning: Notification messages with a 'Warning' and higher severity are issued. * Error: Notification messages with an 'Error' and higher severity are issued. * Critical: Notification messages with a 'Critical' severity are issued. " DEFVAL { warning } ::= { notificationsGroup 100 } -- End of group:Notification Messages Configuration -- **************************************************************************** -- Group:Configuration Settings -- **************************************************************************** configurationGroup OBJECT IDENTIFIER ::= { lfwMIBObjects 60020 } -- Scalar:Need Restart needRestartInfo OBJECT-TYPE SYNTAX INTEGER { no(0) , yes(100) } MAX-ACCESS read-only STATUS current DESCRIPTION " Need Restart Indicates if the service needs to be restarted for the configuration to fully take effect. * Yes: Service needs to be restarted. * No: Service does not need to be restarted. Services can be restarted by using the Scm.ServiceCommands.Restart command. " ::= { configurationGroup 100 } -- End of group:Configuration Settings END