-- **************************************************************************** -- **************************************************************************** -- Copyright(c) 2004 Mediatrix Telecom, Inc. -- NOTICE: -- This document contains information that is confidential and proprietary -- to Mediatrix Telecom, Inc. -- Mediatrix Telecom, Inc. reserves all rights to this document as well as -- to the Intellectual Property of the document and the technology and -- know-how that it includes and represents. -- This publication cannot be reproduced, neither in whole nor in part in -- any form whatsoever without written prior approval by -- Mediatrix Telecom, Inc. -- Mediatrix Telecom, Inc. reserves the right to revise this publication -- and make changes at any time and without the obligation to notify any -- person and/or entity of such revisions and/or changes. -- **************************************************************************** -- **************************************************************************** MX-NFW-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Integer32 FROM SNMPv2-SMI MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF MxEnableState, MxActivationState, MxIpHostName, MxIpAddress, MxIpPort, MxAdvancedIpPort, MxIpSubnetMask, MxDigitMap FROM MX-TC MxUInt64, MxFloat32, MxIpHostNamePort, MxIpAddr, MxIpAddrPort, MxIpAddrMask, MxUri, MxUrl FROM MX-TC2 mediatrixServices FROM MX-SMI2; nfwMIB MODULE-IDENTITY LAST-UPDATED "1910210000Z" ORGANIZATION " Mediatrix Telecom, Inc. " CONTACT-INFO " Mediatrix Telecom, Inc. 4229, Garlock Street Sherbrooke (Quebec) Canada Phone: (819) 829-8749 " DESCRIPTION " Network Firewall The Network Firewall (NFW) service allows the administrator to filter traffic that is routed between networks. " ::= { mediatrixServices 2250 } nfwMIBObjects OBJECT IDENTIFIER ::= { nfwMIB 1 } -- Scalar:Configuration Modified Status configModifiedStatus OBJECT-TYPE SYNTAX INTEGER { yes(100) , no(200) } MAX-ACCESS read-only STATUS current DESCRIPTION " Configuration Modified Status Shows whether or not the Network Firewall configuration has been modified without being applied. 1. Yes: The configuration has been modified but it has not been applied. 2. No: The Network Firewall service uses the configured rules. Use the Nfw.ApplyConfig command to apply the configuration. " ::= { nfwMIBObjects 100 } -- ***************************************************************************** -- Table:Network Rules Status -- ***************************************************************************** networkRulesStatusTable OBJECT-TYPE SYNTAX SEQUENCE OF NetworkRulesStatusEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Network Rules Status This table shows the network rules applied in the firewall. " ::= { nfwMIBObjects 200 } networkRulesStatusEntry OBJECT-TYPE SYNTAX NetworkRulesStatusEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " A row in table Network Rules Status. " INDEX { networkRulesStatusPriority } ::= { networkRulesStatusTable 1 } NetworkRulesStatusEntry ::= SEQUENCE { networkRulesStatusPriority Unsigned32, networkRulesStatusSourceAddress OCTET STRING, networkRulesStatusSourcePort OCTET STRING, networkRulesStatusDestinationAddress OCTET STRING, networkRulesStatusDestinationPort OCTET STRING, networkRulesStatusProtocol INTEGER, networkRulesStatusConnectionState INTEGER, networkRulesStatusBlacklistEnable MxEnableState, networkRulesStatusRateLimitValue Unsigned32, networkRulesStatusRateLimitTimePeriod Unsigned32, networkRulesStatusAction INTEGER } -- Index:Rule Priority networkRulesStatusPriority OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION " Rule Priority Unique identifier of the row in the table. " ::= { networkRulesStatusEntry 100 } -- Columnar:Source Address networkRulesStatusSourceAddress OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Source Address Source address[/mask] criteria an incoming packet must have to match this rule. An empty string matches any address. " ::= { networkRulesStatusEntry 200 } -- Columnar:Source Port networkRulesStatusSourcePort OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Source Port Source port[-port] criteria an incoming packet must have to match this rule. MinPort-MaxPort specifies a port range. An empty string means that no filtering is applied on the source port thus matching any port. This parameter is only effective when the NetworkRulesStatus.Protocol parameter is set to Tcp or Udp. " ::= { networkRulesStatusEntry 300 } -- Columnar:Destination Address networkRulesStatusDestinationAddress OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Destination Address Destination address[/mask] criteria an incoming packet must have to match this rule. An empty string matches any address. " ::= { networkRulesStatusEntry 400 } -- Columnar:Destination Port networkRulesStatusDestinationPort OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION " Destination Port Destination port[-port] criteria an incoming packet must have to match this rule. MinPort-MaxPort specifies a port range. An empty string means that no filtering is applied on the destination port thus matching any port. This parameter is only effective when the NetworkRulesStatus.Protocol parameter is set to Tcp or Udp. " ::= { networkRulesStatusEntry 500 } -- Columnar:Protocol networkRulesStatusProtocol OBJECT-TYPE SYNTAX INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) } MAX-ACCESS read-only STATUS current DESCRIPTION " Protocol Protocol criteria an incoming packet must have to match this rule. The protocol can be one of the following: * All: Match packets using any protocols. * Tcp: Only match TCP packets. * Udp: Only match UDP packets. * Icmp: Only match ICMP packets. " ::= { networkRulesStatusEntry 600 } -- Columnar:Connection State networkRulesStatusConnectionState OBJECT-TYPE SYNTAX INTEGER { all(100) , new(200) , establishedOrRelated(300) } MAX-ACCESS read-only STATUS current DESCRIPTION " Connection State Connection state associated with the incoming packet. The connection state can be one of the following: * All: Match packets in any state. * New: Match packets that are not part of an existing connection. * EstablishedOrRelated: Match packets that are part of an existing connection. " DEFVAL { all } ::= { networkRulesStatusEntry 650 } -- Columnar:Blacklist Enable networkRulesStatusBlacklistEnable OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-only STATUS current DESCRIPTION " Blacklist Enable Indicates if blacklisting is enabled for this rule. * Enable: When a packet establishing a connection matches this rule, the action is executed and the source IP address is added to the blacklist. * Disable: When a packet establishing a connection matches this rule, the action is executed but the source IP address is not added to the blacklist. Note: If rate limiting is enabled for this rule, blacklisted IP addresses are added to the rate limit blacklist. " ::= { networkRulesStatusEntry 660 } -- Columnar:Rate Limit Value networkRulesStatusRateLimitValue OBJECT-TYPE SYNTAX Unsigned32 ( 1..5000 ) MAX-ACCESS read-only STATUS current DESCRIPTION " Rate Limit Value Number of packets allowed to match this rule from a single source IP address within a certain time period. " ::= { networkRulesStatusEntry 670 } -- Columnar:Rate Limit Time Period networkRulesStatusRateLimitTimePeriod OBJECT-TYPE SYNTAX Unsigned32 ( 1..86400 ) MAX-ACCESS read-only STATUS current DESCRIPTION " Rate Limit Time Period The time period on which to base the rate limit. This period is expressed in seconds. Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60 means a limit of 10 new connections per minute. " ::= { networkRulesStatusEntry 680 } -- Columnar:Action networkRulesStatusAction OBJECT-TYPE SYNTAX INTEGER { accept(100) , reject(200) , drop(300) , rateLimitPerSource(400) } MAX-ACCESS read-only STATUS current DESCRIPTION " Action Action taken when this rule matches a packet. Action can be one of the following: * Accept: Let the packet through. * Reject: Send back an ICMP port unreachable in response to the matched packet, the packet is then dropped. * Drop: The packet is dropped without any notification. " ::= { networkRulesStatusEntry 700 } -- End of table:Network Rules Status -- Scalar:Network Firewall Default Policy defaultPolicy OBJECT-TYPE SYNTAX INTEGER { accept(100) , drop(300) } MAX-ACCESS read-write STATUS current DESCRIPTION " Network Firewall Default Policy Action taken when a packet does not match any rule. Default policy can be one of the following: * Accept: Let the packet through. * Drop: The packet is dropped without any notification. To have no filtering applied to forwarded packets, set the default policy to 'Accept' and remove all rules from the network firewall. " DEFVAL { drop } ::= { nfwMIBObjects 550 } -- ***************************************************************************** -- Table:Network Rules -- ***************************************************************************** networkRulesTable OBJECT-TYPE SYNTAX SEQUENCE OF NetworkRulesEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " Network Rules This table shows the configured network rules for the firewall. " ::= { nfwMIBObjects 600 } networkRulesEntry OBJECT-TYPE SYNTAX NetworkRulesEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION " A row in table Network Rules. " INDEX { networkRulesPriority } ::= { networkRulesTable 1 } NetworkRulesEntry ::= SEQUENCE { networkRulesPriority Unsigned32, networkRulesActivation MxEnableState, networkRulesSourceAddress OCTET STRING, networkRulesSourcePort OCTET STRING, networkRulesDestinationAddress OCTET STRING, networkRulesDestinationPort OCTET STRING, networkRulesProtocol INTEGER, networkRulesBlacklistEnable MxEnableState, networkRulesRateLimitValue Unsigned32, networkRulesRateLimitTimePeriod Unsigned32, networkRulesConnectionState INTEGER, networkRulesAction INTEGER, networkRulesUp INTEGER, networkRulesDown INTEGER, networkRulesInsert INTEGER, networkRulesDelete INTEGER } -- Index:Rule Priority networkRulesPriority OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS read-only STATUS current DESCRIPTION " Rule Priority Unique identifier of the row in the table. " ::= { networkRulesEntry 100 } -- Row command:Down networkRulesDown OBJECT-TYPE SYNTAX INTEGER { noOp(0), down(10) } MAX-ACCESS read-write STATUS current DESCRIPTION " Down Moves the current row downwards. " DEFVAL { noOp } ::= { networkRulesEntry 1000 } -- Row command:Insert networkRulesInsert OBJECT-TYPE SYNTAX INTEGER { noOp(0), insert(10) } MAX-ACCESS read-write STATUS current DESCRIPTION " Insert Inserts a new row before this row. " DEFVAL { noOp } ::= { networkRulesEntry 1100 } -- Row command:Delete networkRulesDelete OBJECT-TYPE SYNTAX INTEGER { noOp(0), delete(10) } MAX-ACCESS read-write STATUS current DESCRIPTION " Delete Deletes this row. " DEFVAL { noOp } ::= { networkRulesEntry 1200 } -- Columnar:Activation networkRulesActivation OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " Activation Activates this rule. * Enable: This rule is active in the firewall. * Disable: This rule is not in the firewall. " DEFVAL { disable } ::= { networkRulesEntry 200 } -- Columnar:Source Address networkRulesSourceAddress OBJECT-TYPE SYNTAX OCTET STRING ( SIZE(0..51) ) MAX-ACCESS read-write STATUS current DESCRIPTION " Source Address Source address of the incoming packet using the following format: address[/mask] or network interface name/. Address can be either a network IP address (using /mask) or one of the host IP addresses. When specifying a network interface name, it is mandatory to use the suffix '/'. Doing so indicates that the network address of this interface is used instead of the host address. Also, it must match one of the values in the networkInterfacesStatusTable.InterfaceName parameter from the Basic Network Interface (BNI) service. Note that if the specified network interface is disabled or removed, the rule is automatically disabled thus removed from the firewall. When the network interface is enabled or added back, the rule is automatically enabled and applied in the firewall. Mask must be a plain number specifying the number of binary 1s at the left side of the network mask. E.g.: a mask of 24 specifies a network mask of 255.255.255.0. Leaving the default empty string matches any address. " DEFVAL { "" } ::= { networkRulesEntry 300 } -- Columnar:Source Port networkRulesSourcePort OBJECT-TYPE SYNTAX OCTET STRING ( SIZE(0..11) ) MAX-ACCESS read-write STATUS current DESCRIPTION " Source Port Source port of the incoming packet using the following format: port[-port]. MinPort-MaxPort specifies a port range. The default empty string means that no filtering is applied on the source port thus matching any port. This parameter is only effective when the NetworkRules.Protocol parameter is set to Tcp or Udp. " DEFVAL { "" } ::= { networkRulesEntry 400 } -- Columnar:Destination Address networkRulesDestinationAddress OBJECT-TYPE SYNTAX OCTET STRING ( SIZE(0..51) ) MAX-ACCESS read-write STATUS current DESCRIPTION " Destination Address Destination address of the incoming packet using the following format: address[/mask] or network interface name/. The address can either be a network IP address (using /mask) or one of the host IP addresses. When specifying a network interface name, it is mandatory to use the suffix '/'. Doing so indicates that the network address of this interface is used instead of the host address. Also, it must match one of the values in the networkInterfacesStatusTable.InterfaceName parameter from the Basic Network Interface (BNI) service. Note that if the specified network interface is disabled or removed, the rule is automatically disabled thus removed from the firewall. When the network interface is enabled or added back, the rule is automatically enabled and applied in the firewall. Mask must be a plain number specifying the number of binary 1s at the left side of the network mask. E.g.: a mask of 24 specifies a network mask of 255.255.255.0. Leaving the default empty string matches any address. " DEFVAL { "" } ::= { networkRulesEntry 500 } -- Columnar:Destination Port networkRulesDestinationPort OBJECT-TYPE SYNTAX OCTET STRING ( SIZE(0..11) ) MAX-ACCESS read-write STATUS current DESCRIPTION " Destination Port Destination port of the incoming packet using the following format: port[-port]. MinPort-MaxPort specifies a port range. The default empty string means that no filtering is applied on the destination port thus matching any port. This parameter is only effective when the NetworkRules.Protocol parameter is set to Tcp or Udp. " DEFVAL { "" } ::= { networkRulesEntry 600 } -- Columnar:Protocol networkRulesProtocol OBJECT-TYPE SYNTAX INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) } MAX-ACCESS read-write STATUS current DESCRIPTION " Protocol Protocol of the incoming packet. The protocol can be one of the following: * All: Match packets using any protocols. * Tcp: Only match TCP packets. * Udp: Only match UDP packets. * Icmp: Only match ICMP packets. " DEFVAL { all } ::= { networkRulesEntry 700 } -- Columnar:Blacklist Enable networkRulesBlacklistEnable OBJECT-TYPE SYNTAX MxEnableState MAX-ACCESS read-write STATUS current DESCRIPTION " Blacklist Enable Indicates if blacklisting is enabled for this rule. * Enable: When a packet establishing a connection matches this rule, the action is executed and the source IP address is added to the blacklist. * Disable: When a packet establishing a connection matches this rule, the action is executed but the source IP address is not added to the blacklist. Note: If rate limiting is enabled for this rule, blacklisted IP addresses are added to the rate limit blacklist. " DEFVAL { disable } ::= { networkRulesEntry 720 } -- Columnar:Rate Limit Value networkRulesRateLimitValue OBJECT-TYPE SYNTAX Unsigned32 ( 1..5000 ) MAX-ACCESS read-write STATUS current DESCRIPTION " Rate Limit Value Number of packets allowed to match this rule from a single source IP address within a certain time period. " DEFVAL { 10 } ::= { networkRulesEntry 730 } -- Columnar:Rate Limit Time Period networkRulesRateLimitTimePeriod OBJECT-TYPE SYNTAX Unsigned32 ( 1..86400 ) MAX-ACCESS read-write STATUS current DESCRIPTION " Rate Limit Time Period The time period on which to base the rate limit. This period is expressed in seconds. Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60 means a limit of 10 packets per minute. " DEFVAL { 60 } ::= { networkRulesEntry 740 } -- Columnar:Connection State networkRulesConnectionState OBJECT-TYPE SYNTAX INTEGER { all(100) , new(200) , establishedOrRelated(300) } MAX-ACCESS read-write STATUS current DESCRIPTION " Connection State Connection state associated with the incoming packet. The connection state can be one of the following: * All: Match packets in any state. * New: Match packets that are not part of an existing connection. * EstablishedOrRelated: Match packets that are part of an existing connection. " DEFVAL { all } ::= { networkRulesEntry 750 } -- Columnar:Action networkRulesAction OBJECT-TYPE SYNTAX INTEGER { accept(100) , reject(200) , drop(300) , rateLimitPerSource(400) } MAX-ACCESS read-write STATUS current DESCRIPTION " Action Action taken when this rule matches a packet. Action can be one of the following: * Accept: Let the packet through. * Reject: Send back an ICMP port unreachable in response to the matched packet, the packet is then dropped. * Drop: The packet is dropped without any notification. * RateLimitPerSource: Drop the packets received from a given source IP address when it exceeds a configurable rate. The rate is set using the RateLimitValue and RateLimitTimePeriod parameters. Note: This action is only allowed when the ConnectionState parameter is set to 'New'. " DEFVAL { accept } ::= { networkRulesEntry 800 } -- Row command:Up networkRulesUp OBJECT-TYPE SYNTAX INTEGER { noOp(0), up(10) } MAX-ACCESS read-write STATUS current DESCRIPTION " Up Moves the current row upwards. " DEFVAL { noOp } ::= { networkRulesEntry 900 } -- End of table:Network Rules -- **************************************************************************** -- Group:Blacklist -- **************************************************************************** blacklistGroup OBJECT IDENTIFIER ::= { nfwMIBObjects 700 } -- Scalar:Blacklist Timeout blacklistTimeout OBJECT-TYPE SYNTAX Unsigned32 ( 1..86400 ) MAX-ACCESS read-write STATUS current DESCRIPTION " Blacklist Timeout The time an address stays in the blacklist. If Nfw receives a packet from a blacklisted source, the packet is dropped and the remaining blacklist time is reset to this value. The time units are seconds. " DEFVAL { 60 } ::= { blacklistGroup 100 } -- Scalar:Blacklist Rate Limit Timeout blacklistRateLimitTimeout OBJECT-TYPE SYNTAX Unsigned32 ( 1..86400 ) MAX-ACCESS read-write STATUS current DESCRIPTION " Blacklist Rate Limit Timeout The time an address stays in the 'rate limit' blacklist. If Nfw receives a packet from a 'rate limit' blacklisted source, the packet is dropped and the remaining blacklist time stays the same. The time units are seconds. " DEFVAL { 60 } ::= { blacklistGroup 200 } -- End of group:Blacklist -- **************************************************************************** -- Group:Notification Messages Configuration -- **************************************************************************** notificationsGroup OBJECT IDENTIFIER ::= { nfwMIBObjects 60010 } -- Scalar:Minimal Severity of Notification minSeverity OBJECT-TYPE SYNTAX INTEGER { disable(0) , debug(100) , info(200) , warning(300) , error(400) , critical (500) } MAX-ACCESS read-write STATUS current DESCRIPTION " Minimal Severity of Notification Sets the minimal severity to issue a notification message incoming from this service. * Disable: No notification is issued. * Debug: All notification messages are issued. * Info: Notification messages with a 'Informational' and higher severity are issued. * Warning: Notification messages with a 'Warning' and higher severity are issued. * Error: Notification messages with an 'Error' and higher severity are issued. * Critical: Notification messages with a 'Critical' severity are issued. " DEFVAL { warning } ::= { notificationsGroup 100 } -- End of group:Notification Messages Configuration -- **************************************************************************** -- Group:Configuration Settings -- **************************************************************************** configurationGroup OBJECT IDENTIFIER ::= { nfwMIBObjects 60020 } -- Scalar:Need Restart needRestartInfo OBJECT-TYPE SYNTAX INTEGER { no(0) , yes(100) } MAX-ACCESS read-only STATUS current DESCRIPTION " Need Restart Indicates if the service needs to be restarted for the configuration to fully take effect. * Yes: Service needs to be restarted. * No: Service does not need to be restarted. Services can be restarted by using the Scm.ServiceCommands.Restart command. " ::= { configurationGroup 100 } -- End of group:Configuration Settings END