-- Copyright (C) 2012 by Zhone Technologies. All Rights Reserved.
-- ======================================================================
-- ==                                                                  ==
-- ==                         ZHNFIREWALL MIB                          ==
-- ==                                                                  ==
-- ==           Copyright (C) 2012 Zhone Technologies, Inc.            ==
-- ==    Confidential, Unpublished Property of Zhone Technologies.     ==
-- ==  Rights Reserved Under the Copyright Laws of the United States.  ==
-- ==                                                                  ==
-- ======================================================================

ZHNFIREWALL DEFINITIONS ::= BEGIN

-- NOTE(review): enterprises, Integer32, Gauge32, MacAddress, RowStatus and
-- TruthValue are imported but not referenced by any definition in this
-- module; an SMI checker would report them as unused. The row-status
-- column below uses ZhoneRowStatus (Zhone-TC), not the standard RowStatus.
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, enterprises,
    Integer32, Unsigned32, IpAddress, Gauge32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    TEXTUAL-CONVENTION, MacAddress, RowStatus, TruthValue
        FROM SNMPv2-TC
    ZhoneRowStatus
        FROM Zhone-TC
    zhoneWtn
        FROM Zhone
    -- Shared table indexes: every table in this module is keyed by the
    -- LAN device and Ethernet interface first (see the INDEX clauses).
    lanDeviceIndex, lanEthernetIndex
        FROM ZHNLANDEVICE;
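-- 1.3.6.1.4.1.5504.2.5.45
-- The module is registered as { zhoneWtn 45 } (see the ::= clause below)
-- and the object subtree is commented as .45.1; the old ".41" here was a
-- typo that disagreed with both.
zhnFirewall MODULE-IDENTITY
    LAST-UPDATED "201204181200Z" -- Apr 18, 2012
    ORGANIZATION
        "Zhone Technologies, Inc."
    CONTACT-INFO
        "Zhone Technologies, Inc.
         Florida Design Center
         8545 126th Avenue North
         Largo, FL 33773

         Toll-Free: +1 877-ZHONE20 (+1 877-946-6320)
         Tel: +1-510-777-7000
         Fax: +1-510-777-7001
         E-mail: support@zhone.com"

    DESCRIPTION
        "This file defines the private Enterprise MIB extensions
         that define LAN Management Access Service Filters and Port
         Forwarding objects supported by the Zhone CPEs."

    -- Revisions are listed newest first; LAST-UPDATED must match the
    -- most recent REVISION clause.
    REVISION "201204181200Z" -- Apr 18, 2012
    DESCRIPTION "Added https to FirewallMgmtAccessServiceValues"

    REVISION "201202031200Z" -- Feb 03, 2012
    DESCRIPTION "First Draft"

    ::= { zhoneWtn 45 }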
-- 1.3.6.1.4.1.5504.2.5.45.1
-- Root of every OBJECT-TYPE in this module: the management-access filter
-- table hangs at .1 and the port-forwarding table at .2.
zhnFirewallObjects OBJECT IDENTIFIER ::= { zhnFirewall 1 }
--
-- Textual Conventions
--
-- Enumerates the management services a filter row can act on. The value
-- doubles as the last INDEX component of firewallMgmtAccessTable, so each
-- enumeration is a distinct row per LAN interface. https (2) was added in
-- the 201204181200Z revision; firewallMgmtServiceIndex repeats this list
-- in its DESCRIPTION and must be kept in sync when values are added.
FirewallMgmtAccessServiceValues ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION "LAN Management Access Services that can be blocked from the
                 CPEs management network."
    SYNTAX      INTEGER {
                    http (1),
                    https (2),
                    ping (3),
                    snmp (4),
                    snmpTrap (5),
                    ssh (6),
                    telnet (7)
                }
-- Filter verdict for one management service (used by firewallMgmtAction).
-- NOTE(review): the DESCRIPTION does not say what undefined (3) means on
-- read (no rule configured?) or whether an agent accepts it on write -
-- confirm against the agent before relying on it.
FirewallMgmtAccessServiceActions ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION "LAN Management Access Service actions to perform for the
                 specified service."
    SYNTAX      INTEGER {
                    allow (1),
                    deny (2),
                    undefined (3)
                }
-- Kind of port-forwarding rule (used by firewallPortType). The only
-- forwarding target column in FirewallPortForwardingEntry is
-- firewallPortPrivateIPAddress, so dmz (3) exposes every port of that one
-- address. How the agent enforces "only rule allowed on that interface"
-- (reject other rows, or ignore them) is not stated here - confirm.
FirewallPortTypeValues ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION "LAN Port Forwarding actions supported."
    SYNTAX      INTEGER {
                    portRange (1), -- Range indicates that any traffic on those ports will be
                                   -- sent to the private IP address.
                    portRemap (2), -- Remap indicates that any traffic on those ports will be
                                   -- sent to the private IP address at the private port.
                    dmz (3)        -- When DMZ is chosen it is the only rule allowed on that
                                   -- interface. A DMZ rule is effectively the same as a Range
                                   -- rule with all ports included. Range rules are more secure
                                   -- than setting a DMZ rule, because Range rules allow specific
                                   -- ports or groups of ports to be opened up.
                }
-- Transport/network protocol a port-forwarding rule matches (used by
-- firewallPortProtocol).
-- NOTE(review): icmp (4) and icmpv4 (5) are both listed with no statement
-- of how they differ; confirm whether one of them was meant to be icmpv6
-- (the target column firewallPortPrivateIPAddress is IPv4-only anyway).
-- none (6) has no stated meaning - confirm what the agent does with it.
FirewallPortProtocolValues ::= TEXTUAL-CONVENTION
    STATUS      current
    DESCRIPTION "LAN Port Forwarding protocols that can be filtered, per port."
    SYNTAX      INTEGER {
                    tcp (1),
                    udp (2),
                    tcpOrUdp (3),
                    icmp (4),
                    icmpv4 (5),
                    none (6)
                }
--
-- LAN Device Objects
-- InternetGatewayDevice.LANDevice.{i}.LANHostConfigManagement.IPInterface.{i}.X_ZHONE_MgmtAccessCfg.{i}.
--
-- 1.3.6.1.4.1.5504.2.5.45.1.1
--
-- Per-LAN-interface allow/deny filters for the CPE's own management
-- services (the TR-069 path above is the equivalent data model object).
firewallMgmtAccessTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FirewallMgmtAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table of LAN Management Access Service Filters"
    ::= { zhnFirewallObjects 1 }
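-- One row per (LAN device, Ethernet interface, management service). The
-- last index component is the FirewallMgmtAccessServiceValues enumeration
-- and FirewallMgmtAccessEntry has no RowStatus column, so rows are
-- presumably instantiated by the agent for every listed service rather
-- than created by a manager - confirm against the agent.
firewallMgmtAccessEntry OBJECT-TYPE
    SYNTAX      FirewallMgmtAccessEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table of entries of LAN Management Access service filters. This
         table is used to configure management access on the device. It
         is useful in securing the device management network by blocking
         protocols or services that are highly susceptible to external
         attacks."
    -- The original third sentence read "useful in making the device
    -- management network by blocking ..." with the verb object missing.
    INDEX { lanDeviceIndex, lanEthernetIndex, firewallMgmtServiceIndex }
    ::= { firewallMgmtAccessTable 1 }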
-- Column layout of firewallMgmtAccessTable. firewallMgmtService carries no
-- SIZE constraint; it is read-only (see its OBJECT-TYPE), so its length is
-- under the agent's control.
FirewallMgmtAccessEntry ::=
    SEQUENCE {
        firewallMgmtServiceIndex    FirewallMgmtAccessServiceValues, -- index, not-accessible
        firewallMgmtService         OCTET STRING,                    -- read-only label
        firewallMgmtAction          FirewallMgmtAccessServiceActions -- read-write verdict
    }
-- Service component of the table index. The list in the DESCRIPTION
-- duplicates FirewallMgmtAccessServiceValues (capitalised for display);
-- update both when a service is added.
firewallMgmtServiceIndex OBJECT-TYPE
    SYNTAX      FirewallMgmtAccessServiceValues
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "LAN Management Access Services Table index. Enumerated values:
         Http (1),
         Https (2),
         Ping (3),
         Snmp (4),
         SnmpTrap (5),
         Ssh (6),
         Telnet (7)
        "
    ::= { firewallMgmtAccessEntry 1 }
-- Read-only text for the service selected by firewallMgmtServiceIndex;
-- presumably a human-readable label supplied by the agent - the
-- DESCRIPTION does not fix its content or maximum length (no SIZE).
firewallMgmtService OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "LAN Management Access Service description."
    ::= { firewallMgmtAccessEntry 2 }
-- The only writable object in this table: a SET here changes whether the
-- indexed management service is reachable from that LAN interface, so
-- SET access belongs in the agent's management view only. No DEFVAL is
-- given; the value seen before any SET is agent-defined (presumably the
-- current filter state - confirm). The enumeration text repeats
-- FirewallMgmtAccessServiceActions and must be kept in sync with it.
firewallMgmtAction OBJECT-TYPE
    SYNTAX      FirewallMgmtAccessServiceActions
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "LAN Management Access Service filtering action. Enumerated values:
         Allow (1),
         Deny (2),
         Undefined (3)
        "
    ::= { firewallMgmtAccessEntry 3 }
--
-- LAN Device Objects
-- InternetGatewayDevice.LANDevice.{i}.LANHostConfigManagement.IPInterface.{i}.X_ZHONE_PortForwardingCfg.{i}.
--
-- 1.3.6.1.4.1.5504.2.5.45.1.2
--
-- Inbound port-forwarding (and DMZ) rules per LAN interface.
-- NOTE(review): sysFirewallEnable, named in the DESCRIPTION as the global
-- gate for these rules, is neither defined nor imported in this module;
-- it presumably lives in another Zhone MIB - confirm.
firewallPortForwardingTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FirewallPortForwardingEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table of LAN Port Forwarding Rules. Note that the rules in this table
         have no effect until the global firewall object (sysFirewallEnable)
         is enabled."
    ::= { zhnFirewallObjects 2 }
-- One forwarding rule. Rows are created and deleted through
-- firewallPortForwardingRowStatus; the columns that must be supplied at
-- creation are listed in that object's DESCRIPTION.
firewallPortForwardingEntry OBJECT-TYPE
    SYNTAX      FirewallPortForwardingEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table is used to configure port forwarding firewall rules for
         the device."
    INDEX { lanDeviceIndex, lanEthernetIndex, firewallPortForwardingIndex }
    ::= { firewallPortForwardingTable 1 }
-- Column layout of firewallPortForwardingTable. All columns except the
-- index are read-write; none of them declares a DEFVAL in this module.
FirewallPortForwardingEntry ::=
    SEQUENCE {
        firewallPortForwardingIndex     Unsigned32,                 -- index, not-accessible
        firewallPortForwardingName      OCTET STRING,               -- free-form label, no SIZE
        firewallPortType                FirewallPortTypeValues,     -- portRange / portRemap / dmz
        firewallPortProtocol            FirewallPortProtocolValues,
        firewallPortPublicPortStart     Unsigned32,                 -- WAN-side port range
        firewallPortPublicPortEnd       Unsigned32,
        firewallPortPrivatePort         Unsigned32,                 -- LAN-side port (portRemap)
        firewallPortPrivateIPAddress    IpAddress,                  -- IPv4 forwarding target
        firewallPortForwardingRowStatus ZhoneRowStatus              -- row creation/deletion
    }
-- Rule number within one LAN interface. No range is given and the
-- DESCRIPTION does not say whether the manager picks the value at row
-- creation or the agent assigns it - TODO confirm.
firewallPortForwardingIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "LAN Port Forwarding Rules index."
    ::= { firewallPortForwardingEntry 1 }
-- Human-readable rule label; required at row creation (see
-- firewallPortForwardingRowStatus).
-- NOTE(review): read-write OCTET STRING with no SIZE constraint, so the
-- longest value an agent must accept is undefined here. A SIZE clause
-- (for example SIZE (0..255), a constructed value) would make the bound
-- explicit; confirm the agent's actual limit before adding one.
firewallPortForwardingName OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Descriptive name for a LAN Port Forwarding Rule."
    ::= { firewallPortForwardingEntry 2 }
-- Rule kind. The enumeration text duplicates FirewallPortTypeValues and
-- must be kept in sync with it.
-- NOTE(review): no DEFVAL and not listed as required at row creation, so
-- the type a row activates with when only the required columns are set
-- is agent-defined - confirm (a dmz default would expose all ports).
firewallPortType OBJECT-TYPE
    SYNTAX      FirewallPortTypeValues
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enumerated value of:
         portRange (1), -- Range indicates that any traffic on those ports will be
                        -- sent to the private IP address.
         portRemap (2), -- Remap indicates that any traffic on those ports will be
                        -- sent to the private IP address at the private port.
         dmz (3)        -- When DMZ is chosen it is the only rule allowed on that
                        -- interface. A DMZ rule is effectively the same as a Range
                        -- rule with all ports included. Range rules are more secure
                        -- than setting a DMZ rule, because Range rules allow specific
                        -- ports or groups of ports to be opened up.
        "
    ::= { firewallPortForwardingEntry 3 }
-- Protocol the rule matches. The enumeration text duplicates
-- FirewallPortProtocolValues and must be kept in sync with it. No DEFVAL
-- is declared; the value of a freshly created row is agent-defined.
firewallPortProtocol OBJECT-TYPE
    SYNTAX      FirewallPortProtocolValues
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enumerated value of:
         tcp (1),
         udp (2),
         tcpOrUdp (3),
         icmp (4),
         icmpv4 (5),
         none (6)
        "
    ::= { firewallPortForwardingEntry 4 }
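-- First WAN-side port of the rule. The SYNTAX is restricted to the 16-bit
-- port space: a bare Unsigned32 would let a manager write values no
-- transport port can take, leaving the agent to reject or truncate them.
-- No DEFVAL is declared; the value of a freshly created row is
-- agent-defined.
firewallPortPublicPortStart OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Lowest value port number for the range."
    ::= { firewallPortForwardingEntry 5 }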
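-- Last WAN-side port of the rule, inclusive. The SYNTAX is restricted to
-- the 16-bit port space for the same reason as firewallPortPublicPortStart.
-- NOTE(review): the DESCRIPTION implies End >= Start but nothing here says
-- the agent rejects a value below firewallPortPublicPortStart - confirm.
firewallPortPublicPortEnd OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Highest value port number for the range. This can be equal to
         firewallPortPublicPortStart if there is only one port."
    ::= { firewallPortForwardingEntry 6 }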
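-- LAN-side destination port. Per the portRemap (2) comment in
-- FirewallPortTypeValues this is where remapped traffic is delivered; the
-- DESCRIPTION does not say whether it is consulted for portRange or dmz
-- rows - confirm. The SYNTAX is restricted to the 16-bit port space as for
-- the public port objects.
firewallPortPrivatePort OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The port number with which to send the traffic."
    ::= { firewallPortForwardingEntry 7 }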
-- LAN host that receives the forwarded traffic; required at row creation
-- (see firewallPortForwardingRowStatus). IpAddress from SNMPv2-SMI is a
-- 4-octet IPv4 value, so an IPv6 target cannot be expressed by this column.
firewallPortPrivateIPAddress OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The port IP Address with which to send the traffic."
    ::= { firewallPortForwardingEntry 8 }
-- Row control column, typed with Zhone-TC's ZhoneRowStatus rather than the
-- standard RowStatus; its value set is not visible in this module.
-- NOTE(review): only the name and private address are required at
-- creation, and firewallPortType, firewallPortProtocol and the three port
-- objects declare no DEFVAL, so what a row activates with when those are
-- left unset is agent-defined - confirm, since that decides how much a
-- newly activated rule exposes.
firewallPortForwardingRowStatus OBJECT-TYPE
    SYNTAX      ZhoneRowStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The SNMP RowStatus of the current row. The following objects must
         be specified upon row creation:
         firewallPortForwardingName
         firewallPortPrivateIPAddress
        "
    ::= { firewallPortForwardingEntry 9 }
-- ****************************************************************************
--
-- Conformance Information
--

-- Conformance subtree at { zhnFirewall 3 }; { zhnFirewall 2 } is not
-- assigned anywhere in this module.
zhnFirewallConformance OBJECT IDENTIFIER ::= { zhnFirewall 3 }

zhnFirewallGroups      OBJECT IDENTIFIER ::= { zhnFirewallConformance 1 }
zhnFirewallCompliances OBJECT IDENTIFIER ::= { zhnFirewallConformance 2 }
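--
-- Compliance Statements
--

-- Management-access filtering is mandatory; port forwarding is
-- conditional. zhnFirewallPortForwardingGroup is defined in this module
-- but was referenced by no compliance clause, which left an agent's
-- obligation for it unspecified; the GROUP clause below makes it an
-- explicitly optional unit of conformance without changing what is
-- mandatory.
zhnFirewallCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The Compliance statement for SNMP entities which
         manage the Zhone CPE LAN Firewall Management Access Services
         and Port Forwarding Information"
    MODULE -- this module
        MANDATORY-GROUPS {
            zhnFirewallMgmtAccessGroup
        }
        GROUP zhnFirewallPortForwardingGroup
        DESCRIPTION
            "This group is mandatory only for CPEs that support LAN
             port forwarding rules."
    ::= { zhnFirewallCompliances 1 }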
--
-- Units of Conformance
--

-- Accessible columns of firewallMgmtAccessTable. firewallMgmtServiceIndex
-- is omitted because it is not-accessible (an index column).
zhnFirewallMgmtAccessGroup OBJECT-GROUP
    OBJECTS {
        firewallMgmtService,
        firewallMgmtAction
    }
    STATUS      current
    DESCRIPTION
        "A collection of Zhone IP objects that describe the
         LAN Management Access Services that can be filtered for
         a particular LAN interface."
    ::= { zhnFirewallGroups 1 }
-- Accessible columns of firewallPortForwardingTable, i.e. every column
-- except the not-accessible index firewallPortForwardingIndex.
zhnFirewallPortForwardingGroup OBJECT-GROUP
    OBJECTS {
        firewallPortForwardingName,
        firewallPortType,
        firewallPortProtocol,
        firewallPortPublicPortStart,
        firewallPortPublicPortEnd,
        firewallPortPrivatePort,
        firewallPortPrivateIPAddress,
        firewallPortForwardingRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of Zhone IP objects that describe the
         LAN Port Forwarding Management rules for filtering
         protocols and ports for a particular LAN interface."
    ::= { zhnFirewallGroups 2 }
END