-- **SDOC**********************************************************************
|
|
-- ****************************************************************************
|
|
--
|
|
-- Copyright(c) 2005 Mediatrix Telecom, Inc.
|
|
--
|
|
-- NOTICE:
|
|
-- This document contains information that is confidential and proprietary
|
|
-- to Mediatrix Telecom, Inc.
|
|
--
|
|
-- Mediatrix Telecom, Inc. reserves all rights to this document as well as
|
|
-- to the Intellectual Property of the document and the technology and
|
|
-- know-how that it includes and represents.
|
|
--
|
|
-- This publication cannot be reproduced, neither in whole nor in part, in
|
|
-- any form whatsoever without written prior approval by
|
|
-- Mediatrix Telecom, Inc.
|
|
--
|
|
-- Mediatrix Telecom, Inc. reserves the right to revise this publication
|
|
-- and make changes at any time and without the obligation to notify any
|
|
-- person and/or entity of such revisions and/or changes.
|
|
--
|
|
-- ****************************************************************************
|
|
-- ****************************************************************************
|
|
--
|
|
-- MX-FIREWALL-MIB.my
|
|
--
|
|
-- Root for the module used to configure the Firewall.
|
|
--
|
|
-- ****************************************************************************
|
|
-- **EDOC**********************************************************************
|
|
|
|
MX-FIREWALL-MIB
|
|
DEFINITIONS ::= BEGIN
|
|
|
|
IMPORTS
|
|
MODULE-IDENTITY,
|
|
OBJECT-TYPE,
|
|
Unsigned32,
|
|
Integer32
|
|
FROM SNMPv2-SMI
|
|
MODULE-COMPLIANCE,
|
|
OBJECT-GROUP
|
|
FROM SNMPv2-CONF
|
|
MxEnableState
FROM MX-TC
|
|
mediatrixConfig
|
|
FROM MX-SMI;
|
|
|
|
firewallMIB MODULE-IDENTITY
|
|
LAST-UPDATED "200603060000Z"
|
|
ORGANIZATION "Mediatrix Telecom, Inc."
|
|
CONTACT-INFO "Mediatrix Telecom, Inc.
|
|
4229, Garlock Street
|
|
Sherbrooke (Quebec)
|
|
Canada
|
|
Phone: (819) 829-8749
|
|
"
|
|
DESCRIPTION "This MIB provides the objects used to configure the firewall module.

This module is responsible for accepting or dropping packets destined to the unit
and to the clients on the LAN.

By default, the DROP action is performed silently, without sending any packet in reply.
Where a rule behaves differently, its description documents the specific action."
|
|
-- ************************************************************************
|
|
-- Revision history
|
|
-- ************************************************************************
|
|
REVISION "200603060000Z"
|
|
DESCRIPTION "Modified the description of the firewallEnable variable."
|
|
REVISION "200504190000Z"
|
|
DESCRIPTION "Creation"
|
|
::= { mediatrixConfig 450 }
|
|
|
|
firewallMIBObjects OBJECT IDENTIFIER ::= { firewallMIB 1 }
|
|
firewallConformance OBJECT IDENTIFIER ::= { firewallMIB 2 }
|
|
|
|
|
|
-- *************************************************************************
|
|
-- Config variables
|
|
-- *************************************************************************
|
|
|
|
firewallEnable OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables the firewall.
|
|
|
|
enable : The traffic is analyzed and filtered by all the rules configured in this module.
|
|
|
|
All the enabled security rules in this module apply immediately.
|
|
|
|
disable : No security rule is activated.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
|
|
This variable's semantics are different depending on the hardware platform.
|
|
Please refer to the documentation shipped with your device for more
|
|
details.
|
|
"
|
|
DEFVAL { enable }
|
|
::= { firewallMIBObjects 10 }
|
|
|
|
|
|
-- *************************************************************************
|
|
-- Firewall Security variables
|
|
-- *************************************************************************
|
|
firewallSecurity OBJECT IDENTIFIER ::= { firewallMIBObjects 100 }
|
|
|
|
|
|
firewallSecurityBadTcpPacketRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables dropping of malformed TCP packets received from the WAN side.

When enabled, this variable configures rules that check incoming TCP packets
for malformed headers. Any malformed TCP packet found is dropped silently by the firewall.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { enable }
|
|
::= { firewallSecurity 10 }
|
|
|
|
|
|
firewallSecurityTcpSynCookiesRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables protection of the unit against TCP SYN flood attacks (the common 'syn flood attack'), using TCP SYN cookies.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { enable }
|
|
::= { firewallSecurity 20 }
|
|
|
|
|
|
firewallSecuritySourceRoutedPacketRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables dropping of source-routed packets (packets carrying the
IP source route (SRR) option) received from the WAN side.

When enabled, this variable configures rules that silently drop all
packets carrying this option.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { disable }
|
|
::= { firewallSecurity 30 }
|
|
|
|
|
|
firewallSecurityMulticastPacketRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables the behavior to drop multicast packets from the WAN side.
|
|
|
|
When enabled, this variable configures rules that drop incoming WAN multicast
|
|
packets. If multicast packets are found, the firewall drops them silently.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { enable }
|
|
::= { firewallSecurity 40 }
|
|
|
|
|
|
firewallSecurityIdentRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables rejection of IDENT request packets received from the WAN side.

When enabled, this variable configures rules that drop incoming IDENT request
packets and answer each one with a TCP RST packet. The RST is sent, rather than
dropping silently, because silently dropping traffic on TCP port 113 may cause
connection problems (remote peers typically wait for the IDENT request to time out).
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { enable }
|
|
::= { firewallSecurity 50 }
|
|
|
|
|
|
firewallSecurityReversePathFilteringRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables filtering of packets by reverse path filtering.

When enabled, this variable configures rules that silently drop packets
received on one interface when the reply to their source address would be sent
through another interface. Such a packet is considered bogus (its source address
is likely spoofed) and the firewall drops it.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { disable }
|
|
::= { firewallSecurity 60 }
|
|
|
|
|
|
firewallSecurityBlockWanEchoRequestRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables the behavior to silently drop ICMP echo requests received from the WAN side.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { disable }
|
|
::= { firewallSecurity 70 }
|
|
|
|
|
|
firewallSecurityBlockLanEchoRequestRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables the behavior to silently drop ICMP echo requests received on
|
|
the LAN interface.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { disable }
|
|
::= { firewallSecurity 80 }
|
|
|
|
|
|
firewallSecurityBlockWanEchoBroadcastRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables the behavior to silently drop incoming WAN ICMP echo
|
|
requests sent to the broadcast address.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { enable }
|
|
::= { firewallSecurity 90 }
|
|
|
|
|
|
firewallSecurityBlockIcmpRedirectionInRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables silently dropping ICMP redirect messages received from
the WAN side.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { enable }
|
|
::= { firewallSecurity 100 }
|
|
|
|
|
|
firewallSecurityBlockIcmpRedirectionOutRule OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables blocking the unit from sending ICMP redirect messages.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { enable }
|
|
::= { firewallSecurity 110 }
|
|
|
|
|
|
|
|
-- *************************************************************************
|
|
-- Spoof Security variables
|
|
-- *************************************************************************
|
|
firewallSecuritySpoof OBJECT IDENTIFIER ::= { firewallSecurity 1000 }
|
|
|
|
|
|
firewallSecuritySpoofEnable OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables the anti-spoofing security rules (rules against IP address spoofing)
contained in the table firewallSecuritySpoofTable.

These rules can prevent the reception of packets from the WAN side, based on
the source address of those packets.
|
|
|
|
This variable applies only if the variable firewallEnable is enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { enable }
|
|
::= { firewallSecuritySpoof 10 }
|
|
|
|
|
|
-- ************************************************************************
|
|
-- Spoof table
|
|
-- ************************************************************************
|
|
|
|
firewallSecuritySpoofTable OBJECT-TYPE
|
|
SYNTAX SEQUENCE OF FirewallSecuritySpoofEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "
|
|
A table that contains the static anti-spoofing security rules. Each of these
rules must be enabled individually through the variable firewallSecuritySpoofRuleEnable.

This table applies only if the variable firewallSecuritySpoofEnable is enabled and if the
variable firewallEnable is also enabled.

Rules cannot be added to this table. The existing rules can only be enabled
or disabled.
|
|
"
|
|
::= { firewallSecuritySpoof 100 }
|
|
|
|
|
|
firewallSecuritySpoofEntry OBJECT-TYPE
|
|
SYNTAX FirewallSecuritySpoofEntry
|
|
MAX-ACCESS not-accessible
|
|
STATUS current
|
|
DESCRIPTION "
|
|
A row in the firewallSecuritySpoofTable used to specify an anti-spoofing rule.
An entry is active if the variable firewallEnable is enabled and if the
variable firewallSecuritySpoofRuleEnable of this row is also enabled (the table
as a whole is additionally gated by the variable firewallSecuritySpoofEnable).
|
|
"
|
|
INDEX {
|
|
firewallSecuritySpoofIndex
|
|
}
|
|
::= { firewallSecuritySpoofTable 5 }
|
|
|
|
|
|
FirewallSecuritySpoofEntry ::= SEQUENCE
|
|
{
|
|
firewallSecuritySpoofIndex Unsigned32,
|
|
firewallSecuritySpoofLabel OCTET STRING,
|
|
firewallSecuritySpoofAddress OCTET STRING,
|
|
firewallSecuritySpoofRuleEnable MxEnableState
|
|
}
|
|
|
|
|
|
firewallSecuritySpoofIndex OBJECT-TYPE
|
|
SYNTAX Unsigned32 (1..255)
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "Anti-spoofing rule index for this row.
|
|
"
|
|
::= { firewallSecuritySpoofEntry 10 }
|
|
|
|
|
|
firewallSecuritySpoofLabel OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255))
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "Short description of the anti-spoofing rule.
|
|
"
|
|
::= { firewallSecuritySpoofEntry 20 }
|
|
|
|
|
|
firewallSecuritySpoofAddress OBJECT-TYPE
|
|
SYNTAX OCTET STRING (SIZE(0..255))
|
|
MAX-ACCESS read-only
|
|
STATUS current
|
|
DESCRIPTION "Source IP address and network mask identifying the packets that this rule must drop silently.
|
|
"
|
|
::= { firewallSecuritySpoofEntry 30 }
|
|
|
|
|
|
firewallSecuritySpoofRuleEnable OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Indicates whether the anti-spoofing rule of this row is active.

This variable applies only if both the variable firewallEnable and the table
(variable firewallSecuritySpoofEnable) are enabled.
|
|
|
|
Since the modification of this variable will be applied in real time, new settings can
|
|
affect the current network connections.
|
|
"
|
|
DEFVAL { disable }
|
|
::= { firewallSecuritySpoofEntry 40 }
|
|
|
|
|
|
-- *************************************************************************
|
|
-- Firewall Syslog variables
|
|
-- *************************************************************************
|
|
firewallSyslog OBJECT IDENTIFIER ::= { firewallMIBObjects 200 }
|
|
|
|
firewallSyslogEnable OBJECT-TYPE
|
|
SYNTAX MxEnableState
|
|
MAX-ACCESS read-write
|
|
STATUS current
|
|
DESCRIPTION "Enables/Disables sending of firewall notification messages to syslog.
|
|
"
|
|
DEFVAL { disable }
|
|
::= { firewallSyslog 10 }
|
|
|
|
|
|
-- ************************************************************************
|
|
-- Conformance information
|
|
-- ************************************************************************
|
|
|
|
firewallCompliances OBJECT IDENTIFIER ::= { firewallConformance 1 }
|
|
|
|
firewallComplVer1 MODULE-COMPLIANCE
|
|
STATUS current
|
|
DESCRIPTION
|
|
"Minimal set of object definitions required to support the firewall configuration."
|
|
MODULE -- This Module
|
|
MANDATORY-GROUPS {
|
|
firewallGroupVer1,
|
|
firewallSecurityGroupVer1,
|
|
firewallSecuritySpoofGroupVer1,
|
|
firewallSyslogGroupVer1
|
|
}
|
|
::= { firewallCompliances 1 }
|
|
|
|
|
|
-- ************************************************************************
|
|
-- MIB variable grouping
|
|
-- ************************************************************************
|
|
firewallGroups OBJECT IDENTIFIER ::= { firewallConformance 2 }
|
|
|
|
firewallGroupVer1 OBJECT-GROUP
|
|
OBJECTS {
|
|
firewallEnable
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"
|
|
This group holds the minimal set of objects needed to enable the basic firewall services.
|
|
"
|
|
::= { firewallGroups 1 }
|
|
|
|
|
|
firewallSecurityGroupVer1 OBJECT-GROUP
|
|
OBJECTS {
|
|
firewallSecurityBadTcpPacketRule,
|
|
firewallSecurityTcpSynCookiesRule,
|
|
firewallSecuritySourceRoutedPacketRule,
|
|
firewallSecurityMulticastPacketRule,
|
|
firewallSecurityIdentRule,
|
|
firewallSecurityReversePathFilteringRule,
|
|
firewallSecurityBlockWanEchoRequestRule,
|
|
firewallSecurityBlockLanEchoRequestRule,
|
|
firewallSecurityBlockWanEchoBroadcastRule,
|
|
firewallSecurityBlockIcmpRedirectionInRule,
|
|
firewallSecurityBlockIcmpRedirectionOutRule
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"
|
|
This group holds the minimal set of objects that define
the firewall security rules.
|
|
"
|
|
::= { firewallGroups 2 }
|
|
|
|
firewallSecuritySpoofGroupVer1 OBJECT-GROUP
|
|
OBJECTS {
|
|
firewallSecuritySpoofEnable,
|
|
firewallSecuritySpoofLabel,
|
|
firewallSecuritySpoofAddress,
|
|
firewallSecuritySpoofRuleEnable
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"
|
|
This group holds the minimal set of objects that define the firewall anti-spoofing rules.
|
|
"
|
|
::= { firewallGroups 3 }
|
|
|
|
|
|
firewallSyslogGroupVer1 OBJECT-GROUP
|
|
OBJECTS {
|
|
firewallSyslogEnable
|
|
}
|
|
STATUS current
|
|
DESCRIPTION
|
|
"
|
|
This group holds the minimal set of objects to enable the firewall syslog.
|
|
"
|
|
::= { firewallGroups 4 }
|
|
|
|
END
|
|
|