
-- ****************************************************************************
-- ****************************************************************************
-- Copyright(c) 2004 Mediatrix Telecom, Inc.
-- NOTICE:
-- This document contains information that is confidential and proprietary
-- to Mediatrix Telecom, Inc.
-- Mediatrix Telecom, Inc. reserves all rights to this document as well as
-- to the Intellectual Property of the document and the technology and
-- know-how that it includes and represents.
-- This publication cannot be reproduced, neither in whole nor in part in
-- any form whatsoever without written prior approval by
-- Mediatrix Telecom, Inc.
-- Mediatrix Telecom, Inc. reserves the right to revise this publication
-- and make changes at any time and without the obligation to notify any
-- person and/or entity of such revisions and/or changes.
-- ****************************************************************************
-- ****************************************************************************
MX-LFW-MIB
DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY,
OBJECT-TYPE,
Unsigned32,
Integer32
FROM SNMPv2-SMI
MODULE-COMPLIANCE,
OBJECT-GROUP
FROM SNMPv2-CONF
MxEnableState,
MxActivationState,
MxIpHostName,
MxIpAddress,
MxIpPort,
MxAdvancedIpPort,
MxIpSubnetMask,
MxDigitMap
FROM MX-TC
MxUInt64,
MxFloat32,
MxIpHostNamePort,
MxIpAddr,
MxIpAddrPort,
MxIpAddrMask,
MxUri,
MxUrl
FROM MX-TC2
mediatrixServices
FROM MX-SMI2;
-- Module identity of the Local Firewall (LFW) service, rooted at
-- mediatrixServices.2200 (this copy is dated 2019-10-21 by LAST-UPDATED).
-- Security note: every read-write object in this module (defaultPolicy, the
-- localRulesTable columns and row commands, blacklistTimeout,
-- blacklistRateLimitTimeout, minSeverity) reconfigures the unit's own packet
-- filter. Whoever holds SNMP write access to this subtree can therefore open
-- or close the unit's management paths; scope write communities / SNMPv3
-- users accordingly and prefer read-only access for monitoring.
lfwMIB MODULE-IDENTITY
LAST-UPDATED "1910210000Z"
ORGANIZATION " Mediatrix Telecom, Inc. "
CONTACT-INFO " Mediatrix Telecom, Inc.
4229, Garlock Street
Sherbrooke (Quebec)
Canada
Phone: (819) 829-8749
"
DESCRIPTION " Local Firewall
The Local Firewall (LFW) service allows the administrator to
filter the network with the unit as final destination.
"
::= { mediatrixServices 2200 }
lfwMIBObjects OBJECT IDENTIFIER ::= { lfwMIB 1 }
-- Scalar:Configuration Modified Status
-- Read-only flag telling whether edits to the firewall configuration (the
-- localRulesTable rows, defaultPolicy) are still pending, i.e. not yet pushed
-- into the running filter. While this reads 'yes' the enforced rule set is
-- the one shown in localRulesStatusTable, not the one being edited.
-- Note the enumeration encoding: yes(100) / no(200), not a boolean 0/1 and
-- not the same encoding as needRestartInfo (no(0) / yes(100)) in this module.
-- The Lfw.ApplyConfig command named in the description is not exposed as an
-- object of this MIB; presumably it is issued through another management
-- interface of the unit - confirm before automating the apply step.
configModifiedStatus OBJECT-TYPE
SYNTAX INTEGER { yes(100) , no(200) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Configuration Modified Status
Shows whether or not the Local Firewall configuration has been
modified without being applied.
1. Yes: The configuration has been modified but it has not been
applied.
2. No: The Local Firewall service uses the configured rules.
Use the Lfw.ApplyConfig command to apply the configuration.
"
::= { lfwMIBObjects 100 }
-- *****************************************************************************
-- Table:Local Rules Status
-- *****************************************************************************
-- Operational view of the rule set the local firewall is currently enforcing.
-- Every column is read-only and populated by the agent. The editable rule set
-- is localRulesTable, which can differ from this table: it also holds rows
-- whose Activation is 'disable' (not in the firewall) and edits that have not
-- been applied yet (see configModifiedStatus). When auditing what the unit
-- really filters, read this table, not localRulesTable.
localRulesStatusTable OBJECT-TYPE
SYNTAX SEQUENCE OF LocalRulesStatusEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION " Local Rules Status
This table shows the local rules applied in the firewall.
"
::= { lfwMIBObjects 200 }
-- One applied rule, indexed by its priority value.
localRulesStatusEntry OBJECT-TYPE
SYNTAX LocalRulesStatusEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION " A row in table Local Rules Status. "
INDEX {
localRulesStatusPriority
}
::= { localRulesStatusTable 1 }
-- Column layout of an applied rule: match criteria (addresses, ports,
-- protocol), blacklist / rate-limit settings, and the resulting action.
LocalRulesStatusEntry ::= SEQUENCE
{
localRulesStatusPriority Unsigned32,
localRulesStatusSourceAddress OCTET STRING,
localRulesStatusSourcePort OCTET STRING,
localRulesStatusDestinationAddress OCTET STRING,
localRulesStatusDestinationPort OCTET STRING,
localRulesStatusProtocol INTEGER,
localRulesStatusBlacklistEnable MxEnableState,
localRulesStatusRateLimitValue Unsigned32,
localRulesStatusRateLimitTimePeriod Unsigned32,
localRulesStatusAction INTEGER
}
-- Index:Rule priority
-- Row identifier. The MIB does not state the evaluation order explicitly;
-- presumably lower priority values are matched first, since rows are
-- reordered with the Up/Down commands of localRulesTable - confirm on the
-- unit before relying on rule ordering for an allow-before-drop design.
localRulesStatusPriority OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Rule priority
Unique identifier of the row in the table.
"
::= { localRulesStatusEntry 100 }
-- Columnar:Source Address
-- Applied source criterion in address[/mask] form; an empty string is a
-- wildcard. The configured rule may instead have named an interface
-- (see localRulesSourceAddress); how that is rendered here is not specified.
localRulesStatusSourceAddress OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Source Address
Source address[/mask] criteria an incoming packet must have to
match this rule.
An empty string matches any address.
"
::= { localRulesStatusEntry 200 }
-- Columnar:Source Port
-- Applied source port or MinPort-MaxPort range; empty = any port. Only
-- meaningful when Protocol is Tcp or Udp.
localRulesStatusSourcePort OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Source Port
Source port[-port] criteria an incoming packet must have to
match this rule.
MinPort-MaxPort specifies a port range.
An empty string means that no filtering is applied on the
source port thus matching any port.
This parameter is only effective when the
LocalRulesStatus.Protocol parameter is set to Tcp or Udp.
"
::= { localRulesStatusEntry 300 }
-- Columnar:Destination Address
-- Applied destination criterion; empty = any of the unit's addresses.
localRulesStatusDestinationAddress OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Destination Address
Destination address[/mask] criteria an incoming packet must
have to match this rule.
An empty string matches any address.
"
::= { localRulesStatusEntry 400 }
-- Columnar:Destination Port
-- Applied destination port or range; empty = any port. Only meaningful when
-- Protocol is Tcp or Udp.
localRulesStatusDestinationPort OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Destination Port
Destination port[-port] criteria an incoming packet must have
to match this rule.
MinPort-MaxPort specifies a port range.
An empty string means that no filtering is applied on the
destination port thus matching any port.
This parameter is only effective when the
LocalRulesStatus.Protocol parameter is set to Tcp or Udp.
"
::= { localRulesStatusEntry 500 }
-- Columnar:Protocol
-- Applied protocol criterion. Enumeration values are 100/200/300/400, not
-- IANA protocol numbers. The DEFVAL has no effect on a read-only status
-- column; it mirrors the default of localRulesProtocol.
localRulesStatusProtocol OBJECT-TYPE
SYNTAX INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Protocol
Protocol criteria an incoming packet must have to match this
rule.
The protocol can be one of the following:
* All: Match packets using any protocols.
* Tcp: Only match TCP packets.
* Udp: Only match UDP packets.
* Icmp: Only match ICMP packets.
"
DEFVAL { all }
::= { localRulesStatusEntry 600 }
-- Columnar:Blacklist Enable
-- Whether a match on this rule also blacklists the packet's source IP
-- (for blacklistTimeout seconds, or blacklistRateLimitTimeout seconds when
-- the rule rate-limits).
-- NOTE(review): the blacklist is keyed on the source address of the packet
-- that "establishes a connection". For Udp and Icmp there is no handshake,
-- so that address can be forged; a blacklist-enabled rule on those protocols
-- presumably lets a remote sender get an address of its choosing (e.g. a
-- legitimate peer) blacklisted - verify how the agent qualifies a
-- "connection" before enabling this on spoofable traffic.
localRulesStatusBlacklistEnable OBJECT-TYPE
SYNTAX MxEnableState
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Blacklist Enable
Indicates if blacklisting is enabled for this rule.
* Enable: When a packet establishing a connection matches
this rule, the action is executed and the source IP address
is added to the blacklist.
* Disable: When a packet establishing a connection matches
this rule, the action is executed but the source IP address
is not added to the blacklist.
Note: If rate limiting is enabled for this rule, blacklisted IP
addresses are added to the rate limit blacklist.
"
::= { localRulesStatusEntry 620 }
-- Columnar:Rate Limit Value
-- New connections allowed per source IP within RateLimitTimePeriod
-- (1..5000). Only relevant when Action is RateLimitPerSource.
localRulesStatusRateLimitValue OBJECT-TYPE
SYNTAX Unsigned32 ( 1..5000 )
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Rate Limit Value
Number of new connections allowed to match this rule from a
single source IP address within a certain time period.
"
::= { localRulesStatusEntry 650 }
-- Columnar:Rate Limit Time Period
-- Window, in seconds (1..86400), over which RateLimitValue is counted.
localRulesStatusRateLimitTimePeriod OBJECT-TYPE
SYNTAX Unsigned32 ( 1..86400 )
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Rate Limit Time Period
The time period on which to base the rate limit. This period is
expressed in seconds.
Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60
means a limit of 10 new connections per minute.
"
::= { localRulesStatusEntry 680 }
-- Columnar:Action
-- Verdict for a matching packet. 'Reject' answers with ICMP port
-- unreachable, which confirms to the sender that the host is up; 'Drop' is
-- silent and is the usual choice on untrusted interfaces.
-- The description's "ConnectionState parameter" is not defined anywhere in
-- this module (neither table has such a column); this looks like a stale
-- reference to another revision of the MIB - treat the 'New' restriction as
-- unverifiable from this file.
localRulesStatusAction OBJECT-TYPE
SYNTAX INTEGER { accept(100) , reject(200) , drop(300) ,
rateLimitPerSource(400) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Action
Action taken when this rule matches a packet.
Action can be one of the following:
* Accept: Let the packet through.
* Reject: Send back an ICMP port unreachable in response to
the matched packet, the packet is then dropped.
* Drop: The packet is dropped without any notification.
* RateLimitPerSource: Drop the packets received from a given
source IP address when it exceeds a configurable rate. The
rate is set using the RateLimitValue and
RateLimitTimePeriod parameters.
Note: This action is only allowed when the ConnectionState
parameter is set to 'New'.
"
::= { localRulesStatusEntry 700 }
-- End of table:Local Rules Status
-- Scalar:Local Firewall Default Policy
-- Verdict for packets matching no rule. The factory default is 'accept',
-- so until rules are configured the local firewall filters nothing; 'reject'
-- is deliberately not offered here (only per-rule).
-- Hardening order matters: add and apply (see configModifiedStatus) rules
-- with Action 'accept' for every management protocol you rely on BEFORE
-- switching this to 'drop' - the description warns that getting it wrong
-- locks you out and requires a partial or factory reset. Also note that
-- rules keyed on an interface name are removed automatically when that
-- interface goes away (see localRulesSourceAddress), which can silently
-- change what this default applies to.
defaultPolicy OBJECT-TYPE
SYNTAX INTEGER { accept(100) , drop(300) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Local Firewall Default Policy
Action taken when a packet does not match any rule.
Default policy can be one of the following:
* Accept: Let the packet through.
* Drop: The packet is dropped without any notification.
Make sure that there are some rules with Action set to 'Accept'
in the local firewall BEFORE applying changes that will set the
default policy to 'Drop'. Failing to comply with this warning
results in losing contact with the unit and a partial or factory
reset is required.
To have no filtering applied to incoming packets, set the
default policy to 'Accept' and remove all rules from the local
firewall.
"
DEFVAL { accept }
::= { lfwMIBObjects 550 }
-- *****************************************************************************
-- Table:Local Rules
-- *****************************************************************************
-- Editable rule set. Rows are created, ordered and removed with the row
-- command columns (Insert / Up / Down / Delete, each triggered by writing
-- the value 10) rather than with RowStatus, and take effect only once the
-- configuration is applied (configModifiedStatus) and the row's Activation
-- is 'enable'. The enforced result is visible in localRulesStatusTable.
-- All writable columns here change the unit's own packet filter; see the
-- access note on lfwMIB.
localRulesTable OBJECT-TYPE
SYNTAX SEQUENCE OF LocalRulesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION " Local Rules
This table shows the configured local rules for the
firewall.
"
::= { lfwMIBObjects 600 }
-- One configured rule, indexed by its priority value.
localRulesEntry OBJECT-TYPE
SYNTAX LocalRulesEntry
MAX-ACCESS read-write
STATUS current
DESCRIPTION " A row in table Local Rules. "
INDEX {
localRulesPriority
}
::= { localRulesTable 1 }
-- Column layout: the status-table columns plus Activation and the four
-- row-command columns. Note the row commands are listed last in the
-- SEQUENCE but Up is defined after Action in this file (OID 900).
LocalRulesEntry ::= SEQUENCE
{
localRulesPriority Unsigned32,
localRulesActivation MxEnableState,
localRulesSourceAddress OCTET STRING,
localRulesSourcePort OCTET STRING,
localRulesDestinationAddress OCTET STRING,
localRulesDestinationPort OCTET STRING,
localRulesProtocol INTEGER,
localRulesBlacklistEnable MxEnableState,
localRulesRateLimitValue Unsigned32,
localRulesRateLimitTimePeriod Unsigned32,
localRulesAction INTEGER,
localRulesUp INTEGER,
localRulesDown INTEGER,
localRulesInsert INTEGER,
localRulesDelete INTEGER
}
-- Index:Rule Priority
-- Row identifier; read-only, so ordering is changed with Up/Down, not by
-- writing this value. Evaluation order is not stated in the MIB (presumably
-- lower first - confirm).
localRulesPriority OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Rule Priority
Unique identifier of the row in the table.
"
::= { localRulesEntry 100 }
-- Row command:Down
-- Write down(10) to move this rule one position down; reads back as noOp.
localRulesDown OBJECT-TYPE
SYNTAX INTEGER { noOp(0), down(10) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Down
Moves the current row downwards.
"
DEFVAL { noOp }
::= { localRulesEntry 1000 }
-- Row command:Insert
-- Write insert(10) to create a new row before this one. The new row's
-- columns take the DEFVALs below - in particular Activation 'disable' and
-- Action 'accept' - so an inserted rule is inert until explicitly enabled.
localRulesInsert OBJECT-TYPE
SYNTAX INTEGER { noOp(0), insert(10) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Insert
Inserts a new row before this row.
"
DEFVAL { noOp }
::= { localRulesEntry 1100 }
-- Row command:Delete
-- Write delete(10) to remove this rule. There is no confirmation; deleting
-- an 'accept' rule while defaultPolicy is 'drop' can cut off management.
localRulesDelete OBJECT-TYPE
SYNTAX INTEGER { noOp(0), delete(10) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Delete
Deletes this row.
"
DEFVAL { noOp }
::= { localRulesEntry 1200 }
-- Columnar:Activation
-- Whether the rule is installed in the firewall at all. Defaults to
-- 'disable': a row that exists here but is disabled is absent from
-- localRulesStatusTable.
localRulesActivation OBJECT-TYPE
SYNTAX MxEnableState
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Activation
Current activation state for this rule.
* Enable: This rule is active in the firewall.
* Disable: This rule is not in the firewall.
"
DEFVAL { disable }
::= { localRulesEntry 200 }
-- Columnar:Source Address
-- Source criterion: a host address, address/prefixlen, or "<ifname>/"
-- (the network of that BNI interface). Up to 51 octets; empty = any.
-- NOTE(review): a rule written as "<ifname>/" is auto-disabled (removed
-- from the firewall) when that interface is disabled or removed, and
-- re-enabled when it returns. If the rule was a Drop/Reject rule, its
-- disappearance is fail-open: packets it covered fall through to the
-- remaining rules and defaultPolicy. Prefer explicit address/prefix for
-- deny rules whose coverage must not depend on interface state.
localRulesSourceAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE(0..51) )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Source Address
Source address of the incoming packet using the following
format: address[/mask] or network interface name/.
The address can either be a network IP address (using /mask) or
one of the host IP addresses.
When specifying a network interface name, it is mandatory to
use the suffix '/'. Doing so indicates that the network address
of this interface is used instead of the host address. Also, it
must match one of the values in the
networkInterfacesStatusTable.InterfaceName parameter from the
Basic Network Interface (BNI) service. Note that if the
specified network interface is disabled or removed, the rule is
automatically disabled thus removed from the firewall. When the
network interface is enabled or added back, the rule is
automatically enabled and applied in the firewall.
Mask must be a plain number specifying the number of binary 1s
at the left side of the network mask. E.g.: a mask of 24
specifies a network mask of 255.255.255.0.
Leaving the default empty string matches any address.
"
DEFVAL { "" }
::= { localRulesEntry 300 }
-- Columnar:Source Port
-- "port" or "MinPort-MaxPort"; the 11-octet limit fits "65535-65535".
-- Empty = any port. Ignored unless Protocol is Tcp or Udp.
localRulesSourcePort OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE(0..11) )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Source Port
Source port of the incoming packet using the following format:
port[-port].
MinPort-MaxPort specifies a port range.
The default empty string means that no filtering is applied on
the source port thus matching any port.
This parameter is only effective when the LocalRules.Protocol
parameter is set to Tcp or Udp.
"
DEFVAL { "" }
::= { localRulesEntry 400 }
-- Columnar:Destination Address
-- Destination criterion: one of the unit's own host addresses, or a BNI
-- interface name (its host address, no trailing '/'). Network/prefix forms
-- are invalid here. Same interface-state auto-disable caveat as
-- localRulesSourceAddress. Empty = any local address.
localRulesDestinationAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE(0..51) )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Destination Address
Destination address of the incoming packet using the following
format: address or network interface name.
The address must be one of the host IP addresses. Specifying a
network address here is invalid since this is a local firewall.
When specifying a network interface name, the host address of
this interface is used. Also, it must match one of the values
in the networkInterfacesStatusTable.InterfaceName parameter
from the Basic Network Interface (BNI) service. Note that if
the specified network interface is disabled or removed, the
rule is automatically disabled thus removed from the firewall.
When the network interface is enabled or added back, the rule
is automatically enabled and applied in the firewall.
Leaving the default empty string matches any address.
"
DEFVAL { "" }
::= { localRulesEntry 500 }
-- Columnar:Destination Port
-- "port" or "MinPort-MaxPort"; empty = any. Ignored unless Protocol is
-- Tcp or Udp. Leaving this empty on an 'accept' rule opens every port of
-- the matched addresses.
localRulesDestinationPort OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE(0..11) )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Destination Port
Destination port of the incoming packet using the following
format: port[-port].
MinPort-MaxPort specifies a port range.
The default empty string means that no filtering is applied on
the destination port thus matching any port.
This parameter is only effective when the LocalRules.Protocol
parameter is set to Tcp or Udp.
"
DEFVAL { "" }
::= { localRulesEntry 600 }
-- Columnar:Protocol
-- Protocol criterion; defaults to 'all'. Values are 100/200/300/400, not
-- IANA protocol numbers.
localRulesProtocol OBJECT-TYPE
SYNTAX INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Protocol
Protocol of the incoming packet.
The protocol can be one of the following:
* All: Match packets using any protocols.
* Tcp: Only match TCP packets.
* Udp: Only match UDP packets.
* Icmp: Only match ICMP packets.
"
DEFVAL { all }
::= { localRulesEntry 700 }
-- Columnar:Blacklist Enable
-- Off by default. When enabled, the source IP of a matching
-- connection-establishing packet is blacklisted (blacklistTimeout, or
-- blacklistRateLimitTimeout when the rule rate-limits).
-- NOTE(review): the source address of Udp/Icmp packets (and of a bare TCP
-- SYN) is attacker-controllable, so enabling this on a Drop/Reject rule for
-- spoofable traffic presumably allows a third party to get arbitrary
-- addresses blacklisted - verify the agent's notion of "establishing a
-- connection" before enabling on Internet-facing interfaces.
localRulesBlacklistEnable OBJECT-TYPE
SYNTAX MxEnableState
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Blacklist Enable
Indicates if blacklisting is enabled for this rule.
* Enable: When a packet establishing a connection matches
this rule, the action is executed and the source IP address
is added to the blacklist.
* Disable: When a packet establishing a connection matches
this rule, the action is executed but the source IP address
is not added to the blacklist.
Note: If rate limiting is enabled for this rule, blacklisted IP
addresses are added to the rate limit blacklist.
"
DEFVAL { disable }
::= { localRulesEntry 720 }
-- Columnar:Rate Limit Value
-- New connections per source IP allowed within RateLimitTimePeriod
-- (1..5000, default 10). Only used when Action is RateLimitPerSource.
localRulesRateLimitValue OBJECT-TYPE
SYNTAX Unsigned32 ( 1..5000 )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Rate Limit Value
Number of new connections allowed to match this rule from a
single source IP address within a certain time period.
"
DEFVAL { 10 }
::= { localRulesEntry 750 }
-- Columnar:Rate Limit Time Period
-- Counting window in seconds (1..86400, default 60): with the defaults a
-- source gets 10 new connections per minute before being dropped.
localRulesRateLimitTimePeriod OBJECT-TYPE
SYNTAX Unsigned32 ( 1..86400 )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Rate Limit Time Period
The time period on which to base the rate limit. This period is
expressed in seconds.
Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60
means a limit of 10 new connections per minute.
"
DEFVAL { 60 }
::= { localRulesEntry 780 }
-- Columnar:Action
-- Verdict for a matching packet; defaults to 'accept'. 'Reject' sends an
-- ICMP port unreachable (reveals that the host is up), 'Drop' is silent.
-- The "ConnectionState parameter" referenced for RateLimitPerSource does
-- not exist in this module; this looks like a stale cross-reference to
-- another revision of the MIB, so the 'New' restriction cannot be checked
-- from this file.
localRulesAction OBJECT-TYPE
SYNTAX INTEGER { accept(100) , reject(200) , drop(300) ,
rateLimitPerSource(400) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Action
Action taken when this rule matches a packet.
Action can be one of the following:
* Accept: Let the packet through.
* Reject: Send back an ICMP port unreachable in response to
the matched packet, the packet is then dropped.
* Drop: The packet is dropped without any notification.
* RateLimitPerSource: Drop the packets received from a given
source IP address when it exceeds a configurable rate. The
rate is set using the RateLimitValue and
RateLimitTimePeriod parameters.
Note: This action is only allowed when the ConnectionState
parameter is set to 'New'.
"
DEFVAL { accept }
::= { localRulesEntry 800 }
-- Row command:Up
-- Write up(10) to move this rule one position up; reads back as noOp.
-- Defined here (OID 900) although it precedes Down/Insert/Delete in OID
-- order.
localRulesUp OBJECT-TYPE
SYNTAX INTEGER { noOp(0), up(10) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Up
Moves the current row upwards.
"
DEFVAL { noOp }
::= { localRulesEntry 900 }
-- End of table:Local Rules
-- ****************************************************************************
-- Group:Blacklist
-- ****************************************************************************
-- Timers for the two source-IP blacklists fed by rules with BlacklistEnable
-- set: the plain blacklist and the 'rate limit' blacklist. The MIB exposes
-- no table of currently blacklisted addresses and no way to clear one.
blacklistGroup OBJECT IDENTIFIER
::= { lfwMIBObjects 700 }
-- Scalar:Blacklist Timeout
-- Lifetime, in seconds (1..86400, default 60), of an entry in the plain
-- blacklist. The timer is a sliding window: every further packet from the
-- blacklisted source is dropped AND restarts the timer, so a source that
-- keeps retrying stays blocked indefinitely. That is the intended effect
-- against a persistent scanner, but it also means a legitimate peer that was
-- blacklisted (e.g. via a forged-source packet, see localRulesBlacklistEnable)
-- cannot recover while it keeps sending. Contrast blacklistRateLimitTimeout,
-- which does not reset.
blacklistTimeout OBJECT-TYPE
SYNTAX Unsigned32 ( 1..86400 )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Blacklist Timeout
The time an address stays in the blacklist. If Lfw receives a
packet from a blacklisted source, the packet is dropped and
the remaining blacklist time is reset to this value.
The time units are seconds.
"
DEFVAL { 60 }
::= { blacklistGroup 100 }
-- Scalar:Blacklist Rate Limit Timeout
-- Lifetime, in seconds (1..86400, default 60), of an entry in the 'rate
-- limit' blacklist (sources blacklisted by a RateLimitPerSource rule with
-- BlacklistEnable set). Unlike blacklistTimeout this is a fixed penalty:
-- further packets are dropped but do not extend the entry, so the source is
-- unblocked after exactly this many seconds regardless of its behaviour.
blacklistRateLimitTimeout OBJECT-TYPE
SYNTAX Unsigned32 ( 1..86400 )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Blacklist Rate Limit Timeout
The time an address stays in the 'rate limit' blacklist. If
Lfw receives a packet from a 'rate limit' blacklisted source,
the packet is dropped but the remaining blacklist time is not
reset.
The time units are seconds.
"
DEFVAL { 60 }
::= { blacklistGroup 200 }
-- End of group:Blacklist
-- ****************************************************************************
-- Group:Notification Messages Configuration
-- ****************************************************************************
-- Controls the service's notification messages. Note the high OID arc
-- (60010) shared with the configuration group below; presumably a common
-- layout across Mediatrix service MIBs.
notificationsGroup OBJECT IDENTIFIER
::= { lfwMIBObjects 60010 }
-- Scalar:Minimal Severity of Notification
-- Threshold below which the LFW service emits no notification; default
-- 'warning', and 'disable' silences the service entirely. The MIB does not
-- say which firewall events (rule hits, blacklisting, config apply) map to
-- which severity, so if you rely on these messages for detection, check on
-- the unit whether the events you care about are emitted at 'warning' or
-- only at 'info'/'debug' before leaving the default in place.
minSeverity OBJECT-TYPE
SYNTAX INTEGER { disable(0) , debug(100) , info(200) , warning(300) ,
error(400) , critical (500) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Minimal Severity of Notification
Sets the minimal severity to issue a notification message
incoming from this service.
* Disable: No notification is issued.
* Debug: All notification messages are issued.
* Info: Notification messages with a 'Informational' and
higher severity are issued.
* Warning: Notification messages with a 'Warning' and higher
severity are issued.
* Error: Notification messages with an 'Error' and higher
severity are issued.
* Critical: Notification messages with a 'Critical' severity
are issued.
"
DEFVAL { warning }
::= { notificationsGroup 100 }
-- End of group:Notification Messages Configuration
-- ****************************************************************************
-- Group:Configuration Settings
-- ****************************************************************************
-- Service-level configuration status (currently only the restart flag).
configurationGroup OBJECT IDENTIFIER
::= { lfwMIBObjects 60020 }
-- Scalar:Need Restart
-- Read-only flag: 'yes' means some configuration change only takes full
-- effect after the service is restarted (via Scm.ServiceCommands.Restart,
-- which lives in another Mediatrix MIB, not here). This is distinct from
-- configModifiedStatus, which tracks un-applied rule edits.
-- Encoding is no(0) / yes(100) - the opposite value order from
-- configModifiedStatus (yes(100) / no(200)); pollers must not assume one
-- shared boolean encoding across this module.
needRestartInfo OBJECT-TYPE
SYNTAX INTEGER { no(0) , yes(100) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Need Restart
Indicates if the service needs to be restarted for the
configuration to fully take effect.
* Yes: Service needs to be restarted.
* No: Service does not need to be restarted.
Services can be restarted by using the
Scm.ServiceCommands.Restart command.
"
::= { configurationGroup 100 }
-- End of group:Configuration Settings
END