
-- ****************************************************************************
-- ****************************************************************************
-- Copyright(c) 2004 Mediatrix Telecom, Inc.
-- NOTICE:
-- This document contains information that is confidential and proprietary
-- to Mediatrix Telecom, Inc.
-- Mediatrix Telecom, Inc. reserves all rights to this document as well as
-- to the Intellectual Property of the document and the technology and
-- know-how that it includes and represents.
-- This publication cannot be reproduced, neither in whole nor in part in
-- any form whatsoever without written prior approval by
-- Mediatrix Telecom, Inc.
-- Mediatrix Telecom, Inc. reserves the right to revise this publication
-- and make changes at any time and without the obligation to notify any
-- person and/or entity of such revisions and/or changes.
-- ****************************************************************************
-- ****************************************************************************
MX-NFW-MIB
DEFINITIONS ::= BEGIN
-- Review note: of the names imported below, this module only references
-- MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, MxEnableState and
-- mediatrixServices. Integer32, MODULE-COMPLIANCE, OBJECT-GROUP and the
-- remaining MX-TC / MX-TC2 textual conventions are imported but never used.
-- No MODULE-COMPLIANCE or OBJECT-GROUP statement appears before END, so the
-- module carries no conformance section (confirm against the upstream file;
-- this copy may have been trimmed).
IMPORTS
MODULE-IDENTITY,
OBJECT-TYPE,
Unsigned32,
Integer32
FROM SNMPv2-SMI
MODULE-COMPLIANCE,
OBJECT-GROUP
FROM SNMPv2-CONF
MxEnableState,
MxActivationState,
MxIpHostName,
MxIpAddress,
MxIpPort,
MxAdvancedIpPort,
MxIpSubnetMask,
MxDigitMap
FROM MX-TC
MxUInt64,
MxFloat32,
MxIpHostNamePort,
MxIpAddr,
MxIpAddrPort,
MxIpAddrMask,
MxUri,
MxUrl
FROM MX-TC2
mediatrixServices
FROM MX-SMI2;
-- Module identity for the Network Firewall (NFW) service.
-- Review note: LAST-UPDATED "1910210000Z" reads as 2019-10-21 00:00 UTC.
-- No REVISION clauses are present, so the change history of this MIB is not
-- recorded in the module itself.
nfwMIB MODULE-IDENTITY
LAST-UPDATED "1910210000Z"
ORGANIZATION " Mediatrix Telecom, Inc. "
CONTACT-INFO " Mediatrix Telecom, Inc.
4229, Garlock Street
Sherbrooke (Quebec)
Canada
Phone: (819) 829-8749
"
DESCRIPTION " Network Firewall
The Network Firewall (NFW) service allows the administrator to
filter traffic that is routed between networks.
"
::= { mediatrixServices 2250 }
-- Root of all objects defined in this module.
nfwMIBObjects OBJECT IDENTIFIER ::= { nfwMIB 1 }
-- Scalar:Configuration Modified Status
-- Review note: the codes are yes(100)/no(200), this module's own convention,
-- not TruthValue's true(1)/false(2). The "1." and "2." in the DESCRIPTION
-- number the bullets and do not correspond to the integer codes.
-- Review note: per the DESCRIPTION, writes to networkRulesTable and
-- defaultPolicy are not enforced until the Nfw.ApplyConfig command is
-- issued. A value of yes therefore means the running firewall differs from
-- the configured rules; a persistent yes is worth alerting on.
configModifiedStatus OBJECT-TYPE
SYNTAX INTEGER { yes(100) , no(200) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Configuration Modified Status
Shows whether or not the Network Firewall configuration has been
modified without being applied.
1. Yes: The configuration has been modified but it has not been
applied.
2. No: The Network Firewall service uses the configured rules.
Use the Nfw.ApplyConfig command to apply the configuration.
"
::= { nfwMIBObjects 100 }
-- *****************************************************************************
-- Table:Network Rules Status
-- *****************************************************************************
-- Read-only view of the rules currently applied in the firewall.
-- Review note: networkRulesTable (further down) holds the configured rules;
-- comparing the two, together with configModifiedStatus, reveals rules that
-- were written but not yet applied. This table has no row-command columns
-- and its OCTET STRING columns carry no SIZE constraint, unlike the
-- configured-rule columns.
networkRulesStatusTable OBJECT-TYPE
SYNTAX SEQUENCE OF NetworkRulesStatusEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION " Network Rules Status
This table shows the network rules applied in the firewall.
"
::= { nfwMIBObjects 200 }
-- One applied rule, indexed by its priority.
networkRulesStatusEntry OBJECT-TYPE
SYNTAX NetworkRulesStatusEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION " A row in table Network Rules Status. "
INDEX {
networkRulesStatusPriority
}
::= { networkRulesStatusTable 1 }
-- Column layout of an applied-rule row.
NetworkRulesStatusEntry ::= SEQUENCE
{
networkRulesStatusPriority Unsigned32,
networkRulesStatusSourceAddress OCTET STRING,
networkRulesStatusSourcePort OCTET STRING,
networkRulesStatusDestinationAddress OCTET STRING,
networkRulesStatusDestinationPort OCTET STRING,
networkRulesStatusProtocol INTEGER,
networkRulesStatusConnectionState INTEGER,
networkRulesStatusBlacklistEnable MxEnableState,
networkRulesStatusRateLimitValue Unsigned32,
networkRulesStatusRateLimitTimePeriod Unsigned32,
networkRulesStatusAction INTEGER
}
-- Index:Rule Priority
-- Review note: the priority is also the row index. Whether a lower value
-- is evaluated first is not stated in this MIB; confirm with the product
-- documentation before relying on rule ordering.
networkRulesStatusPriority OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Rule Priority
Unique identifier of the row in the table.
"
::= { networkRulesStatusEntry 100 }
-- Columnar:Source Address
-- Review note: an empty string is a wildcard. A rule whose source address,
-- destination address and protocol are all wildcards matches every forwarded
-- packet, so such rows deserve particular scrutiny in an audit.
-- Unlike networkRulesSourceAddress there is no SIZE constraint here.
networkRulesStatusSourceAddress OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Source Address
Source address[/mask] criteria an incoming packet must have to
match this rule.
An empty string matches any address.
"
::= { networkRulesStatusEntry 200 }
-- Columnar:Source Port
-- Review note: per the DESCRIPTION this criterion is ignored unless the
-- rule's Protocol is tcp or udp. A port value on an icmp or all rule gives
-- no filtering at all, which is easy to overlook when reading the table.
networkRulesStatusSourcePort OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Source Port
Source port[-port] criteria an incoming packet must have to
match this rule.
MinPort-MaxPort specifies a port range.
An empty string means that no filtering is applied on the
source port thus matching any port.
This parameter is only effective when the
NetworkRulesStatus.Protocol parameter is set to Tcp or Udp.
"
::= { networkRulesStatusEntry 300 }
-- Columnar:Destination Address
-- Review note: empty string is a wildcard, as for the source address.
-- No SIZE constraint here, unlike networkRulesDestinationAddress.
networkRulesStatusDestinationAddress OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Destination Address
Destination address[/mask] criteria an incoming packet must
have to match this rule.
An empty string matches any address.
"
::= { networkRulesStatusEntry 400 }
-- Columnar:Destination Port
-- Review note: only effective for tcp and udp rules (see DESCRIPTION); the
-- same caveat as networkRulesStatusSourcePort applies.
networkRulesStatusDestinationPort OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Destination Port
Destination port[-port] criteria an incoming packet must have
to match this rule.
MinPort-MaxPort specifies a port range.
An empty string means that no filtering is applied on the
destination port thus matching any port.
This parameter is only effective when the
NetworkRulesStatus.Protocol parameter is set to Tcp or Udp.
"
::= { networkRulesStatusEntry 500 }
-- Columnar:Protocol
-- Review note: only tcp, udp and icmp can be selected individually; any
-- other IP protocol is reachable only through all, so it cannot be filtered
-- separately from the rest.
networkRulesStatusProtocol OBJECT-TYPE
SYNTAX INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Protocol
Protocol criteria an incoming packet must have to match this
rule.
The protocol can be one of the following:
* All: Match packets using any protocols.
* Tcp: Only match TCP packets.
* Udp: Only match UDP packets.
* Icmp: Only match ICMP packets.
"
::= { networkRulesStatusEntry 600 }
-- Columnar:Connection State
-- Review note: a DEFVAL on a read-only status column is informational only;
-- it mirrors the DEFVAL of networkRulesConnectionState. This object carries
-- OID 650, i.e. it was added after the 100..700 columns around it.
networkRulesStatusConnectionState OBJECT-TYPE
SYNTAX INTEGER { all(100) , new(200) , establishedOrRelated(300) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Connection State
Connection state associated with the incoming packet.
The connection state can be one of the following:
* All: Match packets in any state.
* New: Match packets that are not part of an existing
connection.
* EstablishedOrRelated: Match packets that are part of an
existing connection.
"
DEFVAL { all }
::= { networkRulesStatusEntry 650 }
-- Columnar:Blacklist Enable
-- Review note: blacklisting is keyed on the packet's source IP address. How
-- long an address stays blocked is governed by blacklistTimeout, or by
-- blacklistRateLimitTimeout when the rule also rate limits (see the Note in
-- the DESCRIPTION and the Blacklist group below).
networkRulesStatusBlacklistEnable OBJECT-TYPE
SYNTAX MxEnableState
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Blacklist Enable
Indicates if blacklisting is enabled for this rule.
* Enable: When a packet establishing a connection matches
this rule, the action is executed and the source IP address
is added to the blacklist.
* Disable: When a packet establishing a connection matches
this rule, the action is executed but the source IP address
is not added to the blacklist.
Note: If rate limiting is enabled for this rule, blacklisted IP
addresses are added to the rate limit blacklist.
"
::= { networkRulesStatusEntry 660 }
-- Columnar:Rate Limit Value
-- Review note: the count is per source IP address within
-- networkRulesStatusRateLimitTimePeriod seconds; range 1..5000.
networkRulesStatusRateLimitValue OBJECT-TYPE
SYNTAX Unsigned32 ( 1..5000 )
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Rate Limit Value
Number of packets allowed to match this rule from a single
source IP address within a certain time period.
"
::= { networkRulesStatusEntry 670 }
-- Columnar:Rate Limit Time Period
-- Review note: the example here says "10 new connections per minute" while
-- its configured-table twin networkRulesRateLimitTimePeriod says "10 packets
-- per minute". Both describe the same mechanism; since the RateLimitPerSource
-- action is only allowed with ConnectionState set to New (see
-- networkRulesAction), the counted packets are connection-initiating ones.
networkRulesStatusRateLimitTimePeriod OBJECT-TYPE
SYNTAX Unsigned32 ( 1..86400 )
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Rate Limit Time Period
The time period on which to base the rate limit. This period is
expressed in seconds.
Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60
means a limit of 10 new connections per minute.
"
::= { networkRulesStatusEntry 680 }
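-- Columnar:Action
-- Review note: the SYNTAX enumerates rateLimitPerSource(400) but the
-- original DESCRIPTION documented only the first three values; the bullet
-- below is taken from the configured-table twin networkRulesAction so that
-- the two columns describe the same set of actions.
-- Review note: Reject answers with an ICMP port unreachable, which tells the
-- sender that a filter exists; Drop is silent. Prefer Drop where the
-- existence of the filter should not be disclosed.
networkRulesStatusAction OBJECT-TYPE
SYNTAX INTEGER { accept(100) , reject(200) , drop(300) ,
rateLimitPerSource(400) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Action
Action taken when this rule matches a packet.
Action can be one of the following:
* Accept: Let the packet through.
* Reject: Send back an ICMP port unreachable in response to
the matched packet, the packet is then dropped.
* Drop: The packet is dropped without any notification.
* RateLimitPerSource: Drop the packets received from a given
source IP address when it exceeds a configurable rate. The
rate is set using the RateLimitValue and
RateLimitTimePeriod parameters.
"
::= { networkRulesStatusEntry 700 }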
-- End of table:Network Rules Status
-- Scalar:Network Firewall Default Policy
-- Review note: DEFVAL drop means the firewall fails closed for traffic no
-- rule matches; reject is deliberately not offered here. Keep drop and add
-- explicit accept rules rather than following the "no filtering" recipe in
-- the DESCRIPTION unless unfiltered forwarding is really intended.
-- Review note: the address columns of networkRulesTable document that a rule
-- bound to a network interface name is automatically disabled when that
-- interface is disabled or removed. With this policy set to accept such a
-- disablement silently widens what is forwarded; with drop it narrows it.
-- Like the rule table, a write here takes effect only after Nfw.ApplyConfig
-- (see configModifiedStatus).
defaultPolicy OBJECT-TYPE
SYNTAX INTEGER { accept(100) , drop(300) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Network Firewall Default Policy
Action taken when a packet does not match any rule.
Default policy can be one of the following:
* Accept: Let the packet through.
* Drop: The packet is dropped without any notification.
To have no filtering applied to forwarded packets, set the
default policy to 'Accept' and remove all rules from the network
firewall.
"
DEFVAL { drop }
::= { nfwMIBObjects 550 }
-- *****************************************************************************
-- Table:Network Rules
-- *****************************************************************************
-- Configured (not necessarily applied) firewall rules.
-- Review note: every column except the index is read-write, so SNMP write
-- access to this subtree is full control of the forwarding policy; restrict
-- it with the agent's access control (e.g. SNMPv3 views) and monitor sets.
-- Rows are created and removed through the Insert/Delete command columns
-- rather than a RowStatus column, and nothing written here is enforced until
-- Nfw.ApplyConfig (see configModifiedStatus).
-- The SEQUENCE lists the columns in a different order from their OIDs
-- (Up is 900, Down 1000, Insert 1100, Delete 1200); this is cosmetic.
networkRulesTable OBJECT-TYPE
SYNTAX SEQUENCE OF NetworkRulesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION " Network Rules
This table shows the configured network rules for the
firewall.
"
::= { nfwMIBObjects 600 }
-- One configured rule, indexed by its priority.
networkRulesEntry OBJECT-TYPE
SYNTAX NetworkRulesEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION " A row in table Network Rules. "
INDEX {
networkRulesPriority
}
::= { networkRulesTable 1 }
-- Column layout of a configured-rule row.
NetworkRulesEntry ::= SEQUENCE
{
networkRulesPriority Unsigned32,
networkRulesActivation MxEnableState,
networkRulesSourceAddress OCTET STRING,
networkRulesSourcePort OCTET STRING,
networkRulesDestinationAddress OCTET STRING,
networkRulesDestinationPort OCTET STRING,
networkRulesProtocol INTEGER,
networkRulesBlacklistEnable MxEnableState,
networkRulesRateLimitValue Unsigned32,
networkRulesRateLimitTimePeriod Unsigned32,
networkRulesConnectionState INTEGER,
networkRulesAction INTEGER,
networkRulesUp INTEGER,
networkRulesDown INTEGER,
networkRulesInsert INTEGER,
networkRulesDelete INTEGER
}
-- Index:Rule Priority
-- Review note: read-only index; the Up/Down command columns are the only
-- documented way to change a rule's position. Evaluation order relative to
-- the priority value is not stated in this MIB.
networkRulesPriority OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Rule Priority
Unique identifier of the row in the table.
"
::= { networkRulesEntry 100 }
-- Row command:Down
-- Review note: write-triggered command; writing down(10) performs the move,
-- noOp(0) is the resting value. Whether a subsequent read returns noOp is
-- not stated (presumably yes; confirm against the agent).
networkRulesDown OBJECT-TYPE
SYNTAX INTEGER { noOp(0), down(10) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Down
Moves the current row downwards.
"
DEFVAL { noOp }
::= { networkRulesEntry 1000 }
-- Row command:Insert
-- Review note: creates a new row before this one. The new row presumably
-- starts from the column DEFVALs (Activation disable, Action accept, all
-- criteria empty, i.e. match anything); confirm before relying on it. Because
-- Activation defaults to disable, an inserted row is inert until enabled and
-- the configuration is applied.
networkRulesInsert OBJECT-TYPE
SYNTAX INTEGER { noOp(0), insert(10) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Insert
Inserts a new row before this row.
"
DEFVAL { noOp }
::= { networkRulesEntry 1100 }
-- Row command:Delete
-- Review note: removing the last rule while defaultPolicy is accept leaves
-- forwarding unfiltered (the defaultPolicy DESCRIPTION spells this out), so
-- deletions should be reviewed together with the default policy.
networkRulesDelete OBJECT-TYPE
SYNTAX INTEGER { noOp(0), delete(10) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Delete
Deletes this row.
"
DEFVAL { noOp }
::= { networkRulesEntry 1200 }
-- Columnar:Activation
-- Review note: DEFVAL disable, so a rule must be enabled explicitly (and the
-- configuration applied) before it has any effect. The address columns
-- describe rules being automatically disabled when a referenced interface
-- disappears; whether that is reflected in this object's value is not stated.
networkRulesActivation OBJECT-TYPE
SYNTAX MxEnableState
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Activation
Activates this rule.
* Enable: This rule is active in the firewall.
* Disable: This rule is not in the firewall.
"
DEFVAL { disable }
::= { networkRulesEntry 200 }
-- Columnar:Source Address
-- Review note: three forms are accepted: a host address, address/prefixlen,
-- or an interface name followed by '/'. The interface form binds the rule to
-- the BNI service's networkInterfacesStatusTable.InterfaceName and is
-- auto-disabled when that interface is disabled or removed; with
-- defaultPolicy accept this fails open, so prefer explicit addresses for
-- rules that must never lapse, or keep the default policy at drop.
-- The default empty string matches any address. The 51-octet limit bounds
-- the string, not its validity; the agent's parsing of malformed values is
-- not described here.
networkRulesSourceAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE(0..51) )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Source Address
Source address of the incoming packet using the following
format: address[/mask] or network interface name/.
Address can be either a network IP address (using /mask) or one
of the host IP addresses.
When specifying a network interface name, it is mandatory to
use the suffix '/'. Doing so indicates that the network address
of this interface is used instead of the host address. Also, it
must match one of the values in the
networkInterfacesStatusTable.InterfaceName parameter from the
Basic Network Interface (BNI) service. Note that if the
specified network interface is disabled or removed, the rule is
automatically disabled thus removed from the firewall. When the
network interface is enabled or added back, the rule is
automatically enabled and applied in the firewall.
Mask must be a plain number specifying the number of binary 1s
at the left side of the network mask. E.g.: a mask of 24
specifies a network mask of 255.255.255.0.
Leaving the default empty string matches any address.
"
DEFVAL { "" }
::= { networkRulesEntry 300 }
-- Columnar:Source Port
-- Review note: SIZE(0..11) is exactly enough for "65535-65535". The format
-- is a single port or one range; there is no list syntax, so several
-- disjoint ports need several rules. Ignored unless Protocol is tcp or udp.
networkRulesSourcePort OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE(0..11) )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Source Port
Source port of the incoming packet using the following format:
port[-port].
MinPort-MaxPort specifies a port range.
The default empty string means that no filtering is applied on
the source port thus matching any port.
This parameter is only effective when the NetworkRules.Protocol
parameter is set to Tcp or Udp.
"
DEFVAL { "" }
::= { networkRulesEntry 400 }
-- Columnar:Destination Address
-- Review note: same three forms and the same interface auto-disable
-- behaviour as networkRulesSourceAddress; the fail-open caveat with
-- defaultPolicy accept applies here too. Default empty string matches any
-- address.
networkRulesDestinationAddress OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE(0..51) )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Destination Address
Destination address of the incoming packet using the following
format: address[/mask] or network interface name/.
The address can either be a network IP address (using /mask) or
one of the host IP addresses.
When specifying a network interface name, it is mandatory to
use the suffix '/'. Doing so indicates that the network address
of this interface is used instead of the host address. Also, it
must match one of the values in the
networkInterfacesStatusTable.InterfaceName parameter from the
Basic Network Interface (BNI) service. Note that if the
specified network interface is disabled or removed, the rule is
automatically disabled thus removed from the firewall. When the
network interface is enabled or added back, the rule is
automatically enabled and applied in the firewall.
Mask must be a plain number specifying the number of binary 1s
at the left side of the network mask. E.g.: a mask of 24
specifies a network mask of 255.255.255.0.
Leaving the default empty string matches any address.
"
DEFVAL { "" }
::= { networkRulesEntry 500 }
-- Columnar:Destination Port
-- Review note: single port or one range, at most 11 octets; ignored unless
-- Protocol is tcp or udp (see networkRulesSourcePort).
networkRulesDestinationPort OBJECT-TYPE
SYNTAX OCTET STRING ( SIZE(0..11) )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Destination Port
Destination port of the incoming packet using the following
format: port[-port].
MinPort-MaxPort specifies a port range.
The default empty string means that no filtering is applied on
the destination port thus matching any port.
This parameter is only effective when the NetworkRules.Protocol
parameter is set to Tcp or Udp.
"
DEFVAL { "" }
::= { networkRulesEntry 600 }
-- Columnar:Protocol
-- Review note: DEFVAL all. Only tcp, udp and icmp can be selected on their
-- own; other IP protocols are matched only through all. Port criteria on
-- this row are ignored unless tcp or udp is chosen.
networkRulesProtocol OBJECT-TYPE
SYNTAX INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Protocol
Protocol of the incoming packet.
The protocol can be one of the following:
* All: Match packets using any protocols.
* Tcp: Only match TCP packets.
* Udp: Only match UDP packets.
* Icmp: Only match ICMP packets.
"
DEFVAL { all }
::= { networkRulesEntry 700 }
-- Columnar:Blacklist Enable
-- Review note: DEFVAL disable. When enabled, a connection-establishing match
-- adds the source IP to the blacklist for blacklistTimeout seconds (or to the
-- rate-limit blacklist, governed by blacklistRateLimitTimeout, when the rule
-- rate limits). The blacklist is keyed on source address, so hosts sharing
-- one address are affected together; size the timeouts accordingly.
networkRulesBlacklistEnable OBJECT-TYPE
SYNTAX MxEnableState
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Blacklist Enable
Indicates if blacklisting is enabled for this rule.
* Enable: When a packet establishing a connection matches
this rule, the action is executed and the source IP address
is added to the blacklist.
* Disable: When a packet establishing a connection matches
this rule, the action is executed but the source IP address
is not added to the blacklist.
Note: If rate limiting is enabled for this rule, blacklisted IP
addresses are added to the rate limit blacklist.
"
DEFVAL { disable }
::= { networkRulesEntry 720 }
-- Columnar:Rate Limit Value
-- Review note: DEFVAL 10 per source address per
-- networkRulesRateLimitTimePeriod; range 1..5000. Only meaningful when
-- Action is rateLimitPerSource.
networkRulesRateLimitValue OBJECT-TYPE
SYNTAX Unsigned32 ( 1..5000 )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Rate Limit Value
Number of packets allowed to match this rule from a single
source IP address within a certain time period.
"
DEFVAL { 10 }
::= { networkRulesEntry 730 }
-- Columnar:Rate Limit Time Period
-- Review note: DEFVAL 60 seconds, range 1..86400. The example says "10
-- packets per minute" whereas the status twin says "10 new connections per
-- minute"; the two describe the same limit.
networkRulesRateLimitTimePeriod OBJECT-TYPE
SYNTAX Unsigned32 ( 1..86400 )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Rate Limit Time Period
The time period on which to base the rate limit. This period is
expressed in seconds.
Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60
means a limit of 10 packets per minute.
"
DEFVAL { 60 }
::= { networkRulesEntry 740 }
-- Columnar:Connection State
-- Review note: DEFVAL all. networkRulesAction states that rateLimitPerSource
-- is only allowed with new; whether the agent refuses an inconsistent pair at
-- set time or only at Nfw.ApplyConfig is not stated here.
networkRulesConnectionState OBJECT-TYPE
SYNTAX INTEGER { all(100) , new(200) , establishedOrRelated(300) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Connection State
Connection state associated with the incoming packet.
The connection state can be one of the following:
* All: Match packets in any state.
* New: Match packets that are not part of an existing
connection.
* EstablishedOrRelated: Match packets that are part of an
existing connection.
"
DEFVAL { all }
::= { networkRulesEntry 750 }
-- Columnar:Action
-- Review note: DEFVAL accept, so a freshly inserted row, once activated,
-- permits whatever its (by default wildcard) criteria match unless the action
-- is changed first. Reject discloses the filter by answering with ICMP port
-- unreachable; Drop is silent. rateLimitPerSource requires ConnectionState
-- new and uses the RateLimitValue / RateLimitTimePeriod columns.
networkRulesAction OBJECT-TYPE
SYNTAX INTEGER { accept(100) , reject(200) , drop(300) ,
rateLimitPerSource(400) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Action
Action taken when this rule matches a packet.
Action can be one of the following:
* Accept: Let the packet through.
* Reject: Send back an ICMP port unreachable in response to
the matched packet, the packet is then dropped.
* Drop: The packet is dropped without any notification.
* RateLimitPerSource: Drop the packets received from a given
source IP address when it exceeds a configurable rate. The
rate is set using the RateLimitValue and
RateLimitTimePeriod parameters.
Note: This action is only allowed when the ConnectionState
parameter is set to 'New'.
"
DEFVAL { accept }
::= { networkRulesEntry 800 }
-- Row command:Up
-- Review note: write-triggered command, counterpart of networkRulesDown;
-- writing up(10) performs the move, noOp(0) is the resting value.
networkRulesUp OBJECT-TYPE
SYNTAX INTEGER { noOp(0), up(10) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Up
Moves the current row upwards.
"
DEFVAL { noOp }
::= { networkRulesEntry 900 }
-- End of table:Network Rules
-- ****************************************************************************
-- Group:Blacklist
-- ****************************************************************************
-- Timers for the two source-address blacklists.
blacklistGroup OBJECT IDENTIFIER
::= { nfwMIBObjects 700 }
-- Scalar:Blacklist Timeout
-- Review note: the remaining time is reset to this value on every packet
-- from a blacklisted source, so a source that keeps sending stays blocked
-- indefinitely; contrast blacklistRateLimitTimeout, which does not reset.
-- Range 1..86400 seconds (24 h), DEFVAL 60.
blacklistTimeout OBJECT-TYPE
SYNTAX Unsigned32 ( 1..86400 )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Blacklist Timeout
The time an address stays in the blacklist. If Nfw receives a
packet from a blacklisted source, the packet is dropped and
the remaining blacklist time is reset to this value.
The time units are seconds.
"
DEFVAL { 60 }
::= { blacklistGroup 100 }
-- Scalar:Blacklist Rate Limit Timeout
-- Review note: unlike blacklistTimeout, further packets do not extend the
-- block, so a rate-limited source is released after this fixed interval even
-- if it never stopped sending. Range 1..86400 seconds, DEFVAL 60.
blacklistRateLimitTimeout OBJECT-TYPE
SYNTAX Unsigned32 ( 1..86400 )
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Blacklist Rate Limit Timeout
The time an address stays in the 'rate limit' blacklist. If
Nfw receives a packet from a 'rate limit' blacklisted source,
the packet is dropped and the remaining blacklist time stays
the same.
The time units are seconds.
"
DEFVAL { 60 }
::= { blacklistGroup 200 }
-- End of group:Blacklist
-- ****************************************************************************
-- Group:Notification Messages Configuration
-- ****************************************************************************
-- Notification message settings for this service.
notificationsGroup OBJECT IDENTIFIER
::= { nfwMIBObjects 60010 }
-- Scalar:Minimal Severity of Notification
-- Review note: DEFVAL warning. This MIB does not say at which severity the
-- firewall reports dropped, rejected or blacklisted traffic; if those events
-- feed detection, confirm their severity before relying on the default, and
-- treat a change to disable(0) as noteworthy since it silences the service.
-- disable(0) sits outside the 100-step code pattern used by the other values.
minSeverity OBJECT-TYPE
SYNTAX INTEGER { disable(0) , debug(100) , info(200) , warning(300) ,
error(400) , critical (500) }
MAX-ACCESS read-write
STATUS current
DESCRIPTION " Minimal Severity of Notification
Sets the minimal severity to issue a notification message
incoming from this service.
* Disable: No notification is issued.
* Debug: All notification messages are issued.
* Info: Notification messages with a 'Informational' and
higher severity are issued.
* Warning: Notification messages with a 'Warning' and higher
severity are issued.
* Error: Notification messages with an 'Error' and higher
severity are issued.
* Critical: Notification messages with a 'Critical' severity
are issued.
"
DEFVAL { warning }
::= { notificationsGroup 100 }
-- End of group:Notification Messages Configuration
-- ****************************************************************************
-- Group:Configuration Settings
-- ****************************************************************************
-- Service-level configuration state.
configurationGroup OBJECT IDENTIFIER
::= { nfwMIBObjects 60020 }
-- Scalar:Need Restart
-- Review note: codes are no(0)/yes(100), whereas configModifiedStatus uses
-- yes(100)/no(200); tooling must map each object separately rather than
-- assuming one boolean convention. A restart is done through
-- Scm.ServiceCommands.Restart (per DESCRIPTION); this MIB does not say
-- whether filtering continues during the restart.
needRestartInfo OBJECT-TYPE
SYNTAX INTEGER { no(0) , yes(100) }
MAX-ACCESS read-only
STATUS current
DESCRIPTION " Need Restart
Indicates if the service needs to be restarted for the
configuration to fully take effect.
* Yes: Service needs to be restarted.
* No: Service does not need to be restarted.
Services can be restarted by using the
Scm.ServiceCommands.Restart command.
"
::= { configurationGroup 100 }
-- End of group:Configuration Settings
END