|
|
@@ -1,6 +1,6 @@
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
|
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
|
|
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="24" lastModified="1582232065" id="root">
|
|
|
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="24" lastModified="1584393142" id="root">
|
|
|
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
|
|
|
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
|
|
|
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
|
|
|
@@ -2117,6 +2117,11 @@
|
|
|
<IPv6 id="id4185X2148" name="web01:eth0:ipv6-c" comment="" ro="False" address="2a01:4f8:201:142d::10:c" netmask="112"/>
|
|
|
<IPv4 id="id4102X50770" name="web02:eth0:ip" comment="" ro="False" address="192.168.122.19" netmask="255.255.255.0"/>
|
|
|
<IPv4 id="id6932X4137" name="yuvashakti01:eth0:ip" comment="" ro="False" address="192.168.122.200" netmask="255.255.255.0"/>
|
|
|
+ <Policy id="id13497X2190" name="Policy_ipv6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="False">
|
|
|
+ <RuleSetOptions>
|
|
|
+ <Option name="mangle_only_rule_set">False</Option>
|
|
|
+ </RuleSetOptions>
|
|
|
+ </Policy>
|
|
|
</Library>
|
|
|
<Library id="id1582X5690" color="#d2ffd0" name="User" comment="" ro="False">
|
|
|
<ObjectGroup id="id1583X5690" name="Objects" comment="" ro="False">
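Review bot: The new `Policy_ipv6` rule set (`id13497X2190`) is placed inside the `Standard` library, which is marked `ro="True"`, rather than under a firewall object, so it is never compiled into any script and is an orphan — presumably it was created in the wrong tree while the firewall's own `Policy_IPv6` was being built in this same change set. Delete it, or if it is meant as a reusable template give it a comment that says so, e.g. `comment="Template: empty IPv6 policy, not attached to any firewall"`, so the next reviewer does not mistake it for the live IPv6 policy.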
|
|
|
@@ -2224,7 +2229,7 @@
|
|
|
<Host id="id8526X5690" name="mail01" comment="This host is used in examples and template objects" ro="False">
|
|
|
<Interface id="id8528X5690" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
|
|
|
<IPv4 id="id11185X65696" name="mail01:eth0:ip-new" comment="" ro="False" address="10.64.1.20" netmask="255.255.255.0"/>
|
|
|
- <IPv6 id="id11202X65696" name="mail01:eth0:ipv6-new" comment="" ro="False" address="2a01:4f9:2a:a55::10:20" netmask="128"/>
|
|
|
+ <IPv6 id="id11202X65696" name="mail01:eth0:ipv6" comment="" ro="False" address="2a01:4f9:2a:a55::10:20" netmask="128"/>
|
|
|
<InterfaceOptions/>
|
|
|
</Interface>
|
|
|
<Management address="192.168.1.10">
|
|
|
@@ -2443,7 +2448,7 @@
|
|
|
<ServiceGroup id="id1599X5690" name="TagServices" comment="" ro="False"/>
|
|
|
</ServiceGroup>
|
|
|
<ObjectGroup id="id1600X5690" name="Firewalls" comment="" ro="False">
|
|
|
- <Firewall id="id8899X28426" host_OS="linux24" inactive="False" lastCompiled="1583313823" lastInstalled="1583313835" lastModified="1583313815" platform="iptables" version="" name="kvmhost02" comment="" ro="False">
|
|
|
+ <Firewall id="id8899X28426" host_OS="linux24" inactive="False" lastCompiled="1584394462" lastInstalled="1584394481" lastModified="1584394452" platform="iptables" version="" name="kvmhost02" comment="" ro="False">
|
|
|
<NAT id="id13393X65696" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
|
|
|
<NATRule id="id13395X65696" disabled="False" group="outgoing NAT" position="0" action="Translate" comment="NAT all outgoing mail traffic to mail IP">
|
|
|
<OSrc neg="False">
|
|
|
@@ -2477,7 +2482,7 @@
|
|
|
<ObjectRef ref="id11343X65696"/>
|
|
|
</OSrc>
|
|
|
<ODst neg="False">
|
|
|
- <ObjectRef ref="id4422X5690"/>
|
|
|
+ <ObjectRef ref="id11343X65696"/>
|
|
|
</ODst>
|
|
|
<OSrv neg="False">
|
|
|
<ServiceRef ref="sysid1"/>
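Review bot: After this change the rule's original source and original destination are the same object, `id11343X65696`, so the translation only matches traffic whose destination is also inside that object, not "all outgoing" traffic as the `outgoing NAT` group suggests; if the object is the internal network this is hairpin NAT, and if any destination was intended `ODst` should be `Any` (`sysid0`) instead. The rule header and its translated-address elements are outside this hunk, so I cannot tell which NAT rule this is. Whichever it is, state the intent in the comment, e.g. `comment="Hairpin NAT: internal-to-internal traffic rewritten to mail IP"`, so the self-referencing match is not "fixed" back later.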
|
|
|
@@ -2499,7 +2504,7 @@
|
|
|
</ItfOutb>
|
|
|
<NATRuleOptions/>
|
|
|
</NATRule>
|
|
|
- <NATRule id="id12515X6099" disabled="False" group="outgoing NAT" position="2" action="Translate" comment="NAT all outgoing traffic">
|
|
|
+ <NATRule id="id12515X6099" disabled="True" group="outgoing NAT" position="2" action="Translate" comment="NAT all outgoing traffic">
|
|
|
<OSrc neg="False">
|
|
|
<ObjectRef ref="id11343X65696"/>
|
|
|
</OSrc>
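Review bot: Disabling the catch-all `NAT all outgoing traffic` rule (`id12515X6099`) leaves the `outgoing NAT` group with only the rules ahead of it, and no replacement rule is visible in this change; a guest on 192.168.122.0/24 that those rules do not match now leaves the host with a private source address and is dropped upstream rather than masqueraded. Disabled rules also tend to be re-enabled by accident later, so either delete the rule or record the reason in its comment, e.g. `comment="NAT all outgoing traffic - DISABLED, superseded by the per-network rules above"`, adjusted to the real reason.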
|
|
|
@@ -2522,7 +2527,7 @@
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</ItfInb>
|
|
|
<ItfOutb neg="False">
|
|
|
- <ObjectRef ref="id8907X28426"/>
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
</ItfOutb>
|
|
|
<NATRuleOptions/>
|
|
|
</NATRule>
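Review bot: Widening `ItfOutb` from the specific interface `id8907X28426` to `Any` (`sysid0`) makes this SNAT apply on every outbound interface, including the internal/VM-bridge ones, so traffic the firewall forwards between internal segments would have its source rewritten as well; that hides the real origin from the receiving host's logs and breaks any source-based allow lists there. If this is the same rule that the preceding hunk disables it is moot for now, but it will bite the moment the rule is re-enabled. Keep the outbound interface pinned to the external interface unless hairpin translation is intended, and if it is, say so in the rule comment.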
|
|
|
@@ -2603,7 +2608,7 @@
|
|
|
<ObjectRef ref="sysid0"/>
|
|
|
</ItfInb>
|
|
|
<ItfOutb neg="False">
|
|
|
- <ObjectRef ref="sysid0"/>
|
|
|
+ <ObjectRef ref="id8907X28426"/>
|
|
|
</ItfOutb>
|
|
|
<NATRuleOptions/>
|
|
|
</NATRule>
|
|
|
@@ -3000,7 +3005,7 @@
|
|
|
</NATRule>
|
|
|
<RuleSetOptions/>
|
|
|
</NAT>
|
|
|
- <Policy id="id8901X28426" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
|
+ <Policy id="id8901X28426" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
|
|
|
<PolicyRule id="id10952X28426" disabled="False" group="Firewall" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id8899X28426"/>
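Review bot: Switching `Policy` (`id8901X28426`) from a mixed rule set (both flags `False`) to `ipv4_rule_set="True"` means none of its rules are emitted for ip6tables any more, while the only IPv6 rule set in this change, `Policy_IPv6`, has every rule disabled and `top_rule_set="False"`. The firewall's IPv6 behaviour therefore depends entirely on what the generated script does with the ip6tables default chain policies, which is not visible here; after installing, confirm with `ip6tables -S` on kvmhost02 that INPUT and FORWARD are not left at ACCEPT, since this environment carries globally routable IPv6 addresses (e.g. `2a01:4f9:2a:a55::10:20` on mail01). Rules in this set whose source or destination is only an IPv6 object, such as the `From ipv6 Network` rule using `id11367X65696`, will presumably be dropped by the compiler with a warning rather than an error, so check the compile log for them.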
|
|
|
@@ -3617,7 +3622,7 @@
|
|
|
<Option name="stateless">False</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <PolicyRule id="id12677X6099" disabled="False" group="outgoing traffic" log="True" position="24" action="Accept" direction="Both" comment="From ipv6 Network">
|
|
|
+ <PolicyRule id="id12677X6099" disabled="False" group="outgoing traffic" log="True" position="24" action="Accept" direction="Outbound" comment="From ipv6 Network">
|
|
|
<Src neg="False">
|
|
|
<ObjectRef ref="id11367X65696"/>
|
|
|
</Src>
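Review bot: Tightening rule `id12677X6099` to `direction="Outbound"` is the right change, but the rule now lives in a rule set that this same change marks `ipv4_rule_set="True"` while its source `id11367X65696` is referred to elsewhere in the diff as the internal IPv6 network, so the rule likely compiles to nothing and the tightening has no effect on the installed ruleset. Its IPv6 counterpart, the position-4 rule of `Policy_IPv6`, is disabled. Either enable the copy in the IPv6 set and drop this one, or document on whichever copy stays why it exists, e.g. `comment="From ipv6 Network - outbound only; live copy is in Policy_IPv6"`.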
|
|
|
@@ -3682,9 +3687,189 @@
|
|
|
<Option name="ulog_nlgroup">1</Option>
|
|
|
</PolicyRuleOptions>
|
|
|
</PolicyRule>
|
|
|
- <RuleSetOptions/>
|
|
|
+ <RuleSetOptions>
|
|
|
+ <Option name="mangle_only_rule_set">False</Option>
|
|
|
+ </RuleSetOptions>
|
|
|
+ </Policy>
|
|
|
+ <Policy id="id13633X2190" name="Policy_IPv6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="False">
|
|
|
+ <PolicyRule id="id13705X2190" disabled="True" group="Firewall" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
|
|
|
+ <Src neg="False">
|
|
|
+ <ObjectRef ref="id8899X28426"/>
|
|
|
+ <ObjectRef ref="id11367X65696"/>
|
|
|
+ </Src>
|
|
|
+ <Dst neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </Dst>
|
|
|
+ <Srv neg="False">
|
|
|
+ <ServiceRef ref="sysid1"/>
|
|
|
+ </Srv>
|
|
|
+ <Itf neg="False">
|
|
|
+ <ObjectRef ref="id8907X28426"/>
|
|
|
+ </Itf>
|
|
|
+ <When neg="False">
|
|
|
+ <IntervalRef ref="sysid2"/>
|
|
|
+ </When>
|
|
|
+ <PolicyRuleOptions>
|
|
|
+ <Option name="color">#C86E6E</Option>
|
|
|
+ <Option name="connlimit_above_not">False</Option>
|
|
|
+ <Option name="connlimit_masklen">0</Option>
|
|
|
+ <Option name="connlimit_value">0</Option>
|
|
|
+ <Option name="firewall_is_part_of_any_and_networks"/>
|
|
|
+ <Option name="hashlimit_burst">0</Option>
|
|
|
+ <Option name="hashlimit_dstlimit">False</Option>
|
|
|
+ <Option name="hashlimit_expire">0</Option>
|
|
|
+ <Option name="hashlimit_gcinterval">0</Option>
|
|
|
+ <Option name="hashlimit_max">0</Option>
|
|
|
+ <Option name="hashlimit_mode_dstip">False</Option>
|
|
|
+ <Option name="hashlimit_mode_dstport">False</Option>
|
|
|
+ <Option name="hashlimit_mode_srcip">False</Option>
|
|
|
+ <Option name="hashlimit_mode_srcport">False</Option>
|
|
|
+ <Option name="hashlimit_name"/>
|
|
|
+ <Option name="hashlimit_size">0</Option>
|
|
|
+ <Option name="hashlimit_suffix"/>
|
|
|
+ <Option name="hashlimit_value">0</Option>
|
|
|
+ <Option name="limit_burst">0</Option>
|
|
|
+ <Option name="limit_suffix"/>
|
|
|
+ <Option name="limit_value">0</Option>
|
|
|
+ <Option name="limit_value_not">False</Option>
|
|
|
+ <Option name="log_level"/>
|
|
|
+ <Option name="log_prefix"/>
|
|
|
+ <Option name="stateless">True</Option>
|
|
|
+ <Option name="ulog_nlgroup">1</Option>
|
|
|
+ </PolicyRuleOptions>
|
|
|
+ </PolicyRule>
|
|
|
+ <PolicyRule id="id13768X2190" disabled="True" group="Firewall" log="False" position="1" action="Accept" direction="Both" comment="Internal Networks are allowed to ping the Firewall. ipv6 ping has to be stateless.">
|
|
|
+ <Src neg="False">
|
|
|
+ <ObjectRef ref="id3850X6649"/>
|
|
|
+ <ObjectRef ref="id11367X65696"/>
|
|
|
+ </Src>
|
|
|
+ <Dst neg="False">
|
|
|
+ <ObjectRef ref="id8899X28426"/>
|
|
|
+ </Dst>
|
|
|
+ <Srv neg="False">
|
|
|
+ <ServiceRef ref="ipv6-icmp-ping_reply"/>
|
|
|
+ <ServiceRef ref="ipv6-icmp-ping_request"/>
|
|
|
+ <ServiceRef ref="icmp-ping_reply"/>
|
|
|
+ <ServiceRef ref="icmp-ping_request"/>
|
|
|
+ </Srv>
|
|
|
+ <Itf neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </Itf>
|
|
|
+ <When neg="False">
|
|
|
+ <IntervalRef ref="sysid2"/>
|
|
|
+ </When>
|
|
|
+ <PolicyRuleOptions>
|
|
|
+ <Option name="classification">False</Option>
|
|
|
+ <Option name="classify_str"/>
|
|
|
+ <Option name="connlimit_above_not">False</Option>
|
|
|
+ <Option name="connlimit_masklen">0</Option>
|
|
|
+ <Option name="connlimit_value">0</Option>
|
|
|
+ <Option name="firewall_is_part_of_any_and_networks"/>
|
|
|
+ <Option name="hashlimit_burst">0</Option>
|
|
|
+ <Option name="hashlimit_dstlimit">False</Option>
|
|
|
+ <Option name="hashlimit_expire">0</Option>
|
|
|
+ <Option name="hashlimit_gcinterval">0</Option>
|
|
|
+ <Option name="hashlimit_max">0</Option>
|
|
|
+ <Option name="hashlimit_mode_dstip">False</Option>
|
|
|
+ <Option name="hashlimit_mode_dstport">False</Option>
|
|
|
+ <Option name="hashlimit_mode_srcip">False</Option>
|
|
|
+ <Option name="hashlimit_mode_srcport">False</Option>
|
|
|
+ <Option name="hashlimit_name"/>
|
|
|
+ <Option name="hashlimit_size">0</Option>
|
|
|
+ <Option name="hashlimit_suffix"/>
|
|
|
+ <Option name="hashlimit_value">0</Option>
|
|
|
+ <Option name="ipt_continue">False</Option>
|
|
|
+ <Option name="ipt_gw"/>
|
|
|
+ <Option name="ipt_iif"/>
|
|
|
+ <Option name="ipt_mark_connections">False</Option>
|
|
|
+ <Option name="ipt_oif"/>
|
|
|
+ <Option name="ipt_tee">False</Option>
|
|
|
+ <Option name="limit_burst">0</Option>
|
|
|
+ <Option name="limit_suffix"/>
|
|
|
+ <Option name="limit_value">0</Option>
|
|
|
+ <Option name="limit_value_not">False</Option>
|
|
|
+ <Option name="log_level"/>
|
|
|
+ <Option name="log_prefix"/>
|
|
|
+ <Option name="routing">False</Option>
|
|
|
+ <Option name="stateless">True</Option>
|
|
|
+ <Option name="tagging">False</Option>
|
|
|
+ <Option name="tagobject_id"/>
|
|
|
+ <Option name="ulog_nlgroup">1</Option>
|
|
|
+ </PolicyRuleOptions>
|
|
|
+ </PolicyRule>
|
|
|
+ <PolicyRule id="id14089X2190" disabled="True" group="Firewall" log="True" position="2" action="Accept" direction="Both" comment="make ipv6 work. ">
|
|
|
+ <Src neg="False">
|
|
|
+ <ObjectRef ref="id4660X39728"/>
|
|
|
+ </Src>
|
|
|
+ <Dst neg="False">
|
|
|
+ <ObjectRef ref="id8899X28426"/>
|
|
|
+ </Dst>
|
|
|
+ <Srv neg="False">
|
|
|
+ <ServiceRef ref="sg-Useful_ICMP"/>
|
|
|
+ </Srv>
|
|
|
+ <Itf neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </Itf>
|
|
|
+ <When neg="False">
|
|
|
+ <IntervalRef ref="sysid2"/>
|
|
|
+ </When>
|
|
|
+ <PolicyRuleOptions>
|
|
|
+ <Option name="stateless">False</Option>
|
|
|
+ </PolicyRuleOptions>
|
|
|
+ </PolicyRule>
|
|
|
+ <PolicyRule id="id14027X2190" disabled="True" group="VMs" log="True" position="3" action="Accept" direction="Both" comment="">
|
|
|
+ <Src neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </Src>
|
|
|
+ <Dst neg="False">
|
|
|
+ <ObjectRef ref="id8526X5690"/>
|
|
|
+ </Dst>
|
|
|
+ <Srv neg="False">
|
|
|
+ <ServiceRef ref="tcp-SMTP"/>
|
|
|
+ <ServiceRef ref="id3B4FF04C"/>
|
|
|
+ <ServiceRef ref="id3AECF776"/>
|
|
|
+ <ServiceRef ref="id3B4FED9F"/>
|
|
|
+ <ServiceRef ref="id4212X62874"/>
|
|
|
+ <ServiceRef ref="id3B4FEE1D"/>
|
|
|
+ <ServiceRef ref="id3E7553BA"/>
|
|
|
+ </Srv>
|
|
|
+ <Itf neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </Itf>
|
|
|
+ <When neg="False">
|
|
|
+ <IntervalRef ref="sysid2"/>
|
|
|
+ </When>
|
|
|
+ <PolicyRuleOptions>
|
|
|
+ <Option name="color">#C86E6E</Option>
|
|
|
+ <Option name="stateless">False</Option>
|
|
|
+ </PolicyRuleOptions>
|
|
|
+ </PolicyRule>
|
|
|
+ <PolicyRule id="id13885X2190" disabled="True" group="" log="True" position="4" action="Accept" direction="Outbound" comment="allow outgining ipv6 traffic from internal ipv6 Network.">
|
|
|
+ <Src neg="False">
|
|
|
+ <ObjectRef ref="id11367X65696"/>
|
|
|
+ </Src>
|
|
|
+ <Dst neg="False">
|
|
|
+ <ObjectRef ref="sysid0"/>
|
|
|
+ </Dst>
|
|
|
+ <Srv neg="False">
|
|
|
+ <ServiceRef ref="sysid1"/>
|
|
|
+ </Srv>
|
|
|
+ <Itf neg="False">
|
|
|
+ <ObjectRef ref="id8907X28426"/>
|
|
|
+ </Itf>
|
|
|
+ <When neg="False">
|
|
|
+ <IntervalRef ref="sysid2"/>
|
|
|
+ </When>
|
|
|
+ <PolicyRuleOptions>
|
|
|
+ <Option name="color">#8BC065</Option>
|
|
|
+ <Option name="stateless">False</Option>
|
|
|
+ </PolicyRuleOptions>
|
|
|
+ </PolicyRule>
|
|
|
+ <RuleSetOptions>
|
|
|
+ <Option name="mangle_only_rule_set">False</Option>
|
|
|
+ </RuleSetOptions>
|
|
|
</Policy>
|
|
|
- <Routing id="id8905X28426" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|
|
|
+ <Routing id="id8905X28426" name="Routing" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
|
|
|
<RoutingRule id="id13373X354" disabled="False" group="" metric="0" position="0" comment="">
|
|
|
<RDst neg="False">
|
|
|
<ObjectRef ref="id11552X65696"/>
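Review bot: Every rule in the new `Policy_IPv6` rule set (`id13633X2190`) is `disabled="True"`, including the position-0 anti-spoofing deny, so the set compiles to no ip6tables rules while `Policy` becomes IPv4-only in this same change; until it is enabled the host has no fwbuilder-managed IPv6 filtering, which should be stated on the rule set itself, e.g. `comment="IPv6 policy - all rules currently disabled; IPv6 filtering relies on ip6tables default policies until enabled"`. When the rules are switched on, the ping rule at position 1 lists the IPv4 services `icmp-ping_reply`/`icmp-ping_request` inside an IPv6-only set, where the compiler will presumably ignore them, and the `sg-Useful_ICMP` group in the position-2 rule must actually contain the ICMPv6 neighbour-discovery types (133-136) or IPv6 stops working once the set is active — the group's contents are not visible here, so verify. The `VMs` rule at position 3 accepts from `Any` on any interface to mail01 for SMTP and six further services; keep it disabled until the source is narrowed, or document in its comment why it is meant to be reachable from anywhere.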
|