XML Config File documentation
The XML Config file is defined as follows:
<config>
  <networks>
  <reserved>
  <zones>
  <services>
  <paths>
The following tags are available to configure what subsystems are used and the
values to use for limits when logging and accepting different types of traffic.
<internal enabled="boolean"/>
<ipsec enabled="boolean"/>
<dmz enabled="boolean"/>
<dialin enabled="boolean"/>
<networkCommand command="ip or ifconfig"/>
<mangleRules enabled="boolean"/>
<ecn enabled="boolean"/>
<log prefix="" level=""/>
<logRate taint="" reserved="" policy="" reject="" normal=""/>
<limitRate icmp=""/>
<moduleSupport kernel="modular or monolithic">
<module name="iptables module to load"/> - you can have multiple <module /> tags defined, as long as they are unique and do not have the same name as a <conntracker /> entry.
<conntracker name="iptables conntracker name - ftp, irc, tftp, amanda, etc." params="" active="boolean"/> - you can have multiple <conntracker /> tags defined, as long as they are unique and do not have the same name as a <module /> entry.
</moduleSupport>
<validityChecks unclean="boolean" tcpFlags="boolean"/>
<bridgeSupport enabled="boolean"/> - see the Perl Data structure for more details.
<snortInlineSupport enabled="boolean"/> - Enable support for snort-inline QUEUE'ing of ESTABLISHED,RELATED traffic.
<dynamicInterfaces mode="lookupIP|ignoreIP"/> - When mode = 'ignoreIP', dynamic interfaces are not looked up and their IPs are not used in the rules, so that laptops don't have issues when they move between networks. This means you don't have to restart the firewall rules every time your IP changes or you change networks. If this option is not set, it defaults to 'lookupIP', which implements the old behaviour.
If <log>, <logRate> and/or <limitRate> are not specified, then the defaults will
be used. If you specify a value of 0 for any <logRate> or <limitRate>
tag then the logging rules generated will not be limited for that part of the firewall.
If <mangleRules> is not specified, then it defaults to true.
boolean = true or false.
The following tags are available to define all networks or hosts that are allowed to come into
the firewall through a specific interface or that we want to limit traffic coming from or going
to for specific services.
<addr value="" index="" type="" active="boolean"comment=""/>
You can repeat the <addr> tag as many times as needed. Make sure that the index
value is unique since that will be what is used to select the network or host to limit incoming
or outgoing traffic by.
type can be normal (default) or mac to indicate a MAC address. When type
= mac the generated rules use MAC address matching instead of source or
destination address matching. You do not need to specify the type attribute unless you are
specifying a MAC address, as it defaults to normal.
comment allows you to specify a user friendly string that describes the network entry being made.
active allows you to specify whether or not the network index is available.
boolean = true or false.
The following tags are available to define all networks that should be treated as never being valid
coming in the external interfaces (from the internet).
<addr value="" limitTo="" active="boolean" comment=""/>
You can repeat the <addr> tag as many times as needed.
comment allows you to specify a user friendly string that describes the reserved network entry being made.
limitTo specifies a comma separated list of external interfaces this entry will be blocked from entering.
If none are specified then it applies to all external interfaces that are not disabled.
active allows you to specify whether or not this reserved network entry will be used.
boolean = true or false.
The following zones are used when defining the interfaces the system should use:
<external>
<internal>
<ipsec>
<dmz>
<dialin>
The following tags are available to define the network interface(s) to be used in the <external> zone.
<interface name="" alias="" ip="" ipsec="boolean" ipsecLimitFrom="" network="" proxyarp="boolean" active="boolean" comment=""/>
You can repeat the <interface> tag as many times as needed. You must specify unique interfaces
that will exist on the system and they must have valid IP Addresses specified for them. Make sure
that you specify the network(s) (comma separated list) that the interface is a part of (they come from the <networks> section).
Currently the network is not used in the generated rules for external interfaces, but this
may change in the future. boolean = true or false.
Use the ipsecLimitFrom attribute to specify a comma separated list of network entries that you only want to allow
to make IPSec connections to the firewall through the specified interface.
If the ip="dynamic" then the interface is treated as getting it's IP Address from a DHCP
server and we will use MASQUERADE instead of SNAT when traffic goes out it.
It is up to the server (dhcp client) to restart the firewall rules (and possibly IPSec) when the
IP Address changes as the rules being generated rely on the IP Address of the External Interface
to help limit the traffic we respond to. (Note: The External Zone is the only zone that
we support Dynamic Interfaces in.)
alias is the interface name that will be used in all paths to specify the incoming
or outgoing interface. This way you don't have to go through every single rule and
fixup the interfaces when you add/remove network cards or go to a machine with a different layout.
comment allows you to specify a user friendly string that describes the interface being configured.
proxyarp allows you to specify if proxy arp support needs to be enabled for this interface. By default it is disabled.
The following tags are available to define the network interface(s) to be used in the <internal> zone.
<interface name="" alias="" ip="" ipsec="boolean" ipsecLimitFrom="" network="" proxyarp="boolean" active="boolean" comment=""/>
You can repeat the <interface> tag as many times as needed. You must specify unique interfaces
that will exist on the system and they must have valid IP Addresses specified for them. Make sure
that you specify the network(s) (comma separated list) that the interface is a part of (they come from the <networks> section).
boolean = true or false.
Use the ipsecLimitFrom attribute to specify a comma separated list of network entries that you only want to allow
to make IPSec connections to the firewall through the specified interface.
alias is the interface name that will be used in all paths to specify the incoming
or outgoing interface. This way you don't have to go through every single rule and
fixup the interfaces when you add/remove network cards or go to a machine with a different layout.
comment allows you to specify a user friendly string that describes the interface being configured.
proxyarp allows you to specify if proxy arp support needs to be enabled for this interface. By default it is disabled.
The following tags are available to define the network interface(s) to be used in the <ipsec> zone.
<interface name="" alias="" boundTo="" network="" proxyarp="boolean" active="boolean" comment=""/>
You can repeat the <interface> tag as many times as needed. You must specify unique interfaces
that will exist on the system and must specify aliases of the interfaces to bind to via boundTo that
are defined in the other <interfaces> sections. Make sure
that you specify the network(s) that the interface will allow traffic from in a
comma separated list (they come from the <networks> section).
alias is the interface name that will be used in all paths to specify the incoming
or outgoing interface. This way you don't have to go through every single rule and
fixup the interfaces when you add/remove network cards or go to a machine with a different layout.
comment allows you to specify a user friendly string that describes the interface being configured.
proxyarp allows you to specify if proxy arp support needs to be enabled for this interface. By default it is disabled.
The following tags are available to define the network interface(s) to be used in the <dmz> zone.
<interface name="" alias="" ip="" ipsec="boolean" ipsecLimitFrom="" network="" proxyarp="boolean" active="boolean" comment=""/>
You can repeat the <interface> tag as many times as needed. You must specify unique interfaces
that will exist on the system and they must have valid IP Addresses specified for them. Make sure
that you specify the network(s) (comma separated list) that the interface is a part of (they come from the <networks> section).
boolean = true or false.
Use the ipsecLimitFrom attribute to specify a comma separated list of network entries that you only want to allow
to make IPSec connections to the firewall through the specified interface.
alias is the interface name that will be used in all paths to specify the incoming
or outgoing interface. This way you don't have to go through every single rule and
fixup the interfaces when you add/remove network cards or go to a machine with a different layout.
comment allows you to specify a user friendly string that describes the interface being configured.
proxyarp allows you to specify if proxy arp support needs to be enabled for this interface. By default it is disabled.
The following tags are available to define the network interface(s) to be used in the <dialin> zone.
<interface name="" alias="" ip="" ipsec="boolean" ipsecLimitFrom="" network="" proxyarp="boolean" active="boolean" comment=""/>
You can repeat the <interface> tag as many times as needed. You must specify unique interfaces
that will exist on the system and they must have valid IP Addresses specified for them. Make sure
that you specify the network(s) (comma separated list) that the interface is a part of (they come from the <networks> section).
boolean = true or false.
Use the ipsecLimitFrom attribute to specify a comma separated list of network entries that you only want to allow
to make IPSec connections to the firewall through the specified interface.
alias is the interface name that will be used in all paths to specify the incoming
or outgoing interface. This way you don't have to go through every single rule and
fixup the interfaces when you add/remove network cards or go to a machine with a different layout.
comment allows you to specify a user friendly string that describes the interface being configured.
proxyarp allows you to specify if proxy arp support needs to be enabled for this interface. By default it is disabled.
The services section is made up of 1 or more <service> tags. Each service defined must be unique.
The following tags are available to define what protocols, ports, etc. this service is composed of.
These tags may be defined multiple times.
<info proto="" dport="" sport="" icmpType=""/>
If you leave proto empty then this service will match on all types of traffic.
dport and sport should be empty when dealing with a non-tcp or non-udp protocol or
when the port is not required.
icmpType should be empty when dealing with a non-icmp protocol or when we want to
match all icmp types.
The paths section is made up of 1 or more <serviceGroup> tags, each naming the service whose paths are being defined. Each service defined must be unique.
The following tag types are available to define what pathways this service may take into, out of, and through
the firewall. These tags may be defined multiple times as long as no duplicates are created.
<firewallToInternal>
<firewallToExternal>
<firewallToIPSec>
<firewallToDMZ>
<firewallToDialin>
<firewallToFirewall>
<internalBroadcast>
<externalBroadcast>
<ipsecBroadcast>
<dmzBroadcast>
<dialinBroadcast>
<internalToFirewall>
<internalToInternal>
<internalToExternal>
<internalToIPSec>
<internalToDMZ>
<internalToDialin>
<externalToExternal>
<externalToFirewall>
<externalToInternal>
<externalToIPSec>
<externalToDMZ>
<externalToDialin>
<ipsecToFirewall>
<ipsecToInternal>
<ipsecToExternal>
<ipsecToIPSec>
<ipsecToDMZ>
<ipsecToDialin>
<dmzToFirewall>
<dmzToInternal>
<dmzToExternal>
<dmzToIPSec>
<dmzToDMZ>
<dmzToDialin>
<dialinToFirewall>
<dialinToInternal>
<dialinToExternal>
<dialinToIPSec>
<dialinToDMZ>
<dialinToDialin>
boolean = true or false.
Note: If you want to temporarily disable a serviceGroup entry or path, add active="false"
to the serviceGroup or path tag and it will not be processed.
comment allows you to specify a user friendly string that describes the serviceGroup being configured.
<path type="firewallToInternal" o="" limitTo="" active="boolean" comment="">
o must be assigned an interface that the packet is leaving the firewall from (internal zone) as defined
in the <internal> <interfaces> section. limitTo is a comma separated list
(which can be empty) of networks and/or hosts, as defined in the <networks> section, that this
traffic is only allowed to go to. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the outgoing traffic to.
The interface specified in o will
be used to determine the IP Address that the traffic has to be coming from for it to be accepted.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<reject/> - The traffic is rejected.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="firewallToExternal" o="" limitTo="" active="boolean" comment="">
o must be assigned an interface that the packet is leaving the firewall from (external zone) as defined
in the <external> <interfaces> section. limitTo is a comma separated list
(which can be empty) of networks and/or hosts, as defined in the <networks> section, that this
traffic is only allowed to go to. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the outgoing traffic to.
The interface specified in o will
be used to determine the IP Address that the traffic has to be coming from for it to be accepted.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<reject/> - The traffic is rejected.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="firewallToIPSec" o="" limitTo="" active="boolean" comment="">
o must be assigned an interface that the packet is leaving the firewall from (ipsec zone) as defined
in the <ipsec> <interfaces> section. limitTo is a comma separated list
(which can be empty) of networks and/or hosts, as defined in the <networks> section, that this
traffic is only allowed to go to. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the outgoing traffic to.
The interface specified in o will
be used to determine the IP Address that the traffic has to be coming from for it to be accepted.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<reject/> - The traffic is rejected.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="firewallToDMZ" o="" limitTo="" active="boolean" comment="">
o must be assigned an interface that the packet is leaving the firewall from (dmz zone) as defined
in the <dmz> <interfaces> section. limitTo is a comma separated list
(which can be empty) of networks and/or hosts, as defined in the <networks> section, that this
traffic is only allowed to go to. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the outgoing traffic to.
The interface specified in o will
be used to determine the IP Address that the traffic has to be coming from for it to be accepted.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<reject/> - The traffic is rejected.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="firewallToDialin" o="" limitTo="" active="boolean" comment="">
o must be assigned an interface that the packet is leaving the firewall from (dialin zone) as defined
in the <dialin> <interfaces> section. limitTo is a comma separated list
(which can be empty) of networks and/or hosts, as defined in the <networks> section, that this
traffic is only allowed to go to. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the outgoing traffic to.
The interface specified in o will
be used to determine the IP Address that the traffic has to be coming from for it to be accepted.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<reject/> - The traffic is rejected.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="firewallToFirewall" o="" active="boolean" comment="">
This requires the newNAT and localNAT patches in your kernel.
o must be assigned an interface that the packet is headed to on the firewall from the loopback interface lo.
The interface specified in o will
be used to determine the IP Address that the traffic is going to.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalBroadcast" i="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <internal> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts, as defined in the <networks> section, that this
traffic is only allowed to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
If i="*" then all interfaces in the internal zone will be used.
This tag allows you to catch traffic that is coming from the internal network doing
a broadcast (destination 255.255.255.255) and do something with it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalBroadcast" i="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <external> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts, as defined in the <networks> section, that this
traffic is only allowed to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
If i="*" then all interfaces in the external zone will be used.
This tag allows you to catch traffic that is coming from the external network doing
a broadcast (destination 255.255.255.255) and do something with it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecBroadcast" i="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts, as defined in the <networks> section, that this
traffic is only allowed to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
If i="*" then all interfaces in the ipsec zone will be used.
This tag allows you to catch traffic that is coming from the ipsec network doing
a broadcast (destination 255.255.255.255) and do something with it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dmzBroadcast" i="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <dmz> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts, as defined in the <networks> section, that this
traffic is only allowed to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
If i="*" then all interfaces in the dmz zone will be used.
This tag allows you to catch traffic that is coming from the dmz network doing
a broadcast (destination 255.255.255.255) and do something with it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dialinBroadcast" i="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <dialin> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts, as defined in the <networks> section, that this
traffic is only allowed to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
If i="*" then all interfaces in the dialin zone will be used.
This tag allows you to catch traffic that is coming from the dialin network doing
a broadcast (destination 255.255.255.255) and do something with it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToFirewall" i="" ip="" limitFrom="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<internal> <interfaces> section; the IP address assigned to that interface is the
address the traffic must be going to for it to be accepted. If i="*" then all
interfaces in the internal zone are used. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts defined in the <networks> section; only
traffic originating from them is allowed. If it is empty, the network(s) the interface
is a member of are used to limit the sources instead.
If ip is specified, it must name a network entry that represents an IP address on the
firewall, and the incoming traffic is matched against that address instead. ip lets you
match traffic coming from the internal network but destined for a different IP address of
the firewall (say the external IP address) that you want to handle specially; with it you
can dnat or redirect traffic that none of the other constructs can express.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
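The constraints spelled out for the path entries above (one action tag per service, <log/> allowed beside any action except <dropNoLog/>, i naming an interface of the source zone or "*", o only on zone-to-zone paths, a <dnat> naming one of internal/dmz/dialin/ipsec and an interface in that zone) are easy to get wrong by hand. The following checker is an added example, not code from the firewall project; its zone, interface and host tables are constructed stand-ins for the <interfaces> and <networks> sections, and the sample config is constructed too.

```python
"""Constructed validator for the <path> constraints stated on this page.
Added example, not part of the firewall project.  ZONE_IFACES and HOSTS stand
in for the page's <interfaces> and <networks> sections (constructed values)."""
import xml.etree.ElementTree as ET

ACTIONS = {"reject", "dropNoLog", "dnat", "redirect", "queue"}
DNAT_ZONES = {"internal", "dmz", "dialin", "ipsec"}
ZONE_IFACES = {"internal": {"eth1"}, "external": {"eth0"}, "dmz": {"eth2"},
               "ipsec": {"ipsec0"}, "dialin": {"ppp0"}}   # constructed
HOSTS = {"webserver", "mailhub"}                           # constructed <networks> names

def zones_of(path_type):
    """'externalToDMZ' -> ('external', 'dmz'); 'dialinBroadcast' -> ('dialin', None)."""
    if path_type.endswith("Broadcast"):
        return path_type[:-len("Broadcast")].lower(), None
    src, dst = path_type.split("To", 1)
    return src.lower(), dst.lower()

def validate_path(path):
    ptype = path.get("type", "")
    try:
        src, dst = zones_of(ptype)
    except ValueError:
        return [f"{ptype}: unknown path type"]
    errors = []
    i, o = path.get("i", ""), path.get("o")
    # i must be an interface of the source zone, or "*" for all of them
    if i != "*" and i not in ZONE_IFACES.get(src, ()):
        errors.append(f"{ptype}: i='{i}' is not an interface of the {src} zone")
    # ToFirewall and Broadcast paths have no outgoing interface
    if dst in (None, "firewall"):
        if o is not None:
            errors.append(f"{ptype}: o is not valid on this path type")
    elif o not in ZONE_IFACES.get(dst, ()):
        errors.append(f"{ptype}: o='{o}' is not an interface of the {dst} zone")
    for svc in path.findall("service"):
        name = svc.get("name") or "?"
        actions = [c.tag for c in svc if c.tag in ACTIONS]
        if len(actions) > 1:
            errors.append(f"{ptype}/{name}: {actions} are mutually exclusive")
        if svc.find("log") is not None and "dropNoLog" in actions:
            errors.append(f"{ptype}/{name}: <log/> cannot be combined with <dropNoLog/>")
        dnat = svc.find("dnat")
        if dnat is not None:
            zone, iface, dest = dnat.get("zone"), dnat.get("interface"), dnat.get("destination")
            if zone not in DNAT_ZONES:
                errors.append(f"{ptype}/{name}: dnat zone '{zone}' must be one of {sorted(DNAT_ZONES)}")
            elif iface not in ZONE_IFACES[zone]:
                errors.append(f"{ptype}/{name}: dnat interface '{iface}' is not in the {zone} zone")
            if dest not in HOSTS:
                errors.append(f"{ptype}/{name}: dnat destination '{dest}' is not a known host")
    return errors

def validate_config(xml_text):
    """Every problem found across all <path> entries; an empty list means clean."""
    return [e for p in ET.fromstring(xml_text).iter("path") for e in validate_path(p)]

# Constructed sample: two clean paths, two broken ones, one broadcast path.
SAMPLE = """<paths>
  <path type="externalToFirewall" i="eth0" limitFrom="" active="true" comment="ok: logged ssh">
    <service name="ssh"><log level="info"/></service>
  </path>
  <path type="externalToDMZ" i="eth0" o="eth2" limitFrom="" limitTo="webserver" active="true" comment="ok: dnat">
    <service name="http"><dnat destination="webserver" zone="dmz" interface="eth2" dnatPort=""/></service>
  </path>
  <path type="internalToExternal" i="eth1" o="eth0" limitFrom="" limitTo="" active="true" comment="bad: two actions, log with dropNoLog">
    <service name="smtp"><reject/><dropNoLog/><log level="warn"/></service>
  </path>
  <path type="ipsecToInternal" i="*" o="eth0" limitFrom="" limitTo="" active="true" comment="bad: o in wrong zone, dnat to external">
    <service name="ssh"><dnat destination="mailhub" zone="external" interface="eth0"/></service>
  </path>
  <path type="dialinBroadcast" i="ppp0" limitFrom="" active="true" comment="ok">
    <service name="dhcp"><dropNoLog/></service>
  </path>
</paths>"""

if __name__ == "__main__":
    for problem in validate_config(SAMPLE):
        print(problem)
```

Run it against a real config by replacing SAMPLE with the file contents and the tables with the interfaces and hosts the config actually declares; four problems are reported for the sample, all from the two paths marked "bad".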
<path type="internalToInternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
Note: This path is designed for a machine acting as a router for internal networks, so
that routed packets can get back into the internal network. It creates a rule in the
FORWARD chain that lets the specified packets enter and leave the firewall, but only
within the internal zone(s).
i must be an interface on which the packet enters the firewall, as defined in the
<internal> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the internal zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead.
o must be an interface through which the packet leaves the firewall (internal zone), as
defined in the <internal> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere in the Intranet that the o
interface has a network entry for.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToExternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<internal> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the internal zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead.
o must be an interface through which the packet leaves the firewall (external zone), as
defined in the <external> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere on the Internet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToIPSec" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<internal> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the internal zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead.
o must be an interface through which the packet leaves the firewall (ipsec zone), as
defined in the <ipsec> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere in the VPN.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToDMZ" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<internal> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the internal zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead.
o must be an interface through which the packet leaves the firewall (dmz zone), as
defined in the <dmz> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere in the DMZ.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToDialin" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<internal> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the internal zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead.
o must be an interface through which the packet leaves the firewall (dialin zone), as
defined in the <dialin> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere in the dialed in network.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToExternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
Note: This path is designed for a machine acting as a router for external networks, so
that routed packets can get back into the external network. It creates a rule in the
FORWARD chain that lets the specified packets enter and leave the firewall, but only
within the external zone(s).
i must be an interface on which the packet enters the firewall, as defined in the
<external> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the external zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead, which on an external
interface means every address its network entry covers.
o must be an interface through which the packet leaves the firewall (external zone), as
defined in the <external> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere on the Internet that the o
interface has a network entry for.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToFirewall" i="" ip="" limitFrom="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<external> <interfaces> section; the IP address assigned to that interface is the
address the traffic must be going to for it to be accepted. If i="*" then all
interfaces in the external zone are used. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts defined in the <networks> section; only
traffic originating from them is allowed. If it is empty, the network(s) the interface
is a member of are used to limit the sources instead, which on an external interface
means every address its network entry covers, so list the permitted sources explicitly
for administrative services such as ssh.
If ip is specified, it must name a network entry that represents an IP address on the
firewall, and the incoming traffic is matched against that address instead. ip lets you
match traffic coming from the external network but destined for a different IP address of
the firewall (say the internal IP address) that you want to handle specially; with it you
can dnat or redirect traffic that none of the other constructs can express.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToInternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<external> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the external zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead, which on an external
interface means every address its network entry covers.
o must be an interface through which the packet leaves the firewall (internal zone), as
defined in the <internal> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere in the Intranet. Because
this path admits traffic from outside, leave neither list empty without good reason: an
empty limitFrom admits any external source and an empty limitTo exposes every internal host
to the service.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToIPSec" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<external> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the external zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead, which on an external
interface means every address its network entry covers.
o must be an interface through which the packet leaves the firewall (ipsec zone), as
defined in the <ipsec> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere in the VPN.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToDMZ" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<external> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the external zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead, which on an external
interface means every address its network entry covers.
o must be an interface through which the packet leaves the firewall (dmz zone), as
defined in the <dmz> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere in the DMZ; for a
published service, name the DMZ host(s) that actually serve it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
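What the attributes described for the ToFirewall and zone-to-zone paths above actually widen or narrow is easiest to see by expanding a few entries into the iptables matches they imply: i="*" fans out to every interface of the zone, an empty limitFrom or limitTo falls back to the interface's network entries, ip on a ToFirewall path replaces the interface address, and an empty dnatPort or redirectPort falls back to the service's dport. The expander below is an added example and not the firewall's own generator (the project's real rule output may differ in shape); the interface, address, network and service tables are constructed stand-ins for the <interfaces>, <networks> and <services> sections, and the DNAT/REDIRECT legs are an illustrative shape only.

```python
"""Constructed expansion of <path> entries into iptables-style rule lines.
Added example, NOT the firewall's own generator; its real output may differ.
All tables below are constructed stand-ins for the page's <interfaces>,
<networks> and <services> sections."""
import xml.etree.ElementTree as ET

ACTIONS = ("reject", "dropNoLog", "dnat", "redirect", "queue")
TARGETS = {"reject": "REJECT", "dropNoLog": "DROP", "queue": "QUEUE"}   # others ACCEPT
ZONE_IFACES = {"internal": ["eth1", "eth3"], "external": ["eth0"], "dmz": ["eth2"]}
IFACE_NETS = {"eth0": ["0.0.0.0/0"], "eth1": ["10.1.0.0/24"],
              "eth3": ["10.3.0.0/24"], "eth2": ["192.0.2.0/24"]}   # network entries per interface
IFACE_IP = {"eth0": "203.0.113.1", "eth1": "10.1.0.1", "eth3": "10.3.0.1", "eth2": "192.0.2.1"}
NETWORKS = {"partner": "198.51.100.0/28", "webserver": "192.0.2.10", "fw-ext": "203.0.113.1"}
SERVICES = {"http": ("tcp", 80), "ssh": ("tcp", 22)}

def endpoints(zone, attr, limit):
    """(interface, address) pairs. "*" expands to every interface of the zone; an empty
    limitFrom/limitTo takes each interface's own network entries, an explicit list
    applies to every interface."""
    pairs = []
    for iface in (ZONE_IFACES[zone] if attr == "*" else [attr]):
        nets = [NETWORKS[n.strip()] for n in limit.split(",")] if limit else IFACE_NETS[iface]
        pairs.extend((iface, n) for n in nets)
    return pairs

def expand(path):
    src, dst = (z.lower() for z in path.get("type").split("To", 1))
    ins = endpoints(src, path.get("i"), path.get("limitFrom", ""))
    rules = []
    for svc in path.findall("service"):
        proto, dport = SERVICES[svc.get("name")]
        action = next((c for c in svc if c.tag in ACTIONS), None)
        tag = action.tag if action is not None else "accept"
        want_log = svc.find("log") is not None and tag != "dropNoLog"   # dropNoLog never logs
        for i, s in ins:
            if dst == "firewall":
                chain = "INPUT"
                # destination is the ip attribute's network entry, else the address on i
                dest = NETWORKS[path.get("ip")] if path.get("ip") else IFACE_IP[i]
                legs = [("", dest, dport)]
                if tag == "redirect":
                    port = action.get("redirectPort") or dport        # empty -> service dport
                    rules.append(f"-t nat -A PREROUTING -i {i} -s {s} -d {dest} -p {proto} "
                                 f"--dport {dport} -j REDIRECT --to-ports {port}")
                    legs = [("", IFACE_IP[i], port)]   # REDIRECT lands on the incoming interface's address
            elif tag == "dnat":
                chain = "FORWARD"
                host = NETWORKS[action.get("destination")]
                port = action.get("dnatPort") or dport                # empty -> service dport
                rules.append(f"-t nat -A PREROUTING -i {i} -s {s} -p {proto} --dport {dport} "
                             f"-j DNAT --to-destination {host}:{port}")
                legs = [(f"-o {action.get('interface')} ", host, port)]
            else:
                chain = "FORWARD"
                legs = [(f"-o {o} ", d, dport)
                        for o, d in endpoints(dst, path.get("o"), path.get("limitTo", ""))]
            for out, d, p in legs:
                match = f"-i {i} -s {s} {out}-d {d} -p {proto} --dport {p}"
                if want_log:
                    rules.append(f"-A {chain} {match} -j LOG")
                rules.append(f"-A {chain} {match} -j {TARGETS.get(tag, 'ACCEPT')}")
    return rules

def expand_config(xml_text):
    return [r for p in ET.fromstring(xml_text).iter("path") for r in expand(p)]

# Constructed sample exercising i="*", empty limits, dnat/redirect port defaults and ip.
SAMPLE = """<paths>
  <path type="internalToExternal" i="*" o="eth0" limitFrom="" limitTo="" active="true" comment="browse">
    <service name="http"/>
  </path>
  <path type="externalToDMZ" i="eth0" o="eth2" limitFrom="partner" limitTo="" active="true" comment="web">
    <service name="http"><dnat destination="webserver" zone="dmz" interface="eth2" dnatPort="8080"/><log level="info"/></service>
  </path>
  <path type="internalToDMZ" i="eth1" o="eth2" limitFrom="" limitTo="webserver" active="true" comment="no ssh">
    <service name="ssh"><dropNoLog/></service>
  </path>
  <path type="internalToFirewall" i="eth1" ip="fw-ext" limitFrom="" active="true" comment="proxy">
    <service name="http"><redirect redirectPort="3128"/></service>
  </path>
  <path type="externalToFirewall" i="eth0" limitFrom="partner" active="true" comment="admin ssh">
    <service name="ssh"><log level="info"/></service>
  </path>
</paths>"""

if __name__ == "__main__":
    print("\n".join(expand_config(SAMPLE)))
```

The first path is the instructive one: with i="*" and both limits empty it yields one FORWARD rule per internal interface, each restricted to that interface's own network but open to 0.0.0.0/0 outbound, which is exactly what "anywhere on the Internet" means in rule terms.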
<path type="externalToDialin" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<external> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the external zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead, which on an external
interface means every address its network entry covers.
o must be an interface through which the packet leaves the firewall (dialin zone), as
defined in the <dialin> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere in the dialed in network.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToFirewall" i="" ip="" limitFrom="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<ipsec> <interfaces> section; the IP address assigned to that interface is the
address the traffic must be going to for it to be accepted. If i="*" then all
interfaces in the ipsec zone are used. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts defined in the <networks> section; only
traffic originating from them is allowed. If it is empty, the network(s) the interface
is a member of are used to limit the sources instead.
If ip is specified, it must name a network entry that represents an IP address on the
firewall, and the incoming traffic is matched against that address instead. ip lets you
match traffic coming from the ipsec network but destined for a different IP address of
the firewall (say the internal IP address) that you want to handle specially; with it you
can dnat or redirect traffic that none of the other constructs can express.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToInternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be an interface on which the packet enters the firewall, as defined in the
<ipsec> <interfaces> section, and determines where the traffic must come from for it
to be accepted. If i="*" then all interfaces in the ipsec zone are used. limitFrom is a
comma separated list (which can be empty) of networks and/or hosts defined in the <networks>
section; only traffic originating from them is allowed. If it is empty, the network(s) the
interface is a member of are used to limit the sources instead.
o must be an interface through which the packet leaves the firewall (internal zone), as
defined in the <internal> <interfaces> section. limitTo is a comma separated list (which
can be empty) of networks and/or hosts defined in the <networks> section that the traffic
may go to. If it is empty, the traffic is allowed to go anywhere in the Intranet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which
can co-exist with any of them other than <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToExternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the ipsec zone will be used.
o must be assigned an interface that the packet will leave the firewall from (external zone)
and must be defined in the <external> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the Internet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToIPSec" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
Note: This path is designed to allow a machine acting as a router for ipsec
networks to let the routed packets get back into the ipsec network. It creates
a rule in the FORWARD chain which lets the specified packets enter and leave the firewall, but
only for the ipsec zone(s).
i must be assigned an interface that the packet enters the firewall on, as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the ipsec zone will be used.
o must be assigned an interface that the packet will leave the firewall from (ipsec zone)
and must be defined in the <ipsec> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the VPN that the o interface has a network
entry created for.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToDMZ" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the ipsec zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dmz zone)
and must be defined in the <dmz> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the DMZ.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToDialin" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the ipsec zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dialin zone)
and must be defined in the <dialin> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the dial-in network.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dmzToFirewall" i="" ip="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <dmz> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dmz zone will be used.
If ip is specified, then it should name a network entry that represents the IP address on the firewall
that you want the incoming traffic to be matched against. ip allows you to match traffic coming from the dmz network but destined for
a different IP address of the firewall (say the external IP address) that you want to handle specially.
Using this feature you can dnat or redirect traffic in ways that may not be possible with any of the other constructs.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
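The constraints repeated for every <path> type above (i must belong to the source zone, o to the destination zone, limitFrom/limitTo and dnat destinations must be names from <networks>, the dnat zone must be one of internal/dmz/dialin/ipsec, and a <service> may carry at most one action tag with <log/> allowed beside anything except <dropNoLog/>) are easy to get wrong by hand in a large file. The following lint is an added example, not part of the firewall project's own code. It generalises over every zoneToZone and zoneToFirewall type documented here and assumes a simplified model of the sections this excerpt does not reproduce: the zone interface tables and the set of <networks> names are passed in as plain Python collections, and the sample <paths> fragment is constructed for the example.

```python
"""Lint a <paths> fragment against the constraints the path documentation states."""
import xml.etree.ElementTree as ET

ZONES = {"internal", "external", "dmz", "ipsec", "dialin"}
DNAT_ZONES = {"internal", "dmz", "dialin", "ipsec"}
# Tags that decide what happens to matched traffic; at most one per <service>.
ACTIONS = {"reject", "dropNoLog", "dnat", "redirect", "queue"}


def split_type(path_type):
    """'dmzToIPSec' -> ('dmz', 'ipsec'); '*ToFirewall' paths get dst 'firewall'."""
    src, sep, dst = path_type.partition("To")
    src, dst = src.lower(), dst.lower()
    if not sep or src not in ZONES or dst not in ZONES | {"firewall"}:
        raise ValueError(f"unknown path type {path_type!r}")
    return src, dst


def csv(value):
    """Comma separated attribute -> list of names; an empty string -> []."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_service(where, svc, interfaces, networks):
    problems = []
    tags = {child.tag for child in svc}
    actions = tags & ACTIONS
    if len(actions) > 1:
        problems.append(f"{where}: {sorted(actions)} are mutually exclusive")
    if {"log", "dropNoLog"} <= tags:
        problems.append(f"{where}: <log/> cannot co-exist with <dropNoLog/>")
    dnat = svc.find("dnat")
    if dnat is not None:
        zone, iface, dest = (dnat.get(a, "") for a in ("zone", "interface", "destination"))
        if zone not in DNAT_ZONES:
            problems.append(f"{where}: dnat zone={zone!r} must be internal, dmz, dialin or ipsec")
        elif iface not in interfaces.get(zone, ()):
            problems.append(f"{where}: dnat interface={iface!r} is not in the {zone} zone")
        if dest not in networks:
            problems.append(f"{where}: dnat destination={dest!r} has no <networks> entry")
    return problems


def check_path(path, interfaces, networks):
    """Return the list of problems found in one <path> element (empty means ok)."""
    ptype = path.get("type", "")
    try:
        src, dst = split_type(ptype)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    i = path.get("i", "")
    if i != "*" and i not in interfaces.get(src, ()):   # i="*" means every interface in the zone
        problems.append(f"{ptype}: i={i!r} is not an interface in the {src} zone")
    for name in csv(path.get("limitFrom", "")):
        if name not in networks:
            problems.append(f"{ptype}: limitFrom entry {name!r} has no <networks> entry")
    if dst == "firewall":
        ip = path.get("ip", "")   # optional; when given it must be a <networks> entry
        if ip and ip not in networks:
            problems.append(f"{ptype}: ip={ip!r} has no <networks> entry")
    else:
        o = path.get("o", "")
        if o not in interfaces.get(dst, ()):
            problems.append(f"{ptype}: o={o!r} is not an interface in the {dst} zone")
        for name in csv(path.get("limitTo", "")):
            if name not in networks:
                problems.append(f"{ptype}: limitTo entry {name!r} has no <networks> entry")
    for svc in path.findall("service"):
        problems += check_service(f"{ptype}/{svc.get('name', '?')}", svc, interfaces, networks)
    return problems


def lint(xml_text, interfaces, networks):
    root = ET.fromstring(xml_text)
    return [p for path in root.iter("path") for p in check_path(path, interfaces, networks)]


# Constructed sample input: interface names per zone and the known <networks> names.
INTERFACES = {"internal": {"eth0"}, "dmz": {"eth1"}, "dialin": {"ppp0"}, "ipsec": {"ipsec0"}}
NETWORKS = {"mailhost", "webhost", "extIP"}
SAMPLE = """<paths>
  <path type="dmzToInternal" i="eth1" o="eth0" limitFrom="" limitTo="mailhost" active="1" comment="dmz relay">
    <service name="smtp"><log comment="smtp relay" level="info"/></service>
  </path>
  <path type="dmzToFirewall" i="eth1" ip="extIP" limitFrom="webhost" active="1" comment="via ext ip">
    <service name="http"><dnat destination="webhost" zone="dmz" interface="eth1" dnatPort=""/></service>
  </path>
  <path type="dialinToDMZ" i="ppp9" o="eth1" limitFrom="" limitTo="nosuch" active="1" comment="broken">
    <service name="ssh"><reject/><dropNoLog/><log level="warn"/></service>
  </path>
</paths>"""

if __name__ == "__main__":
    for problem in lint(SAMPLE, INTERFACES, NETWORKS):
        print(problem)
```

The first two sample paths pass; the third reports four problems (an unknown dialin interface, an undefined limitTo name, two action tags on one service, and <log/> beside <dropNoLog/>). Running a check like this before loading a rule set catches the mistakes that otherwise surface only as a path silently matching nothing or matching more than intended.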
<path type="dmzToInternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <dmz> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dmz zone will be used.
o must be assigned an interface that the packet will leave the firewall from (internal zone)
and must be defined in the <internal> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the Intranet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dmzToExternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <dmz> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dmz zone will be used.
o must be assigned an interface that the packet will leave the firewall from (external zone)
and must be defined in the <external> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the Internet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dmzToIPSec" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <dmz> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dmz zone will be used.
o must be assigned an interface that the packet will leave the firewall from (ipsec zone)
and must be defined in the <ipsec> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the VPN.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dmzToDMZ" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
Note: This path is designed to allow a machine acting as a router for dmz
networks to let the routed packets get back into the dmz network. It creates
a rule in the FORWARD chain which lets the specified packets enter and leave the firewall, but
only for the dmz zone(s).
i must be assigned an interface that the packet enters the firewall on, as defined
in the <dmz> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dmz zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dmz zone)
and must be defined in the <dmz> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the DMZ that the o interface has a network
entry created for.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dmzToDialin" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <dmz> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dmz zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dialin zone)
and must be defined in the <dialin> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the dial-in network.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dialinToFirewall" i="" ip="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <dialin> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dialin zone will be used.
If ip is specified, then it should name a network entry that represents the IP address on the firewall
that you want the incoming traffic to be matched against. ip allows you to match traffic coming from the dialin network but destined for
a different IP address of the firewall (say the external IP address) that you want to handle specially.
Using this feature you can dnat or redirect traffic in ways that may not be possible with any of the other constructs.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
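To make the semantics of the two *ToFirewall path types (dmzToFirewall and dialinToFirewall) concrete, the following added example renders such a <path> into iptables command lines. It is not the firewall project's own generator: the real script's chain layout and option spelling are not shown on this page, so this is one plausible rendering that follows the documented rules, namely that i="*" expands to every interface in the source zone, an empty limitFrom falls back to the networks the incoming interface is a member of, ip names a <networks> entry that the destination is matched against, an empty dnatPort or redirectPort falls back to the service's dport, and <log/> emits a LOG rule ahead of the real target. The zone, network and service tables are constructed stand-ins for config sections this excerpt does not reproduce.

```python
"""Render *ToFirewall paths (dmzToFirewall, dialinToFirewall) as iptables commands."""
import xml.etree.ElementTree as ET
from shlex import quote

# Constructed stand-ins for the <zones>, <networks> and <services> sections (assumption:
# an interface maps to the network names it belongs to; a service maps to protocol and dport).
ZONE_IFACES = {"dmz": {"eth1": ["dmznet"], "eth2": ["labnet"]},
               "dialin": {"ppp0": ["dialnet"]}}
NETWORKS = {"dmznet": "192.0.2.0/24", "labnet": "198.51.100.0/24",
            "dialnet": "203.0.113.0/24", "webhost": "192.0.2.10", "extIP": "203.0.113.1"}
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "dns": ("udp", 53)}

# Order in which a service's action tag is looked for; they are mutually exclusive.
ACTIONS = ("dropNoLog", "reject", "queue", "dnat", "redirect")


def csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def sources(path):
    """(incoming interface, source network) pairs the path admits traffic from."""
    zone = path.get("type").partition("To")[0].lower()
    ifaces = ZONE_IFACES[zone]
    names = sorted(ifaces) if path.get("i") == "*" else [path.get("i")]
    limit = csv(path.get("limitFrom", ""))
    # Empty limitFrom: fall back to the networks the interface is a member of.
    return [(iface, NETWORKS[net]) for iface in names for net in (limit or ifaces[iface])]


def action_of(service):
    for tag in ACTIONS:
        el = service.find(tag)
        if el is not None:
            return tag, el
    return "accept", None


def render(path):
    """iptables command lines for one *ToFirewall <path> element."""
    rules = []
    ip = path.get("ip", "")
    # ip names a <networks> entry holding a firewall address; without it no -d match is added.
    dst = f" -d {NETWORKS[ip]}" if ip else ""
    for svc in path.findall("service"):
        proto, dport = SERVICES[svc.get("name")]
        action, el = action_of(svc)
        nat = action in ("dnat", "redirect")
        log = svc.find("log")
        for iface, src in sources(path):
            base = f"-i {iface} -s {src}{dst} -p {proto} --dport {dport}"
            if log is not None:
                # LOG first, then the real target; NAT'd traffic is logged before the nat table sees it.
                chain = "-t mangle -A PREROUTING" if nat else "-A INPUT"
                prefix = quote(log.get("comment") or path.get("comment") or svc.get("name"))
                rules.append(f"iptables {chain} {base} -j LOG --log-prefix {prefix} "
                             f"--log-level {log.get('level') or 'info'}")
            if action == "dnat":
                port = el.get("dnatPort") or dport          # empty dnatPort -> service dport
                dest = NETWORKS[el.get("destination")]
                rules.append(f"iptables -t nat -A PREROUTING {base} -j DNAT --to-destination {dest}:{port}")
                rules.append(f"iptables -A FORWARD -i {iface} -o {el.get('interface')} -s {src} "
                             f"-d {dest} -p {proto} --dport {port} -j ACCEPT")
            elif action == "redirect":
                port = el.get("redirectPort") or dport      # empty redirectPort -> service dport
                rules.append(f"iptables -t nat -A PREROUTING {base} -j REDIRECT --to-ports {port}")
                rules.append(f"iptables -A INPUT -i {iface} -s {src} -p {proto} --dport {port} -j ACCEPT")
            else:
                target = {"dropNoLog": "DROP", "reject": "REJECT", "queue": "QUEUE"}.get(action, "ACCEPT")
                rules.append(f"iptables -A INPUT {base} -j {target}")
    return rules


def generate(xml_text):
    return [r for p in ET.fromstring(xml_text).iter("path") for r in render(p)]


# Constructed sample: one path with i="*" and a logged accept, one with ip set and dnat/redirect.
SAMPLE = """<paths>
  <path type="dmzToFirewall" i="*" ip="" limitFrom="" active="1" comment="dns to firewall">
    <service name="dns"><log comment="" level="notice"/></service>
  </path>
  <path type="dialinToFirewall" i="ppp0" ip="extIP" limitFrom="" active="1" comment="via ext ip">
    <service name="http"><dnat destination="webhost" zone="dmz" interface="eth1" dnatPort=""/></service>
    <service name="https"><redirect redirectPort="8443"/></service>
  </path>
</paths>"""

if __name__ == "__main__":
    print("\n".join(generate(SAMPLE)))
```

For the sample this yields eight rules: a LOG plus ACCEPT pair in INPUT for each of the two dmz interfaces, a nat PREROUTING DNAT to 192.0.2.10:80 with its matching FORWARD accept, and a REDIRECT to port 8443 with its INPUT accept. The -d match on 203.0.113.1 is what the ip attribute buys you: without it the same source-restricted rule would apply to traffic aimed at any of the firewall's addresses.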
<path type="dialinToInternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <dialin> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dialin zone will be used.
o must be assigned an interface that the packet will leave the firewall from (internal zone)
and must be defined in the <internal> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the Intranet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dialinToExternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet enters the firewall on, as defined
in the <dialin> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section that
this traffic is only allowed to originate from. If no networks are given then the
network(s) that the interface is a member of are used to limit where the incoming traffic may come from.
The interface specified in i is used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dialin zone will be used.
o must be assigned an interface that the packet will leave the firewall from (external zone)
and must be defined in the <external> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section that this traffic is only allowed to go to. If no networks are given then the
traffic is allowed to go anywhere in the Internet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines the properties of this service.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is the interface the traffic will go out on and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dialinToIPSec" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <dialin> <interfaces> section. limitFrom is a comma seperated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dialin zone will be used.
o must be assigned an interface that the packet will leave the firewall from (ipsec zone)
and must be defined in the <ipsec> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the VPN.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dialinToDMZ" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <dialin> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit where the incoming traffic may originate from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dialin zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dmz zone)
and must be defined in the <dmz> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the DMZ.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dialinToDialin" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
Note: This path is designed to allow a machine acting as a router for dialin
networks to let the routed packets get back into the dialin network. This will create
a rule in the FORWARD chain which lets the specified packets enter and leave the firewall, but
only for the dialin zone(s).
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <dialin> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit where the incoming traffic may originate from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dialin zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dialin zone)
and must be defined in the <dialin> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the Dialin network that the o interface has a network
entry created for.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
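The dialinToIPSec, dialinToDMZ and dialinToDialin paths above all share the same <service/> rules: at most one of <reject/>, <dropNoLog/>, <dnat/>, <redirect/> or <queue/>, <log/> allowed alongside any of them except <dropNoLog/>, dnatPort and redirectPort falling back to the service's dport, i="*" expanding to every interface in the dialin zone, and an empty limitFrom defaulting to the networks the incoming interface belongs to. What follows is an added example, not code from the VeryTight module or from this documentation: a standalone Python check that parses a <paths> fragment, applies those rules and rejects a misconfigured path before any iptables rules would be generated. The NETWORKS, INTERFACES and SERVICE_DPORT tables are constructed stand-ins for the real sections of the config file; referring to networks by their index and taking the fallback port from the service's first <info/> are assumptions of this example.

```python
"""Check the <service/> action tags of a <path> and fill in the documented
defaults.  Added example, not VeryTight's own code."""
import xml.etree.ElementTree as ET

# Zone that i and o must belong to for each dialin* path type.
PATH_ZONES = {
    "dialinToIPSec": ("dialin", "ipsec"),
    "dialinToDMZ": ("dialin", "dmz"),
    "dialinToDialin": ("dialin", "dialin"),
}
ACTION_TAGS = ("reject", "dropNoLog", "dnat", "redirect", "queue")

# Constructed stand-ins for the <networks>, <interfaces> and <services>
# sections.  Networks are referred to by their index (an assumption).
NETWORKS = {"2": "192.168.1.0/24", "3": "192.168.2.0/24", "6": "192.168.3.0/24"}
INTERFACES = {            # alias -> (zone, network indexes it is a member of)
    "dialin": ("dialin", ["3"]),
    "dialin2": ("dialin", ["6"]),
    "dmz": ("dmz", ["2"]),
}
SERVICE_DPORT = {"www": "80", "ssh": "22"}   # dport of each service's first <info/>

SAMPLE_XML = """<paths>
<path type="dialinToDMZ" i="*" o="dmz" limitFrom="" limitTo="2" active="1" comment="dialin users to DMZ web server">
  <service name="www">
    <dnat destination="2" zone="dmz" interface="dmz" dnatPort=""/>
    <log comment="www dnat" level="info"/>
  </service>
</path>
<path type="dialinToDMZ" i="dialin" o="dmz" limitFrom="" limitTo="" active="1" comment="broken: two actions">
  <service name="ssh"><reject/><queue/></service>
</path>
<path type="dialinToDMZ" i="dialin" o="dmz" limitFrom="" limitTo="" active="1" comment="broken: log with dropNoLog">
  <service name="ssh"><dropNoLog/><log comment="never happens" level="info"/></service>
</path>
</paths>"""


def service_flags(svc):
    """Turn one <service/> element into the zone-path flag fields, enforcing:
    at most one action tag, and <log/> never together with <dropNoLog/>."""
    name = svc.get("name")
    tags = [child.tag for child in svc]
    actions = [t for t in tags if t in ACTION_TAGS]
    unknown = [t for t in tags if t not in ACTION_TAGS and t != "log"]
    if unknown:
        raise ValueError(f"{name}: unknown tag(s) {unknown}")
    if len(actions) > 1:
        raise ValueError(f"{name}: mutually exclusive tags {actions}")
    has_log = "log" in tags
    if has_log and "dropNoLog" in actions:
        raise ValueError(f"{name}: <log/> cannot be combined with <dropNoLog/>")
    flags = {t: int(t in actions) for t in ACTION_TAGS}
    flags["log"] = int(has_log)
    flags["service"] = name
    if flags["dnat"]:
        d = svc.find("dnat")
        zone, iface = d.get("zone"), d.get("interface")
        if d.get("destination") not in NETWORKS:
            raise ValueError(f"{name}: unknown dnat destination {d.get('destination')!r}")
        if iface not in INTERFACES or INTERFACES[iface][0] != zone:
            raise ValueError(f"{name}: dnat interface {iface!r} is not in zone {zone!r}")
        flags.update(dnatDestination=d.get("destination"), dnatZone=zone, dnatInterface=iface,
                     dnatPort=d.get("dnatPort") or SERVICE_DPORT[name])  # empty -> service dport
    if flags["redirect"]:
        flags["redirectPort"] = svc.find("redirect").get("redirectPort") or SERVICE_DPORT[name]
    if has_log:
        log = svc.find("log")
        flags.update(logComment=log.get("comment", ""), logLevel=log.get("level", ""))
    return flags


def expand_path(path):
    """Resolve i="*" and an empty limitFrom the way the documentation describes."""
    in_zone, out_zone = PATH_ZONES[path.get("type")]
    i, o = path.get("i"), path.get("o")
    ins = [a for a, (z, _) in INTERFACES.items() if z == in_zone] if i == "*" else [i]
    for a in ins + [o]:
        if a not in INTERFACES:
            raise ValueError(f"unknown interface {a!r}")
    if any(INTERFACES[a][0] != in_zone for a in ins) or INTERFACES[o][0] != out_zone:
        raise ValueError("i or o is not in the zone required by the path type")
    limit_from = [n for n in path.get("limitFrom", "").split(",") if n]
    if not limit_from:   # default: the networks the incoming interface(s) belong to
        limit_from = sorted({n for a in ins for n in INTERFACES[a][1]})
    limit_to = [n for n in path.get("limitTo", "").split(",") if n]
    for n in limit_from + limit_to:
        if n not in NETWORKS:
            raise ValueError(f"unknown network {n!r}")
    return {"i": ins, "o": o, "limitFrom": limit_from, "limitTo": limit_to,
            "active": int(path.get("active") == "1"), "comment": path.get("comment", ""),
            "services": [service_flags(s) for s in path.findall("service")]}


def check_paths(xml_text):
    """Return (accepted zone paths, error messages) for a <paths> fragment."""
    accepted, errors = [], []
    for path in ET.fromstring(xml_text).findall("path"):
        try:
            accepted.append(expand_path(path))
        except ValueError as exc:
            errors.append(f"{path.get('comment')}: {exc}")
    return accepted, errors


if __name__ == "__main__":
    ok, bad = check_paths(SAMPLE_XML)
    print(ok)
    print(bad)
```

On the constructed sample the first path is accepted with i expanded to both dialin interfaces, limitFrom filled from their networks and dnatPort set to 80, while the two deliberately broken paths are reported instead of silently producing an ACCEPT or an unlogged DROP.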
The Perl Data Structure is defined as follows:
module => "VeryTight" - or VeryTight2
version => "2.1"
confFile => "" - The file name or the XML data if a string was passed in.
All <config>, <networks>, <reserved>, and <interfaces> entries go here and any other flags that are related to making the generated rules do what you want.
internal => 0 or 1 - Indicates if we are to support the internal (intranet) zone. Defaults to 1.
ipsec => 0 or 1 - Indicates if we are to support the ipsec (VPN) zone.
dmz => 0 or 1 - Indicates if we are to support the dmz zone.
dialin => 0 or 1 - Indicates if we are to support the dialin zone.
unclean => 0 or 1 - Do we do the unclean match? Defaults to 1.
tcpFlags => 0 or 1 - Do we do the tcp flag checks? Defaults to 1.
modular => 0 or 1, - Is the kernel modular? Defaults to 0.
moduleName => { - ftp, irc, tftp, amanda, etc.
active => 0 or 1,
params => "" - Any parameters to insmod with.
}
prefix => "FW: " - The default log message to use if nothing is specified.
level => "warning" - The syslog level to mark default log rules at. Will be used
for any <log> tags that do not specify a level.
This defines whether the section in question is to be limited or not.
taint => 1, - Invalid packets that get Logged and then DROPped.
reserved => 1, - Packets coming in the external interface that are not allowed on the Internet!
policy => 1, - Packets DROPped because they fell off the main chain.
reject => 1, - Packets REJECTed by the user.
normal => 1, - Packets asked to be LOGged by the user.
Any limits go here (logging, accepting, etc.) They will only be used if the limit value for them is 1.
taint => "20/m", - Invalid packets that get Logged and then DROPped.
reserved => "20/m", - Packets coming in the external interface that are not allowed on the Internet!
policy => "30/m", - Packets DROPped because they fell off the main chain.
reject => "30/m", - Packets REJECTed by the user.
normal => "30/m", - Packets asked to be LOGged by the user.
The network <addr> entries that the user specified go here, stored
by the index value with the hostname, IP Address or MAC Address in a hash of host, type, used, active
and comment entries.
Example:
"0" => { host => "0.0.0.0/0", type => "normal", used => "1", active => "1", comment => "" },
"1" => { host => "192.168.0.0/24", type => "normal", used => "0", active => "1", comment => "" },
"2" => { host => "192.168.1.0/24", type => "normal", used => "5", active => "1", comment => "" },
"3" => { host => "192.168.2.0/24", type => "normal", used => "2", active => "0", comment => "" },
"4" => { host => "192.168.10.0/24", type => "normal", used => "1", active => "1", comment => "" },
"5" => { host => "00:AF:12:34:BC:DE", type => "mac", used => "0", active => "1", comment => "" }
The used entry indicates how many paths are referencing this network entry.
The reserved <addr> entries that the user specified go here, stored
in the order specified. This is an array of hashes with the reserved entry stored as host, active, limitTo and comment values.
limitTo consists of an array of external aliases or is empty for all external interfaces.
Example:
[0] = { host => "10.0.0.0/8", active => "1", limitTo => [ "external" ], comment => "" },
[1] = { host => "192.168.0.0/16", active => "1", limitTo => [], comment => "" }
The interfaces are grouped under the zone that they are a member of. There should
not be any duplicates and they should not exist in more than one zone.
The aliasLookup hash will provide a quick alias to interface name lookup for the calling
program to figure out what the actual interface to work with should be.
"alias" => { name => "", ip => "IP Address or dynamic", network => [ "#" ], ipsec => "0 or 1", ipsecLimitFrom => [ "#" ], active => "0 or 1", comment => "" },
Here network is an array of the network index values specified by the user.
Here ipsecLimitFrom is an array of the network index values specified by the user.
If ip = "dynamic" then the interface is treated as a Dynamic interface.
Example:
"external" => { name => "eth0", ip => "1.1.1.1", network => [ "1" ], ipsec => "1", ipsecLimitFrom => [ "" ], active => "1", comment => "" },
This would configure interface eth0 (alias = external) to have an IP Address of 1.1.1.1, be a member of the network 192.168.0.0/24 and allow ipsec connections to be established to it from anywhere.
"alias" => { name => "", ip => "IP Address", network => [ "#" ], ipsec => "0 or 1", ipsecLimitFrom => [ "#" ], active => "0 or 1", comment => "" },
Here network is an array of the network index values specified by the user.
Here ipsecLimitFrom is an array of the network index values specified by the user.
Example:
"internal" => { name => "eth1", ip => "192.168.0.254", network => [ "1" ], ipsec => "0", ipsecLimitFrom => [ "" ], active => "1", comment => "" },
This would configure interface eth1 (alias = internal) to have an IP Address of 192.168.0.254, be a member of the network 192.168.0.0/24 and not allow ipsec connections to be established to it.
"alias" => { name => "", boundTo => "interface", network => [ "#" ], active => "0 or 1", comment => "" },
Here network is an array of the network index values specified by the user.
The boundTo attribute specifies the interface that we are going to get our IP Address from (it must be a defined
interface and have ipsec = 1).
Example:
"vpn" => { name => "ipsec0", boundTo => "eth1", network => [ "4" ], active => "1", comment => "" },
This would configure interface ipsec0 (alias = vpn) to have the same IP Address as interface eth1 (192.168.0.254), and allow traffic from network(s) 192.168.10.0/24.
"alias" => { name => "", ip => "IP Address", network => [ "#" ], ipsec => "0 or 1", ipsecLimitFrom => [ "#" ], active => "0 or 1", comment => "" },
Here network is an array of the network index values specified by the user.
Here ipsecLimitFrom is an array of the network index values specified by the user.
Example:
"dmz" => { name => "eth2", ip => "192.168.1.254", network => [ "2" ], ipsec => "0", ipsecLimitFrom => [ "" ], active => "1", comment => "" },
This would configure interface eth2 (alias = dmz) to have an IP Address of 192.168.1.254, be a member of the network 192.168.1.0/24 and not allow ipsec connections to be established to it.
"alias" => { name => "", ip => "IP Address", network => [ "#" ], ipsec => "0 or 1", ipsecLimitFrom => [ "#" ], active => "0 or 1", comment => "" },
Here network is an array of the network index values specified by the user.
Here ipsecLimitFrom is an array of the network index values specified by the user.
Example:
"dialin" => { name => "ppp0", ip => "192.168.2.254", network => [ "3" ], ipsec => "0", ipsecLimitFrom => [ "" ], active => "1", comment => "" },
This would configure interface ppp0 (alias = dialin) to have an IP Address of 192.168.2.254, be a member of the network 192.168.2.0/24 and not allow ipsec connections to be established to it.
The service definitions are grouped here by name (there cannot be duplicates in
the XML Config file).
To keep track of the order that the services were encountered in, the following entry will store
an array which indicates the order to process the services in.
servicesOrder => [ ],
Under the service is all the info tags that were defined in the XML
Config file. They are stored in the infos array.
Each index in the array will contain a hash that represents that tags
configuration.
comment => "",
infos => array of <info/> tag hashes
The structure of the <info/> tag hash is as follows:
{ proto => "", dport => "",
sport => "", icmpType => "" }
The serviceGroups are grouped here by name (there cannot be duplicates in
the XML Config file).
To keep track of the order that the service groups were encountered in, the following entry will store
an array which indicates the order to process the service groups in.
serviceGroupsOrder => [ ],
Under the serviceGroup is all the zone paths that were defined in the XML
Config file. They are stored in an array so that if there were more than 1
unique pathway defined (for the same zone path) we would have the information
available to implement them in the order specified (encountered in the XML).
Each index in the array will contain a hash that represents that tags
configuration.
To keep track of the order that zone paths were encountered in, the following entry will store
an array which indicates the order to process the zone paths in.
zonePathOrder => [ ],
comment => "",
active => 0 or 1,
The structure of the zone path data hash is as follows:
{ i => [], ip => "", o => [], limitFrom => "",
limitTo => "", reject => 0 or 1, queue => 0 or 1, dropNoLog => 0 or 1, dnat => 0 or 1,
dnatDestination => "network number", dnatZone => "internal, dmz, dialin, or ipsec",
dnatInterface => "interface", dnatPort => "",
redirect => 0 or 1, redirectPort => "", log => 0 or 1, logComment => "", logLevel => "",
service => ["service name"], active => 0 or 1, comment => "" }
All restrictions as specified in the XML Design documentation for the
<service/> <info> tags and the zone path tags must be met.
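The data structure above carries several cross-references that the restrictions say must hold: a network's used count must reflect the paths referencing it, an interface must not appear in more than one zone, an ipsec interface's boundTo must name a defined interface with ipsec = 1, a zone path's dnatZone must be one of the four zones with dnatInterface belonging to it, and the action flags must respect the mutual-exclusion rules. The following is an added example, not code from the VeryTight module: it models the hashes as Python dicts and runs those checks before the structure would be handed to rule generation. The data is constructed in the documented shape (it is not the page's own example verbatim) and includes one bad ipsec binding and one zone path that combines log with dropNoLog; treating limitFrom and limitTo as comma-separated network indexes, and counting each path once per network it references, are assumptions of this example.

```python
"""Consistency checks over the Perl data structure, modelled as Python dicts.
Added example, not VeryTight's own code."""

ZONES = ("internal", "dmz", "dialin", "ipsec")
ACTIONS = ("reject", "dropNoLog", "dnat", "redirect", "queue")


def net(host, active="1"):
    """One <networks> entry; used is recomputed by recount_used()."""
    return {"host": host, "type": "normal", "used": "0", "active": active, "comment": ""}


def iface(name, ip, network, ipsec="0"):
    """One non-ipsec interface entry in the documented shape."""
    return {"name": name, "ip": ip, "network": network, "ipsec": ipsec,
            "ipsecLimitFrom": [], "active": "1", "comment": ""}


def zpath(i, o, limit_from, limit_to, comment, **flags):
    """One zone path hash with every documented key present; flags override defaults."""
    base = {"i": i, "ip": "", "o": o, "limitFrom": limit_from, "limitTo": limit_to,
            "reject": 0, "queue": 0, "dropNoLog": 0, "dnat": 0, "dnatDestination": "",
            "dnatZone": "", "dnatInterface": "", "dnatPort": "", "redirect": 0,
            "redirectPort": "", "log": 0, "logComment": "", "logLevel": "",
            "service": [], "active": 1, "comment": comment}
    base.update(flags)
    return base


# Constructed data in the documented shape (not the page's own example).
DATA = {
    "networks": {"1": net("192.168.0.0/24"), "2": net("192.168.1.0/24"),
                 "3": net("192.168.2.0/24", active="0"), "4": net("192.168.10.0/24")},
    "interfaces": {
        "external": {"external": iface("eth0", "1.1.1.1", ["1"], ipsec="1")},
        "internal": {"internal": iface("eth1", "192.168.0.254", ["1"])},
        "dmz": {"dmz": iface("eth2", "192.168.1.254", ["2"])},
        "dialin": {"dialin": iface("ppp0", "192.168.2.254", ["3"])},
        "ipsec": {
            "vpn": {"name": "ipsec0", "boundTo": "eth0", "network": ["4"], "active": "1", "comment": ""},
            # eth1 has ipsec = 0, so this binding violates the boundTo restriction
            "vpn2": {"name": "ipsec1", "boundTo": "eth1", "network": ["4"], "active": "1", "comment": ""},
        },
    },
    "zonePaths": [
        zpath(["ppp0"], ["eth2"], "3", "2", "dialin to dmz web", dnat=1, dnatDestination="2",
              dnatZone="dmz", dnatInterface="eth2", dnatPort="80", log=1, logLevel="info",
              service=["www"]),
        # log together with dropNoLog is not allowed
        zpath(["ppp0"], ["ipsec0"], "3", "4,3", "bad dialin to vpn", dropNoLog=1, log=1,
              service=["ssh"]),
    ],
}


def _split(csv):
    return [n for n in csv.split(",") if n]


def interfaces_by_name(interfaces):
    """Map interface name -> (zone, entry), reporting names found in more than one zone."""
    seen, problems = {}, []
    for zone, entries in interfaces.items():
        for entry in entries.values():
            if entry["name"] in seen:
                problems.append(f"interface {entry['name']} is in both {seen[entry['name']][0]} and {zone}")
            seen[entry["name"]] = (zone, entry)
    return seen, problems


def recount_used(networks, zone_paths):
    """Recompute used: the number of zone paths referencing each network
    through limitFrom, limitTo or dnatDestination (each path counted once)."""
    counts, problems = {k: 0 for k in networks}, []
    for path in zone_paths:
        refs = set(_split(path["limitFrom"]) + _split(path["limitTo"]))
        if path["dnat"]:
            refs.add(path["dnatDestination"])
        for n in refs:
            if n in counts:
                counts[n] += 1
            else:
                problems.append(f"{path['comment']}: references undefined network {n!r}")
    for k, c in counts.items():
        networks[k]["used"] = str(c)
    return counts, problems


def validate(data):
    """Return the list of restriction violations; an empty list means consistent."""
    by_name, problems = interfaces_by_name(data["interfaces"])
    for alias, entry in data["interfaces"].get("ipsec", {}).items():
        target = by_name.get(entry["boundTo"])
        if target is None or target[1].get("ipsec") != "1":
            problems.append(f"ipsec interface {alias}: boundTo {entry['boundTo']!r} is not a defined interface with ipsec = 1")
    for path in data["zonePaths"]:
        label = path["comment"]
        if sum(path[a] for a in ACTIONS) > 1:
            problems.append(f"{label}: more than one of {ACTIONS} is set")
        if path["log"] and path["dropNoLog"]:
            problems.append(f"{label}: log cannot be combined with dropNoLog")
        if path["dnat"]:
            if path["dnatZone"] not in ZONES:
                problems.append(f"{label}: dnatZone {path['dnatZone']!r} is not a zone")
            elif by_name.get(path["dnatInterface"], (None,))[0] != path["dnatZone"]:
                problems.append(f"{label}: dnatInterface is not in zone {path['dnatZone']}")
    problems += recount_used(data["networks"], data["zonePaths"])[1]
    return problems


if __name__ == "__main__":
    for problem in validate(DATA):
        print(problem)
    print({k: v["used"] for k, v in DATA["networks"].items()})
```

Running it on the constructed data reports the vpn2 binding and the log-with-dropNoLog path, and leaves network 3 with used = 2, network 1 with used = 0 and networks 2 and 4 with used = 1, which is what the active paths actually reference.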
Version 1.1