-- ****************************************************************************
-- ****************************************************************************
--             Copyright(c) 2004 Mediatrix Telecom, Inc.
--  NOTICE:
--   This document contains information that is confidential and proprietary
--   to Mediatrix Telecom, Inc.
--   Mediatrix Telecom, Inc. reserves all rights to this document as well as
--   to the Intellectual Property of the document and the technology and
--   know-how that it includes and represents.
--   This publication cannot be reproduced, neither in whole nor in part in
--   any form whatsoever without written prior approval by
--   Mediatrix Telecom, Inc.
--   Mediatrix Telecom, Inc. reserves the right to revise this publication
--   and make changes at any time and without the obligation to notify any
--   person and/or entity of such revisions and/or changes.
-- ****************************************************************************
-- ****************************************************************************

MX-LFW-MIB
DEFINITIONS ::= BEGIN

IMPORTS
        MODULE-IDENTITY,
        OBJECT-TYPE,
        Unsigned32,
        Integer32
    FROM SNMPv2-SMI
        MODULE-COMPLIANCE,
        OBJECT-GROUP
    FROM SNMPv2-CONF
        MxEnableState,
        MxActivationState,
        MxIpHostName,
        MxIpAddress,
        MxIpPort,
        MxAdvancedIpPort,
        MxIpSubnetMask,
        MxDigitMap
    FROM MX-TC
        MxUInt64,
        MxFloat32,
        MxIpHostNamePort,
        MxIpAddr,
        MxIpAddrPort,
        MxIpAddrMask,
        MxUri,
        MxUrl
    FROM MX-TC2
        mediatrixServices
    FROM MX-SMI2;

lfwMIB MODULE-IDENTITY
 LAST-UPDATED   "1910210000Z"
 ORGANIZATION " Mediatrix Telecom, Inc. "
 CONTACT-INFO " Mediatrix Telecom, Inc.
                4229, Garlock Street
                Sherbrooke (Quebec)
                Canada
                Phone: (819) 829-8749
                "
 DESCRIPTION  " Local Firewall

                The Local Firewall (LFW) service allows the administrator to
                filter the network with the unit as final destination.
                "
 ::= { mediatrixServices 2200 }

lfwMIBObjects OBJECT IDENTIFIER ::= { lfwMIB 1 }

-- Scalar:Configuration Modified Status

configModifiedStatus OBJECT-TYPE
 SYNTAX        INTEGER { yes(100) , no(200) }
 MAX-ACCESS    read-only
 STATUS        current
 DESCRIPTION " Configuration Modified Status

               Shows whether or not the Local Firewall configuration has been
               modified without being applied.

                1. Yes: The configuration has been modified but it has not been
                   applied.
                2. No: The Local Firewall service uses the configured rules.

               Use the Lfw.ApplyConfig command to apply the configuration.

               "
 ::= { lfwMIBObjects 100 }

-- *****************************************************************************

-- Table:Local Rules Status

-- *****************************************************************************

localRulesStatusTable OBJECT-TYPE
 SYNTAX           SEQUENCE OF LocalRulesStatusEntry
 MAX-ACCESS       not-accessible
 STATUS           current
 DESCRIPTION    " Local Rules Status

                  This table shows the local rules applied in the firewall.
                  "
 ::= { lfwMIBObjects 200 }
 localRulesStatusEntry OBJECT-TYPE
  SYNTAX        LocalRulesStatusEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION " A row in table Local Rules Status. "
  INDEX         {
                  localRulesStatusPriority
                }

  ::= { localRulesStatusTable 1 }

 LocalRulesStatusEntry ::= SEQUENCE
 {
   localRulesStatusPriority            Unsigned32,
   localRulesStatusSourceAddress       OCTET STRING,
   localRulesStatusSourcePort          OCTET STRING,
   localRulesStatusDestinationAddress  OCTET STRING,
   localRulesStatusDestinationPort     OCTET STRING,
   localRulesStatusProtocol            INTEGER,
   localRulesStatusBlacklistEnable     MxEnableState,
   localRulesStatusRateLimitValue      Unsigned32,
   localRulesStatusRateLimitTimePeriod Unsigned32,
   localRulesStatusAction              INTEGER
 }

 -- Index:Rule priority

 localRulesStatusPriority OBJECT-TYPE
  SYNTAX        Unsigned32
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Rule priority

                Unique identifier of the row in the table.
                "
  ::= { localRulesStatusEntry 100 }

 -- Columnar:Source Address

 localRulesStatusSourceAddress OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Source Address

                Source address[/mask] criteria an incoming packet must have to
                match this rule.

                An empty string matches any address.

                "
  ::= { localRulesStatusEntry 200 }

 -- Columnar:Source Port

 localRulesStatusSourcePort OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Source Port

                Source port[-port] criteria an incoming packet must have to
                match this rule.

                MinPort-MaxPort specifies a port range.

                An empty string means that no filtering is applied on the
                source port thus matching any port.

                This parameter is only effective when the
                LocalRulesStatus.Protocol parameter is set to Tcp or Udp.

                "
  ::= { localRulesStatusEntry 300 }

 -- Columnar:Destination Address

 localRulesStatusDestinationAddress OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Destination Address

                Destination address[/mask] criteria an incoming packet must
                have to match this rule.

                An empty string matches any address.

                "
  ::= { localRulesStatusEntry 400 }

 -- Columnar:Destination Port

 localRulesStatusDestinationPort OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Destination Port

                Destination port[-port] criteria an incoming packet must have
                to match this rule.

                MinPort-MaxPort specifies a port range.

                An empty string means that no filtering is applied on the
                destination port thus matching any port.

                This parameter is only effective when the
                LocalRulesStatus.Protocol parameter is set to Tcp or Udp.

                "
  ::= { localRulesStatusEntry 500 }

 -- Columnar:Protocol

 localRulesStatusProtocol OBJECT-TYPE
  SYNTAX        INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) }
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Protocol

                Protocol criteria an incoming packet must have to match this
                rule.

                The protocol can be one of the following:

                  * All: Match packets using any protocols.
                  * Tcp: Only match TCP packets.
                  * Udp: Only match UDP packets.
                  * Icmp: Only match ICMP packets.

                "
  DEFVAL        { all }
  ::= { localRulesStatusEntry 600 }

 -- Columnar:Blacklist Enable

 localRulesStatusBlacklistEnable OBJECT-TYPE
  SYNTAX        MxEnableState
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Blacklist Enable

                Indicates if blacklisting is enabled for this rule.

                  * Enable: When a packet establishing a connection matches
                    this rule, the action is executed and the source IP address
                    is added to the blacklist.
                  * Disable: When a packet establishing a connection matches
                    this rule, the action is executed but the source IP address
                    is not added to the blacklist.

                Note: If rate limiting is enabled for this rule, blacklisted IP
                addresses are added to the rate limit blacklist.
                "
  ::= { localRulesStatusEntry 620 }

 -- Columnar:Rate Limit Value

 localRulesStatusRateLimitValue OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..5000 )
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Rate Limit Value

                Number of new connections allowed to match this rule from a
                single source IP address within a certain time period.
                "
  ::= { localRulesStatusEntry 650 }

 -- Columnar:Rate Limit Time Period

 localRulesStatusRateLimitTimePeriod OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..86400 )
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Rate Limit Time Period

                The time period on which to base the rate limit. This period is
                expressed in seconds.

                Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60
                means a limit of 10 new connections per minute.

                "
  ::= { localRulesStatusEntry 680 }

 -- Columnar:Action

 localRulesStatusAction OBJECT-TYPE
  SYNTAX        INTEGER { accept(100) , reject(200) , drop(300) ,
                rateLimitPerSource(400) }
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Action

                Action taken when this rule matches a packet.

                Action can be one of the following:

                  * Accept: Let the packet through.
                  * Reject: Send back an ICMP port unreachable in response to
                    the matched packet, the packet is then dropped.
                  * Drop: The packet is dropped without any notification.
                  * RateLimitPerSource: Drop the packets received from a given
                    source IP address when it exceeds a configurable rate. The
                    rate is set using the RateLimitValue and
                    RateLimitTimePeriod parameters.

                    Note: This action is only allowed when the ConnectionState
                    parameter is set to 'New'.

                "
  ::= { localRulesStatusEntry 700 }

-- End of table:Local Rules Status

-- Scalar:Local Firewall Default Policy

defaultPolicy OBJECT-TYPE
 SYNTAX        INTEGER { accept(100) , drop(300) }
 MAX-ACCESS    read-write
 STATUS        current
 DESCRIPTION " Local Firewall Default Policy

               Action taken when a packet does not match any rule.

               Default policy can be one of the following:

                 * Accept: Let the packet through.
                 * Drop: The packet is dropped without any notification.

               Make sure that there are some rules with Action set to 'Accept'
               in the local firewall BEFORE applying changes that will set the
               default policy to 'Drop'. Failing to comply with this warning
               results in losing contact with the unit and a partial or factory
               reset is required.

               To have no filtering applied to incoming packets, set the
               default policy to 'Accept' and remove all rules from the local
               firewall.

               "
 DEFVAL        { accept }
 ::= { lfwMIBObjects 550 }

-- *****************************************************************************

-- Table:Local Rules

-- *****************************************************************************

localRulesTable OBJECT-TYPE
 SYNTAX               SEQUENCE OF LocalRulesEntry
 MAX-ACCESS           not-accessible
 STATUS               current
 DESCRIPTION        " Local Rules

                      This table shows the configured local rules for the
                      firewall.
                      "
 ::= { lfwMIBObjects 600 }
 localRulesEntry OBJECT-TYPE
  SYNTAX        LocalRulesEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION " A row in table Local Rules. "
  INDEX         {
                  localRulesPriority
                }

  ::= { localRulesTable 1 }

 LocalRulesEntry ::= SEQUENCE
 {
   localRulesPriority            Unsigned32,
   localRulesActivation          MxEnableState,
   localRulesSourceAddress       OCTET STRING,
   localRulesSourcePort          OCTET STRING,
   localRulesDestinationAddress  OCTET STRING,
   localRulesDestinationPort     OCTET STRING,
   localRulesProtocol            INTEGER,
   localRulesBlacklistEnable     MxEnableState,
   localRulesRateLimitValue      Unsigned32,
   localRulesRateLimitTimePeriod Unsigned32,
   localRulesAction              INTEGER,
   localRulesUp                  INTEGER,
   localRulesDown                INTEGER,
   localRulesInsert              INTEGER,
   localRulesDelete              INTEGER
 }

 -- Index:Rule Priority

 localRulesPriority OBJECT-TYPE
  SYNTAX        Unsigned32
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Rule Priority

                Unique identifier of the row in the table.
                "
  ::= { localRulesEntry 100 }

 -- Row command:Down

 localRulesDown OBJECT-TYPE
  SYNTAX        INTEGER { noOp(0), down(10) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Down

                Moves the current row downwards.
                "
  DEFVAL        { noOp }
  ::= { localRulesEntry 1000 }

 -- Row command:Insert

 localRulesInsert OBJECT-TYPE
  SYNTAX        INTEGER { noOp(0), insert(10) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Insert

                Inserts a new row before this row.
                "
  DEFVAL        { noOp }
  ::= { localRulesEntry 1100 }

 -- Row command:Delete

 localRulesDelete OBJECT-TYPE
  SYNTAX        INTEGER { noOp(0), delete(10) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Delete

                Deletes this row.
                "
  DEFVAL        { noOp }
  ::= { localRulesEntry 1200 }

 -- Columnar:Activation

 localRulesActivation OBJECT-TYPE
  SYNTAX        MxEnableState
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Activation

                Current activation state for this rule.

                  * Enable: This rule is active in the firewall.
                  * Disable: This rule is not in the firewall.

                "
  DEFVAL        { disable }
  ::= { localRulesEntry 200 }

 -- Columnar:Source Address

 localRulesSourceAddress OBJECT-TYPE
  SYNTAX        OCTET STRING ( SIZE(0..51) )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Source Address

                Source address of the incoming packet using the following
                format: address[/mask] or network interface name/.

                The address can either be a network IP address (using /mask) or
                one of the host IP addresses.

                When specifying a network interface name, it is mandatory to
                use the suffix '/'. Doing so indicates that the network address
                of this interface is used instead of the host address. Also, it
                must match one of the values in the
                networkInterfacesStatusTable.InterfaceName parameter from the
                Basic Network Interface (BNI) service. Note that if the
                specified network interface is disabled or removed, the rule is
                automatically disabled thus removed from the firewall. When the
                network interface is enabled or added back, the rule is
                automatically enabled and applied in the firewall.

                Mask must be a plain number specifying the number of binary 1s
                at the left side of the network mask. E.g.: a mask of 24
                specifies a network mask of 255.255.255.0.

                Leaving the default empty string matches any address.

                "
  DEFVAL        { "" }
  ::= { localRulesEntry 300 }

 -- Columnar:Source Port

 localRulesSourcePort OBJECT-TYPE
  SYNTAX        OCTET STRING ( SIZE(0..11) )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Source Port

                Source port of the incoming packet using the following format:
                port[-port].

                MinPort-MaxPort specifies a port range.

                The default empty string means that no filtering is applied on
                the source port thus matching any port.

                This parameter is only effective when the LocalRules.Protocol
                parameter is set to Tcp or Udp.

                "
  DEFVAL        { "" }
  ::= { localRulesEntry 400 }

 -- Columnar:Destination Address

 localRulesDestinationAddress OBJECT-TYPE
  SYNTAX        OCTET STRING ( SIZE(0..51) )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Destination Address

                Destination address of the incoming packet using the following
                format: address or network interface name.

                The address must be one of the host IP addresses. Specifying a
                network address here is invalid since this is a local firewall.

                When specifying a network interface name, the host address of
                this interface is used. Also, it must match one of the values
                in the networkInterfacesStatusTable.InterfaceName parameter
                from the Basic Network Interface (BNI) service. Note that if
                the specified network interface is disabled or removed, the
                rule is automatically disabled thus removed from the firewall.
                When the network interface is enabled or added back, the rule
                is automatically enabled and applied in the firewall.

                Leaving the default empty string matches any address.

                "
  DEFVAL        { "" }
  ::= { localRulesEntry 500 }

 -- Columnar:Destination Port

 localRulesDestinationPort OBJECT-TYPE
  SYNTAX        OCTET STRING ( SIZE(0..11) )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Destination Port

                Destination port of the incoming packet using the following
                format: port[-port].

                MinPort-MaxPort specifies a port range.

                The default empty string means that no filtering is applied on
                the destination port thus matching any port.

                This parameter is only effective when the LocalRules.Protocol
                parameter is set to Tcp or Udp.

                "
  DEFVAL        { "" }
  ::= { localRulesEntry 600 }

 -- Columnar:Protocol

 localRulesProtocol OBJECT-TYPE
  SYNTAX        INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Protocol

                Protocol of the incoming packet.

                The protocol can be one of the following:

                  * All: Match packets using any protocols.
                  * Tcp: Only match TCP packets.
                  * Udp: Only match UDP packets.
                  * Icmp: Only match ICMP packets.

                "
  DEFVAL        { all }
  ::= { localRulesEntry 700 }

 -- Columnar:Blacklist Enable

 localRulesBlacklistEnable OBJECT-TYPE
  SYNTAX        MxEnableState
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Blacklist Enable

                Indicates if blacklisting is enabled for this rule.

                  * Enable: When a packet establishing a connection matches
                    this rule, the action is executed and the source IP address
                    is added to the blacklist.
                  * Disable: When a packet establishing a connection matches
                    this rule, the action is executed but the source IP address
                    is not added to the blacklist.

                Note: If rate limiting is enabled for this rule, blacklisted IP
                addresses are added to the rate limit blacklist.
                "
  DEFVAL        { disable }
  ::= { localRulesEntry 720 }

 -- Columnar:Rate Limit Value

 localRulesRateLimitValue OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..5000 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Rate Limit Value

                Number of new connections allowed to match this rule from a
                single source IP address within a certain time period.
                "
  DEFVAL        { 10 }
  ::= { localRulesEntry 750 }

 -- Columnar:Rate Limit Time Period

 localRulesRateLimitTimePeriod OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..86400 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Rate Limit Time Period

                The time period on which to base the rate limit. This period is
                expressed in seconds.

                Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60
                means a limit of 10 new connections per minute.

                "
  DEFVAL        { 60 }
  ::= { localRulesEntry 780 }

 -- Columnar:Action

 localRulesAction OBJECT-TYPE
  SYNTAX        INTEGER { accept(100) , reject(200) , drop(300) ,
                rateLimitPerSource(400) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Action

                Action taken when this rule matches a packet.

                Action can be one of the following:

                  * Accept: Let the packet through.
                  * Reject: Send back an ICMP port unreachable in response to
                    the matched packet, the packet is then dropped.
                  * Drop: The packet is dropped without any notification.
                  * RateLimitPerSource: Drop the packets received from a given
                    source IP address when it exceeds a configurable rate. The
                    rate is set using the RateLimitValue and
                    RateLimitTimePeriod parameters.

                    Note: This action is only allowed when the ConnectionState
                    parameter is set to 'New'.

                "
  DEFVAL        { accept }
  ::= { localRulesEntry 800 }

 -- Row command:Up

 localRulesUp OBJECT-TYPE
  SYNTAX        INTEGER { noOp(0), up(10) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Up

                Moves the current row upwards.
                "
  DEFVAL        { noOp }
  ::= { localRulesEntry 900 }

-- End of table:Local Rules

-- ****************************************************************************

-- Group:Blacklist

-- ****************************************************************************

blacklistGroup OBJECT IDENTIFIER
 ::= { lfwMIBObjects 700 }
 -- Scalar:Blacklist Timeout

 blacklistTimeout OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..86400 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Blacklist Timeout

                The time an address stays in the blacklist. If Lfw receives a
                packet from a blacklisted source, the packet is dropped and
                the remaining blacklist time is reset to this value.

                The time units are seconds.

                "
  DEFVAL        { 60 }
  ::= { blacklistGroup 100 }

 -- Scalar:Blacklist Rate Limit Timeout

 blacklistRateLimitTimeout OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..86400 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Blacklist Rate Limit Timeout

                The time an address stays in the 'rate limit' blacklist. If
                Lfw receives a packet from a 'rate limit' blacklisted source,
                the packet is dropped but the remaining blacklist time is not
                reset.

                The time units are seconds.

                "
  DEFVAL        { 60 }
  ::= { blacklistGroup 200 }

-- End of group:Blacklist

-- ****************************************************************************

-- Group:Notification Messages Configuration

-- ****************************************************************************

notificationsGroup OBJECT IDENTIFIER
 ::= { lfwMIBObjects 60010 }
 -- Scalar:Minimal Severity of Notification

 minSeverity OBJECT-TYPE
  SYNTAX        INTEGER { disable(0) , debug(100) , info(200) , warning(300) ,
                error(400) , critical (500) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Minimal Severity of Notification

                Sets the minimal severity to issue a notification message
                incoming from this service.

                  * Disable: No notification is issued.
                  * Debug: All notification messages are issued.
                  * Info: Notification messages with a 'Informational' and
                    higher severity are issued.
                  * Warning: Notification messages with a 'Warning' and higher
                    severity are issued.
                  * Error: Notification messages with an 'Error' and higher
                    severity are issued.
                  * Critical: Notification messages with a 'Critical' severity
                    are issued.

                "
  DEFVAL        { warning }
  ::= { notificationsGroup 100 }

-- End of group:Notification Messages Configuration

-- ****************************************************************************

-- Group:Configuration Settings

-- ****************************************************************************

configurationGroup OBJECT IDENTIFIER
 ::= { lfwMIBObjects 60020 }
 -- Scalar:Need Restart

 needRestartInfo OBJECT-TYPE
  SYNTAX        INTEGER { no(0) , yes(100) }
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Need Restart

                Indicates if the service needs to be restarted for the
                configuration to fully take effect.

                  * Yes: Service needs to be restarted.
                  * No: Service does not need to be restarted.

                Services can be restarted by using the
                Scm.ServiceCommands.Restart command.

                "
  ::= { configurationGroup 100 }

-- End of group:Configuration Settings

END
