-- ****************************************************************************
-- ****************************************************************************
--             Copyright(c) 2004 Mediatrix Telecom, Inc.
--  NOTICE:
--   This document contains information that is confidential and proprietary
--   to Mediatrix Telecom, Inc.
--   Mediatrix Telecom, Inc. reserves all rights to this document as well as
--   to the Intellectual Property of the document and the technology and
--   know-how that it includes and represents.
--   This publication cannot be reproduced, neither in whole nor in part in
--   any form whatsoever without written prior approval by
--   Mediatrix Telecom, Inc.
--   Mediatrix Telecom, Inc. reserves the right to revise this publication
--   and make changes at any time and without the obligation to notify any
--   person and/or entity of such revisions and/or changes.
-- ****************************************************************************
-- ****************************************************************************

MX-NFW-MIB
DEFINITIONS ::= BEGIN

IMPORTS
        MODULE-IDENTITY,
        OBJECT-TYPE,
        Unsigned32,
        Integer32
    FROM SNMPv2-SMI
        MODULE-COMPLIANCE,
        OBJECT-GROUP
    FROM SNMPv2-CONF
        MxEnableState,
        MxActivationState,
        MxIpHostName,
        MxIpAddress,
        MxIpPort,
        MxAdvancedIpPort,
        MxIpSubnetMask,
        MxDigitMap
    FROM MX-TC
        MxUInt64,
        MxFloat32,
        MxIpHostNamePort,
        MxIpAddr,
        MxIpAddrPort,
        MxIpAddrMask,
        MxUri,
        MxUrl
    FROM MX-TC2
        mediatrixServices
    FROM MX-SMI2;

nfwMIB MODULE-IDENTITY
 LAST-UPDATED   "1910210000Z"
 ORGANIZATION " Mediatrix Telecom, Inc. "
 CONTACT-INFO " Mediatrix Telecom, Inc.
                4229, Garlock Street
                Sherbrooke (Quebec)
                Canada
                Phone: (819) 829-8749
                "
 DESCRIPTION  " Network Firewall

                The Network Firewall (NFW) service allows the administrator to
                filter traffic that is routed between networks.
                "
 ::= { mediatrixServices 2250 }

nfwMIBObjects OBJECT IDENTIFIER ::= { nfwMIB 1 }

-- Scalar:Configuration Modified Status

configModifiedStatus OBJECT-TYPE
 SYNTAX        INTEGER { yes(100) , no(200) }
 MAX-ACCESS    read-only
 STATUS        current
 DESCRIPTION " Configuration Modified Status

               Shows whether or not the Network Firewall configuration has been
               modified without being applied.

                1. Yes: The configuration has been modified but it has not been
                   applied.
                2. No: The Network Firewall service uses the configured rules.

               Use the Nfw.ApplyConfig command to apply the configuration.

               "
 ::= { nfwMIBObjects 100 }

-- *****************************************************************************

-- Table:Network Rules Status

-- *****************************************************************************

networkRulesStatusTable OBJECT-TYPE
 SYNTAX         SEQUENCE OF NetworkRulesStatusEntry
 MAX-ACCESS     not-accessible
 STATUS         current
 DESCRIPTION  " Network Rules Status

                This table shows the network rules applied in the firewall.
                "
 ::= { nfwMIBObjects 200 }
 networkRulesStatusEntry OBJECT-TYPE
  SYNTAX        NetworkRulesStatusEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION " A row in table Network Rules Status. "
  INDEX         {
                  networkRulesStatusPriority
                }

  ::= { networkRulesStatusTable 1 }

 NetworkRulesStatusEntry ::= SEQUENCE
 {
   networkRulesStatusPriority            Unsigned32,
   networkRulesStatusSourceAddress       OCTET STRING,
   networkRulesStatusSourcePort          OCTET STRING,
   networkRulesStatusDestinationAddress  OCTET STRING,
   networkRulesStatusDestinationPort     OCTET STRING,
   networkRulesStatusProtocol            INTEGER,
   networkRulesStatusConnectionState     INTEGER,
   networkRulesStatusBlacklistEnable     MxEnableState,
   networkRulesStatusRateLimitValue      Unsigned32,
   networkRulesStatusRateLimitTimePeriod Unsigned32,
   networkRulesStatusAction              INTEGER
 }

 -- Index:Rule Priority

 networkRulesStatusPriority OBJECT-TYPE
  SYNTAX        Unsigned32
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Rule Priority

                Unique identifier of the row in the table.
                "
  ::= { networkRulesStatusEntry 100 }

 -- Columnar:Source Address

 networkRulesStatusSourceAddress OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Source Address

                Source address[/mask] criteria an incoming packet must have to
                match this rule.

                An empty string matches any address.

                "
  ::= { networkRulesStatusEntry 200 }

 -- Columnar:Source Port

 networkRulesStatusSourcePort OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Source Port

                Source port[-port] criteria an incoming packet must have to
                match this rule.

                MinPort-MaxPort specifies a port range.

                An empty string means that no filtering is applied on the
                source port thus matching any port.

                This parameter is only effective when the
                NetworkRulesStatus.Protocol parameter is set to Tcp or Udp.

                "
  ::= { networkRulesStatusEntry 300 }

 -- Columnar:Destination Address

 networkRulesStatusDestinationAddress OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Destination Address

                Destination address[/mask] criteria an incoming packet must
                have to match this rule.

                An empty string matches any address.

                "
  ::= { networkRulesStatusEntry 400 }

 -- Columnar:Destination Port

 networkRulesStatusDestinationPort OBJECT-TYPE
  SYNTAX        OCTET STRING
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Destination Port

                Destination port[-port] criteria an incoming packet must have
                to match this rule.

                MinPort-MaxPort specifies a port range.

                An empty string means that no filtering is applied on the
                destination port thus matching any port.

                This parameter is only effective when the
                NetworkRulesStatus.Protocol parameter is set to Tcp or Udp.

                "
  ::= { networkRulesStatusEntry 500 }

 -- Columnar:Protocol

 networkRulesStatusProtocol OBJECT-TYPE
  SYNTAX        INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) }
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Protocol

                Protocol criteria an incoming packet must have to match this
                rule.

                The protocol can be one of the following:

                  * All: Match packets using any protocols.
                  * Tcp: Only match TCP packets.
                  * Udp: Only match UDP packets.
                  * Icmp: Only match ICMP packets.

                "
  ::= { networkRulesStatusEntry 600 }

 -- Columnar:Connection State

 networkRulesStatusConnectionState OBJECT-TYPE
  SYNTAX        INTEGER { all(100) , new(200) , establishedOrRelated(300) }
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Connection State

                Connection state associated with the incoming packet.

                The connection state can be one of the following:

                  * All: Match packets in any state.
                  * New: Match packets that are not part of an existing
                    connection.
                  * EstablishedOrRelated: Match packets that are part of an
                    existing connection.

                "
  DEFVAL        { all }
  ::= { networkRulesStatusEntry 650 }

 -- Columnar:Blacklist Enable

 networkRulesStatusBlacklistEnable OBJECT-TYPE
  SYNTAX        MxEnableState
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Blacklist Enable

                Indicates if blacklisting is enabled for this rule.

                  * Enable: When a packet establishing a connection matches
                    this rule, the action is executed and the source IP address
                    is added to the blacklist.
                  * Disable: When a packet establishing a connection matches
                    this rule, the action is executed but the source IP address
                    is not added to the blacklist.

                Note: If rate limiting is enabled for this rule, blacklisted IP
                addresses are added to the rate limit blacklist.
                "
  ::= { networkRulesStatusEntry 660 }

 -- Columnar:Rate Limit Value

 networkRulesStatusRateLimitValue OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..5000 )
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Rate Limit Value

                Number of packets allowed to match this rule from a single
                source IP address within a certain time period.
                "
  ::= { networkRulesStatusEntry 670 }

 -- Columnar:Rate Limit Time Period

 networkRulesStatusRateLimitTimePeriod OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..86400 )
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Rate Limit Time Period

                The time period on which to base the rate limit. This period is
                expressed in seconds.

                Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60
                means a limit of 10 new connections per minute.

                "
  ::= { networkRulesStatusEntry 680 }

 -- Columnar:Action

 networkRulesStatusAction OBJECT-TYPE
  SYNTAX        INTEGER { accept(100) , reject(200) , drop(300) ,
                rateLimitPerSource(400) }
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Action

                Action taken when this rule matches a packet.

                Action can be one of the following:

                  * Accept: Let the packet through.
                  * Reject: Send back an ICMP port unreachable in response to
                    the matched packet, the packet is then dropped.
                  * Drop: The packet is dropped without any notification.

                "
  ::= { networkRulesStatusEntry 700 }

-- End of table:Network Rules Status

-- Scalar:Network Firewall Default Policy

defaultPolicy OBJECT-TYPE
 SYNTAX        INTEGER { accept(100) , drop(300) }
 MAX-ACCESS    read-write
 STATUS        current
 DESCRIPTION " Network Firewall Default Policy

               Action taken when a packet does not match any rule.

               Default policy can be one of the following:

                 * Accept: Let the packet through.
                 * Drop: The packet is dropped without any notification.

               To have no filtering applied to forwarded packets, set the
               default policy to 'Accept' and remove all rules from the network
               firewall.

               "
 DEFVAL        { drop }
 ::= { nfwMIBObjects 550 }

-- *****************************************************************************

-- Table:Network Rules

-- *****************************************************************************

networkRulesTable OBJECT-TYPE
 SYNTAX              SEQUENCE OF NetworkRulesEntry
 MAX-ACCESS          not-accessible
 STATUS              current
 DESCRIPTION       " Network Rules

                     This table shows the configured network rules for the
                     firewall.
                     "
 ::= { nfwMIBObjects 600 }
 networkRulesEntry OBJECT-TYPE
  SYNTAX        NetworkRulesEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION " A row in table Network Rules. "
  INDEX         {
                  networkRulesPriority
                }

  ::= { networkRulesTable 1 }

 NetworkRulesEntry ::= SEQUENCE
 {
   networkRulesPriority            Unsigned32,
   networkRulesActivation          MxEnableState,
   networkRulesSourceAddress       OCTET STRING,
   networkRulesSourcePort          OCTET STRING,
   networkRulesDestinationAddress  OCTET STRING,
   networkRulesDestinationPort     OCTET STRING,
   networkRulesProtocol            INTEGER,
   networkRulesBlacklistEnable     MxEnableState,
   networkRulesRateLimitValue      Unsigned32,
   networkRulesRateLimitTimePeriod Unsigned32,
   networkRulesConnectionState     INTEGER,
   networkRulesAction              INTEGER,
   networkRulesUp                  INTEGER,
   networkRulesDown                INTEGER,
   networkRulesInsert              INTEGER,
   networkRulesDelete              INTEGER
 }

 -- Index:Rule Priority

 networkRulesPriority OBJECT-TYPE
  SYNTAX        Unsigned32
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Rule Priority

                Unique identifier of the row in the table.
                "
  ::= { networkRulesEntry 100 }

 -- Row command:Down

 networkRulesDown OBJECT-TYPE
  SYNTAX        INTEGER { noOp(0), down(10) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Down

                Moves the current row downwards.
                "
  DEFVAL        { noOp }
  ::= { networkRulesEntry 1000 }

 -- Row command:Insert

 networkRulesInsert OBJECT-TYPE
  SYNTAX        INTEGER { noOp(0), insert(10) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Insert

                Inserts a new row before this row.
                "
  DEFVAL        { noOp }
  ::= { networkRulesEntry 1100 }

 -- Row command:Delete

 networkRulesDelete OBJECT-TYPE
  SYNTAX        INTEGER { noOp(0), delete(10) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Delete

                Deletes this row.
                "
  DEFVAL        { noOp }
  ::= { networkRulesEntry 1200 }

 -- Columnar:Activation

 networkRulesActivation OBJECT-TYPE
  SYNTAX        MxEnableState
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Activation

                Activates this rule.

                  * Enable: This rule is active in the firewall.
                  * Disable: This rule is not in the firewall.

                "
  DEFVAL        { disable }
  ::= { networkRulesEntry 200 }

 -- Columnar:Source Address

 networkRulesSourceAddress OBJECT-TYPE
  SYNTAX        OCTET STRING ( SIZE(0..51) )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Source Address

                Source address of the incoming packet using the following
                format: address[/mask] or network interface name/.

                Address can be either a network IP address (using /mask) or one
                of the host IP addresses.

                When specifying a network interface name, it is mandatory to
                use the suffix '/'. Doing so indicates that the network address
                of this interface is used instead of the host address. Also, it
                must match one of the values in the
                networkInterfacesStatusTable.InterfaceName parameter from the
                Basic Network Interface (BNI) service. Note that if the
                specified network interface is disabled or removed, the rule is
                automatically disabled thus removed from the firewall. When the
                network interface is enabled or added back, the rule is
                automatically enabled and applied in the firewall.

                Mask must be a plain number specifying the number of binary 1s
                at the left side of the network mask. E.g.: a mask of 24
                specifies a network mask of 255.255.255.0.

                Leaving the default empty string matches any address.

                "
  DEFVAL        { "" }
  ::= { networkRulesEntry 300 }

 -- Columnar:Source Port

 networkRulesSourcePort OBJECT-TYPE
  SYNTAX        OCTET STRING ( SIZE(0..11) )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Source Port

                Source port of the incoming packet using the following format:
                port[-port].

                MinPort-MaxPort specifies a port range.

                The default empty string means that no filtering is applied on
                the source port thus matching any port.

                This parameter is only effective when the NetworkRules.Protocol
                parameter is set to Tcp or Udp.

                "
  DEFVAL        { "" }
  ::= { networkRulesEntry 400 }

 -- Columnar:Destination Address

 networkRulesDestinationAddress OBJECT-TYPE
  SYNTAX        OCTET STRING ( SIZE(0..51) )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Destination Address

                Destination address of the incoming packet using the following
                format: address[/mask] or network interface name/.

                The address can either be a network IP address (using /mask) or
                one of the host IP addresses.

                When specifying a network interface name, it is mandatory to
                use the suffix '/'. Doing so indicates that the network address
                of this interface is used instead of the host address. Also, it
                must match one of the values in the
                networkInterfacesStatusTable.InterfaceName parameter from the
                Basic Network Interface (BNI) service. Note that if the
                specified network interface is disabled or removed, the rule is
                automatically disabled thus removed from the firewall. When the
                network interface is enabled or added back, the rule is
                automatically enabled and applied in the firewall.

                Mask must be a plain number specifying the number of binary 1s
                at the left side of the network mask. E.g.: a mask of 24
                specifies a network mask of 255.255.255.0.

                Leaving the default empty string matches any address.

                "
  DEFVAL        { "" }
  ::= { networkRulesEntry 500 }

 -- Columnar:Destination Port

 networkRulesDestinationPort OBJECT-TYPE
  SYNTAX        OCTET STRING ( SIZE(0..11) )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Destination Port

                Destination port of the incoming packet using the following
                format: port[-port].

                MinPort-MaxPort specifies a port range.

                The default empty string means that no filtering is applied on
                the destination port thus matching any port.

                This parameter is only effective when the NetworkRules.Protocol
                parameter is set to Tcp or Udp.

                "
  DEFVAL        { "" }
  ::= { networkRulesEntry 600 }

 -- Columnar:Protocol

 networkRulesProtocol OBJECT-TYPE
  SYNTAX        INTEGER { all(100) , tcp(200) , udp(300) , icmp(400) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Protocol

                Protocol of the incoming packet.

                The protocol can be one of the following:

                  * All: Match packets using any protocols.
                  * Tcp: Only match TCP packets.
                  * Udp: Only match UDP packets.
                  * Icmp: Only match ICMP packets.

                "
  DEFVAL        { all }
  ::= { networkRulesEntry 700 }

 -- Columnar:Blacklist Enable

 networkRulesBlacklistEnable OBJECT-TYPE
  SYNTAX        MxEnableState
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Blacklist Enable

                Indicates if blacklisting is enabled for this rule.

                  * Enable: When a packet establishing a connection matches
                    this rule, the action is executed and the source IP address
                    is added to the blacklist.
                  * Disable: When a packet establishing a connection matches
                    this rule, the action is executed but the source IP address
                    is not added to the blacklist.

                Note: If rate limiting is enabled for this rule, blacklisted IP
                addresses are added to the rate limit blacklist.
                "
  DEFVAL        { disable }
  ::= { networkRulesEntry 720 }

 -- Columnar:Rate Limit Value

 networkRulesRateLimitValue OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..5000 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Rate Limit Value

                Number of packets allowed to match this rule from a single
                source IP address within a certain time period.
                "
  DEFVAL        { 10 }
  ::= { networkRulesEntry 730 }

 -- Columnar:Rate Limit Time Period

 networkRulesRateLimitTimePeriod OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..86400 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Rate Limit Time Period

                The time period on which to base the rate limit. This period is
                expressed in seconds.

                Ex.: a RateLimitValue of 10 and a RateLimitTimePeriod of 60
                means a limit of 10 packets per minute.

                "
  DEFVAL        { 60 }
  ::= { networkRulesEntry 740 }

 -- Columnar:Connection State

 networkRulesConnectionState OBJECT-TYPE
  SYNTAX        INTEGER { all(100) , new(200) , establishedOrRelated(300) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Connection State

                Connection state associated with the incoming packet.

                The connection state can be one of the following:

                  * All: Match packets in any state.
                  * New: Match packets that are not part of an existing
                    connection.
                  * EstablishedOrRelated: Match packets that are part of an
                    existing connection.

                "
  DEFVAL        { all }
  ::= { networkRulesEntry 750 }

 -- Columnar:Action

 networkRulesAction OBJECT-TYPE
  SYNTAX        INTEGER { accept(100) , reject(200) , drop(300) ,
                rateLimitPerSource(400) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Action

                Action taken when this rule matches a packet.

                Action can be one of the following:

                  * Accept: Let the packet through.
                  * Reject: Send back an ICMP port unreachable in response to
                    the matched packet, the packet is then dropped.
                  * Drop: The packet is dropped without any notification.
                  * RateLimitPerSource: Drop the packets received from a given
                    source IP address when it exceeds a configurable rate. The
                    rate is set using the RateLimitValue and
                    RateLimitTimePeriod parameters.

                    Note: This action is only allowed when the ConnectionState
                    parameter is set to 'New'.

                "
  DEFVAL        { accept }
  ::= { networkRulesEntry 800 }

 -- Row command:Up

 networkRulesUp OBJECT-TYPE
  SYNTAX        INTEGER { noOp(0), up(10) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Up

                Moves the current row upwards.
                "
  DEFVAL        { noOp }
  ::= { networkRulesEntry 900 }

-- End of table:Network Rules

-- ****************************************************************************

-- Group:Blacklist

-- ****************************************************************************

blacklistGroup OBJECT IDENTIFIER
 ::= { nfwMIBObjects 700 }
 -- Scalar:Blacklist Timeout

 blacklistTimeout OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..86400 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Blacklist Timeout

                The time an address stays in the blacklist. If Nfw receives a
                packet from a blacklisted source, the packet is dropped and
                the remaining blacklist time is reset to this value.

                The time units are seconds.

                "
  DEFVAL        { 60 }
  ::= { blacklistGroup 100 }

 -- Scalar:Blacklist Rate Limit Timeout

 blacklistRateLimitTimeout OBJECT-TYPE
  SYNTAX        Unsigned32 ( 1..86400 )
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Blacklist Rate Limit Timeout

                The time an address stays in the 'rate limit' blacklist. If
                Nfw receives a packet from a 'rate limit' blacklisted source,
                the packet is dropped and the remaining blacklist time stays
                the same.

                The time units are seconds.

                "
  DEFVAL        { 60 }
  ::= { blacklistGroup 200 }

-- End of group:Blacklist

-- ****************************************************************************

-- Group:Notification Messages Configuration

-- ****************************************************************************

notificationsGroup OBJECT IDENTIFIER
 ::= { nfwMIBObjects 60010 }
 -- Scalar:Minimal Severity of Notification

 minSeverity OBJECT-TYPE
  SYNTAX        INTEGER { disable(0) , debug(100) , info(200) , warning(300) ,
                error(400) , critical (500) }
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION " Minimal Severity of Notification

                Sets the minimal severity to issue a notification message
                incoming from this service.

                  * Disable: No notification is issued.
                  * Debug: All notification messages are issued.
                  * Info: Notification messages with a 'Informational' and
                    higher severity are issued.
                  * Warning: Notification messages with a 'Warning' and higher
                    severity are issued.
                  * Error: Notification messages with an 'Error' and higher
                    severity are issued.
                  * Critical: Notification messages with a 'Critical' severity
                    are issued.

                "
  DEFVAL        { warning }
  ::= { notificationsGroup 100 }

-- End of group:Notification Messages Configuration

-- ****************************************************************************

-- Group:Configuration Settings

-- ****************************************************************************

configurationGroup OBJECT IDENTIFIER
 ::= { nfwMIBObjects 60020 }
 -- Scalar:Need Restart

 needRestartInfo OBJECT-TYPE
  SYNTAX        INTEGER { no(0) , yes(100) }
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION " Need Restart

                Indicates if the service needs to be restarted for the
                configuration to fully take effect.

                  * Yes: Service needs to be restarted.
                  * No: Service does not need to be restarted.

                Services can be restarted by using the
                Scm.ServiceCommands.Restart command.

                "
  ::= { configurationGroup 100 }

-- End of group:Configuration Settings

END
