CABH-SEC-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY,
    Unsigned32,
    zeroDotZero,
    Counter32,
    OBJECT-TYPE                FROM SNMPv2-SMI  -- RFC2578

    DateAndTime,
    TruthValue,
    TimeStamp,
    RowStatus,
    VariablePointer            FROM SNMPv2-TC  -- RFC2579
    
    OBJECT-GROUP,
    MODULE-COMPLIANCE          FROM SNMPv2-CONF -- RFC2580
    InetPortNumber,
    InetAddress                FROM INET-ADDRESS-MIB --RFC3291
     
    SnmpAdminString            FROM SNMP-FRAMEWORK-MIB --RFC2571

    X509Certificate            FROM DOCS-BPI2-MIB

    ZeroBasedCounter32         FROM RMON2-MIB
    docsDevFilterIpEntry       FROM DOCS-CABLE-DEVICE-MIB
    InterfaceIndexOrZero       FROM IF-MIB
    
    clabProjCableHome          FROM CLAB-DEF-MIB;
    
    cabhSecMib MODULE-IDENTITY
    LAST-UPDATED    "200408060000Z" -- August 6, 2004
    ORGANIZATION    "CableLabs Broadband Access Department"
    CONTACT-INFO
            "Kevin Luehrs
            Postal: Cable Television Laboratories, Inc.
            858 Coal Creek Circle
            Louisville, Colorado 80027
            U.S.A.
            Phone:  +1 303-661-9100
            Fax:    +1 303-661-9199
            E-mail: k.luehrs@cablelabs.com; mibs@cablelabs.com"
    DESCRIPTION
            "This MIB module supplies the basic management
            objects for the Security Portal Services."
    ::=  { clabProjCableHome 2 }


-- Textual conventions

   cabhSecMibObjects  OBJECT IDENTIFIER ::= { cabhSecMib 5 }
   cabhSecFwObjects   OBJECT IDENTIFIER ::= { cabhSecMib 1 }
   cabhSecFwBase      OBJECT IDENTIFIER ::= { cabhSecFwObjects 1 }
   cabhSecFwLogCtl    OBJECT IDENTIFIER ::= { cabhSecFwObjects 2 }

   cabhSecCertObjects OBJECT IDENTIFIER ::= { cabhSecMib 2 }
   cabhSecKerbObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 3 }
   cabhSecKerbBase    OBJECT IDENTIFIER ::= { cabhSecKerbObjects 1 }

   cabhSec2FwObjects  OBJECT IDENTIFIER ::= { cabhSecMibObjects 4 }
   cabhSec2FwBase     OBJECT IDENTIFIER ::= { cabhSec2FwObjects 1 }
   cabhSec2FwEvent    OBJECT IDENTIFIER ::= { cabhSec2FwObjects 2 }
   cabhSec2FwLog      OBJECT IDENTIFIER ::= { cabhSec2FwObjects 3 }
   cabhSec2FwFilter   OBJECT IDENTIFIER ::= { cabhSec2FwObjects 4 }

--
--    CableHome 1.0 Base Firewall Functions
--

cabhSecFwPolicyFileEnable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable (1),
                    disable(2)
                }
    MAX-ACCESS  read-write
    STATUS      deprecated
    DESCRIPTION
            "This parameter indicates whether or not to enable
            the firewall functionality."
    DEFVAL { enable }
    ::= { cabhSecFwBase 1 }

cabhSecFwPolicyFileURL OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      deprecated
    DESCRIPTION
            "A policy rule set file download is triggered when the
            value used to SET this object is different than the value
            in the cabhSecFwPolicySuccessfulFileURL object."
    REFERENCE
            "CableHome 1.0 Specification, CH-SP-CH1.0-I05-030801,
            11.3.5.2 Firewall Rule Set Management Parameters."
    DEFVAL { "" }
    ::= { cabhSecFwBase 2 }

cabhSecFwPolicyFileHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0|20))
    MAX-ACCESS  read-write
    STATUS      deprecated
    DESCRIPTION
            "Hash of the contents of the rules set file,
            calculated and sent to the PS prior to sending
            the rules set file. For the SHA-1 authentication
            algorithm the length of the hash is 160 bits.
            This hash value is encoded in binary format."
    DEFVAL { ''h }
    ::= { cabhSecFwBase 3 }

cabhSecFwPolicyFileOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inProgress(1),
                    complete(2),
                 -- completeFromMgt(3), deprecated
                    failed(4)
                }
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
            "inProgress(1) indicates a firewall configuration
            file download is underway.
            complete (2) indicates the firewall configuration
            file downloaded and configured successfully.
            completeFromMgt(3) This state is deprecated.
            failed(4) indicates the last attempted firewall
            configuration file download or processing
            failed ordinarily due to TFTP timeout."
    ::= { cabhSecFwBase 4 }

cabhSecFwPolicyFileCurrentVersion OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
            "The rule set version currently operating in the
            PS device. This object should be in the syntax
            used by the individual vendor to identify software
            versions. Any PS element MUST return a string
            descriptive of the current rule set file load.
            If this is not applicable, this object MUST
            contain an empty string."
    ::= { cabhSecFwBase 5 }

cabhSecFwPolicySuccessfulFileURL OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      deprecated
    DESCRIPTION
            "Contains the location of the last successful downloaded
            policy rule set file in the format pointed in the
            reference. If a successful download has never occurred,
            this MIB object MUST report empty string."
    REFERENCE
            "CableHome 1.0 Specification, CH-SP-CH1.0-I05-030801,
            11.3.5.2 Firewall Rule Set Management Parameters."
    DEFVAL { "" }
    ::= { cabhSecFwBase 6 }

--
-- CableHome 1.0 Firewall Event MIBs
--

cabhSecFwEventType1Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1), -- log event
                    disable(2) -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      deprecated
    DESCRIPTION
            "This object enables or disables logging of type 1
            firewall event messages. Type 1 event messages report
            attempts from both private and public clients to
            traverse the firewall that violate the Security
            Policy."
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 1 }

cabhSecFwEventType2Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1), -- log event
                    disable(2) -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      deprecated
    DESCRIPTION
            "This object enables or disables logging of
            type 2 firewall event messages. Type 2 event
            messages report identified Denial of Service
            attack attempts."
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 2 }

cabhSecFwEventType3Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1), -- log event
                    disable(2) -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      deprecated
    DESCRIPTION
            "Enables or disables logging of type 3 firewall
            event messages. Type 3 event messages report
            changes made to the following firewall management
            parameters: cabhSecFwPolicyFileURL,
            cabhSecFwPolicyFileCurrentVersion,
            cabhSecFwPolicyFileEnable"
    DEFVAL { disable }
    ::= { cabhSecFwLogCtl 3 }

cabhSecFwEventAttackAlertThreshold OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-write
    STATUS      deprecated
    DESCRIPTION
            "If the number of type 1 or 2 hacker attacks
            exceeds this threshold in the period define
            by cabhSecFwEventAttackAlertPeriod, a firewall
            message event MUST be logged with priority
            level 4."
    DEFVAL { 65535 }
    ::= { cabhSecFwLogCtl 4 }

cabhSecFwEventAttackAlertPeriod OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-write
    STATUS      deprecated
    DESCRIPTION
            "Indicates the period to be used (in hours) for
            the cabhSecFwEventAttackAlertThreshold. This MIB
            variable should always keep track of the last x
            hours of events meaning that if the variable is
            set to track events for 10 hours then when the
            11th hour is reached, the 1st hour of events is
            deleted from the tracking log. A default value
            is set to zero, meaning zero time, so that this
            MIB variable will not track any events unless
            configured."
    DEFVAL { 0 }
    ::= { cabhSecFwLogCtl 5 }

--
-- CableHome PS device certificate
-- 

    cabhSecCertPsCert OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The X509 DER-encoded PS certificate."
    ::= { cabhSecCertObjects 1 }

--
--  CableHome 1.1 Firewall Management MIBs 
--

cabhSec2FwEnable OBJECT-TYPE
    SYNTAX      INTEGER    {
                    enabled(1),
                    disabled(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "This parameter indicates whether to enable or disable the
            firewall."
    DEFVAL { enabled }
    ::= { cabhSec2FwBase 1 }

cabhSec2FwPolicyFileURL OBJECT-TYPE
    SYNTAX      SnmpAdminString 
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "A policy rule set file download is triggered when the
            value used to SET this object is different than the value 
            in the cabhSec2FwPolicySuccessfulFileURL object."
    REFERENCE
            "CableHome 1.1 Specification, CH-SP-CH1.1-I05-040806,
            11.6.4.8.1 Firewall Rule Set Management MIB Objects."
    DEFVAL { "" }
    ::= { cabhSec2FwBase 2 }

cabhSec2FwPolicyFileHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(0|20))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "Hash of the contents of the firewall
            configuration file. For the SHA-1 authentication
            algorithm the length of the hash is 160 bits.
            This hash value is encoded in binary format."
    DEFVAL { ''h }
    ::= { cabhSec2FwBase 3 }

cabhSec2FwPolicyFileOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inProgress(1),
                    complete(2),
                    failed(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "InProgress(1) indicates a firewall configuration
            file download is underway. Complete(2) indicates
            the firewall configuration file was downloaded
            and processed successfully. Failed(3) indicates
            that the last attempted firewall configuration
            file download or processing failed."
    ::= { cabhSec2FwBase 4 }

cabhSec2FwPolicyFileCurrentVersion OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "A label set by the cable operator that can be 
            used to track various versions of configured 
            rulesets. Once the label is set and configured
            rules are changed, it may not accurately reflect 
            the version of configured rules running on the box.
            If this object has never been configured, it MUST 
            contain an empty string."
    DEFVAL { "" }
    ::= { cabhSec2FwBase 5 }

cabhSec2FwClearPreviousRuleset OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "If set to 'true', the PS MUST clear all entries in the
            docsDevFilterIpTable. Reading this value always returns
            false."
    REFERENCE
            "CableHome specification  Security section"
    DEFVAL { false }
    ::= { cabhSec2FwBase 6 }

cabhSec2FwPolicySelection OBJECT-TYPE
    SYNTAX      INTEGER {
                    factoryDefault(1),
                    configuredRulesetBoth(2),
                    factoryDefaultAndConfiguredRulesetBoth(3),
                    configuredRulesetDocsDevFilterIpTable(4),
                    configuredRulesetCabhSec2FwLocalFilterIpTable (5),
                    factoryDefaultAndDocsDevFilterIpTable (6),
                    factoryDefaultAndCabhSec2FwLocalFilterIpTable (7)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "This object allows for selection of the filtering policy
            as defined by the following options:

            factoryDefault (1) The firewall filters against the Factory
            Default Ruleset in the cabhSec2FwFactoryDefaultFilterTable.

            configuredRulesetBoth (2) The firewall filters against the
            Configured Ruleset defined by both the 
            docsDevFilterIpTable and the cabhSec2FwLocalFilterIpTable.
 
            factoryDefaultAndConfiguredRulesetBoth (3) The firewall
            filters against the CableHome specified Factory Default
            Ruleset in the cabhSec2FwFactoryDefaultFilterTable and
            the Configured Ruleset in the docsDevFilterIpTable and
            the cabhSec2FwLocalFilterIpTable.

            configuredRulesetDocsDevFilterIpTable(4) The firewall
            filters against the Configured Ruleset defined by the
            docsDevFilterIpTable.
            
            configuredRulesetCabhSec2FwLocalFilterIpTable (5) The 
            firewall filters against the Configured Ruleset defined by
            the cabhSec2FwLocalFilterIpTable.

            factoryDefaultAndDocsDevFilterIpTable (6) The firewall
            filters against the Factory Default Ruleset and the
            Configured Ruleset defined by the DocsDevFilterIpTable. 

            factoryDefaultAndCabhSec2FwLocalFilterIpTable (7) The
            firewall filters against the Factory Default Ruleset and
            the Configured Ruleset defined by the
            cabhSec2FwLocalFilterIpTable."
    REFERENCE
            "CableHome specification  Security section."
    DEFVAL { factoryDefault }
    ::= { cabhSec2FwBase 7 }
    
cabhSec2FwEventSetToFactory OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "If set to 'true', entries in cabhSec2FwEventControlEntry
            are set to their default values. 
            Reading this value always returns false."
    DEFVAL { false }
    ::= { cabhSec2FwBase 8 }

cabhSec2FwEventLastSetToFactory OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The value of sysUpTime when cabhSec2FwEventSetToFactory
            was Last set to true. Zero if never reset."
    ::= { cabhSec2FwBase 9 }

cabhSec2FwPolicySuccessfulFileURL OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Contains the location of the last successful downloaded 
            policy rule set file in the format pointed in the 
            reference. If a successful download has not yet 
            occurred, this MIB object should report empty string."
    REFERENCE
            "CableHome 1.1 Specification, CH-SP-CH1.1-I05-040806,
            11.6.4.8.1 Firewall Rule Set Management MIB Objects."
    DEFVAL { "" }
    ::= { cabhSec2FwBase 10 }

cabhSec2FwConfiguredRulesetPriority OBJECT-TYPE
    SYNTAX      INTEGER {
                    docsDevFilterIpTable (1),
                    cabhSec2FwLocalFilterIpTable (2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "This object defines which Configured Ruleset filter rule 
             has priority when a conflict exists between a filter rule 
             in the docsDevFilterIpTable and a filter rule in the 
             cabhSec2FwLocalFilterIpTable as indicated by the following
             options:

             docsDevFilterIpTable (1)  indicates that filter rules in 
             the docsDevFilterIpTable have priority over any
             conflicting filters that may exist in the
             cabhSec2FwLocalFilterIpTable.

             cabhSec2FwLocalFilterIpTable (2)  indicates that filter
             rules in the cabhSec2FwLocalFilterIpTable have priority
             over any conflicting filters that may exist in the
             docsDevFilterIpTable."
    REFERENCE
             "CableHome specification  Security section."
    DEFVAL { cabhSec2FwLocalFilterIpTable }
    ::= { cabhSec2FwBase 11 }

cabhSec2FwClearLocalRuleset OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "If set to 'true', the PS MUST clear all entries in the
            cabhSec2FwLocalFilterIpTable. Reading this value always
            returns false."
    REFERENCE
            "CableHome specification  Security section"
    DEFVAL { false }
    ::= { cabhSec2FwBase 12 }

-- +++++++++++

--
-- CableHome 1.1 Firewall Event MIBS
--


cabhSec2FwEventControlTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CabhSec2FwEventControlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This table controls the reporting of the
            Firewall Attacks events"
    ::= { cabhSec2FwEvent 1 }

cabhSec2FwEventControlEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwEventControlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Allows configuration of the reporting mechanisms
            for a particular type of attack."
    INDEX { cabhSec2FwEventType }
    ::= { cabhSec2FwEventControlTable 1 }

CabhSec2FwEventControlEntry ::= SEQUENCE {
    cabhSec2FwEventType         INTEGER,
    cabhSec2FwEventEnable       INTEGER,
    cabhSec2FwEventThreshold    Unsigned32,
    cabhSec2FwEventInterval     Unsigned32,
    cabhSec2FwEventCount        ZeroBasedCounter32,
    cabhSec2FwEventLogReset     TruthValue,
    cabhSec2FwEventLogLastReset TimeStamp  
    }

cabhSec2FwEventType OBJECT-TYPE
    SYNTAX      INTEGER     {
                    type1(1),
                    type2(2),
                    type3(3),
                    type4(4),
                    type5(5),
                    type6(6)
                }
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Classification of the different types of
            attacks. 
            Type 1  logs all attempts from both LAN and WAN
            clients to traverse the Firewall that violate the
            Security Policy. 
            Type 2 logs identified Denial of Service attack
            attempts. 
            Type 3 logs all changes made to the
            cabhSec2FwPolicyFileURL, 
            cabhSec2FwPolicyFileCurrentVersion or 
            cabhSec2FwPolicyFileEnable objects. 
            Type 4 logs all failed attempts to modify 
            cabhSec2FwPolicyFileURL and
            cabhSec2FwPolicyFileEnable objects. 
            Type 5 logs allowed inbound packets from the WAN. 
            Type 6 logs allowed outbound packets from the
            LAN."
    ::= { cabhSec2FwEventControlEntry 1 }

cabhSec2FwEventEnable OBJECT-TYPE
    SYNTAX      INTEGER    {
                    enabled(1),
                    disabled(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "Enables or disables counting and logging of
            firewall events by type as assigned by
            cabhSec2FwEventType."
    DEFVAL { disabled } 
    ::= { cabhSec2FwEventControlEntry 2 }

cabhSec2FwEventThreshold OBJECT-TYPE
    SYNTAX       Unsigned32 (0..65535)
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
            "Number of attacks to count before sending the
            appropriate event by type as assigned by
            cabhSec2FwEventType."
    DEFVAL { 0 } 
    ::= { cabhSec2FwEventControlEntry 3 }

cabhSec2FwEventInterval OBJECT-TYPE 
    SYNTAX      Unsigned32 (0..744) 
    UNITS       "hours"
    MAX-ACCESS  read-write 
    STATUS      current
    DESCRIPTION 
            "Indicates the time interval in hours to count and log
            occurrences of a firewall event type as assigned in 
            cabhSec2FwEventType. If this MIB has a value of zero 
            then there is no interval assigned and the PS will not
            count or log events." 
    DEFVAL { 0 }
    ::= { cabhSec2FwEventControlEntry 4 }

cabhSec2FwEventCount OBJECT-TYPE
    SYNTAX       ZeroBasedCounter32
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
           "Indicates the current count up to the 
            cabhSec2FwEventThreshold value by type as
            assigned by cabhSec2FwEventType."
    ::= { cabhSec2FwEventControlEntry 5 }

cabhSec2FwEventLogReset OBJECT-TYPE
    SYNTAX       TruthValue
    MAX-ACCESS   read-write
    STATUS       current
    DESCRIPTION
            "Setting this object to true clears the log table
            for the specified event type. Reading this object
            always returns false."
    DEFVAL { false }
    ::= { cabhSec2FwEventControlEntry 6 }

cabhSec2FwEventLogLastReset OBJECT-TYPE
    SYNTAX       TimeStamp
    MAX-ACCESS   read-only
    STATUS       current
    DESCRIPTION
            "The value of sysUpTime when cabhSec2FwEventLogReset was 
            last set to true. Zero if never reset."
    ::= { cabhSec2FwEventControlEntry 7 }

--
-- CableHome 1.1 Firewall Log Tables
--
 
cabhSec2FwLogTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF CabhSec2FwLogEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Contains a log of packet information as related
            to events enabled by the cable operator. The types
            are defined in the CableHome 1.1 specification and
            require various objects to be included in the log.
            The following is a description for what is
            expected in the log for each type Type 1, Type 2,
            Type 5 and Type 6 table MUST include
            cabhSec2FwEventType, cabhSec2FwEventPriority,
            cabhSec2FwEventId, cabhSec2FwLogTime,
            cabhSec2FwIpProtocol, cabhSec2FwIpSourceAddr,
            cabhSec2FwIpDestAddr, cabhSec2FwIpSourcePort,
            cabhSec2FwIpDestPort, cabhSec2Fw,
            cabhSec2FwReplayCount.  The other values not used
            by Types 1, 2, 5 and 6 are default values. Type 3 
            and Type 4 MUST include cabhSec2FwEventType,
            cabhSec2FwEventPriority, cabhSec2FwEventId,
            cabhSec2FwLogTime, cabhSec2FwIpSourceAddr,
            cabhSec2FwLogMIBPointer.  The other values not used
            by type 3 and 4 are default values. When applicable, 
            Type 1, Type 5,and Type 6 MUST also include 
            cabhSec2FwLogMatchingFilterTableName,
            cabhSec2FwLogMatchingFilterTableIndex,
            cabhSec2FwLogMatchingFilterDescr."
    ::= { cabhSec2FwLog 1 }

cabhSec2FwLogEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwLogEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Each entry contains the log of firewall events"
    INDEX {cabhSec2FwLogIndex}            
    ::= { cabhSec2FwLogTable 1 }

CabhSec2FwLogEntry ::= SEQUENCE {
    cabhSec2FwLogIndex                     Unsigned32,
    cabhSec2FwLogEventType                 INTEGER,
    cabhSec2FwLogEventPriority             INTEGER,
    cabhSec2FwLogEventId                   Unsigned32,
    cabhSec2FwLogTime                      DateAndTime,
    cabhSec2FwLogIpProtocol                Unsigned32,
    cabhSec2FwLogIpSourceAddr              InetAddress,
    cabhSec2FwLogIpDestAddr                InetAddress,
    cabhSec2FwLogIpSourcePort              InetPortNumber,
    cabhSec2FwLogIpDestPort                InetPortNumber,
    cabhSec2FwLogMessageType               Unsigned32,
    cabhSec2FwLogReplayCount               Unsigned32,
    cabhSec2FwLogMIBPointer                VariablePointer,
    cabhSec2FwLogMatchingFilterTableName   INTEGER,
    cabhSec2FwLogMatchingFilterTableIndex  Unsigned32,
    cabhSec2FwLogMatchingFilterDescr       SnmpAdminString
    }

cabhSec2FwLogIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "A sequence number for the specific events
            under a cabhSec2FwEventType." 
    ::= { cabhSec2FwLogEntry 1 }

cabhSec2FwLogEventType OBJECT-TYPE
    SYNTAX INTEGER     {
               type1(1),
               type2(2),
               type3(3),
               type4(4),
               type5(5),
               type6(6)
           }
    MAX-ACCESS  read-only 
    STATUS      current
    DESCRIPTION
            "Classification of the different types of
            attacks.
            Type 1 logs all attempts from both LAN and WAN
            clients to traverse the Firewall that violate
            the Security Policy.
            Type 2 logs identified Denial of Service attack
            attempts.
            Type 3 logs all changes made to the
            cabhSec2FwPolicyFileURL,
            cabhSec2FwPolicyFileCurrentVersion or
            cabhSec2FwPolicyFileEnable objects.
            Type 4 logs all failed attempts to modify
            cabhSec2FwPolicyFileURL and
            cabhSec2FwPolicyFileEnable objects.
            Type 5 logs allowed inbound packets from the WAN.
            Type 6 logs allowed outbound packets from the
            LAN."
    ::= { cabhSec2FwLogEntry 2 }

cabhSec2FwLogEventPriority OBJECT-TYPE
    SYNTAX     INTEGER     {
                   emergency(1),
                   alert(2),
                   critical(3),
                   error(4),
                   warning(5),
                   notice(6),
                   information(7),
                   debug(8)
               }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The priority level of this event as defined
            by CableHome Specification. If a priority is
            not assigned in the CableHome specification for
            a particular event then the vendor or cable
            operator may assign priorities. These are
            ordered from most serious (emergency)to least
            serious (debug)."
    ::= { cabhSec2FwLogEntry 3 }

cabhSec2FwLogEventId  OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The assigned event ID."
    ::= { cabhSec2FwLogEntry 4 }

cabhSec2FwLogTime OBJECT-TYPE
    SYNTAX      DateAndTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The time that this entry was created by the PS."
    ::= { cabhSec2FwLogEntry 5 }

cabhSec2FwLogIpProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..256)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The IP Protocol."
    ::= { cabhSec2FwLogEntry 6 }

cabhSec2FwLogIpSourceAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The Source IP Address of the packet logged."
    ::= { cabhSec2FwLogEntry 7 }

cabhSec2FwLogIpDestAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The Destination IP Address of the packet logged."
    ::= { cabhSec2FwLogEntry 8 }

cabhSec2FwLogIpSourcePort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The Source IP Port of the packet logged."
    ::= { cabhSec2FwLogEntry 9 }

cabhSec2FwLogIpDestPort OBJECT-TYPE
    SYNTAX      InetPortNumber
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The Source IP Port of the packet logged."
    ::= { cabhSec2FwLogEntry 10 }

cabhSec2FwLogMessageType OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The ICMP defined types."
    ::= { cabhSec2FwLogEntry 11}

cabhSec2FwLogReplayCount OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The number of identical attack packets that
            were seen by the firewall based on
            cabhSec2FwLogIpProtocol, cabhSec2FwLogIpSourceAddr,
            cabhSec2FwLogIpDestAddr, cabhSec2FwLogIpSourcePort,
            cabhSec2FwLogIpDestPort and cabhSec2FwLogMessageType."
    DEFVAL { 0 }
    ::= { cabhSec2FwLogEntry 12 }

cabhSec2FwLogMIBPointer OBJECT-TYPE
    SYNTAX      VariablePointer 
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Identifies if the cabhSec2FwPolicyFileURL or the 
            cabhSec2FwEnable MIB object changed or an attempt
            was made to change it."
    DEFVAL { zeroDotZero }
    ::= { cabhSec2FwLogEntry 13 }

cabhSec2FwLogMatchingFilterTableName OBJECT-TYPE
    SYNTAX      INTEGER     {
                   cabhSec2FwFactoryDefaultFilterTable(1),
                   docsDevFilterIpTable(2),
                   cabhSec2FwLocalFilterIpTable(3),
                   none(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "When applicable, cabhSec2FwLogMatchingFilterTableName 
            indicates the filter table name containing the last filter
            rule matched that caused the event to be generated."
    DEFVAL { none }
    ::= { cabhSec2FwLogEntry 14 }

cabhSec2FwLogMatchingFilterTableIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (0..2147483647)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "When applicable, cabhSec2FwLogMatchingFilterTableIndex 
            indicates the filter table index if the last filter 
            rule matched that caused the event to be generated. If
            the value is 0, the event was not caused by a filter 
            rule match. "
    DEFVAL { 0 }
    ::= { cabhSec2FwLogEntry 15 }

cabhSec2FwLogMatchingFilterDescr OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "When applicable, cabhSec2FwLogMatchingFilterDesc 
            contains the description value found in the 
            cabhSec2FwFilterScheduleDesc MIB object or the 
            cabhSec2FwLocalFilterIpDesc MIB object of the last 
            filter rule matched that caused the event to be 
            generated."
    DEFVAL { "" }
    ::= { cabhSec2FwLogEntry 16 }

-- ============================================================
--
--  CableHome 1.1 PS IP Filter Scheduling Table
--
--  The cabhSec2FwFilterScheduleTable contains the firewall
--  policy identification and links that policy as defined
--  in RFC 2669 to specific time of day restrictions.
--
-- =============================================================

cabhSec2FwFilterScheduleTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CabhSec2FwFilterScheduleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION 
            "Extends the filtering matching parameters of 
            docsDevFilterIpTable defined in RFC 2669 for CableHome 
            Residential Gateways to include time day intervals and days
            of the week."
    ::= { cabhSec2FwFilter 1 }


cabhSec2FwFilterScheduleEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwFilterScheduleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Extended values for entries of docsDevFilterIpTable.
            If the PS has not aqcuire ToD the entire
            docsDevFilterIpEntry rule set is ignored.
            Note: A filter time period may include two days
            (e.g from 10 PM to 4 AM).  A filter time period that
            includes two days is identified by the absolute value
            of the cabhSec2FwFilterScheduleEndTime being less than the
            absolute value of the cabhSec2FwFilterScheduleStartTime.
            The cabhSec2FwFilterScheduleDOW setting and the 
            cabhSec2FwFilterScheduleStartTime value indicate what day
            and time the filter becomes active. The
            cabhSec2FwFilterScheduleEndTime indicates when the filter
            becomes inactive on the second day. The maximum filter
            time period that includes two days is 24 hours.  
            If cabhSec2FwFilterScheduleStartTime is less than or
            equal to the cabhSec2FwFilterScheduleEndTime the time
            period of the filter falls in the same day."
    AUGMENTS { docsDevFilterIpEntry }
    ::= { cabhSec2FwFilterScheduleTable 1 }

CabhSec2FwFilterScheduleEntry ::= SEQUENCE {
    cabhSec2FwFilterScheduleStartTime    Unsigned32,
    cabhSec2FwFilterScheduleEndTime      Unsigned32,
    cabhSec2FwFilterScheduleDOW          BITS,
    cabhSec2FwFilterScheduleDescr        SnmpAdminString
    }

cabhSec2FwFilterScheduleStartTime OBJECT-TYPE
    SYNTAX      Unsigned32 (0..2359)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The start time for matching the filter ruleset in the
            specified days indicated in cabhSec2FwFilterScheduleDOW.
            Time is represented in Military Time, e.g., 8:30 AM is 
            represented as 830 and 11:45 PM as 2345. An attempt to set
            this object to an invalid military time value, e.g., 1182,
            returns 'wrongValue' error."
    DEFVAL { 0 }
    ::= { cabhSec2FwFilterScheduleEntry 1 }

cabhSec2FwFilterScheduleEndTime OBJECT-TYPE
    SYNTAX      Unsigned32 (0..2359)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The end time for matching the filter rule for the
            days indicated in cabhSec2FwFilterScheduleDOW. The filter
            rule associated with this end time MUST not be disabled
            until the minute following the time indicated by this
            MIB object. If the time period is for two days, 
            identified by cabhSec2FwFilterScheduleEndTime being
            less than cabhSec2FwFilterScheduleStartTime, then 
            the cabhSec2FwFilterScheduleDOW settings 
            do not apply to this MIB object.  
            Time is represented in the same manner as in 
            cabhSec2FwFilterScheduleStartTime. An attempt to set
            this object to an invalid military time value, e.g., 1182,
            returns 'wrongValue' error."
    DEFVAL { 2359 }
    ::= { cabhSec2FwFilterScheduleEntry 2 }

cabhSec2FwFilterScheduleDOW OBJECT-TYPE
    SYNTAX BITS {
                    sunday(0),
                    monday(1),
                    tuesday(2),
                    wednesday(3),
                    thursday(4),
                    friday(5),
                    saturday(6)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If the day of week bit associated with the PS given day
            is '1', this object criteria matches."
    DEFVAL { 'fe'h }  -- 11111110 Sun-Sat
    ::= { cabhSec2FwFilterScheduleEntry 3 }

cabhSec2FwFilterScheduleDescr OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "A filter rule description configured by the
            cable operator or subscriber."
    DEFVAL { "" }
    ::= { cabhSec2FwFilterScheduleEntry 4 }

-- ============================================================
--
--  CableHome 1.1 PS Firewall Factory Default Filter Table
--
--  The cabhSec2FwFactoryDefaultFilterTable contains the 
--  firewall factory default ruleset in a read only table as 
--  defined by the CableLabs CableHome 1.1 Specification.
--
-- =============================================================

cabhSec2FwFactoryDefaultFilterTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CabhSec2FwFactoryDefaultFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION 
            "Contains the firewall factory default ruleset as 
            defined by the CableLabs CableHome 1.1 Specification."
    ::= { cabhSec2FwFilter 2 }

cabhSec2FwFactoryDefaultFilterEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwFactoryDefaultFilterEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Contains the firewall factory default ruleset."
    INDEX {cabhSec2FwFactoryDefaultFilterIndex }
    ::= { cabhSec2FwFactoryDefaultFilterTable 1 }

CabhSec2FwFactoryDefaultFilterEntry ::= SEQUENCE {
    cabhSec2FwFactoryDefaultFilterIndex           Unsigned32,
    cabhSec2FwFactoryDefaultFilterControl         INTEGER,
    cabhSec2FwFactoryDefaultFilterIfIndex         InterfaceIndexOrZero,
    cabhSec2FwFactoryDefaultFilterDirection       INTEGER,
    cabhSec2FwFactoryDefaultFilterSaddr           InetAddress,
    cabhSec2FwFactoryDefaultFilterSmask           InetAddress,
    cabhSec2FwFactoryDefaultFilterDaddr           InetAddress,
    cabhSec2FwFactoryDefaultFilterDmask           InetAddress,
    cabhSec2FwFactoryDefaultFilterProtocol        Unsigned32,
    cabhSec2FwFactoryDefaultFilterSourcePortLow   Unsigned32,
    cabhSec2FwFactoryDefaultFilterSourcePortHigh  Unsigned32,
    cabhSec2FwFactoryDefaultFilterDestPortLow     Unsigned32,
    cabhSec2FwFactoryDefaultFilterDestPortHigh    Unsigned32,
    cabhSec2FwFactoryDefaultFilterContinue        TruthValue
}

cabhSec2FwFactoryDefaultFilterIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Index used to order the application of filters.
            The filter with the lowest index is always applied
            first."
    ::= { cabhSec2FwFactoryDefaultFilterEntry 1 }

cabhSec2FwFactoryDefaultFilterControl OBJECT-TYPE
    SYNTAX      INTEGER {
                    deny(1),
                    allow(2)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "If set to deny(1), all packets matching this filter
            will be discarded. If set to allow(2), all
            packets matching this filter will be accepted. 
            The cabhSec2FwFactoryDefaultFilterContinue object is 
            Set to true, and therefore the PS MUST continue to
            scan the table for other matches to apply the match
            with the highest cabhSec2FwFactoryDefaultFilterIndex 
            value."
    ::= { cabhSec2FwFactoryDefaultFilterEntry 2 }

cabhSec2FwFactoryDefaultFilterIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndexOrZero
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The index number assigned to this object MUST 
            match to the IfIndex numbering assigned in the 
            ifTable from the Interfaces Group MIB [RFC 2863],
            and as specified in CH 1.1 Spec, Table 6-16 
            Numbering Interfaces in the ifTable. If the value
            is zero, the filter applies to all interfaces. 
            This object MUST be specified to create a row in
            this table."
    ::= { cabhSec2FwFactoryDefaultFilterEntry 3 }

cabhSec2FwFactoryDefaultFilterDirection OBJECT-TYPE
    SYNTAX      INTEGER {
                    inbound(1),
                    outbound(2),
                    both(3)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "This value represents direction in relationship
            to the assigned 
            cabhSec2FwFactoryDefaultFilterIfIndex
            in this particular rule, meaning that the PS 
            MUST represent traffic direction as follows: 
            inbound(1)traffic, outbound(2) traffic, or
            both(3)inbound and outbound traffic."
    ::= { cabhSec2FwFactoryDefaultFilterEntry 4 }

cabhSec2FwFactoryDefaultFilterSaddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The source IP address, or portion thereof, that is
            to be matched for this filter. The source address
            is first masked (and'ed) against 
            cabhSec2FwFactoryDefaultFilterSmask
            before being compared  to this value. A value of 0 
            for this object and 0 for the mask matches all IP 
            addresses."
    DEFVAL { '00000000'h }
    ::= { cabhSec2FwFactoryDefaultFilterEntry 5 }

cabhSec2FwFactoryDefaultFilterSmask OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "A bit mask that is to be applied to the source 
            address prior to matching. This mask is not 
            necessarily the same as a subnet mask, but 1's 
            bits must be leftmost and contiguous."
    DEFVAL { '00000000'h }
    ::= { cabhSec2FwFactoryDefaultFilterEntry 6 }

cabhSec2FwFactoryDefaultFilterDaddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The destination IP address, or portion thereof, that
            is to be matched for this filter. The destination 
            address is first masked (and'ed) against 
            cabhSec2FwFactoryDefaultFilterDmask
            before being compared  to this value. A value of 0 
            for this object and 0 for the mask matches all 
            IP addresses."
    DEFVAL { '00000000'h }
    ::= { cabhSec2FwFactoryDefaultFilterEntry 7 }

cabhSec2FwFactoryDefaultFilterDmask OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "A bit mask that is to be applied to the destination
            address prior to matching. This mask is not necessarily
            the same as a subnet mask, but 1's bits must be leftmost
            and contiguous."
    DEFVAL { '00000000'h }
    ::= { cabhSec2FwFactoryDefaultFilterEntry 8 }

cabhSec2FwFactoryDefaultFilterProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The protocol value that is to be matched. For example:
            icmp is 1, tcp is 6, udp is 17. A value of 65535 matches
            ANY protocol."
    DEFVAL { 65535 }
    ::= { cabhSec2FwFactoryDefaultFilterEntry 9 }

cabhSec2FwFactoryDefaultFilterSourcePortLow OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "If cabhSec2FwFactoryDefaultFilterProtocol is udp 
            or tcp, this is the inclusive lower bound of the
            transport-layer source port range that is to be
            matched, otherwise it is ignored during matching."
    DEFVAL { 0 }
    ::= { cabhSec2FwFactoryDefaultFilterEntry 10 }

cabhSec2FwFactoryDefaultFilterSourcePortHigh OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "If cabhSec2FwFactoryDefaultFilterProtocol is 
            udp or tcp, this is the inclusive upper bound
            of the transport-layer source port range that 
            is to be matched, otherwise it is ignored
            during matching."
    DEFVAL { 65535 }
    ::= { cabhSec2FwFactoryDefaultFilterEntry 11 }

cabhSec2FwFactoryDefaultFilterDestPortLow OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "If cabhSec2FwFactoryDefaultFilterProtocol is 
            udp or tcp, this is the inclusive lower bound
            of the transport-layer destination port range
            that is to be matched, otherwise it is ignored
            during matching."
    DEFVAL { 0 }
    ::= { cabhSec2FwFactoryDefaultFilterEntry 12 }

cabhSec2FwFactoryDefaultFilterDestPortHigh OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "If cabhSec2FwFactoryDefaultFilterProtocol is 
            udp or tcp, this is the inclusive upper bound
            of the transport-layer destination port range
            that is to be matched, otherwise it is ignored
            during matching."
    DEFVAL { 65535 }
    ::= { cabhSec2FwFactoryDefaultFilterEntry 13 }

cabhSec2FwFactoryDefaultFilterContinue OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "This value is always set to true so the PS MUST continue
            scanning and applying rules."
    DEFVAL { true }
    ::= { cabhSec2FwFactoryDefaultFilterEntry 14 }

-- ============================================================
--
--  CableHome 1.1 PS Firewall Local Filter Table
--
--  The cabhSec2FwLocalFilterIpTable can be configured to contain  
--  a filtering Ruleset for the PS firewall.  It can be used to
--  support subscriber specific or local filtering rules that
--  are separate from general filtering rules that may be 
--  be configured in the docsDevFilterIpTable.
-- =============================================================

cabhSec2FwLocalFilterIpTable OBJECT-TYPE
    SYNTAX SEQUENCE OF CabhSec2FwLocalFilterIpEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION 
            "Contains a configured filtering Ruleset for the 
            PS firewall."
    ::= { cabhSec2FwFilter 3 }

cabhSec2FwLocalFilterIpEntry OBJECT-TYPE
    SYNTAX      CabhSec2FwLocalFilterIpEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Contains a configured filter rule for the PS
            firewall.

            If the PS has not aqcuired ToD, entries that do not have
            default time settings are ignored.  

            Note, that a filter time period may include two days
            (e.g from 10 PM to 4 AM).  A filter time period that
            includes two days is identified by the absolute value of
            the cabhSec2FwLocalFilterIpEndTime being less then the
            absolute value of the cabhSec2FwLocalFilterIpStartTime.
            The cabhSec2FwLocalFilterIpDOW setting and the 
            cabhSec2FwLocalFilterIpStartTime value indicate what day
            and time the filter becomes active.  The
            cabhSec2FwLocalFilterIpEndTime indicates when the filter
            becomes inactive on the second day. The maximum filter time
            period that includes two days is 24 hours.  
  
            If cabhSec2FwLocalFilterIpStartTime is less than or equal
            to the cabhSec2FwLocalFilterIpEndTime the time period 
            of the filter falls in the same day."

    INDEX { cabhSec2FwLocalFilterIpIndex }
    ::= { cabhSec2FwLocalFilterIpTable 1 }

CabhSec2FwLocalFilterIpEntry ::= SEQUENCE {
    cabhSec2FwLocalFilterIpIndex           Unsigned32,
    cabhSec2FwLocalFilterIpStatus          RowStatus,
    cabhSec2FwLocalFilterIpControl         INTEGER,
    cabhSec2FwLocalFilterIpIfIndex         InterfaceIndexOrZero,
    cabhSec2FwLocalFilterIpDirection       INTEGER,
    cabhSec2FwLocalFilterIpSaddr           InetAddress,
    cabhSec2FwLocalFilterIpSmask           InetAddress,
    cabhSec2FwLocalFilterIpDaddr           InetAddress,
    cabhSec2FwLocalFilterIpDmask           InetAddress,
    cabhSec2FwLocalFilterIpProtocol        Unsigned32,
    cabhSec2FwLocalFilterIpSourcePortLow   Unsigned32,
    cabhSec2FwLocalFilterIpSourcePortHigh  Unsigned32,
    cabhSec2FwLocalFilterIpDestPortLow     Unsigned32,
    cabhSec2FwLocalFilterIpDestPortHigh    Unsigned32,
    cabhSec2FwLocalFilterIpMatches         Counter32,
    cabhSec2FwLocalFilterIpContinue        TruthValue,
    cabhSec2FwLocalFilterIpStartTime       Unsigned32,
    cabhSec2FwLocalFilterIpEndTime         Unsigned32,
    cabhSec2FwLocalFilterIpDOW             BITS,
    cabhSec2FwLocalFilterIpDescr           SnmpAdminString
}

cabhSec2FwLocalFilterIpIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Index used to order the application of filters.
            The filter with the lowest index is always applied
            first."
    ::= { cabhSec2FwLocalFilterIpEntry 1 }

cabhSec2FwLocalFilterIpStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "Controls and reflects the status of rows in this
             table.  Creation of the
             rows may be done via either create-and-wait or
             create-and-go, but the filter is not applied until this
             object is set to (or changes to) active. There is no
             restriction in changing any object in a row while this
             object is set to active."
    ::= { cabhSec2FwLocalFilterIpEntry 2 }

cabhSec2FwLocalFilterIpControl OBJECT-TYPE
    SYNTAX      INTEGER {
                    deny(1),
                    allow(2)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If set to deny(1), all packets matching this filter
            will be discarded. If set to allow(2), all
            packets matching this filter will be accepted. 
            The cabhSec2FwLocalFilterIpContinue object is 
            Set to true, and therefore the PS MUST continue to
            scan the table for other matches to apply the match
            with the highest cabhSec2FwLocalFilterIpIndex 
            value."
    ::= { cabhSec2FwLocalFilterIpEntry 3 }

cabhSec2FwLocalFilterIpIfIndex OBJECT-TYPE
    SYNTAX      InterfaceIndexOrZero
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The index number assigned to this object MUST 
            match to the IfIndex numbering assigned in the 
            ifTable from the Interfaces Group MIB [RFC 2863],
            and as specified in CH 1.1 Spec, Table 6-16 
            Numbering Interfaces in the ifTable."
    DEFVAL { 255 }
    ::= { cabhSec2FwLocalFilterIpEntry 4 }

cabhSec2FwLocalFilterIpDirection OBJECT-TYPE
    SYNTAX      INTEGER {
                    inbound(1),
                    outbound(2),
                    both(3)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This value represents direction in relationship
            to the assigned cabhSec2FwLocalFilterIpIfIndex
            in this particular rule, meaning that the PS 
            MUST represent traffic direction as follows: 
            inbound(1)traffic, outbound(2) traffic, or
            both(3)inbound and outbound traffic."
    ::= { cabhSec2FwLocalFilterIpEntry 5 }

cabhSec2FwLocalFilterIpSaddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The source IP address, or portion thereof, that is
            to be matched for this filter. The source address
            is first masked (and'ed) against
            cabhSec2FwLocalFilterIpSmask before being compared to this
            value. A value of 0 for this object and 0 for the mask
            matches all IP addresses."
    DEFVAL { '00000000'h }
    ::= { cabhSec2FwLocalFilterIpEntry 6 }

cabhSec2FwLocalFilterIpSmask OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "A bit mask that is to be applied to the source 
            address prior to matching. This mask is not 
            necessarily the same as a subnet mask, but 1's 
            bits must be leftmost and contiguous."
    DEFVAL { '00000000'h }
    ::= { cabhSec2FwLocalFilterIpEntry 7 }

cabhSec2FwLocalFilterIpDaddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The destination IP address, or portion thereof, that
            is to be matched for this filter. The destination 
            address is first masked (and'ed) against 
            cabhSec2FwLocalFilterIpDmask
            before being compared  to this value. A value of 0 
            for this object and 0 for the mask matches all 
            IP addresses."
    DEFVAL { '00000000'h }
    ::= { cabhSec2FwLocalFilterIpEntry 8 }

cabhSec2FwLocalFilterIpDmask OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "A bit mask that is to be applied to the destination
            address prior to matching. This mask is not necessarily
            the same as a subnet mask, but 1's bits must be leftmost
            and contiguous."
    DEFVAL { '00000000'h }
    ::= { cabhSec2FwLocalFilterIpEntry 9 }

cabhSec2FwLocalFilterIpProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The protocol value that is to be matched. For example:
            icmp is 1, tcp is 6, udp is 17. A value of 65535 matches
            ANY protocol."
    DEFVAL { 65535 }
    ::= { cabhSec2FwLocalFilterIpEntry 10 }

cabhSec2FwLocalFilterIpSourcePortLow OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If cabhSec2FwLocalFilterIpProtocol is udp 
            or tcp, this is the inclusive lower bound of the
            transport-layer source port range that is to be
            matched, otherwise it is ignored during matching."
    DEFVAL { 0 }
    ::= { cabhSec2FwLocalFilterIpEntry 11 }

cabhSec2FwLocalFilterIpSourcePortHigh OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If cabhSec2FwLocalFilterIpProtocol is 
            udp or tcp, this is the inclusive upper bound
            of the transport-layer source port range that 
            is to be matched, otherwise it is ignored
            during matching."
    DEFVAL { 65535 }
    ::= { cabhSec2FwLocalFilterIpEntry 12 }

cabhSec2FwLocalFilterIpDestPortLow OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If cabhSec2FwLocalFilterIpProtocol is 
            udp or tcp, this is the inclusive lower bound
            of the transport-layer destination port range
            that is to be matched, otherwise it is ignored
            during matching."
    DEFVAL { 0 }
    ::= { cabhSec2FwLocalFilterIpEntry 13 }

cabhSec2FwLocalFilterIpDestPortHigh OBJECT-TYPE
    SYNTAX      Unsigned32 (0..65535)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If cabhSec2FwLocalFilterIpProtocol is 
            udp or tcp, this is the inclusive upper bound
            of the transport-layer destination port range
            that is to be matched, otherwise it is ignored
            during matching."
    DEFVAL { 65535 }
    ::= { cabhSec2FwLocalFilterIpEntry 14 }

cabhSec2FwLocalFilterIpMatches OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Counts the number of times this filter was matched.
             This object is initialized to 0 at boot, or at row
             creation, and is reset only upon reboot."
    ::= { cabhSec2FwLocalFilterIpEntry 15 }

cabhSec2FwLocalFilterIpContinue OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "This value is always set to true so the PS MUST continue
            scanning and applying rules."
    DEFVAL { true }
    ::= { cabhSec2FwLocalFilterIpEntry 16 }

cabhSec2FwLocalFilterIpStartTime OBJECT-TYPE
    SYNTAX      Unsigned32 (0..2359)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The start time for matching the filter ruleset in the
            specified days indicated in cabhSec2FwLocalFilterIpDOW.
            Time is represented in Military Time, e.g., 8:30 AM is 
            represented as 830 and 11:45 PM as 2345. An attempt to set
            this object to an invalid military time value, e.g., 1182,
            returns 'wrongValue' error."
    DEFVAL { 0 }
    ::= { cabhSec2FwLocalFilterIpEntry 17 }

cabhSec2FwLocalFilterIpEndTime OBJECT-TYPE
    SYNTAX      Unsigned32 (0..2359)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The end time for matching the filter ruleset for the
            days indicated in cabhSec2FwLocalFilterIpDOW.  The filter
            rule associated with this end time MUST not be disabled
            until the minute following the time indicated by this
            MIB object.  If the time period is for two days, identified
            by cabhSec2FwLocalFilterIpEndTime being less than 
            cabhSec2FwLocalFilterIpStartTime, then the 
            cabhSec2FwLocalFilterIpDOW settings do not apply to this
            MIB object. Time is represented in the same manner as in 
            cabhSec2FwLocalFilterIpStartTime. An attempt to set
            this object to an invalid military time value, e.g., 1182,
            returns 'wrongValue' error."
    DEFVAL { 2359 }
    ::= { cabhSec2FwLocalFilterIpEntry 18 }

cabhSec2FwLocalFilterIpDOW OBJECT-TYPE
    SYNTAX BITS {
                    sunday(0),
                    monday(1),
                    tuesday(2),
                    wednesday(3),
                    thursday(4),
                    friday(5),
                    saturday(6)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "If the day of week bit associated with the PS given day
            is '1', this object criteria matches."
    DEFVAL { 'fe'h }  -- 11111110 Sun-Sat
    ::= { cabhSec2FwLocalFilterIpEntry 19 }

cabhSec2FwLocalFilterIpDescr OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE(0..32))
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "A filter rule description configured by the
            cable operator or subscriber."
    DEFVAL { "" }
    ::= { cabhSec2FwLocalFilterIpEntry 20 }

--
-- Kerberos MIBs
--

cabhSecKerbPKINITGracePeriod OBJECT-TYPE
    SYNTAX      Unsigned32 (15..600)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "The PKINIT Grace Period is needed by the PS
            to know when it should start retrying to get
            a new ticket. The PS MUST obtain a new Kerberos
            ticket (with a PKINIT exchange)this many minutes
            before the old ticket expires."
    DEFVAL { 30 }
    ::= { cabhSecKerbBase 1}

cabhSecKerbTGSGracePeriod OBJECT-TYPE
    SYNTAX      Unsigned32 (1..600)
    UNITS       "minutes"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "The TGS Grace Period is needed by the PS to
            know when it should start retrying to get a new
            ticket. The PS MUST obtain a new Kerberos ticket
            (with a TGS Request) this many minutes before the
            old ticket expires."
    DEFVAL { 10 }
    ::= { cabhSecKerbBase 2 }

cabhSecKerbUnsolicitedKeyMaxTimeout OBJECT-TYPE
    SYNTAX      Unsigned32 (15..600)
    UNITS       "seconds"
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "This timeout applies to PS initiated AP-REQ/REP
            key management exchange with NMS. The maximum
            timeout is the value which may not be exceeded in
            the exponential backoff algorithm."
    DEFVAL { 600 }
    ::= { cabhSecKerbBase 3 }

cabhSecKerbUnsolicitedKeyMaxRetries OBJECT-TYPE
    SYNTAX      Unsigned32 (1..32)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "The number of retries the PS is allowed for
            AP-REQ/REP key management exchange initiation
            with the NMS. This is the maximum number of
            retries before the PS gives up attempting to
            establish an SNMPv3 security association 
            with NMS."
    DEFVAL { 8 }
    ::= { cabhSecKerbBase 4 }

cabhSecNotification OBJECT IDENTIFIER ::= { cabhSecMib 3 }
cabhSecConformance  OBJECT IDENTIFIER ::= { cabhSecMib 4 }
cabhSecCompliances  OBJECT IDENTIFIER ::= { cabhSecConformance 1 }
cabhSecGroups       OBJECT IDENTIFIER ::= { cabhSecConformance 2 }

--
--    Notification Group for future extension
--

-- compliance statements

cabhSecCompliance MODULE-COMPLIANCE
    STATUS      deprecated
    DESCRIPTION
            "The compliance statement for CableHome Security."
    MODULE   --cabhSecMib

-- unconditionally mandatory groups

    MANDATORY-GROUPS {
        cabhSecCertGroup,
        cabhSecKerbGroup
        }

-- conditional mandatory groups

    GROUP cabhSecGroup
    DESCRIPTION
            "This group is implemented only for CH 1.0 gateways."
    ::= { cabhSecCompliances 1 }

    cabhSec2Compliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
            "The compliance statement for CableHome 1.1 Security."
    MODULE   --cabhSecMib

-- unconditionally mandatory groups

    MANDATORY-GROUPS {
        cabhSecCertGroup,
        cabhSecKerbGroup,
        cabhSec2Group
        }
    ::= { cabhSecCompliances 2 }

cabhSecGroup OBJECT-GROUP
    OBJECTS {
        cabhSecFwPolicyFileEnable,
        cabhSecFwPolicyFileURL,
        cabhSecFwPolicyFileHash,
        cabhSecFwPolicyFileOperStatus,
        cabhSecFwPolicyFileCurrentVersion,
        cabhSecFwPolicySuccessfulFileURL,
        cabhSecFwEventType1Enable,
        cabhSecFwEventType2Enable,
        cabhSecFwEventType3Enable,
        cabhSecFwEventAttackAlertThreshold,
        cabhSecFwEventAttackAlertPeriod
        }
    STATUS      deprecated
    DESCRIPTION
            "Group of objects in CableHome 1.0 Firewall MIB."
    ::= { cabhSecGroups 1 }

cabhSecCertGroup OBJECT-GROUP
    OBJECTS { 
        cabhSecCertPsCert
        }
    STATUS      current
    DESCRIPTION
            "Group of objects in CableHome gateway for PS
            Certificate."
    ::= { cabhSecGroups 2 } 

cabhSecKerbGroup OBJECT-GROUP
    OBJECTS {
        cabhSecKerbPKINITGracePeriod,
        cabhSecKerbTGSGracePeriod,
        cabhSecKerbUnsolicitedKeyMaxTimeout,
        cabhSecKerbUnsolicitedKeyMaxRetries
        }
    STATUS      current
    DESCRIPTION
            "Group of objects in CableHome gateway for Kerberos."
    ::= { cabhSecGroups 3 }

cabhSec2Group OBJECT-GROUP
    OBJECTS {
        cabhSec2FwEnable,
        cabhSec2FwPolicyFileURL,
        cabhSec2FwPolicyFileHash,
        cabhSec2FwPolicyFileOperStatus,
        cabhSec2FwPolicyFileCurrentVersion,
        cabhSec2FwClearPreviousRuleset,
        cabhSec2FwPolicySelection,
        cabhSec2FwEventSetToFactory,
        cabhSec2FwEventLastSetToFactory,
        cabhSec2FwPolicySuccessfulFileURL,
        cabhSec2FwEventEnable,
        cabhSec2FwEventThreshold,
        cabhSec2FwEventInterval,
        cabhSec2FwEventCount,
        cabhSec2FwEventLogReset,
        cabhSec2FwEventLogLastReset,
        cabhSec2FwLogEventType,
        cabhSec2FwLogEventPriority,
        cabhSec2FwLogEventId,
        cabhSec2FwLogTime,
        cabhSec2FwLogIpProtocol,
        cabhSec2FwLogIpSourceAddr,
        cabhSec2FwLogIpDestAddr,
        cabhSec2FwLogIpSourcePort,
        cabhSec2FwLogIpDestPort,
        cabhSec2FwLogMessageType,
        cabhSec2FwLogReplayCount,
        cabhSec2FwLogMIBPointer,
        cabhSec2FwFilterScheduleStartTime,
        cabhSec2FwFilterScheduleEndTime,
        cabhSec2FwFilterScheduleDOW,
        cabhSec2FwFactoryDefaultFilterControl,
        cabhSec2FwFactoryDefaultFilterIfIndex,
        cabhSec2FwFactoryDefaultFilterDirection,
        cabhSec2FwFactoryDefaultFilterSaddr,
        cabhSec2FwFactoryDefaultFilterSmask,
        cabhSec2FwFactoryDefaultFilterDaddr,
        cabhSec2FwFactoryDefaultFilterDmask,
        cabhSec2FwFactoryDefaultFilterProtocol,
        cabhSec2FwFactoryDefaultFilterSourcePortLow,
        cabhSec2FwFactoryDefaultFilterSourcePortHigh,
        cabhSec2FwFactoryDefaultFilterDestPortLow,
        cabhSec2FwFactoryDefaultFilterDestPortHigh,
        cabhSec2FwFactoryDefaultFilterContinue
        }
    STATUS      current
    DESCRIPTION
            "Group of objects in CableHome 1.1 Firewall MIB."
    ::= { cabhSecGroups 4 } 

END
