-- *****************************************************************
-- WESTERMO-SW6-FIREWALL-MIB :
-- SNMP feature configuration of Westermo devices with SW6.
--
-- Copyright (c) 2018 by Westermo Teleindustri AB
-- All rights reserved.
-- *****************************************************************

-- *****************************************************************
-- This script has been tested using the SMI checker smilint
-- the tool can be downloaded at
-- http://www.ibr.cs.tu-bs.de/projects/libsmi/smilint.html
-- or use alternatively the online version at:
-- http://www.simpleweb.org/ietf/mibs/validate/
--
-- smilint -m -s -l 6 -i nameLength-32 ./WESTERMO-SW6-FIREWALL-MIB
-- Ensure that all needed MIBS are located in the SMIPATH.
-- *****************************************************************

-- **********************************************************************
-- * FIREWALL MIB
-- **********************************************************************

WESTERMO-SW6-FIREWALL-MIB DEFINITIONS ::= BEGIN

    IMPORTS
        MODULE-IDENTITY, OBJECT-TYPE,
        IpAddress, Integer32                   FROM SNMPv2-SMI
        DisplayString                          FROM SNMPv2-TC
        MODULE-COMPLIANCE, OBJECT-GROUP        FROM SNMPv2-CONF
    ;

-- **********************************************************************
-- *  MODULE IDENTITY
-- **********************************************************************
firewall MODULE-IDENTITY
    LAST-UPDATED "201909060000Z"

    ORGANIZATION "Westermo Teleindustri AB"
    CONTACT-INFO "E-mail: info@westermo.com"
    DESCRIPTION  "MIB Module for the Westermo RT-300 Radio Modem Device - Firewall definitions"

    REVISION     "201909060000Z"
    DESCRIPTION  "Release 6.9.0-RC0"

    ::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1)
          westermo(16177) products(1) rt(400) feature(2) 1 }

-- **********************************************************************
-- *  Begin Major sections
-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

--  Configuration
--  =============

    configuration     OBJECT IDENTIFIER ::= { firewall 1 }

--  Conformance Information
--  =======================

    conformance           OBJECT IDENTIFIER ::= { firewall 10000 }
     groups               OBJECT IDENTIFIER ::= { conformance 1 }
      groupConfiguration  OBJECT IDENTIFIER ::= { groups 1 }

     compliances          OBJECT IDENTIFIER ::= { conformance 2 }

-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-- *  End Major Sections
-- **********************************************************************



-- **********************************************************************
-- *  Begin Object Types
-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

    cfgFwEnabled OBJECT-TYPE
        SYNTAX INTEGER { disabled(0), enabled(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Firewall disabled or enabled.

             Applies to AP and STA."
        ::= { configuration 1 }

-- =============================================================================

    cfgFwNat         OBJECT IDENTIFIER ::= { configuration 2 }

    cfgFwNatPortForwardTable OBJECT-TYPE
        SYNTAX SEQUENCE OF CfgFwNatPrtFwdTableSeq
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "Firewall port forward rules table."
        ::= { cfgFwNat 1 }

    cfgFwNatPortForwardTableEntry OBJECT-TYPE
        SYNTAX  CfgFwNatPrtFwdTableSeq
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "Firewall port forward rules table entry."
        INDEX {cfgFwNatPrtFwdIndex}
        ::= { cfgFwNatPortForwardTable 1 }

    CfgFwNatPrtFwdTableSeq ::=
        SEQUENCE {  cfgFwNatPrtFwdIndex Integer32,
                    cfgFwNatPrtFwdEnabled INTEGER,
                    cfgFwNatPrtFwdInterface DisplayString,
                    cfgFwNatPrtFwdProtocol INTEGER,
                    cfgFwNatPrtFwdSourceAddress DisplayString,
                    cfgFwNatPrtFwdSourcePortStart DisplayString,
                    cfgFwNatPrtFwdSourcePortEnd Integer32,
                    cfgFwNatPrtFwdDestinationAddress DisplayString,
                    cfgFwNatPrtFwdDestinationPortStart DisplayString,
                    cfgFwNatPrtFwdDestinationPortEnd Integer32,
                    cfgFwNatPrtFwdRedirectDestinationAddress IpAddress,
                    cfgFwNatPrtFwdRedirectDestinationPort Integer32
                 }

    cfgFwNatPrtFwdIndex OBJECT-TYPE
        SYNTAX Integer32 (0..255)
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "Entry index of port forward table."
        ::= { cfgFwNatPortForwardTableEntry 1 }

    cfgFwNatPrtFwdEnabled OBJECT-TYPE
        SYNTAX INTEGER { disabled(0), enabled(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Disable or enable the rule.

             Applies to AP and STA."
        ::= { cfgFwNatPortForwardTableEntry 2 }

     cfgFwNatPrtFwdInterface OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..255))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Name of the network interface on which the rule applies.

             Defines on which interface traffic is comming in. Groups of
             interfaces can be matched by adding the character '+' at the end.
             E.g. eth+ to match the interfaces eth0, eth1 and eth2. To match all
             interfaces use the character '+' alone.

             Applies to AP and STA."
        ::= { cfgFwNatPortForwardTableEntry 3 }

    cfgFwNatPrtFwdProtocol OBJECT-TYPE
        SYNTAX INTEGER { any(0), udp(1), tcp(2), udptcp(3) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Choose which IP protocol the rule matches.

             Allowed protocols are:

             * **any(0):** Any ip protocol.
             * **udp(1):** Only UDP protocol.
             * **tcp(2):** Only TCP protocol.
             * **udptcp(3):** UDP and TCP protocol.

             Applies to AP and STA.
            "
        ::= { cfgFwNatPortForwardTableEntry 4 }

    cfgFwNatPrtFwdSourceAddress OBJECT-TYPE
        SYNTAX DisplayString (SIZE(9..19))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Source address to match.

             This can be a specific ip address or a range in CIDR notation. Set
             to 0.0.0.0/0 to match all inbound traffic. Set to 172.17.29.7/32 to
             match the specific IP 172.17.29.7 You can use ! to invert the sense
             of the rule: E.g. !192.168.0.0/24

             **Notice:** Usually you want 0.0.0.0/0.

             Applies to AP and STA.
            "
        ::= { cfgFwNatPortForwardTableEntry 5 }

    cfgFwNatPrtFwdSourcePortStart OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..6))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Source start port to match.

             Specify the port or start of a port range from which a connection
             originates. Can only be used with TCP, UDP or TCP/UDP. Leave this
             on -1 to disable. You can use ! to invert the sense of the rule:
             E.g. !80. When used in a range, the inversion applies to the range.

             **Notice:** Usually you want this disabled.

             Applies to AP and STA.
            "
        ::= { cfgFwNatPortForwardTableEntry 6 }

    cfgFwNatPrtFwdSourcePortEnd OBJECT-TYPE
        SYNTAX Integer32 (-1..65535)
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination end port to match.

             When matching multiple port, this value is the end of the range.
             Set to -1 if no range is to be matched. Can only be used with TCP,
             UDP or TCP/UDP.

             **Notice:** Usually you want this disabled.

             Applies to AP and STA.
            "
        ::= { cfgFwNatPortForwardTableEntry 7 }

    cfgFwNatPrtFwdDestinationAddress OBJECT-TYPE
        SYNTAX DisplayString (SIZE(9..19))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination address to redirect.

             This can be a specific ip address or a range in CIDR notation.
             Set to 0.0.0.0/0 to match all inbound traffic on the interface
             specified in cfgFwNatPrtFwdInterface. You can use ! to invert the
             sense of the rule: E.g. !192.168.0.0/24. When using static IPs set
             this to the configured address of the respective interface or alias
             you want to forward.

             Be aware, that setting 0.0.0.0/0 will redirect everything arriving
             on the configured interface, even if not sent to the device itself.

             **Notice:** Leave this on 0.0.0.0/0 when using DHCP.

             Applies to AP and STA.
            "
        ::= { cfgFwNatPortForwardTableEntry 8 }

    cfgFwNatPrtFwdDestinationPortStart OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..20))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination start port to redirect.

             Specify the port or start of a port range for the destination.
             You can use ! to invert the sense of the rule: E.g. !80. When used
             in a range, the inversion applies to the range. Can only be used
             with TCP, UDP or TCP/UDP.

             Applies to AP and STA.
            "
        ::= { cfgFwNatPortForwardTableEntry 9 }

    cfgFwNatPrtFwdDestinationPortEnd OBJECT-TYPE
        SYNTAX Integer32 (-1..65535)
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination end port to redirect.

             When forwarding multiple port, this value is the end of the range.
             Set to -1 if no range is forwarded. Can only be used with TCP, UDP
             or TCP/UDP.

             Applies to AP and STA.
            "
        ::= { cfgFwNatPortForwardTableEntry 10 }

    cfgFwNatPrtFwdRedirectDestinationAddress OBJECT-TYPE
        SYNTAX IpAddress
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Redirect traffic to this redirection destination address.

             Applies to AP and STA.
            "
        ::= { cfgFwNatPortForwardTableEntry 11 }

    cfgFwNatPrtFwdRedirectDestinationPort OBJECT-TYPE
        SYNTAX Integer32 (-1..65535)
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Redirect traffic to this destination port.

             Can only be used with TCP, UDP or TCP/UDP.

             Applies to AP and STA.
            "
        ::= { cfgFwNatPortForwardTableEntry 12 }

-- -----------------------------------------------------------------------------

    cfgFwNatOutboundTable OBJECT-TYPE
        SYNTAX SEQUENCE OF CfgFwNatOutTableSeq
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "Firewall outbound NAT rules table."
        ::= { cfgFwNat 2 }

    cfgFwNatOutboundTableEntry OBJECT-TYPE
        SYNTAX  CfgFwNatOutTableSeq
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "Firewall outbound NAT rules table entry."
        INDEX {cfgFwNatOutIndex}
        ::= { cfgFwNatOutboundTable 1 }

    CfgFwNatOutTableSeq ::=
        SEQUENCE {  cfgFwNatOutIndex Integer32,
                    cfgFwNatOutEnabled INTEGER,
                    cfgFwNatOutInterface DisplayString,
                    cfgFwNatOutProtocol INTEGER,
                    cfgFwNatOutSourceAddress DisplayString,
                    cfgFwNatOutSourcePortStart DisplayString,
                    cfgFwNatOutSourcePortEnd Integer32,
                    cfgFwNatOutDestinationAddress DisplayString,
                    cfgFwNatOutDestinationPortStart DisplayString,
                    cfgFwNatOutDestinationPortEnd Integer32,
                    cfgFwNatOutSourceRewriteAddress IpAddress,
                    cfgFwNatOutSourceRewritePort Integer32
                 }

    cfgFwNatOutIndex OBJECT-TYPE
        SYNTAX Integer32 (0..255)
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "Entry index of Table."
        ::= { cfgFwNatOutboundTableEntry 1 }

    cfgFwNatOutEnabled OBJECT-TYPE
        SYNTAX INTEGER { disabled(0), enabled(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Disable or enable the rule.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 2 }

     cfgFwNatOutInterface OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..255))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Name of the network interface on which the rule applies.

             Matches traffic leaving on this interface. Needs to be set to an
             interface name if you are using DHCP. Set to -1 if you don't know
             on which interface traffic will be leaving. Match the traffic with
             cfgFwNatOutDestinationAddress instead. You can use ! to invert the
             sense of the rule. E.g. !wlan0.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 3 }

    cfgFwNatOutProtocol OBJECT-TYPE
        SYNTAX INTEGER { any(0), udp(1), tcp(2), udptcp(3) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Choose which IP protocol the rule matches.

             Allowed protocols are:

             * **any(0):** Any ip protocol.
             * **udp(1):** Only UDP protocol.
             * **tcp(2):** Only TCP protocol.
             * **udptcp(3):** UDP and TCP protocol.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 4 }

    cfgFwNatOutSourceAddress OBJECT-TYPE
        SYNTAX DisplayString (SIZE(9..19))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Source address to match.

             This can be a specific ip address or a range in CIDR notation. Set
             to 0.0.0.0/0 to match all inbound traffic. Set to 172.17.29.7/32 to
             match the specific IP 172.17.29.7. You can use ! to invert the
             sense of the rule: E.g. !192.168.0.0/24.

             **Note:** Usually you want 0.0.0.0/0.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 5 }

    cfgFwNatOutSourcePortStart OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..6))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Source start port to match.

             Specify the port or start of a port range from which a connection
             originates. Can only be used with TCP, UDP or TCP/UDP. Leave this
             on -1 to disable. You can use ! to invert the sense of the rule:
             E.g. !80. When used in a range, the inversion applies to the range.

             **Note:** Usually you want this disabled.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 6 }

    cfgFwNatOutSourcePortEnd OBJECT-TYPE
        SYNTAX Integer32 (-1..65535)
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination end port to match.

             When matching multiple port, this value is the end of the range.
             Set to -1 if no range is to be matched. Can only be used with TCP,
             UDP or TCP/UDP.

             **Note:** Usually you want this disabled.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 7 }

    cfgFwNatOutDestinationAddress OBJECT-TYPE
        SYNTAX DisplayString (SIZE(9..19))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination address to match.

             This can be a specific ip address or a range in CIDR notation. Set
             to 0.0.0.0/0 to match all outbound traffic on the interface
             specified in cfgFwNatOutInterface. You can use ! to invert the
             sense of the rule: E.g. !192.168.0.0/24.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 8 }

    cfgFwNatOutDestinationPortStart OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..6))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination start port to match.

             Specify the port or start of a port range for the destination. Can
             only be used with TCP, UDP or TCP/UDP. You can use ! to invert the
             sense of the rule: E.g. !80. When used in a range, the inversion
             applies to the range.

             **Note:** Usually you want this disabled.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 9 }

    cfgFwNatOutDestinationPortEnd OBJECT-TYPE
        SYNTAX Integer32 (-1..65535)
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination end port to match.

             When forwarding multiple port, this value is the end of the range.
             Set to -1 if no range is forwarded. Can only be used with TCP, UDP
             or TCP/UDP.

             **Note:** Usually you want this disabled.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 10 }

    cfgFwNatOutSourceRewriteAddress OBJECT-TYPE
        SYNTAX IpAddress
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Set the address with which outbound traffic shall be rewritten.

             In case you are using DHCP leave this on 0.0.0.0.

             **Note:** If you are not rewriting the source to a specific
             aliases you can set this to 0.0.0.0 to automatically rewrite
             to the configured primary (first) address of the interface.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 11 }

    cfgFwNatOutSourceRewritePort OBJECT-TYPE
        SYNTAX Integer32 (-1..65535)
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Set the source-port with which outbound traffic shall be rewritten.

             Can only be used with TCP, UDP or TCP/UDP. Set to -1 to disable
             source port rewrite.

             **Note:** Usually you want this disabled.

             Applies to AP and STA."
        ::= { cfgFwNatOutboundTableEntry 12 }

-- =============================================================================

    cfgFwL2IpFilter  OBJECT IDENTIFIER ::= { configuration 3 }

    cfgFwL2IpFilterEnabled OBJECT-TYPE
        SYNTAX INTEGER { disabled(0), enabled(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Globally enable or disable the L2 IP Filter option of all Bridges.

             This filter will only apply on IP frames and will not touch anything else.

             Applies to AP and STA."
        ::= { cfgFwL2IpFilter 1 }

    cfgFwL2IpFilterDefaultAction OBJECT-TYPE
        SYNTAX INTEGER { accept(0), drop(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Set the default action of all bridges when filtering is enabled.

             Take care to not lock yourself out when the default action is 'drop'.

             Applies to AP and STA."
        ::= { cfgFwL2IpFilter 2 }

    cfgFwL2IpFilterTable OBJECT-TYPE
        SYNTAX  SEQUENCE OF CfgNetL2IpFilterTableSeq
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "L2 IP Filter"
        ::= { cfgFwL2IpFilter 3 }

    cfgFwL2IpFilterTableEntry OBJECT-TYPE
        SYNTAX  CfgNetL2IpFilterTableSeq
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "L2 IP Filter"
        INDEX {cfgFwL2IpFltrIndex}
        ::= { cfgFwL2IpFilterTable 1 }

    CfgNetL2IpFilterTableSeq ::=
        SEQUENCE {  cfgFwL2IpFltrIndex Integer32,
                    cfgFwL2IpFltrEnabled INTEGER,
                    cfgFwL2IpFltrBridge Integer32,
                    cfgFwL2IpFltrAction INTEGER,
                    cfgFwL2IpFltrPriority Integer32,
                    cfgFwL2IpFltrSource DisplayString,
                    cfgFwL2IpFltrDestination DisplayString
                 }

    cfgFwL2IpFltrIndex OBJECT-TYPE
        SYNTAX Integer32 (0..63)
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "Entry index of Table"
        ::= { cfgFwL2IpFilterTableEntry 1 }

    cfgFwL2IpFltrEnabled OBJECT-TYPE
        SYNTAX INTEGER { disabled(0), enabled(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Rule disabled or enabled.

             Applies to AP and STA."
        ::= { cfgFwL2IpFilterTableEntry 2 }

    cfgFwL2IpFltrBridge OBJECT-TYPE
        SYNTAX Integer32 (-1..255)
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Bridge on which the rule will be applied.

             Applies to AP and STA."
        ::= { cfgFwL2IpFilterTableEntry 3 }

    cfgFwL2IpFltrAction OBJECT-TYPE
        SYNTAX INTEGER { accept(0), drop(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Action to perform.

             Applies to AP and STA."
        ::= { cfgFwL2IpFilterTableEntry 4 }

    cfgFwL2IpFltrPriority OBJECT-TYPE
        SYNTAX Integer32
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Filter priority

             When multiple rules match, the rule with the highest priority will
             be applied.

             **NOTE:** When multiple matching rules with the same priority exist,
             the rule which was first created will be used. This may lead to
             unexpected behaviour.

             Applies to AP and STA."
        ::= { cfgFwL2IpFilterTableEntry 5 }

    cfgFwL2IpFltrSource OBJECT-TYPE
        SYNTAX DisplayString (SIZE(9..19))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Filter source

             The source network/IP on which the rule matches (CIDR notation).

             Applies to AP and STA."
        ::= { cfgFwL2IpFilterTableEntry 6 }

    cfgFwL2IpFltrDestination OBJECT-TYPE
        SYNTAX DisplayString (SIZE(9..19))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Filter destination

             The destination network/IP on which the rule matches (CIDR notation).

             Applies to AP and STA."
        ::= { cfgFwL2IpFilterTableEntry 7 }

-- =============================================================================

    cfgFwFilter         OBJECT IDENTIFIER ::= { configuration 4 }

    cfgFwFltDefaultPolicyInput OBJECT-TYPE
        SYNTAX INTEGER { drop(0), accept(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "The default filter policy on the input path.

             Applies to AP and STA."
        ::= { cfgFwFilter 1 }

    cfgFwFltDefaultPolicyForward OBJECT-TYPE
        SYNTAX INTEGER { drop(0), accept(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "The default filter policy on the forward path.

             Applies to AP and STA."
        ::= { cfgFwFilter 2 }

    cfgFwFltDefaultPolicyOutput OBJECT-TYPE
        SYNTAX INTEGER { drop(0), accept(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "The default filter policy on the output path.

             Applies to AP and STA."
        ::= { cfgFwFilter 3 }



    cfgFwFilterRulesTable OBJECT-TYPE
        SYNTAX SEQUENCE OF CfgFwFilterRulesTableSeq
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "Firewall filter rules table."
        ::= { cfgFwFilter 10 }

    cfgFwFilterRulesTableEntry OBJECT-TYPE
        SYNTAX  CfgFwFilterRulesTableSeq
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "Firewall filter rules table entry."
        INDEX {cfgFwNatOutIndex}
        ::= { cfgFwFilterRulesTable 1 }

    CfgFwFilterRulesTableSeq ::=
        SEQUENCE {  cfgFwFltRIndex Integer32,
                    cfgFwFltREnabled INTEGER,
                    cfgFwFltRChain INTEGER,
                    cfgFwFltRAction INTEGER,
                    cfgFwFltRInputInterface DisplayString,
                    cfgFwFltROutputInterface DisplayString,
                    cfgFwFltRProtocol Integer32,
                    cfgFwFltRSourceAddress DisplayString,
                    cfgFwFltRSourcePortStart DisplayString,
                    cfgFwFltRSourcePortEnd Integer32,
                    cfgFwFltRDestinationAddress DisplayString,
                    cfgFwFltRDestinationPortStart DisplayString,
                    cfgFwFltRDestinationPortEnd Integer32
                 }

    cfgFwFltRIndex OBJECT-TYPE
        SYNTAX Integer32 (0..255)
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "Entry index of Table."
        ::= { cfgFwFilterRulesTableEntry 1 }

    cfgFwFltREnabled OBJECT-TYPE
        SYNTAX INTEGER { disabled(0), enabled(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Disable or enable the rule.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 2 }

    cfgFwFltRChain OBJECT-TYPE
        SYNTAX INTEGER { none(0), input(1), forward(2), output(3) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Action to be performed.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 3 }

    cfgFwFltRAction OBJECT-TYPE
        SYNTAX INTEGER { drop(0), accept(1) }
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Action to be performed.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 4 }

    cfgFwFltRInputInterface OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..16))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Name of the input interface to match.

             Groups of interfaces can be matched by adding the character '+' at
             the end. E.g. eth+ to match the interfaces eth0, eth1 and eth2.
             To match all interfaces use the character '+' alone.
             Set to -1 to not use this parameter.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 5 }

    cfgFwFltROutputInterface OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..16))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Name of the output interface to match.

             Groups of interfaces can be matched by adding the character '+' at
             the end. E.g. eth+ to match the interfaces eth0, eth1 and eth2.
             To match all interfaces use the character '+' alone.

             Set to -1 to not use this parameter.

             This parameter is ignored for rules on the input chain.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 6 }

    cfgFwFltRProtocol OBJECT-TYPE
        SYNTAX Integer32 (0..255)
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Choose which IP protocol the rule matches.

             For a list of the currently existing protocols see:
             https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
             Some examples are:

             * **any(0)**: Match any ip protocol
             * **icmp(1)**
             * **igmp(2)**
             * **tcp(6)**
             * **udp(17)**
             * **gre(47)**
             * **esp(50)**
             * **ah(51)**
             * **ospf(89)**
             * **vrrp / carp(112)**
             * **l2tp(115)**

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 7 }

    cfgFwFltRSourceAddress OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..20))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Source address to match.

             This can be a specific ip address or a range in CIDR notation.
             Set to 0.0.0.0/0 to match all sources.
             Set to 172.17.29.7/32 to match the specific IP 172.17.29.7.
             You can use ! to invert the sense of the rule: E.g. !192.168.0.0/24

             Set to -1 to not use this parameter.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 8 }

    cfgFwFltRSourcePortStart OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..20))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Source start port to match.

             Specify the port or start of a port range from which a connection
             originates.
             Can only be used with tcp or udp.
             You can use ! to invert the sense of the rule: E.g. !80.
             When used in a range, the inversion applies to the range.

             Set to -1 to not use this parameter.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 9 }

    cfgFwFltRSourcePortEnd OBJECT-TYPE
        SYNTAX Integer32 (-1..65535)
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Source end port to match.

             When matching multiple ports, this value is the end of the range.
             Can only be used with tcp or udp.

             Set to -1 when no range is to be matched.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 10 }

    cfgFwFltRDestinationAddress OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..20))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination address to match.

             This can be a specific ip address or a range in CIDR notation.
             Set to 0.0.0.0/0 to match all destinations.
             Set to 172.17.29.7/32 to match the specific IP 172.17.29.7.
             You can use ! to invert the sense of the rule: E.g. !192.168.0.0/24

             Set to -1 to not use this parameter.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 11 }

    cfgFwFltRDestinationPortStart OBJECT-TYPE
        SYNTAX DisplayString (SIZE(1..20))
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination start port to match.

             Specify the port or start of a port range to which a connection is
             going.
             Can only be used with tcp or udp.
             You can use ! to invert the sense of the rule: E.g. !80.
             When used in a range, the inversion applies to the range.

             Set to -1 to not use this parameter.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 12 }

    cfgFwFltRDestinationPortEnd OBJECT-TYPE
        SYNTAX Integer32 (-1..65535)
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Destination end port to match.

             When matching multiple ports, this value is the end of the range.
             Can only be used with tcp or udp.

             Set to -1 when no range is to be matched.

             Applies to AP and STA."
        ::= { cfgFwFilterRulesTableEntry 13 }


-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-- *  End of   Object Types
-- **********************************************************************

-- **********************************************************************
-- *  Begin GROUPS
-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

    groupCfgFirewall OBJECT-GROUP
        OBJECTS {
            cfgFwEnabled
             }
        STATUS current
        DESCRIPTION
            "Firewall settings."
        ::= { groupConfiguration 1 }

    groupCfgFirewallPortForward OBJECT-GROUP
        OBJECTS {
            cfgFwEnabled,
            cfgFwNatPrtFwdEnabled,
            cfgFwNatPrtFwdInterface,
            cfgFwNatPrtFwdProtocol,
            cfgFwNatPrtFwdSourceAddress,
            cfgFwNatPrtFwdSourcePortStart,
            cfgFwNatPrtFwdSourcePortEnd,
            cfgFwNatPrtFwdDestinationAddress,
            cfgFwNatPrtFwdDestinationPortStart,
            cfgFwNatPrtFwdDestinationPortEnd,
            cfgFwNatPrtFwdRedirectDestinationAddress,
            cfgFwNatPrtFwdRedirectDestinationPort
             }
        STATUS current
        DESCRIPTION
            "Firewall settings."
        ::= { groupConfiguration 2 }

    groupCfgFirewallOutboundNat OBJECT-GROUP
        OBJECTS {
            cfgFwNatOutEnabled,
            cfgFwNatOutInterface,
            cfgFwNatOutProtocol,
            cfgFwNatOutSourceAddress,
            cfgFwNatOutSourcePortStart,
            cfgFwNatOutSourcePortEnd,
            cfgFwNatOutDestinationAddress,
            cfgFwNatOutDestinationPortStart,
            cfgFwNatOutDestinationPortEnd,
            cfgFwNatOutSourceRewriteAddress,
            cfgFwNatOutSourceRewritePort
             }
        STATUS current
        DESCRIPTION
            "Firewall settings."
        ::= { groupConfiguration 3 }

    groupCfgFirewallL2IpFilter OBJECT-GROUP
        OBJECTS {
            cfgFwL2IpFilterEnabled,
            cfgFwL2IpFilterDefaultAction,
            cfgFwL2IpFltrEnabled,
            cfgFwL2IpFltrBridge,
            cfgFwL2IpFltrAction,
            cfgFwL2IpFltrPriority,
            cfgFwL2IpFltrSource,
            cfgFwL2IpFltrDestination
             }
        STATUS current
        DESCRIPTION
            "Firewall settings."
        ::= { groupConfiguration 4 }

    groupCfgFirewallFilter OBJECT-GROUP
        OBJECTS {
            cfgFwFltDefaultPolicyInput,
            cfgFwFltDefaultPolicyForward,
            cfgFwFltDefaultPolicyOutput,
            cfgFwFltREnabled,
            cfgFwFltRChain,
            cfgFwFltRAction,
            cfgFwFltRInputInterface,
            cfgFwFltROutputInterface,
            cfgFwFltRProtocol,
            cfgFwFltRSourceAddress,
            cfgFwFltRSourcePortStart,
            cfgFwFltRSourcePortEnd,
            cfgFwFltRDestinationAddress,
            cfgFwFltRDestinationPortStart,
            cfgFwFltRDestinationPortEnd
             }
        STATUS current
        DESCRIPTION
            "Firewall settings."
        ::= { groupConfiguration 5 }

-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-- *  End GROUPS
-- **********************************************************************

-- **********************************************************************
-- *  Begin COMPLIANCE STATEMENTS
-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

    compliance MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Implementation Requirements for DT50 bindings"
    MODULE  -- this module
        MANDATORY-GROUPS {
            groupCfgFirewall,
            groupCfgFirewallPortForward,
            groupCfgFirewallOutboundNat,
            groupCfgFirewallL2IpFilter,
            groupCfgFirewallFilter
        }
    ::= { compliances 1 }

-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-- *  End COMPLIANCE STATEMENTS
-- **********************************************************************

-- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-- *  End of MIB DEFINITION
-- **********************************************************************
END


-- **********************************************************************
-- **********************************************************************
