
-- Copyright (C) 2012 by Zhone Technologies.  All Rights Reserved.

-- ======================================================================
-- ==                                                                  ==
-- ==                    ZHNFIREWALL MIB                               ==
-- ==                                                                  ==
-- ==  Copyright (C) 2012 Zhone Technologies, Inc.                     ==
-- ==  Confidential, Unpublished Property of Zhone Technologies.       ==
-- ==  Rights Reserved Under the Copyright Laws of the United States.  ==
-- ==                                                                  ==
-- ======================================================================

ZHNFIREWALL DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY , OBJECT-TYPE , enterprises,
    Integer32, Unsigned32, IpAddress, Gauge32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    TEXTUAL-CONVENTION, MacAddress, RowStatus, TruthValue
        FROM SNMPv2-TC
    ZhoneRowStatus
        FROM Zhone-TC
    zhoneWtn
        FROM Zhone
    lanDeviceIndex, lanEthernetIndex
        FROM ZHNLANDEVICE;

-- 1.3.6.1.4.1.5504.2.5.41
zhnFirewall  MODULE-IDENTITY
    LAST-UPDATED  "201204181200Z" -- Apr 18, 2012
    ORGANIZATION
        "Zhone Technologies, Inc."
    CONTACT-INFO 
        "Zhone Technologies, Inc.
         Florida Design Center
         8545 126th Avenue North
         Largo, FL 33773

	 Toll-Free: +1 877-ZHONE20 (+1 877-946-6320)
	 Tel: +1-510-777-7000
	 Fax: +1-510-777-7001
	 E-mail: support@zhone.com"


    DESCRIPTION
        "This file defines the private Enterprise MIB extensions
         that define LAN Management Access Service Filters and Port
	 Forwarding objects supported by the Zhone CPEs."


    REVISION "201204181200Z" -- Apr 18, 2012
    DESCRIPTION "Added https to FirewallMgmtAccessServiceValues"

    REVISION "201202031200Z"  -- Feb 03, 2012
    DESCRIPTION "First Draft"

::= { zhoneWtn 45 }



-- 1.3.6.1.4.1.5504.2.5.45.1
zhnFirewallObjects           OBJECT IDENTIFIER ::= { zhnFirewall 1 }

--
-- Textual Conventions
--
FirewallMgmtAccessServiceValues ::= TEXTUAL-CONVENTION
  STATUS        current
  DESCRIPTION   "LAN Management Access Services that can be blocked from the 
                 CPEs management network."
  SYNTAX INTEGER {
          http (1),
          https (2),
          ping (3),
          snmp (4),
          snmpTrap (5),
          ssh (6),
          telnet (7)
  }

FirewallMgmtAccessServiceActions ::= TEXTUAL-CONVENTION
  STATUS        current
  DESCRIPTION   "LAN Management Access Service actions to perform for the 
                 specified service."
  SYNTAX INTEGER {
          allow (1),
          deny (2),
          undefined (3)
  }


FirewallPortTypeValues ::= TEXTUAL-CONVENTION
  STATUS        current
  DESCRIPTION   "LAN Port Forwarding actions supported."
  SYNTAX INTEGER {
          portRange (1),  -- Range indicates that any traffic on those ports will be 
                          -- sent to the private IP address. 
          portRemap (2),  -- Remap indicates that any traffic on those ports will be 
                          -- sent to the private IP address at the private port.
          dmz (3)         -- When DMZ is chosen it is the only rule allowed on that
                          -- interface. A DMZ rule is effectively the same as a Range 
                          -- rule with all ports included. Range rules are more secure 
                          -- than setting a DMZ rule, because Range rules allow specific 
                          -- ports or groups of ports to be opened up. 
  }

FirewallPortProtocolValues  ::= TEXTUAL-CONVENTION
  STATUS        current
  DESCRIPTION   "LAN Port Forwarding protocols that can be filtered, per port."
  SYNTAX INTEGER {
          tcp (1),
          udp (2),
          tcpOrUdp (3),
          icmp (4),
	  icmpv4 (5),
          none (6)
  }



--
-- LAN Device Objects 
-- InternetGatewayDevice.LANDevice.{i}.LANHostConfigManagement.IPInterface.{i}.X_ZHONE_MgmtAccessCfg.{i}.
--
-- 1.3.6.1.4.1.5504.2.5.45.1.1
--
firewallMgmtAccessTable OBJECT-TYPE
  SYNTAX        SEQUENCE OF FirewallMgmtAccessEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION
    "Table of LAN Management Access Service Filters"
  ::= { zhnFirewallObjects 1}

firewallMgmtAccessEntry OBJECT-TYPE
  SYNTAX        FirewallMgmtAccessEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION
    "Table of entries of LAN Management Access service filters. This
     table is used to configure management access on the device. It
     is useful in making the device management network by blocking 
     protocols or services that are highly susceptible to external
     attacks."
  INDEX        { lanDeviceIndex, lanEthernetIndex, firewallMgmtServiceIndex }
  ::= { firewallMgmtAccessTable 1}

FirewallMgmtAccessEntry ::=
  SEQUENCE {
      firewallMgmtServiceIndex           FirewallMgmtAccessServiceValues,
      firewallMgmtService                OCTET STRING,
      firewallMgmtAction                 FirewallMgmtAccessServiceActions
  }

firewallMgmtServiceIndex OBJECT-TYPE
  SYNTAX        FirewallMgmtAccessServiceValues       
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION
    "LAN Management Access Services Table index. Enumerated values:
          Http (1),
          Https (2),
          Ping (3),
          Snmp (4),
          SnmpTrap (5),
          Ssh (6),
          Telnet (7)
     "
  ::= { firewallMgmtAccessEntry 1}

firewallMgmtService OBJECT-TYPE
  SYNTAX        OCTET STRING       
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION
    "LAN Management Access Service description."
  ::= { firewallMgmtAccessEntry 2}

firewallMgmtAction OBJECT-TYPE
  SYNTAX        FirewallMgmtAccessServiceActions
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION
    "LAN Management Access Service filtering action. Enumerated values:
          Allow (1),
          Deny (2),
          Undefined (3)
    "
  ::= { firewallMgmtAccessEntry 3}


--
-- LAN Device Objects 
-- InternetGatewayDevice.LANDevice.{i}.LANHostConfigManagement.IPInterface.{i}.X_ZHONE_PortForwardingCfg.{i}.
--
-- 1.3.6.1.4.1.5504.2.5.45.1.2
--
firewallPortForwardingTable OBJECT-TYPE
  SYNTAX        SEQUENCE OF FirewallPortForwardingEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION
    "Table of LAN Port Forwarding Rules. Note that the rules in this table
     have no effect until the global firewall object (sysFirewallEnable)
     is enabled."
  ::= { zhnFirewallObjects 2}

firewallPortForwardingEntry OBJECT-TYPE
  SYNTAX        FirewallPortForwardingEntry
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION
    "This table is used to configure port forwarding firewall rules for
     the device."
  INDEX        { lanDeviceIndex, lanEthernetIndex, firewallPortForwardingIndex }
  ::= { firewallPortForwardingTable 1}

FirewallPortForwardingEntry ::=
  SEQUENCE {
      firewallPortForwardingIndex           Unsigned32,
      firewallPortForwardingName            OCTET STRING,
      firewallPortType                      FirewallPortTypeValues,
      firewallPortProtocol                  FirewallPortProtocolValues,
      firewallPortPublicPortStart           Unsigned32,
      firewallPortPublicPortEnd             Unsigned32,
      firewallPortPrivatePort               Unsigned32, 
      firewallPortPrivateIPAddress          IpAddress,
      firewallPortForwardingRowStatus       ZhoneRowStatus
  }

firewallPortForwardingIndex OBJECT-TYPE
  SYNTAX        Unsigned32
  MAX-ACCESS    not-accessible
  STATUS        current
  DESCRIPTION
    "LAN Port Forwarding Rules index."
  ::= { firewallPortForwardingEntry 1}

firewallPortForwardingName OBJECT-TYPE
  SYNTAX        OCTET STRING       
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION
    "Descriptive name for a LAN Port Forwarding Rule."
  ::= { firewallPortForwardingEntry 2}

firewallPortType OBJECT-TYPE
  SYNTAX        FirewallPortTypeValues
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION
    "Enumerated value of:
          portRange (1),  -- Range indicates that any traffic on those ports will be 
                          -- sent to the private IP address. 
          portRemap (2),  -- Remap indicates that any traffic on those ports will be 
                          -- sent to the private IP address at the private port.
          dmz (3)         -- When DMZ is chosen it is the only rule allowed on that
                          -- interface. A DMZ rule is effectively the same as a Range 
                          -- rule with all ports included. Range rules are more secure 
                          -- than setting a DMZ rule, because Range rules allow specific 
                          -- ports or groups of ports to be opened up. 
    "
  ::= { firewallPortForwardingEntry 3}

firewallPortProtocol OBJECT-TYPE
  SYNTAX        FirewallPortProtocolValues
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION
    "Enumerated value of:
          tcp (1),
          udp (2),
          tcpOrUdp (3),
          icmp (4),
	  icmpv4 (5),
          none (6)
    "
  ::= { firewallPortForwardingEntry 4}

firewallPortPublicPortStart OBJECT-TYPE
  SYNTAX        Unsigned32
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION
    "Lowest value port number for the range."
  ::= { firewallPortForwardingEntry 5}

firewallPortPublicPortEnd OBJECT-TYPE
  SYNTAX        Unsigned32
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION
    "Highest value port number for the range. This can be equal to 
     firewallPortPublicPortStart if there is only one port."
  ::= { firewallPortForwardingEntry 6}

firewallPortPrivatePort OBJECT-TYPE
  SYNTAX        Unsigned32
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION
    "The port number with which to send the traffic."
  ::= { firewallPortForwardingEntry 7}

firewallPortPrivateIPAddress OBJECT-TYPE
  SYNTAX        IpAddress
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION
    "The port IP Address with which to send the traffic."
  ::= { firewallPortForwardingEntry 8}

firewallPortForwardingRowStatus OBJECT-TYPE
  SYNTAX        ZhoneRowStatus
  MAX-ACCESS    read-write
  STATUS        current
  DESCRIPTION   
    "The SNMP RowStatus of the current row. The following objects must
     be specified upon row creation:
        firewallPortForwardingName    
        firewallPortPrivateIPAddress
    "
  ::= { firewallPortForwardingEntry 9}


-- ****************************************************************************
--
-- Conformance Information
--

zhnFirewallConformance OBJECT IDENTIFIER ::= { zhnFirewall 3 }

zhnFirewallGroups OBJECT IDENTIFIER ::= { zhnFirewallConformance 1}
zhnFirewallCompliances OBJECT IDENTIFIER ::= { zhnFirewallConformance 2}
 
--
-- Compliance Statements
--

zhnFirewallCompliance  MODULE-COMPLIANCE
  STATUS        current
  DESCRIPTION
        "The Compliance statement for SNMP entities which
         manage the Zhone CPE LAN Firewall Management Access Services 
	 and Port Forwarding Information"
  MODULE  -- this module
  MANDATORY-GROUPS {
      zhnFirewallMgmtAccessGroup
  }
  ::= {zhnFirewallCompliances 1}


--
-- Units of Conformance
--

zhnFirewallMgmtAccessGroup OBJECT-GROUP
   OBJECTS {
      firewallMgmtService,
      firewallMgmtAction
   }
   STATUS current
   DESCRIPTION
      "A collection of Zhone IP objects that describe the 
       LAN Management Access Services that can be filtered for 
       a particular LAN interface."
   ::= { zhnFirewallGroups 1}

zhnFirewallPortForwardingGroup OBJECT-GROUP
   OBJECTS {
      firewallPortForwardingName,
      firewallPortType,
      firewallPortProtocol,
      firewallPortPublicPortStart,
      firewallPortPublicPortEnd,
      firewallPortPrivatePort,
      firewallPortPrivateIPAddress,
      firewallPortForwardingRowStatus
   }
   STATUS current
   DESCRIPTION
      "A collection of Zhone IP objects that describe the 
       LAN Port Forwarding Management rules for filtering
       protocols and ports for a particular LAN interface."
   ::= { zhnFirewallGroups 2}


END
