-- MIB module extracted from ITU-T J.192 (11/2005)
CABH-SEC-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY,
Unsigned32,
zeroDotZero,
Counter32,
OBJECT-TYPE FROM SNMPv2-SMI -- RFC 2578
DateAndTime,
TruthValue,
TimeStamp,
RowStatus,
VariablePointer FROM SNMPv2-TC -- RFC 2579
OBJECT-GROUP,
MODULE-COMPLIANCE FROM SNMPv2-CONF -- RFC 2580
InetPortNumber,
InetAddress FROM INET-ADDRESS-MIB --RFC 3291
SnmpAdminString FROM SNMP-FRAMEWORK-MIB --RFC 2571
X509Certificate FROM DOCS-BPI2-MIB
ZeroBasedCounter32 FROM RMON2-MIB
docsDevFilterIpEntry FROM DOCS-CABLE-DEVICE-MIB
InterfaceIndexOrZero FROM IF-MIB
clabProjCableHome FROM CLAB-DEF-MIB;
cabhSecMib MODULE-IDENTITY
LAST-UPDATED "200408060000Z" -- August 6, 2004
ORGANIZATION "CableLabs Broadband Access Department"
CONTACT-INFO
"Kevin Luehrs
Postal: Cable Television Laboratories, Inc.
858 Coal Creek Circle
Louisville, Colorado 80027
U.S.A.
Phone: +1 303-661-9100
Fax: +1 303-661-9199
E-mail: k.luehrs@cablelabs.com; mibs@cablelabs.com"
DESCRIPTION
"This MIB module supplies the basic management
objects for the Security Portal Services."
::= { clabProjCableHome 2 }
-- Textual conventions
cabhSecMibObjects OBJECT IDENTIFIER ::= { cabhSecMib 5 }
cabhSecFwObjects OBJECT IDENTIFIER ::= { cabhSecMib 1 }
cabhSecFwBase OBJECT IDENTIFIER ::= { cabhSecFwObjects 1 }
cabhSecFwLogCtl OBJECT IDENTIFIER ::= { cabhSecFwObjects 2 }
cabhSecCertObjects OBJECT IDENTIFIER ::= { cabhSecMib 2 }
cabhSecKerbObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 3 }
cabhSecKerbBase OBJECT IDENTIFIER ::= { cabhSecKerbObjects 1 }
cabhSec2FwObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 4 }
cabhSec2FwBase OBJECT IDENTIFIER ::= { cabhSec2FwObjects 1 }
cabhSec2FwEvent OBJECT IDENTIFIER ::= { cabhSec2FwObjects 2 }
cabhSec2FwLog OBJECT IDENTIFIER ::= { cabhSec2FwObjects 3 }
cabhSec2FwFilter OBJECT IDENTIFIER ::= { cabhSec2FwObjects 4 }
--
-- CableHome 1.0 Base Firewall Functions
--
cabhSecFwPolicyFileEnable OBJECT-TYPE
SYNTAX INTEGER {
enable (1),
disable(2)
}
MAX-ACCESS read-write
STATUS deprecated
DESCRIPTION
"This parameter indicates whether or not to enable
the firewall functionality."
DEFVAL { enable }
::= { cabhSecFwBase 1 }
cabhSecFwPolicyFileURL OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-write
STATUS deprecated
DESCRIPTION
"A policy rule set file download is triggered when the
value used to set this object is different than the value
in the cabhSecFwPolicySuccessfulFileURL object."
REFERENCE
"CableHome 1.0 Specification, CH-SP-CH1.0-I05-030801,
11.3.5.2 of ITU-T Rec. J.191, Firewall Rule Set Management
Parameters."
DEFVAL { "" }
::= { cabhSecFwBase 2 }
cabhSecFwPolicyFileHash OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0|20))
MAX-ACCESS read-write
STATUS deprecated
DESCRIPTION
"Hash of the contents of the rules set file,
calculated and sent to the PS prior to sending
the rules set file. For the SHA-1 authentication
algorithm, the length of the hash is 160 bits.
This hash value is encoded in binary format."
DEFVAL { ''h }
::= { cabhSecFwBase 3 }
cabhSecFwPolicyFileOperStatus OBJECT-TYPE
SYNTAX INTEGER {
inProgress(1),
complete(2),
-- completeFromMgt(3), deprecated
failed(4)
}
MAX-ACCESS read-only
STATUS deprecated
DESCRIPTION
"inProgress(1) indicates a firewall configuration
file download is underway.
complete (2) indicates the firewall configuration
file downloaded and configured successfully.
completeFromMgt(3) This state is deprecated.
failed(4) indicates the last attempted firewall
configuration file download or processing
failed ordinarily due to TFTP timeout."
::= { cabhSecFwBase 4 }
cabhSecFwPolicyFileCurrentVersion OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS deprecated
DESCRIPTION
"The rule set version currently operating in the
PS device. This object should be in the syntax
used by the individual vendor to identify software
versions. Any PS element MUST return a string
descriptive of the current rule set file load.
If this is not applicable, this object MUST
contain an empty string."
::= { cabhSecFwBase 5 }
cabhSecFwPolicySuccessfulFileURL OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS deprecated
DESCRIPTION
"Contains the location of the last successful downloaded
policy rule set file in the format pointed in the
reference. If a successful download has never occurred,
this MIB object MUST report empty string."
REFERENCE
"CableHome 1.0 Specification, CH-SP-CH1.0-I05-030801,
11.3.5.2 of ITU-T Rec. J.191, Firewall Rule Set Management
Parameters."
DEFVAL { "" }
::= { cabhSecFwBase 6 }
--
-- CableHome 1.0 Firewall Event MIBs
--
cabhSecFwEventType1Enable OBJECT-TYPE
SYNTAX INTEGER {
enable(1), -- log event
disable(2) -- do not log event
}
MAX-ACCESS read-write
STATUS deprecated
DESCRIPTION
"This object enables or disables logging of type 1
firewall event messages. Type 1 event messages report
attempts from both private and public clients to
traverse the firewall that violate the Security
Policy."
DEFVAL { disable }
::= { cabhSecFwLogCtl 1 }
cabhSecFwEventType2Enable OBJECT-TYPE
SYNTAX INTEGER {
enable(1), -- log event
disable(2) -- do not log event
}
MAX-ACCESS read-write
STATUS deprecated
DESCRIPTION
"This object enables or disables logging of
type 2 firewall event messages. Type 2 event
messages report identified Denial of Service
attack attempts."
DEFVAL { disable }
::= { cabhSecFwLogCtl 2 }
cabhSecFwEventType3Enable OBJECT-TYPE
SYNTAX INTEGER {
enable(1), -- log event
disable(2) -- do not log event
}
MAX-ACCESS read-write
STATUS deprecated
DESCRIPTION
"Enables or disables logging of type 3 firewall
event messages. Type 3 event messages report
changes made to the following firewall management
parameters: cabhSecFwPolicyFileURL,
cabhSecFwPolicyFileCurrentVersion,
cabhSecFwPolicyFileEnable"
DEFVAL { disable }
::= { cabhSecFwLogCtl 3 }
cabhSecFwEventAttackAlertThreshold OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-write
STATUS deprecated
DESCRIPTION
"If the number of type 1 or 2 hacker attacks
exceeds this threshold in the period defined
by cabhSecFwEventAttackAlertPeriod, a firewall
message event MUST be logged with priority
level 4."
DEFVAL { 65535 }
::= { cabhSecFwLogCtl 4 }
cabhSecFwEventAttackAlertPeriod OBJECT-TYPE
SYNTAX INTEGER (0..65535)
MAX-ACCESS read-write
STATUS deprecated
DESCRIPTION
"Indicates the period to be used (in hours) for
the cabhSecFwEventAttackAlertThreshold. This MIB
variable should always keep track of the last x
hours of events meaning that if the variable is
set to track events for 10 hours then, when the
11th hour is reached, the 1st hour of events is
deleted from the tracking log. A default value
is set to zero, meaning zero time, so that this
MIB variable will not track any events unless
configured."
DEFVAL { 0 }
::= { cabhSecFwLogCtl 5 }
--
-- CableHome PS device certificate
--
cabhSecCertPsCert OBJECT-TYPE
SYNTAX X509Certificate
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The X509 DER-encoded PS certificate."
::= { cabhSecCertObjects 1 }
--
-- CableHome 1.1 Firewall Management MIBs
--
cabhSec2FwEnable OBJECT-TYPE
SYNTAX INTEGER {
enabled(1),
disabled(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This parameter indicates whether to enable or disable the
firewall."
DEFVAL { enabled }
::= { cabhSec2FwBase 1 }
cabhSec2FwPolicyFileURL OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A policy rule set file download is triggered when the
value used to set this object is different than the value
in the cabhSec2FwPolicySuccessfulFileURL object."
REFERENCE
"CableHome 1.1 Specification, CH-SP-CH1.1-I05-040806,
11.6.4.9.1 of ITU-T Rec. J.192, Firewall Rule Set Management
MIB Objects."
DEFVAL { "" }
::= { cabhSec2FwBase 2 }
cabhSec2FwPolicyFileHash OBJECT-TYPE
SYNTAX OCTET STRING (SIZE(0|20))
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Hash of the contents of the firewall
configuration file. For the SHA-1 authentication
algorithm, the length of the hash is 160 bits.
This hash value is encoded in binary format."
DEFVAL { ''h }
::= { cabhSec2FwBase 3 }
cabhSec2FwPolicyFileOperStatus OBJECT-TYPE
SYNTAX INTEGER {
inProgress(1),
complete(2),
failed(3)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"InProgress(1) indicates a firewall configuration
file download is underway. Complete(2) indicates
the firewall configuration file was downloaded
and processed successfully. Failed(3) indicates
that the last attempted firewall configuration
file download or processing failed."
::= { cabhSec2FwBase 4 }
cabhSec2FwPolicyFileCurrentVersion OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"A label set by the cable operator that can be
used to track various versions of configured
rulesets. Once the label is set and configured
rules are changed, it may not accurately reflect
the version of configured rules running on the box.
If this object has never been configured, it MUST
contain an empty string."
DEFVAL { "" }
::= { cabhSec2FwBase 5 }
cabhSec2FwClearPreviousRuleset OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"If set to 'true', the PS MUST clear all entries in the
docsDevFilterIpTable. Reading this value always returns
false."
REFERENCE
"CableHome specification – Security section"
DEFVAL { false }
::= { cabhSec2FwBase 6 }
cabhSec2FwPolicySelection OBJECT-TYPE
SYNTAX INTEGER {
factoryDefault(1),
configuredRulesetBoth(2),
factoryDefaultAndConfiguredRulesetBoth(3),
configuredRulesetDocsDevFilterIpTable(4),
configuredRulesetCabhSec2FwLocalFilterIpTable (5),
factoryDefaultAndDocsDevFilterIpTable (6),
factoryDefaultAndCabhSec2FwLocalFilterIpTable (7)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object allows for selection of the filtering policy
as defined by the following options:
factoryDefault (1) The firewall filters against the Factory
Default Ruleset in the cabhSec2FwFactoryDefaultFilterTable.
configuredRulesetBoth (2) The firewall filters against the
Configured Ruleset defined by both the
docsDevFilterIpTable and the cabhSec2FwLocalFilterIpTable.
factoryDefaultAndConfiguredRulesetBoth (3) The firewall
filters against the CableHome specified Factory Default
Ruleset in the cabhSec2FwFactoryDefaultFilterTable and
the Configured Ruleset in the docsDevFilterIpTable and
the cabhSec2FwLocalFilterIpTable.
configuredRulesetDocsDevFilterIpTable(4) The firewall
filters against the Configured Ruleset defined by the
docsDevFilterIpTable.
configuredRulesetCabhSec2FwLocalFilterIpTable (5) The
firewall filters against the Configured Ruleset defined by
the cabhSec2FwLocalFilterIpTable.
factoryDefaultAndDocsDevFilterIpTable (6) The firewall
filters against the Factory Default Ruleset and the
Configured Ruleset defined by the DocsDevFilterIpTable.
factoryDefaultAndCabhSec2FwLocalFilterIpTable (7) The
firewall filters against the Factory Default Ruleset and
the Configured Ruleset defined by the
cabhSec2FwLocalFilterIpTable."
REFERENCE
"CableHome specification – Security section."
DEFVAL { factoryDefault }
::= { cabhSec2FwBase 7 }
cabhSec2FwEventSetToFactory OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"If set to 'true', entries in cabhSec2FwEventControlEntry
are set to their default values.
Reading this value always returns false."
DEFVAL { false }
::= { cabhSec2FwBase 8 }
cabhSec2FwEventLastSetToFactory OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when cabhSec2FwEventSetToFactory
was Last set to true. Zero if never reset."
::= { cabhSec2FwBase 9 }
cabhSec2FwPolicySuccessfulFileURL OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Contains the location of the last successful downloaded
policy rule set file in the format pointed in the
reference. If a successful download has not yet
occurred, this MIB object should report empty string."
REFERENCE
"CableHome 1.1 Specification, CH-SP-CH1.1-I05-040806,
11.6.4.9.1 of ITU�T Rec. J.192, Firewall Rule Set Management MIB Objects."
DEFVAL { "" }
::= { cabhSec2FwBase 10 }
cabhSec2FwConfiguredRulesetPriority OBJECT-TYPE
SYNTAX INTEGER {
docsDevFilterIpTable (1),
cabhSec2FwLocalFilterIpTable (2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This object defines which Configured Ruleset filter rule
has priority when a conflict exists between a filter rule
in the docsDevFilterIpTable and a filter rule in the
cabhSec2FwLocalFilterIpTable as indicated by the following
options:
docsDevFilterIpTable (1) – indicates that filter rules in
the docsDevFilterIpTable have priority over any
conflicting filters that may exist in the
cabhSec2FwLocalFilterIpTable.
cabhSec2FwLocalFilterIpTable (2) – indicates that filter
rules in the cabhSec2FwLocalFilterIpTable have priority
over any conflicting filters that may exist in the
docsDevFilterIpTable."
REFERENCE
"CableHome specification – Security section."
DEFVAL { cabhSec2FwLocalFilterIpTable }
::= { cabhSec2FwBase 11 }
cabhSec2FwClearLocalRuleset OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"If set to 'true', the PS MUST clear all entries in the
cabhSec2FwLocalFilterIpTable. Reading this value always
returns false."
REFERENCE
"CableHome specification – Security section"
DEFVAL { false }
::= { cabhSec2FwBase 12 }
-- +++++++++++
--
-- CableHome 1.1 Firewall Event MIBs
--
cabhSec2FwEventControlTable OBJECT-TYPE
SYNTAX SEQUENCE OF CabhSec2FwEventControlEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table controls the reporting of the
Firewall Attacks events"
::= { cabhSec2FwEvent 1 }
cabhSec2FwEventControlEntry OBJECT-TYPE
SYNTAX CabhSec2FwEventControlEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Allows configuration of the reporting mechanisms
for a particular type of attack."
INDEX { cabhSec2FwEventType }
::= { cabhSec2FwEventControlTable 1 }
CabhSec2FwEventControlEntry ::= SEQUENCE {
cabhSec2FwEventType INTEGER,
cabhSec2FwEventEnable INTEGER,
cabhSec2FwEventThreshold Unsigned32,
cabhSec2FwEventInterval Unsigned32,
cabhSec2FwEventCount ZeroBasedCounter32,
cabhSec2FwEventLogReset TruthValue,
cabhSec2FwEventLogLastReset TimeStamp
}
cabhSec2FwEventType OBJECT-TYPE
SYNTAX INTEGER {
type1(1),
type2(2),
type3(3),
type4(4),
type5(5),
type6(6)
}
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Classification of the different types of
attacks.
Type 1 logs all attempts from both LAN and WAN
clients to traverse the Firewall that violate the
Security Policy.
Type 2 logs identified Denial of Service attack
attempts.
Type 3 logs all changes made to the
cabhSec2FwPolicyFileURL,
cabhSec2FwPolicyFileCurrentVersion or
cabhSec2FwPolicyFileEnable objects.
Type 4 logs all failed attempts to modify
cabhSec2FwPolicyFileURL and
cabhSec2FwPolicyFileEnable objects.
Type 5 logs allowed inbound packets from the WAN.
Type 6 logs allowed outbound packets from the
LAN."
::= { cabhSec2FwEventControlEntry 1 }
cabhSec2FwEventEnable OBJECT-TYPE
SYNTAX INTEGER {
enabled(1),
disabled(2)
}
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Enables or disables counting and logging of
firewall events by type as assigned by
cabhSec2FwEventType."
DEFVAL { disabled }
::= { cabhSec2FwEventControlEntry 2 }
cabhSec2FwEventThreshold OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Number of attacks to count before sending the
appropriate event by type as assigned by
cabhSec2FwEventType."
DEFVAL { 0 }
::= { cabhSec2FwEventControlEntry 3 }
cabhSec2FwEventInterval OBJECT-TYPE
SYNTAX Unsigned32 (0..744)
UNITS "hours"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates the time interval in hours to count and log
occurrences of a firewall event type as assigned in
cabhSec2FwEventType. If this MIB has a value of zero,
then there is no interval assigned and the PS will not
count or log events."
DEFVAL { 0 }
::= { cabhSec2FwEventControlEntry 4 }
cabhSec2FwEventCount OBJECT-TYPE
SYNTAX ZeroBasedCounter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Indicates the current count up to the
cabhSec2FwEventThreshold value by type as
assigned by cabhSec2FwEventType."
::= { cabhSec2FwEventControlEntry 5 }
cabhSec2FwEventLogReset OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Setting this object to true clears the log table
for the specified event type. Reading this object
always returns false."
DEFVAL { false }
::= { cabhSec2FwEventControlEntry 6 }
cabhSec2FwEventLogLastReset OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of sysUpTime when cabhSec2FwEventLogReset was
last set to true. Zero if never reset."
::= { cabhSec2FwEventControlEntry 7 }
--
-- CableHome 1.1 Firewall Log Tables
--
cabhSec2FwLogTable OBJECT-TYPE
SYNTAX SEQUENCE OF CabhSec2FwLogEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Contains a log of packet information as related
to events enabled by the cable operator. The types
are defined in the CableHome 1.1 specification and
require various objects to be included in the log.
The following is a description for what is
expected in the log for each type Type 1, Type 2,
Type 5 and Type 6 table MUST include
cabhSec2FwEventType, cabhSec2FwEventPriority,
cabhSec2FwEventId, cabhSec2FwLogTime,
cabhSec2FwIpProtocol, cabhSec2FwIpSourceAddr,
cabhSec2FwIpDestAddr, cabhSec2FwIpSourcePort,
cabhSec2FwIpDestPort, cabhSec2Fw,
cabhSec2FwReplayCount. The other values not used
by Types 1, 2, 5 and 6 are default values. Type 3
and Type 4 MUST include cabhSec2FwEventType,
cabhSec2FwEventPriority, cabhSec2FwEventId,
cabhSec2FwLogTime, cabhSec2FwIpSourceAddr,
cabhSec2FwLogMIBPointer. The other values not used
by type 3 and 4 are default values. When applicable,
Type 1, Type 5,and Type 6 MUST also include
cabhSec2FwLogMatchingFilterTableName,
cabhSec2FwLogMatchingFilterTableIndex,
cabhSec2FwLogMatchingFilterDescr."
::= { cabhSec2FwLog 1 }
cabhSec2FwLogEntry OBJECT-TYPE
SYNTAX CabhSec2FwLogEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Each entry contains the log of firewall events"
INDEX {cabhSec2FwLogIndex}
::= { cabhSec2FwLogTable 1 }
CabhSec2FwLogEntry ::= SEQUENCE {
cabhSec2FwLogIndex Unsigned32,
cabhSec2FwLogEventType INTEGER,
cabhSec2FwLogEventPriority INTEGER,
cabhSec2FwLogEventId Unsigned32,
cabhSec2FwLogTime DateAndTime,
cabhSec2FwLogIpProtocol Unsigned32,
cabhSec2FwLogIpSourceAddr InetAddress,
cabhSec2FwLogIpDestAddr InetAddress,
cabhSec2FwLogIpSourcePort InetPortNumber,
cabhSec2FwLogIpDestPort InetPortNumber,
cabhSec2FwLogMessageType Unsigned32,
cabhSec2FwLogReplayCount Unsigned32,
cabhSec2FwLogMIBPointer VariablePointer,
cabhSec2FwLogMatchingFilterTableName INTEGER,
cabhSec2FwLogMatchingFilterTableIndex Unsigned32,
cabhSec2FwLogMatchingFilterDescr SnmpAdminString
}
cabhSec2FwLogIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A sequence number for the specific events
under a cabhSec2FwEventType."
::= { cabhSec2FwLogEntry 1 }
cabhSec2FwLogEventType OBJECT-TYPE
SYNTAX INTEGER {
type1(1),
type2(2),
type3(3),
type4(4),
type5(5),
type6(6)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Classification of the different types of
attacks.
Type 1 logs all attempts from both LAN and WAN
clients to traverse the Firewall that violate
the Security Policy.
Type 2 logs identified Denial of Service attack
attempts.
Type 3 logs all changes made to the
cabhSec2FwPolicyFileURL,
cabhSec2FwPolicyFileCurrentVersion or
cabhSec2FwPolicyFileEnable objects.
Type 4 logs all failed attempts to modify
cabhSec2FwPolicyFileURL and
cabhSec2FwPolicyFileEnable objects.
Type 5 logs allowed inbound packets from the WAN.
Type 6 logs allowed outbound packets from the
LAN."
::= { cabhSec2FwLogEntry 2 }
cabhSec2FwLogEventPriority OBJECT-TYPE
SYNTAX INTEGER {
emergency(1),
alert(2),
critical(3),
error(4),
warning(5),
notice(6),
information(7),
debug(8)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The priority level of this event as defined
by CableHome Specification. If a priority is
not assigned in the CableHome specification for
a particular event, then the vendor or cable
operator may assign priorities. These are
ordered from most serious (emergency)to least
serious (debug)."
::= { cabhSec2FwLogEntry 3 }
cabhSec2FwLogEventId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The assigned event ID."
::= { cabhSec2FwLogEntry 4 }
cabhSec2FwLogTime OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time that this entry was created by the PS."
::= { cabhSec2FwLogEntry 5 }
cabhSec2FwLogIpProtocol OBJECT-TYPE
SYNTAX Unsigned32 (0..256)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IP Protocol."
::= { cabhSec2FwLogEntry 6 }
cabhSec2FwLogIpSourceAddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Source IP Address of the packet logged."
::= { cabhSec2FwLogEntry 7 }
cabhSec2FwLogIpDestAddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Destination IP Address of the packet logged."
::= { cabhSec2FwLogEntry 8 }
cabhSec2FwLogIpSourcePort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Source IP Port of the packet logged."
::= { cabhSec2FwLogEntry 9 }
cabhSec2FwLogIpDestPort OBJECT-TYPE
SYNTAX InetPortNumber
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The Source IP Port of the packet logged."
::= { cabhSec2FwLogEntry 10 }
cabhSec2FwLogMessageType OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The ICMP defined types."
::= { cabhSec2FwLogEntry 11}
cabhSec2FwLogReplayCount OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of identical attack packets that
were seen by the firewall based on
cabhSec2FwLogIpProtocol, cabhSec2FwLogIpSourceAddr,
cabhSec2FwLogIpDestAddr, cabhSec2FwLogIpSourcePort,
cabhSec2FwLogIpDestPort and cabhSec2FwLogMessageType."
DEFVAL { 0 }
::= { cabhSec2FwLogEntry 12 }
cabhSec2FwLogMIBPointer OBJECT-TYPE
SYNTAX VariablePointer
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Identifies if the cabhSec2FwPolicyFileURL or the
cabhSec2FwEnable MIB object changed or an attempt
was made to change it."
DEFVAL { zeroDotZero }
::= { cabhSec2FwLogEntry 13 }
cabhSec2FwLogMatchingFilterTableName OBJECT-TYPE
SYNTAX INTEGER {
cabhSec2FwFactoryDefaultFilterTable(1),
docsDevFilterIpTable(2),
cabhSec2FwLocalFilterIpTable(3),
none(4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When applicable, cabhSec2FwLogMatchingFilterTableName
indicates the filter table name containing the last filter
rule matched that caused the event to be generated."
DEFVAL { none }
::= { cabhSec2FwLogEntry 14 }
cabhSec2FwLogMatchingFilterTableIndex OBJECT-TYPE
SYNTAX Unsigned32 (0..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When applicable, cabhSec2FwLogMatchingFilterTableIndex
indicates the filter table index if the last filter
rule matched that caused the event to be generated. If
the value is 0, the event was not caused by a filter
rule match. "
DEFVAL { 0 }
::= { cabhSec2FwLogEntry 15 }
cabhSec2FwLogMatchingFilterDescr OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When applicable, cabhSec2FwLogMatchingFilterDesc
contains the description value found in the
cabhSec2FwFilterScheduleDesc MIB object or the
cabhSec2FwLocalFilterIpDesc MIB object of the last
filter rule matched that caused the event to be
generated."
DEFVAL { "" }
::= { cabhSec2FwLogEntry 16 }
-- ============================================================
--
-- CableHome 1.1 PS IP Filter Scheduling Table
--
-- The cabhSec2FwFilterScheduleTable contains the firewall
-- policy identification and links that policy as defined
-- in RFC 2669 to specific time of day restrictions.
--
-- =============================================================
cabhSec2FwFilterScheduleTable OBJECT-TYPE
SYNTAX SEQUENCE OF CabhSec2FwFilterScheduleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Extends the filtering matching parameters of
docsDevFilterIpTable defined in RFC 2669 for CableHome
Residential Gateways to include time day intervals and days
of the week."
::= { cabhSec2FwFilter 1 }
cabhSec2FwFilterScheduleEntry OBJECT-TYPE
SYNTAX CabhSec2FwFilterScheduleEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Extended values for entries of docsDevFilterIpTable.
If the PS has not aqcuired ToD, the entire
docsDevFilterIpEntry rule set is ignored.
Note: A filter time period may include two days
(e.g., from 10 PM to 4 AM). A filter time period that
includes two days is identified by the absolute value
of the cabhSec2FwFilterScheduleEndTime being less than the
absolute value of the cabhSec2FwFilterScheduleStartTime.
The cabhSec2FwFilterScheduleDOW setting and the
cabhSec2FwFilterScheduleStartTime value indicate what day
and time the filter becomes active. The
cabhSec2FwFilterScheduleEndTime indicates when the filter
becomes inactive on the second day. The maximum filter
time period that includes two days is 24 hours.
If cabhSec2FwFilterScheduleStartTime is less than or
equal to the cabhSec2FwFilterScheduleEndTime, the time
period of the filter falls in the same day."
AUGMENTS { docsDevFilterIpEntry }
::= { cabhSec2FwFilterScheduleTable 1 }
CabhSec2FwFilterScheduleEntry ::= SEQUENCE {
cabhSec2FwFilterScheduleStartTime Unsigned32,
cabhSec2FwFilterScheduleEndTime Unsigned32,
cabhSec2FwFilterScheduleDOW BITS,
cabhSec2FwFilterScheduleDescr SnmpAdminString
}
cabhSec2FwFilterScheduleStartTime OBJECT-TYPE
SYNTAX Unsigned32 (0..2359)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The start time for matching the filter ruleset in the
specified days indicated in cabhSec2FwFilterScheduleDOW.
Time is represented in Military Time, e.g., 8:30 AM is
represented as 830 and 11:45 PM as 2345. An attempt to set
this object to an invalid military time value, e.g., 1182,
returns 'wrongValue' error."
DEFVAL { 0 }
::= { cabhSec2FwFilterScheduleEntry 1 }
cabhSec2FwFilterScheduleEndTime OBJECT-TYPE
SYNTAX Unsigned32 (0..2359)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The end time for matching the filter rule for the
days indicated in cabhSec2FwFilterScheduleDOW. The filter
rule associated with this end time MUST not be disabled
until the minute following the time indicated by this
MIB object. If the time period is for two days,
identified by cabhSec2FwFilterScheduleEndTime being
less than cabhSec2FwFilterScheduleStartTime, then
the cabhSec2FwFilterScheduleDOW settings
do not apply to this MIB object.
Time is represented in the same manner as in
cabhSec2FwFilterScheduleStartTime. An attempt to set
this object to an invalid military time value, e.g., 1182,
returns 'wrongValue' error."
DEFVAL { 2359 }
::= { cabhSec2FwFilterScheduleEntry 2 }
cabhSec2FwFilterScheduleDOW OBJECT-TYPE
SYNTAX BITS {
sunday(0),
monday(1),
tuesday(2),
wednesday(3),
thursday(4),
friday(5),
saturday(6)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If the day of week bit associated with the PS given day
is '1', this object criteria matches."
DEFVAL { 'fe'h } -- 11111110 Sun-Sat
::= { cabhSec2FwFilterScheduleEntry 3 }
cabhSec2FwFilterScheduleDescr OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A filter rule description configured by the
cable operator or subscriber."
DEFVAL { "" }
::= { cabhSec2FwFilterScheduleEntry 4 }
-- ============================================================
--
-- CableHome 1.1 PS Firewall Factory Default Filter Table
--
-- The cabhSec2FwFactoryDefaultFilterTable contains the
-- firewall factory default ruleset in a read only table as
-- defined by the CableLabs CableHome 1.1 Specification.
--
-- =============================================================
cabhSec2FwFactoryDefaultFilterTable OBJECT-TYPE
SYNTAX SEQUENCE OF CabhSec2FwFactoryDefaultFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Contains the firewall factory default ruleset as
defined by the CableLabs CableHome 1.1 Specification."
::= { cabhSec2FwFilter 2 }
cabhSec2FwFactoryDefaultFilterEntry OBJECT-TYPE
SYNTAX CabhSec2FwFactoryDefaultFilterEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Contains the firewall factory default ruleset."
INDEX {cabhSec2FwFactoryDefaultFilterIndex }
::= { cabhSec2FwFactoryDefaultFilterTable 1 }
CabhSec2FwFactoryDefaultFilterEntry ::= SEQUENCE {
cabhSec2FwFactoryDefaultFilterIndex Unsigned32,
cabhSec2FwFactoryDefaultFilterControl INTEGER,
cabhSec2FwFactoryDefaultFilterIfIndex InterfaceIndexOrZero,
cabhSec2FwFactoryDefaultFilterDirection INTEGER,
cabhSec2FwFactoryDefaultFilterSaddr InetAddress,
cabhSec2FwFactoryDefaultFilterSmask InetAddress,
cabhSec2FwFactoryDefaultFilterDaddr InetAddress,
cabhSec2FwFactoryDefaultFilterDmask InetAddress,
cabhSec2FwFactoryDefaultFilterProtocol Unsigned32,
cabhSec2FwFactoryDefaultFilterSourcePortLow Unsigned32,
cabhSec2FwFactoryDefaultFilterSourcePortHigh Unsigned32,
cabhSec2FwFactoryDefaultFilterDestPortLow Unsigned32,
cabhSec2FwFactoryDefaultFilterDestPortHigh Unsigned32,
cabhSec2FwFactoryDefaultFilterContinue TruthValue
}
cabhSec2FwFactoryDefaultFilterIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Index used to order the application of filters.
The filter with the lowest index is always applied
first."
::= { cabhSec2FwFactoryDefaultFilterEntry 1 }
cabhSec2FwFactoryDefaultFilterControl OBJECT-TYPE
SYNTAX INTEGER {
deny(1),
allow(2)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If set to deny(1), all packets matching this filter
will be discarded. If set to allow(2), all
packets matching this filter will be accepted.
The cabhSec2FwFactoryDefaultFilterContinue object is
set to true, and therefore the PS MUST continue to
scan the table for other matches to apply the match
with the highest cabhSec2FwFactoryDefaultFilterIndex
value."
::= { cabhSec2FwFactoryDefaultFilterEntry 2 }
cabhSec2FwFactoryDefaultFilterIfIndex OBJECT-TYPE
SYNTAX InterfaceIndexOrZero
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index number assigned to this object MUST
match the IfIndex numbering assigned in the
ifTable from the Interfaces Group MIB [RFC 2863],
and as specified in CH 1.1 Spec, Table 6-17 of
ITU-T Rec. J.192, Numbering Interfaces in the
ifTable. If the value is zero, the filter applies
to all interfaces. This object MUST be specified
to create a row in this table."
::= { cabhSec2FwFactoryDefaultFilterEntry 3 }
cabhSec2FwFactoryDefaultFilterDirection OBJECT-TYPE
SYNTAX INTEGER {
inbound(1),
outbound(2),
both(3)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This value represents direction in relationship
to the assigned
cabhSec2FwFactoryDefaultFilterIfIndex
in this particular rule, meaning that the PS
MUST represent traffic direction as follows:
inbound(1)traffic, outbound(2) traffic, or
both(3)inbound and outbound traffic."
::= { cabhSec2FwFactoryDefaultFilterEntry 4 }
cabhSec2FwFactoryDefaultFilterSaddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The source IP address, or portion thereof, that is
to be matched for this filter. The source address
is first masked (and'ed) against
cabhSec2FwFactoryDefaultFilterSmask
before being compared to this value. A value of 0
for this object and 0 for the mask matches all IP
addresses."
DEFVAL { '00000000'h }
::= { cabhSec2FwFactoryDefaultFilterEntry 5 }
cabhSec2FwFactoryDefaultFilterSmask OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A bit mask that is to be applied to the source
address prior to matching. This mask is not
necessarily the same as a subnet mask, but 1's
bits must be leftmost and contiguous."
DEFVAL { '00000000'h }
::= { cabhSec2FwFactoryDefaultFilterEntry 6 }
cabhSec2FwFactoryDefaultFilterDaddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The destination IP address, or portion thereof, that
is to be matched for this filter. The destination
address is first masked (and'ed) against
cabhSec2FwFactoryDefaultFilterDmask
before being compared to this value. A value of 0
for this object and 0 for the mask matches all
IP addresses."
DEFVAL { '00000000'h }
::= { cabhSec2FwFactoryDefaultFilterEntry 7 }
cabhSec2FwFactoryDefaultFilterDmask OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A bit mask that is to be applied to the destination
address prior to matching. This mask is not necessarily
the same as a subnet mask, but 1's bits must be leftmost
and contiguous."
DEFVAL { '00000000'h }
::= { cabhSec2FwFactoryDefaultFilterEntry 8 }
cabhSec2FwFactoryDefaultFilterProtocol OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The protocol value that is to be matched. For example:
icmp is 1, tcp is 6, udp is 17. A value of 65535 matches
ANY protocol."
DEFVAL { 65535 }
::= { cabhSec2FwFactoryDefaultFilterEntry 9 }
cabhSec2FwFactoryDefaultFilterSourcePortLow OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If cabhSec2FwFactoryDefaultFilterProtocol is udp
or tcp, this is the inclusive lower bound of the
transport-layer source port range that is to be
matched, otherwise it is ignored during matching."
DEFVAL { 0 }
::= { cabhSec2FwFactoryDefaultFilterEntry 10 }
cabhSec2FwFactoryDefaultFilterSourcePortHigh OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If cabhSec2FwFactoryDefaultFilterProtocol is
udp or tcp, this is the inclusive upper bound
of the transport-layer source port range that
is to be matched, otherwise it is ignored
during matching."
DEFVAL { 65535 }
::= { cabhSec2FwFactoryDefaultFilterEntry 11 }
cabhSec2FwFactoryDefaultFilterDestPortLow OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If cabhSec2FwFactoryDefaultFilterProtocol is
udp or tcp, this is the inclusive lower bound
of the transport-layer destination port range
that is to be matched, otherwise it is ignored
during matching."
DEFVAL { 0 }
::= { cabhSec2FwFactoryDefaultFilterEntry 12 }
cabhSec2FwFactoryDefaultFilterDestPortHigh OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If cabhSec2FwFactoryDefaultFilterProtocol is
udp or tcp, this is the inclusive upper bound
of the transport-layer destination port range
that is to be matched, otherwise it is ignored
during matching."
DEFVAL { 65535 }
::= { cabhSec2FwFactoryDefaultFilterEntry 13 }
cabhSec2FwFactoryDefaultFilterContinue OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This value is always set to true so the PS MUST continue
scanning and applying rules."
DEFVAL { true }
::= { cabhSec2FwFactoryDefaultFilterEntry 14 }
-- ============================================================
--
-- CableHome 1.1 PS Firewall Local Filter Table
--
-- The cabhSec2FwLocalFilterIpTable can be configured to contain
-- a filtering Ruleset for the PS firewall. It can be used to
-- support subscriber specific or local filtering rules that
-- are separate from general filtering rules that may be
-- be configured in the docsDevFilterIpTable.
-- =============================================================
cabhSec2FwLocalFilterIpTable OBJECT-TYPE
SYNTAX SEQUENCE OF CabhSec2FwLocalFilterIpEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Contains a configured filtering Ruleset for the
PS firewall."
::= { cabhSec2FwFilter 3 }
cabhSec2FwLocalFilterIpEntry OBJECT-TYPE
SYNTAX CabhSec2FwLocalFilterIpEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Contains a configured filter rule for the PS
firewall.
If the PS has not aqcuired ToD, entries that do not have
default time settings are ignored.
Note that a filter time period may include two days
(e.g., from 10 PM to 4 AM). A filter time period that
includes two days is identified by the absolute value of
the cabhSec2FwLocalFilterIpEndTime being less than the
absolute value of the cabhSec2FwLocalFilterIpStartTime.
The cabhSec2FwLocalFilterIpDOW setting and the
cabhSec2FwLocalFilterIpStartTime value indicate what day
and time the filter becomes active. The
cabhSec2FwLocalFilterIpEndTime indicates when the filter
becomes inactive on the second day. The maximum filter time
period that includes two days is 24 hours.
If cabhSec2FwLocalFilterIpStartTime is less than or equal
to the cabhSec2FwLocalFilterIpEndTime, the time period
of the filter falls in the same day."
INDEX { cabhSec2FwLocalFilterIpIndex }
::= { cabhSec2FwLocalFilterIpTable 1 }
CabhSec2FwLocalFilterIpEntry ::= SEQUENCE {
cabhSec2FwLocalFilterIpIndex Unsigned32,
cabhSec2FwLocalFilterIpStatus RowStatus,
cabhSec2FwLocalFilterIpControl INTEGER,
cabhSec2FwLocalFilterIpIfIndex InterfaceIndexOrZero,
cabhSec2FwLocalFilterIpDirection INTEGER,
cabhSec2FwLocalFilterIpSaddr InetAddress,
cabhSec2FwLocalFilterIpSmask InetAddress,
cabhSec2FwLocalFilterIpDaddr InetAddress,
cabhSec2FwLocalFilterIpDmask InetAddress,
cabhSec2FwLocalFilterIpProtocol Unsigned32,
cabhSec2FwLocalFilterIpSourcePortLow Unsigned32,
cabhSec2FwLocalFilterIpSourcePortHigh Unsigned32,
cabhSec2FwLocalFilterIpDestPortLow Unsigned32,
cabhSec2FwLocalFilterIpDestPortHigh Unsigned32,
cabhSec2FwLocalFilterIpMatches Counter32,
cabhSec2FwLocalFilterIpContinue TruthValue,
cabhSec2FwLocalFilterIpStartTime Unsigned32,
cabhSec2FwLocalFilterIpEndTime Unsigned32,
cabhSec2FwLocalFilterIpDOW BITS,
cabhSec2FwLocalFilterIpDescr SnmpAdminString
}
cabhSec2FwLocalFilterIpIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Index used to order the application of filters.
The filter with the lowest index is always applied
first."
::= { cabhSec2FwLocalFilterIpEntry 1 }
cabhSec2FwLocalFilterIpStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Controls and reflects the status of rows in this
table. Creation of the
rows may be done via either create-and-wait or
create-and-go, but the filter is not applied until this
object is set to (or changes to) active. There is no
restriction in changing any object in a row while this
object is set to active."
::= { cabhSec2FwLocalFilterIpEntry 2 }
cabhSec2FwLocalFilterIpControl OBJECT-TYPE
SYNTAX INTEGER {
deny(1),
allow(2)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If set to deny(1), all packets matching this filter
will be discarded. If set to allow(2), all
packets matching this filter will be accepted.
The cabhSec2FwLocalFilterIpContinue object is
set to true, and therefore the PS MUST continue to
scan the table for other matches to apply the match
with the highest cabhSec2FwLocalFilterIpIndex
value."
::= { cabhSec2FwLocalFilterIpEntry 3 }
cabhSec2FwLocalFilterIpIfIndex OBJECT-TYPE
SYNTAX InterfaceIndexOrZero
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The index number assigned to this object MUST
match the IfIndex numbering assigned in the
ifTable from the Interfaces Group MIB [RFC 2863],
and as specified in CH 1.1 Spec, Table 6-17 of
ITU-T Rec. J.192, Numbering Interfaces in the ifTable."
DEFVAL { 255 }
::= { cabhSec2FwLocalFilterIpEntry 4 }
cabhSec2FwLocalFilterIpDirection OBJECT-TYPE
SYNTAX INTEGER {
inbound(1),
outbound(2),
both(3)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This value represents direction in relationship
to the assigned cabhSec2FwLocalFilterIpIfIndex
in this particular rule, meaning that the PS
MUST represent traffic direction as follows:
inbound(1)traffic, outbound(2) traffic, or
both(3)inbound and outbound traffic."
::= { cabhSec2FwLocalFilterIpEntry 5 }
cabhSec2FwLocalFilterIpSaddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The source IP address, or portion thereof, that is
to be matched for this filter. The source address
is first masked (and'ed) against
cabhSec2FwLocalFilterIpSmask before being compared to this
value. A value of 0 for this object and 0 for the mask
matches all IP addresses."
DEFVAL { '00000000'h }
::= { cabhSec2FwLocalFilterIpEntry 6 }
cabhSec2FwLocalFilterIpSmask OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A bit mask that is to be applied to the source
address prior to matching. This mask is not
necessarily the same as a subnet mask, but 1's
bits must be leftmost and contiguous."
DEFVAL { '00000000'h }
::= { cabhSec2FwLocalFilterIpEntry 7 }
cabhSec2FwLocalFilterIpDaddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The destination IP address, or portion thereof, that
is to be matched for this filter. The destination
address is first masked (and'ed) against
cabhSec2FwLocalFilterIpDmask
before being compared to this value. A value of 0
for this object and 0 for the mask matches all
IP addresses."
DEFVAL { '00000000'h }
::= { cabhSec2FwLocalFilterIpEntry 8 }
cabhSec2FwLocalFilterIpDmask OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A bit mask that is to be applied to the destination
address prior to matching. This mask is not necessarily
the same as a subnet mask, but 1's bits must be leftmost
and contiguous."
DEFVAL { '00000000'h }
::= { cabhSec2FwLocalFilterIpEntry 9 }
cabhSec2FwLocalFilterIpProtocol OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The protocol value that is to be matched. For example:
icmp is 1, tcp is 6, udp is 17. A value of 65535 matches
ANY protocol."
DEFVAL { 65535 }
::= { cabhSec2FwLocalFilterIpEntry 10 }
cabhSec2FwLocalFilterIpSourcePortLow OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If cabhSec2FwLocalFilterIpProtocol is udp
or tcp, this is the inclusive lower bound of the
transport-layer source port range that is to be
matched, otherwise it is ignored during matching."
DEFVAL { 0 }
::= { cabhSec2FwLocalFilterIpEntry 11 }
cabhSec2FwLocalFilterIpSourcePortHigh OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If cabhSec2FwLocalFilterIpProtocol is
udp or tcp, this is the inclusive upper bound
of the transport-layer source port range that
is to be matched, otherwise it is ignored
during matching."
DEFVAL { 65535 }
::= { cabhSec2FwLocalFilterIpEntry 12 }
cabhSec2FwLocalFilterIpDestPortLow OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If cabhSec2FwLocalFilterIpProtocol is
udp or tcp, this is the inclusive lower bound
of the transport-layer destination port range
that is to be matched, otherwise it is ignored
during matching."
DEFVAL { 0 }
::= { cabhSec2FwLocalFilterIpEntry 13 }
cabhSec2FwLocalFilterIpDestPortHigh OBJECT-TYPE
SYNTAX Unsigned32 (0..65535)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If cabhSec2FwLocalFilterIpProtocol is
udp or tcp, this is the inclusive upper bound
of the transport-layer destination port range
that is to be matched, otherwise it is ignored
during matching."
DEFVAL { 65535 }
::= { cabhSec2FwLocalFilterIpEntry 14 }
cabhSec2FwLocalFilterIpMatches OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Counts the number of times this filter was matched.
This object is initialized to 0 at boot, or at row
creation, and is reset only upon reboot."
::= { cabhSec2FwLocalFilterIpEntry 15 }
cabhSec2FwLocalFilterIpContinue OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"This value is always set to true so the PS MUST continue
scanning and applying rules."
DEFVAL { true }
::= { cabhSec2FwLocalFilterIpEntry 16 }
cabhSec2FwLocalFilterIpStartTime OBJECT-TYPE
SYNTAX Unsigned32 (0..2359)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The start time for matching the filter ruleset in the
specified days indicated in cabhSec2FwLocalFilterIpDOW.
Time is represented in Military Time, e.g., 8:30 AM is
represented as 830 and 11:45 PM as 2345. An attempt to set
this object to an invalid military time value, e.g., 1182,
returns 'wrongValue' error."
DEFVAL { 0 }
::= { cabhSec2FwLocalFilterIpEntry 17 }
cabhSec2FwLocalFilterIpEndTime OBJECT-TYPE
SYNTAX Unsigned32 (0..2359)
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The end time for matching the filter ruleset for the
days indicated in cabhSec2FwLocalFilterIpDOW. The filter
rule associated with this end time MUST not be disabled
until the minute following the time indicated by this
MIB object. If the time period is for two days, identified
by cabhSec2FwLocalFilterIpEndTime being less than
cabhSec2FwLocalFilterIpStartTime, then the
cabhSec2FwLocalFilterIpDOW settings do not apply to this
MIB object. Time is represented in the same manner as in
cabhSec2FwLocalFilterIpStartTime. An attempt to set
this object to an invalid military time value, e.g., 1182,
returns 'wrongValue' error."
DEFVAL { 2359 }
::= { cabhSec2FwLocalFilterIpEntry 18 }
cabhSec2FwLocalFilterIpDOW OBJECT-TYPE
SYNTAX BITS {
sunday(0),
monday(1),
tuesday(2),
wednesday(3),
thursday(4),
friday(5),
saturday(6)
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"If the day of week bit associated with the PS given day
is '1', this object criteria matches."
DEFVAL { 'fe'h } -- 11111110 Sun-Sat
::= { cabhSec2FwLocalFilterIpEntry 19 }
cabhSec2FwLocalFilterIpDescr OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(0..32))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A filter rule description configured by the
cable operator or subscriber."
DEFVAL { "" }
::= { cabhSec2FwLocalFilterIpEntry 20 }
--
-- Kerberos MIBs
--
cabhSecKerbPKINITGracePeriod OBJECT-TYPE
SYNTAX Unsigned32 (15..600)
UNITS "minutes"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The PKINIT Grace Period is needed by the PS
to know when it should start retrying to get
a new ticket. The PS MUST obtain a new Kerberos
ticket (with a PKINIT exchange),this, many minutes
before the old ticket expires."
DEFVAL { 30 }
::= { cabhSecKerbBase 1}
cabhSecKerbTGSGracePeriod OBJECT-TYPE
SYNTAX Unsigned32 (1..600)
UNITS "minutes"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The TGS Grace Period is needed by the PS to
know when it should start retrying to get a new
ticket. The PS MUST obtain a new Kerberos ticket
(with a TGS Request), this, many minutes before the
old ticket expires."
DEFVAL { 10 }
::= { cabhSecKerbBase 2 }
cabhSecKerbUnsolicitedKeyMaxTimeout OBJECT-TYPE
SYNTAX Unsigned32 (15..600)
UNITS "seconds"
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"This timeout applies to PS initiated AP-REQ/REP
key management exchange with NMS. The maximum
timeout is the value which may not be exceeded in
the exponential backoff algorithm."
DEFVAL { 600 }
::= { cabhSecKerbBase 3 }
cabhSecKerbUnsolicitedKeyMaxRetries OBJECT-TYPE
SYNTAX Unsigned32 (1..32)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The number of retries the PS is allowed for
AP-REQ/REP key management exchange initiation
with the NMS. This is the maximum number of
retries before the PS gives up attempting to
establish an SNMPv3 security association
with NMS."
DEFVAL { 8 }
::= { cabhSecKerbBase 4 }
cabhSecNotification OBJECT IDENTIFIER ::= { cabhSecMib 3 }
cabhSecConformance OBJECT IDENTIFIER ::= { cabhSecMib 4 }
cabhSecCompliances OBJECT IDENTIFIER ::= { cabhSecConformance 1 }
cabhSecGroups OBJECT IDENTIFIER ::= { cabhSecConformance 2 }
--
-- Notification Group for future extension
--
-- compliance statements
cabhSecCompliance MODULE-COMPLIANCE
STATUS deprecated
DESCRIPTION
"The compliance statement for CableHome Security."
MODULE --cabhSecMib
-- unconditionally mandatory groups
MANDATORY-GROUPS {
cabhSecCertGroup,
cabhSecKerbGroup
}
-- conditional mandatory groups
GROUP cabhSecGroup
DESCRIPTION
"This group is implemented only for CH 1.0 gateways."
::= { cabhSecCompliances 1 }
cabhSec2Compliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for CableHome 1.1 Security."
MODULE --cabhSecMib
-- unconditionally mandatory groups
MANDATORY-GROUPS {
cabhSecCertGroup,
cabhSecKerbGroup,
cabhSec2Group
}
::= { cabhSecCompliances 2 }
cabhSecGroup OBJECT-GROUP
OBJECTS {
cabhSecFwPolicyFileEnable,
cabhSecFwPolicyFileURL,
cabhSecFwPolicyFileHash,
cabhSecFwPolicyFileOperStatus,
cabhSecFwPolicyFileCurrentVersion,
cabhSecFwPolicySuccessfulFileURL,
cabhSecFwEventType1Enable,
cabhSecFwEventType2Enable,
cabhSecFwEventType3Enable,
cabhSecFwEventAttackAlertThreshold,
cabhSecFwEventAttackAlertPeriod
}
STATUS deprecated
DESCRIPTION
"Group of objects in CableHome 1.0 Firewall MIB."
::= { cabhSecGroups 1 }
cabhSecCertGroup OBJECT-GROUP
OBJECTS {
cabhSecCertPsCert
}
STATUS current
DESCRIPTION
"Group of objects in CableHome gateway for PS
Certificate."
::= { cabhSecGroups 2 }
cabhSecKerbGroup OBJECT-GROUP
OBJECTS {
cabhSecKerbPKINITGracePeriod,
cabhSecKerbTGSGracePeriod,
cabhSecKerbUnsolicitedKeyMaxTimeout,
cabhSecKerbUnsolicitedKeyMaxRetries
}
STATUS current
DESCRIPTION
"Group of objects in CableHome gateway for Kerberos."
::= { cabhSecGroups 3 }
cabhSec2Group OBJECT-GROUP
OBJECTS {
cabhSec2FwEnable,
cabhSec2FwPolicyFileURL,
cabhSec2FwPolicyFileHash,
cabhSec2FwPolicyFileOperStatus,
cabhSec2FwPolicyFileCurrentVersion,
cabhSec2FwClearPreviousRuleset,
cabhSec2FwPolicySelection,
cabhSec2FwEventSetToFactory,
cabhSec2FwEventLastSetToFactory,
cabhSec2FwPolicySuccessfulFileURL,
cabhSec2FwEventEnable,
cabhSec2FwEventThreshold,
cabhSec2FwEventInterval,
cabhSec2FwEventCount,
cabhSec2FwEventLogReset,
cabhSec2FwEventLogLastReset,
cabhSec2FwLogEventType,
cabhSec2FwLogEventPriority,
cabhSec2FwLogEventId,
cabhSec2FwLogTime,
cabhSec2FwLogIpProtocol,
cabhSec2FwLogIpSourceAddr,
cabhSec2FwLogIpDestAddr,
cabhSec2FwLogIpSourcePort,
cabhSec2FwLogIpDestPort,
cabhSec2FwLogMessageType,
cabhSec2FwLogReplayCount,
cabhSec2FwLogMIBPointer,
cabhSec2FwFilterScheduleStartTime,
cabhSec2FwFilterScheduleEndTime,
cabhSec2FwFilterScheduleDOW,
cabhSec2FwFactoryDefaultFilterControl,
cabhSec2FwFactoryDefaultFilterIfIndex,
cabhSec2FwFactoryDefaultFilterDirection,
cabhSec2FwFactoryDefaultFilterSaddr,
cabhSec2FwFactoryDefaultFilterSmask,
cabhSec2FwFactoryDefaultFilterDaddr,
cabhSec2FwFactoryDefaultFilterDmask,
cabhSec2FwFactoryDefaultFilterProtocol,
cabhSec2FwFactoryDefaultFilterSourcePortLow,
cabhSec2FwFactoryDefaultFilterSourcePortHigh,
cabhSec2FwFactoryDefaultFilterDestPortLow,
cabhSec2FwFactoryDefaultFilterDestPortHigh,
cabhSec2FwFactoryDefaultFilterContinue
}
STATUS current
DESCRIPTION
"Group of objects in CableHome 1.1 Firewall MIB."
::= { cabhSecGroups 4 }
END