<?xml version="1.0" encoding="utf-8"?>
<!--
     Firewall Builder Document Type Definition
     http://www.fwbuilder.org/
     Version: $Revision: 1.41 $
     Authors:  Friedhelm Duesterhoeft, Vadim Zaliva, Vadim Kurland, Tidei Maurizio

TODO:

1. Allow groups of unrelated objects.

-->

<!-- Basic attribute types. STRING and NUMBER are both plain CDATA, so the
     DTD does not check that a NUMBER attribute (ports, positions, ICMP
     type/code, interval fields, timestamps) actually holds a number or is
     in range; the application reading the document must validate that. -->
<!ENTITY % BOOLEAN   "(False|True)">
<!ENTITY % STRING    "CDATA">
<!ENTITY % NUMBER    "CDATA">

<!--
 * Supported policy rule actions:
 *
 *        Accept - accept the packet, analysis terminates
 *
 *        Reject - reject the packet and send ICMP 'unreachable' or
 *                 TCP RST back to sender, analysis terminates
 *
 *        Deny   - drop the packet, nothing is sent back to sender,
 *                 analysis terminates
 *
 *        Scrub  - run the packet through normalizer (see 'scrub' in
 *                 PF), continue analysis
 *
 *        Return - action used internally, meaning may depend on
 *                 implementation of the policy compiler but generally 
 *                 means return from the block of rules
 *
 *        Skip   - skip N rules down and continue analysis. Used
 *                 internally.
 *
 *        Continue - do nothing, continue analysis. Used internally.
 *
 *        Accounting - generate target firewall platform rule to count
 *                 the packet and continue analysis.
 *
 *        Modify - edit the packet (change some header values, like
 *                 TOS bits) or mark it somehow if the kernel supports 
 *                 that (e.g. target MARK in iptables)
 *
 *        Tag    - put a tag on the packet or mark it somehow
 *        
 *        Pipe   - send the packet to the userland process for inspection
 *        
 *        Classify - classify the packet for QoS or traffic shaping
 * 
 *        Custom - platform-dependent custom action
 *
 *        Branch - branch to a subset of rules for inspection
 *
 *        Route  - present in the ACTION entity below but not yet
 *                 described in this list
 *
-->

<!-- Enumerated rule attributes; a validating parser rejects any value not
     listed here. -->
<!ENTITY % ACTION    "(Accept|Reject|Deny|Scrub|Return|Skip|Continue|Accounting|Modify|Tag|Pipe|Classify|Custom|Branch|Route)">
<!ENTITY % DIRECTION "(Inbound|Outbound|Both)">
<!-- Addresses and netmasks are plain CDATA: the DTD performs no syntactic
     validation, so malformed or out-of-range values are only caught by the
     application (or end up in the generated firewall configuration). -->
<!ENTITY % IPADDRESS "CDATA">
<!ENTITY % NETMASK   "CDATA">

<!-- Standard attributes present in all nodes -->
<!-- id is an XML ID: a validating parser guarantees it is unique in the
     document and that every IDREF (the ref attribute of ObjectRef,
     ServiceRef and IntervalRef, and Interface/network_zone) resolves to
     one of these ids. It does NOT check that the referenced object is of
     the expected kind; that is left to the application.
     ro presumably marks an object as read-only; confirm against the
     application. -->
<!ENTITY % STD_ATTRIBUTES '
 name    %STRING;  #REQUIRED
 comment %STRING;  #IMPLIED
 id      ID        #REQUIRED
 ro      %BOOLEAN; #IMPLIED
'>

<!-- Standard attributes for all system nodes -->
<!-- Currently empty. Referenced by the system objects AnyIPService,
     AnyNetwork and AnyInterval so that attributes common to them can be
     added in one place. -->
<!ENTITY % SYS_ATTRIBUTES '
'>

<!-- 
      **** Document structure, main groups. ****
-->

<!-- Document root. xmlns and version are #FIXED, so a validating parser
     rejects a document written for another namespace or schema version
     instead of silently accepting it. lastModified is a NUMBER whose
     encoding (presumably a timestamp) is not defined by this DTD. -->
<!ELEMENT FWObjectDatabase (Library*)>
<!ATTLIST FWObjectDatabase
 xmlns        CDATA     #FIXED "http://www.fwbuilder.org/1.0/"
 version      %STRING;  #FIXED "2.1.14"
 lastModified %NUMBER;  #IMPLIED
 id           ID        #REQUIRED
>

<!-- A Library is the top-level container; it may hold any object type,
     rule sets and rules directly, and may nest other Libraries. color is a
     free-form string (presumably a display hint). -->
<!ELEMENT Library ((AnyNetwork|AnyIPService|AnyInterval|ObjectGroup|Host|Firewall|Network|IPv4|DNSName|AddressTable|physAddress|AddressRange|ObjectRef|ServiceGroup|IPService|ICMPService|TCPService|UDPService|CustomService|ServiceRef|IntervalGroup|Interval|IntervalRef|Interface|Policy|NAT|PolicyRule|NATRule|Library|TagService)*)>
<!ATTLIST Library
 %STD_ATTRIBUTES;
 color   %STRING;  #IMPLIED
>


<!-- 
      **** Document structure, Services. ****
-->

<!-- System object matching any IP protocol; protocol_num is #FIXED to "0"
     so a document cannot redefine it. -->
<!ELEMENT AnyIPService EMPTY>
<!ATTLIST AnyIPService
 %SYS_ATTRIBUTES;
 %STD_ATTRIBUTES;
 protocol_num %NUMBER;  #FIXED     "0"
>

<!-- Reference to Services child -->
<!-- Reference to Services child -->
<!-- ref is an IDREF: validation only proves the target id exists somewhere
     in the document, not that it is a service object. The application must
     check the referenced object's type before using it in a rule. -->
<!ELEMENT ServiceRef EMPTY>
<!ATTLIST ServiceRef 
       ref IDREF #REQUIRED
>

<!-- Group of services. Groups may nest, and via ServiceRef a group can
     reference another group; the application must guard against reference
     cycles when expanding groups. -->
<!ELEMENT ServiceGroup (( ServiceGroup | IPService | ICMPService  | TCPService | UDPService | CustomService | ServiceRef | TagService)*)>
<!ATTLIST ServiceGroup
 %STD_ATTRIBUTES;
>

<!-- 
      **** Document structure, Objects. ****
-->

<!-- Reference to Objects child -->
<!-- Reference to Objects child -->
<!-- ref is an IDREF: validation only proves the target id exists, not that
     it is an address object (it could equally name a service or an
     interval). Type checking of the target is the application's job. -->
<!ELEMENT ObjectRef EMPTY>
<!ATTLIST ObjectRef 
       ref IDREF #REQUIRED
>

<!-- Group of address objects. Groups may nest, and via ObjectRef a group
     can reference another group; guard against reference cycles when
     expanding. -->
<!ELEMENT ObjectGroup ((ObjectGroup|Host|Firewall|Network|IPv4|DNSName|AddressTable|AddressRange|ObjectRef)*)>
<!ATTLIST ObjectGroup
 %STD_ATTRIBUTES;
>

<!-- 

This element contains elements with platform-specific
options, for example:

<Options>
    <Option name="option1_name">Value1</Option>
    <Option name="option2_name">Value2</Option>
</Options>

Since the list of compilers is open (anyone can write their
own compiler), we do not define a content model for this element.

-->

<!-- Open content model (ANY): option values are not validated here and are
     handed to the platform-specific compiler. Consumers should treat them
     as untrusted strings: bound their size, validate them against the
     options the compiler actually knows, and never evaluate them as code
     or pass them unescaped into a shell or the generated configuration. -->
<!ELEMENT Option ANY>
<!ATTLIST Option
 name %STRING; #REQUIRED
>


<!-- Option containers, one per kind of owner (rule types, Firewall, Host,
     Gateway). Each holds zero or more Option elements. -->
<!ELEMENT PolicyRuleOptions (Option*)>
<!ELEMENT NATRuleOptions    (Option*)>
<!ELEMENT RoutingRuleOptions (Option*)>
<!ELEMENT FirewallOptions   (Option*)>
<!ELEMENT HostOptions       (Option*)>
<!ELEMENT GatewayOptions    (Option*)>

<!-- 
      **** Document structure, rest ****
-->

<!-- NAT rule: original (OSrc/ODst/OSrv) and translated (TSrc/TDst/TSrv)
     packet fields, all mandatory and in this order, then optional time
     restriction, options and a nested NAT rule set (presumably the target
     of a branch; confirm against the compiler). position is CDATA, so
     ordering of rules must be validated by the application. -->
<!ELEMENT NATRule (OSrc,ODst,OSrv,TSrc,TDst,TSrv,When?, NATRuleOptions?, NAT?)>
<!ATTLIST NATRule
 id      ID       #REQUIRED
 disabled  %BOOLEAN;   "False"
 position  %NUMBER;    #REQUIRED
 comment   %STRING;    #IMPLIED
>

<!-- Rule elements shared by NAT rules. Each holds zero or more references
     (an empty element matches "any") and a mandatory neg flag that, when
     True, negates the match. -->
<!ELEMENT When (IntervalRef*)>
<!ATTLIST When
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT OSrc (ObjectRef*)>
<!ATTLIST OSrc
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT ODst (ObjectRef*)>
<!ATTLIST ODst
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT OSrv (ServiceRef*)>
<!ATTLIST OSrv
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT TSrc (ObjectRef*)>
<!ATTLIST TSrc
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT TDst (ObjectRef*)>
<!ATTLIST TDst
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT TSrv (ServiceRef*)>
<!ATTLIST TSrv
 neg %BOOLEAN; #REQUIRED
>


<!-- Routing rule: destination, gateway and interface (all mandatory, in
     this order), then optional options and a nested Routing rule set.
     metric defaults to "0"; like position it is CDATA and is not range
     checked by the DTD. Note that RoutingRule is not listed in the Library
     content model above, only inside Routing. -->
<!ELEMENT RoutingRule (RDst,RGtw,RItf, RoutingRuleOptions?, Routing?)>
<!ATTLIST RoutingRule
 id      ID       #REQUIRED
 disabled  %BOOLEAN;   "False"
 position  %NUMBER;    #REQUIRED
 metric    %NUMBER;    "0"
 comment   %STRING;    #IMPLIED
>

<!-- Routing rule elements: zero or more object references plus a mandatory
     neg flag. -->
<!ELEMENT RDst (ObjectRef*)>
<!ATTLIST RDst
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT RGtw (ObjectRef*)>
<!ATTLIST RGtw
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT RItf (ObjectRef*)>
<!ATTLIST RItf
 neg %BOOLEAN; #REQUIRED
>


<!-- Filtering rule. Src and Dst are mandatory; Srv, Itf and When are
     optional, followed by options and an optional nested Policy (presumably
     the target of the Branch action; confirm against the compiler).
     action is restricted to the ACTION enumeration and log must always be
     stated explicitly, so a rule cannot silently omit its logging
     decision. direction is optional; the compiler decides the default. -->
<!ELEMENT PolicyRule (Src,Dst,Srv?,Itf?,When?,PolicyRuleOptions?,Policy?)>
<!ATTLIST PolicyRule
 id       ID       #REQUIRED
 disabled  %BOOLEAN;   "False"
 position  %NUMBER;    #REQUIRED
 direction %DIRECTION; #IMPLIED
 action    %ACTION;    #REQUIRED
 log       %BOOLEAN;   #REQUIRED
 comment   %STRING;    #IMPLIED
>

<!-- Policy rule elements: zero or more references (empty means "any") and
     a mandatory neg flag. -->
<!ELEMENT Src (ObjectRef*)>
<!ATTLIST Src
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT Dst (ObjectRef*)>
<!ATTLIST Dst
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT Srv (ServiceRef*)>
<!ATTLIST Srv
 neg %BOOLEAN; #REQUIRED
>

<!ELEMENT Itf (ObjectRef*)>
<!ATTLIST Itf
 neg %BOOLEAN; #REQUIRED
>


<!--
   hardware or physical address (MAC, DLCI etc.)
-->
<!ELEMENT physAddress EMPTY>
<!ATTLIST physAddress
 %STD_ATTRIBUTES;
 address %STRING; #REQUIRED
>

<!-- Single IPv4 address with netmask. Both attributes are CDATA; the
     application must reject malformed values. -->
<!ELEMENT IPv4 EMPTY>
<!ATTLIST IPv4
 %STD_ATTRIBUTES;
 address %IPADDRESS; #REQUIRED
 netmask %NETMASK;   #REQUIRED
>

<!-- Address object defined by a DNS record name. run_time is not defined
     here; it presumably selects whether the name is resolved when the
     policy is compiled or on the firewall when the policy is loaded.
     Either way the resulting addresses depend on DNS answers the policy
     author does not control, so rules built from DNSName objects should be
     reviewed with DNS spoofing in mind. -->
<!ELEMENT DNSName EMPTY>
<!ATTLIST DNSName
 %STD_ATTRIBUTES;
 dnsrec         %STRING;    #REQUIRED
 run_time       %BOOLEAN;   #REQUIRED
>

<!-- Address object whose members come from an external file. filename is a
     plain string interpreted by the compiler or the firewall, not by this
     DTD; a document from an untrusted source can point it at an arbitrary
     path, so consumers should canonicalise and restrict it before opening
     the file, and the file itself must be protected from tampering since
     its contents become firewall rules. -->
<!ELEMENT AddressTable ((IPv4|ObjectRef)*)>
<!ATTLIST AddressTable
 %STD_ATTRIBUTES;
 filename       %STRING;    #REQUIRED
 run_time       %BOOLEAN;   #REQUIRED
>
<!--
Interface can have the following attributes:

   - dyn            interface has dynamically assigned address
   - unnum          interface is unnumbered (does not have IP address, but 
                    may still have MAC address)
   - bridgeport     interface serves as a bridge port on a bridging firewall.
                    The difference between bridge port and unnumbered interface
                    is that compilers may use special modules or commands for
                    bridge ports on platforms that support them, such as 
                    module physdev for iptables.
   - mgmt           this is management interface
   - physAddress    MAC address of this interface (a child element, not an attribute)
   - security_level
   - network_zone   ID of the object representing network zone
   - unprotected    Skip this interface while assigning access lists or policy rules
   - label          human-readable label of this interface

-->
<!-- dyn and security_level are mandatory; everything else is optional.
     network_zone is an IDREF, so it must name an existing id in the
     document, but the DTD does not check that the target is a network
     object. security_level is CDATA and not range checked here. -->
<!ELEMENT Interface (IPv4*, physAddress?)>
<!ATTLIST Interface
 %STD_ATTRIBUTES;
 dyn            %BOOLEAN;   #REQUIRED
 unnum          %BOOLEAN;   #IMPLIED
 mgmt           %BOOLEAN;   #IMPLIED
 bridgeport     %BOOLEAN;   #IMPLIED
 security_level %NUMBER;    #REQUIRED
 network_zone   IDREF       #IMPLIED
 unprotected    %BOOLEAN;   #IMPLIED
 label          %STRING;    #IMPLIED
>


<!-- Remote management information for Firewall, Host, Gateway  -->
<!-- address is the management address of the device; it is CDATA and not
     validated here. -->
<!ELEMENT Management (SNMPManagement? , FWBDManagement?, PolicyInstallScript?)>
<!ATTLIST Management
 address              %IPADDRESS; #REQUIRED
>

<!-- User-defined custom policy installation script for Firewall  -->
<!-- command and arguments name a program that is run as part of policy
     installation (where and how it is invoked is decided by the
     application, not by this DTD). Whoever can edit the object database
     therefore controls what gets executed: treat documents from untrusted
     sources as executable content, review this element before installing,
     and keep enabled at its default of "False" unless the script is
     known. -->
<!ELEMENT PolicyInstallScript EMPTY>
<!ATTLIST PolicyInstallScript
 enabled   %BOOLEAN;  "False"
 command   %STRING;    #IMPLIED
 arguments %STRING;    #IMPLIED
>

<!-- SNMP management information for Firewall, Host, Gateway  -->
<!-- snmp_read_community and snmp_write_community are SNMP credentials
     stored in clear text in the object database. The write community
     allows configuration changes on the device. The document must be
     protected like any other secret store (restrictive file permissions,
     no unredacted copies in tickets or version control). -->
<!ELEMENT SNMPManagement EMPTY>
<!ATTLIST SNMPManagement
 enabled  %BOOLEAN;  "False"
 snmp_read_community  %STRING;    #IMPLIED
 snmp_write_community %STRING;    #IMPLIED
>

<!-- FWBD management information for Firewall, Host, Gateway  -->
<!-- port and identity are mandatory when this element is present; the
     optional PublicKey child presumably holds the remote peer's key.
     Since the key travels inside the document, its authenticity must be
     established out of band before the document is trusted for remote
     management. -->
<!ELEMENT FWBDManagement (PublicKey?)>
<!ATTLIST FWBDManagement
 enabled  %BOOLEAN;  "False"
 port                 %NUMBER;    #REQUIRED
 identity             %STRING;    #REQUIRED
>

<!-- Remote FWBD public key for Firewall, Host, Gateway  -->
<!-- Free text (#PCDATA); the key format is not constrained by the DTD. -->
<!ELEMENT PublicKey (#PCDATA)>

<!-- Host: interfaces plus optional management data and options. Unlike
     Firewall it carries no rule sets. -->
<!ELEMENT Host (Interface*, Management?, HostOptions?)>
<!ATTLIST Host
 %STD_ATTRIBUTES;
 host_OS              %STRING;    #IMPLIED
>

<!-- System object matching any address; address and netmask are #FIXED to
     0.0.0.0 so a document cannot redefine them. -->
<!ELEMENT AnyNetwork EMPTY>
<!ATTLIST AnyNetwork
 %SYS_ATTRIBUTES;
 %STD_ATTRIBUTES;
 address              %IPADDRESS; #FIXED    "0.0.0.0"
 netmask              %NETMASK;   #FIXED    "0.0.0.0"
>

<!-- Network given as address and netmask (both CDATA, unvalidated here). -->
<!ELEMENT Network EMPTY>
<!ATTLIST Network
 %STD_ATTRIBUTES;
 address %IPADDRESS; #REQUIRED
 netmask %NETMASK;   #REQUIRED
>

<!-- Contiguous range of addresses; the DTD does not check that
     start_address is not above end_address. -->
<!ELEMENT AddressRange EMPTY>
<!ATTLIST AddressRange
 %STD_ATTRIBUTES;
 start_address %IPADDRESS; #REQUIRED
 end_address   %IPADDRESS; #REQUIRED
>

<!-- ICMP service: type and code are CDATA, so the 0..255 range must be
     checked by the application. -->
<!ELEMENT ICMPService EMPTY>
<!ATTLIST ICMPService
 %STD_ATTRIBUTES;
 code %NUMBER; #REQUIRED
 type %NUMBER; #REQUIRED
>


<!-- Service matching a packet tag or mark (see the Tag action); tagcode is
     a free-form string whose meaning is platform specific. -->
<!ELEMENT TagService EMPTY>
<!ATTLIST TagService
 %STD_ATTRIBUTES;
 tagcode %STRING;  #REQUIRED
>

<!-- Generic IP service selected by protocol number. The optional flags
     appear to select fragment handling (fragm, short_fragm) and the IP
     options lsrr, rr, ssrr and ts; confirm exact semantics against the
     compiler. -->
<!ELEMENT IPService EMPTY>
<!ATTLIST IPService
 %STD_ATTRIBUTES;
 protocol_num %NUMBER;  #REQUIRED
 fragm        %BOOLEAN; #IMPLIED
 lsrr         %BOOLEAN; #IMPLIED
 rr           %BOOLEAN; #IMPLIED
 short_fragm  %BOOLEAN; #IMPLIED
 ssrr         %BOOLEAN; #IMPLIED
 ts           %BOOLEAN; #IMPLIED
>

<!-- TCP service: source and destination port ranges plus a flag/mask pair
     per TCP flag. Range bounds are CDATA; the application must check that
     they are within 0..65535 and that each start is not above its end. -->
<!ELEMENT TCPService EMPTY>
<!ATTLIST TCPService
 %STD_ATTRIBUTES;
 dst_range_end   %NUMBER;  #REQUIRED
 dst_range_start %NUMBER;  #REQUIRED
 urg_flag        %BOOLEAN; #REQUIRED
 ack_flag        %BOOLEAN; #REQUIRED
 psh_flag        %BOOLEAN; #REQUIRED
 rst_flag        %BOOLEAN; #REQUIRED
 syn_flag        %BOOLEAN; #REQUIRED
 fin_flag        %BOOLEAN; #REQUIRED
 urg_flag_mask   %BOOLEAN; #REQUIRED
 ack_flag_mask   %BOOLEAN; #REQUIRED
 psh_flag_mask   %BOOLEAN; #REQUIRED
 rst_flag_mask   %BOOLEAN; #REQUIRED
 syn_flag_mask   %BOOLEAN; #REQUIRED
 fin_flag_mask   %BOOLEAN; #REQUIRED
 src_range_end   %NUMBER;  #REQUIRED
 src_range_start %NUMBER;  #REQUIRED
 established     %BOOLEAN; #IMPLIED
>

<!-- UDP service: source and destination port ranges, same range caveats as
     TCPService. -->
<!ELEMENT UDPService EMPTY>
<!ATTLIST UDPService
 %STD_ATTRIBUTES;
 dst_range_end   %NUMBER; #REQUIRED
 dst_range_start %NUMBER; #REQUIRED
 src_range_end   %NUMBER; #REQUIRED
 src_range_start %NUMBER; #REQUIRED
>

<!-- Platform-specific match text for a CustomService, one per platform.
     The text is emitted into the generated configuration by the compiler,
     so it is effectively configuration code: review it as such and do not
     accept it from untrusted documents without inspection. -->
<!ELEMENT CustomServiceCommand (#PCDATA)>
<!ATTLIST CustomServiceCommand
 platform %STRING; #REQUIRED
>

<!ELEMENT CustomService  (CustomServiceCommand*)>
<!ATTLIST CustomService
 %STD_ATTRIBUTES;
>

<!-- Gateway: like Host but with a mandatory address. Not listed in the
     Library or ObjectGroup content models above. -->
<!ELEMENT Gateway (Interface* , Management?, GatewayOptions?)>
<!ATTLIST Gateway
 %STD_ATTRIBUTES;
 address              %IPADDRESS; #REQUIRED
 host_OS              %STRING;    #IMPLIED
>

<!-- Firewall: NAT, Policy and Routing rule sets are all mandatory and must
     appear in this order, followed by interfaces, management data and
     options. platform is required and, together with version and
     host_OS, presumably selects the policy compiler. The last* attributes
     are NUMBERs whose encoding is not defined here. -->
<!ELEMENT Firewall (NAT , Policy , Routing , Interface* , Management?, FirewallOptions?)>
<!ATTLIST Firewall
 %STD_ATTRIBUTES;
 platform             %STRING;    #REQUIRED
 version              %STRING;    #IMPLIED
 host_OS              %STRING;    #IMPLIED
 lastModified         %NUMBER;    #IMPLIED
 lastInstalled        %NUMBER;    #IMPLIED
 lastCompiled         %NUMBER;    #IMPLIED
 inactive             %BOOLEAN;   #IMPLIED
>

<!-- Rule sets. Each carries only an id (no name or comment) and holds zero
     or more rules of its kind. -->
<!ELEMENT NAT (NATRule*)>
<!ATTLIST NAT
 id       ID       #REQUIRED
>

<!ELEMENT Policy (PolicyRule*)>
<!ATTLIST Policy
 id       ID       #REQUIRED
>

<!ELEMENT Routing (RoutingRule*)>
<!ATTLIST Routing
 id       ID       #REQUIRED
>


<!-- Time -->

<!-- Group of time intervals; may nest and may reference other groups via
     IntervalRef (guard against cycles when expanding). -->
<!ELEMENT IntervalGroup ((IntervalGroup|Interval|IntervalRef)*)>
<!ATTLIST IntervalGroup
 %STD_ATTRIBUTES;
>

<!-- Reference to time interval -->
<!-- ref is an IDREF; validation proves the id exists, not that it is an
     Interval or IntervalGroup. -->
<!ELEMENT IntervalRef EMPTY>
<!ATTLIST IntervalRef 
       ref IDREF #REQUIRED
>

<!-- Time interval given as from/to components. Every component defaults to
     "-1", which presumably means "unspecified / any"; confirm against the
     compiler. Values are CDATA and are not range checked by the DTD. -->
<!ELEMENT Interval EMPTY>
<!ATTLIST Interval
 %STD_ATTRIBUTES;
 from_second  %NUMBER; "-1"
 from_minute  %NUMBER; "-1"
 from_hour    %NUMBER; "-1"
 from_day     %NUMBER; "-1"
 from_month   %NUMBER; "-1"
 from_year    %NUMBER; "-1"
 from_weekday %NUMBER; "-1"

 to_second    %NUMBER; "-1"
 to_minute    %NUMBER; "-1"
 to_hour      %NUMBER; "-1"
 to_day       %NUMBER; "-1"
 to_month     %NUMBER; "-1"
 to_year      %NUMBER; "-1"
 to_weekday   %NUMBER; "-1"
>

<!-- System object matching any time: every component is #FIXED to "-1" so
     a document cannot narrow it. -->
<!ELEMENT AnyInterval EMPTY>
<!ATTLIST AnyInterval
 %SYS_ATTRIBUTES;
 %STD_ATTRIBUTES;
 from_second  %NUMBER; #FIXED "-1"
 from_minute  %NUMBER; #FIXED "-1"
 from_hour    %NUMBER; #FIXED "-1"
 from_day     %NUMBER; #FIXED "-1"
 from_month   %NUMBER; #FIXED "-1"
 from_year    %NUMBER; #FIXED "-1"
 from_weekday %NUMBER; #FIXED "-1"

 to_second    %NUMBER; #FIXED "-1"
 to_minute    %NUMBER; #FIXED "-1"
 to_hour      %NUMBER; #FIXED "-1"
 to_day       %NUMBER; #FIXED "-1"
 to_month     %NUMBER; #FIXED "-1"
 to_year      %NUMBER; #FIXED "-1"
 to_weekday   %NUMBER; #FIXED "-1"
>

