<?xml version="1.0" encoding="UTF-8"?>

<!-- NOTE(review): the fw: and dns: prefixes used throughout this document are never
     declared (only the default namespace, ntman and xsi are bound below), so a
     namespace-aware parser will reject it; presumably the consuming tool is not
     namespace-aware. Because the default namespace is the firewall URI, the
     unprefixed Mappings/Variable/CallFunction/ExternalConstruct elements inside
     <dns:DNS> are technically in the firewall namespace as well. Confirm the
     intended URIs against Node.xsd and declare xmlns:fw / xmlns:dns on this root.
     The xsi URI is the 2000/10 working-draft namespace, not the final 2001
     XMLSchema-instance one; check which the validator expects. -->
<ntman:Node xmlns="http://www.ecs.soton.ac.uk/~src299/xmlnetman/firewall" 
		 xmlns:ntman="http://www.ecs.soton.ac.uk/~src299/xmlnetman"
       xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" 
       xsi:schemaLocation="http://www.ecs.soton.ac.uk/~src299/xmlnetman Node.xsd">

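	<ntman:Mappings>
		<!-- Node-wide variables, referenced as $name from the firewall and DNS sections below -->
		<ntman:Variable name="node_name" value="Sooty"/>
		<ntman:Variable name="interface_1_ip" value="192.168.15.95"/>
		<ntman:Variable name="interface_1" value="rl0"/>
		<ntman:Variable name="interface_2_ip" value="192.168.30.95"/>
		<ntman:Variable name="interface_2" value="wi0"/>

		<!-- Role aliases: interface_2 (wi0) is the untrusted wireless side,
		     interface_1 (rl0) the trusted wired side -->
		<ntman:Variable name="wlan_if" value="$interface_2"/>
		<ntman:Variable name="trusted_if" value="$interface_1"/>

      <ntman:Variable name="network" value="192.168.15"/>      <!-- Our main network (3-octet prefix, used as $network.N) -->
      <ntman:Variable name="network_1" value="192.168.30"/>    <!-- Our WLan network (3-octet prefix) -->

      <!-- Network address + mask used by the ICMP and Throughput firewall constructs
           ($trusted_net, $wlan_net, $net_mask). They were referenced below but not
           defined anywhere in this file, which would leave the rules depending on
           them unexpanded. Both networks are /24, matching the 255.255.255.0 masks
           already used in the Throughput construct. If a global mapping supplies
           these, drop the three lines here rather than shadowing it. -->
      <ntman:Variable name="trusted_net" value="$network.0"/>
      <ntman:Variable name="wlan_net" value="$network_1.0"/>
      <ntman:Variable name="net_mask" value="255.255.255.0"/>
	</ntman:Mappings>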

   <!-- Firewall to protect the trusted intranet (wired LAN) and this node against wireless LAN traffic -->
	<fw:Firewall>

		<Mappings>
			<!-- Firewall-wide variables. Each construct below carves its own range out of
			     $rule_base (+1000, +2000, ...), so rule numbers stay ordered and unique. -->
			<Variable name="rule_base" value="1000"/>              <!-- Rule ID to start allocating -->
			<Variable name="upstream_dns" value="192.168.2.100"/>  <!-- Where our upstream DNS server lives (not on either local net; reached via the trusted side) -->
		</Mappings>

		<!-- Standard loopback processing -->
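		<fw:FirewallConstruct name="Loopback Handeling" 
                            description="Protect loopback device">

			<Mappings>
				<Variable name="block_rule_base" value="$rule_base"/>   <!-- first block: rules $rule_base.. -->
			</Mappings>

			<!-- Traffic on the loopback interface itself is always allowed -->
			<fw:Rule Desc="Allow loopback" RuleID="$block_rule_base">
				<fw:action perform="pass"/>
				<fw:protocol type="all"/>
				<fw:src type="any"/>
				<fw:dst type="any"/>
				<fw:interface via="lo0"/>
			</fw:Rule>

			<!-- 127/8 must never be seen on a real interface. The original construct only
			     dropped packets *addressed to* 127/8; a packet *sourced from* 127/8
			     arriving on rl0/wi0 is just as bogus and is now dropped as well (the usual
			     rc.firewall pair: deny to 127/8, deny from 127/8). Both rules log.
			     If logamount maps to ipfw's "logamount", 0 means no cap, so a spoofing
			     flood can also flood syslog; consider a finite cap. -->
			<fw:Rule Desc="Prevent spoofing of loopback" RuleID="$block_rule_base+1">
				<fw:action perform="deny"/>
				<fw:log logamount="0" value="true"/>
				<fw:protocol type="all"/>
				<fw:src type="any"/>
				<fw:dst mask="255.0.0.0" address="127.0.0.1" type="ip"/>
				<fw:interface/>
			</fw:Rule>
			<fw:Rule Desc="Prevent spoofing from loopback addresses" RuleID="$block_rule_base+2">
				<fw:action perform="deny"/>
				<fw:log logamount="0" value="true"/>
				<fw:protocol type="all"/>
				<fw:src mask="255.0.0.0" address="127.0.0.1" type="ip"/>
				<fw:dst type="any"/>
				<fw:interface/>
			</fw:Rule>

		</fw:FirewallConstruct>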

		<!-- Standard protection for the wireless (untrusted) interface, pulled in from the externally defined Protection construct -->
		<fw:FirewallConstruct name="Standard Protection" 
                            description="External">

			<Mappings>
				<Variable name="block_rule_base" value="$rule_base+1000"/>   <!-- rules $rule_base+1000.. -->
				<!-- The external construct reads $untrusted_if; here it is the WLAN interface -->
				<Variable name="untrusted_if" value="$wlan_if"/>
			</Mappings>

			<!-- NOTE(review): what Protection actually installs (anti-spoofing, bogon
			     filtering, ...) is not visible in this file; the ICMP and forwarding rules
			     below implicitly rely on source-address checks happening here. Confirm. -->
			<ExternalConstruct name="Firewall::ExternalConstruct:Protection"/>
		</fw:FirewallConstruct>

		<!-- The same external protection applied a second time, to the wired side: untrusted_if is deliberately bound to $trusted_if so both interfaces get it -->
		<fw:FirewallConstruct name="Standard Protection" 
                            description="External">

			<Mappings>
				<Variable name="block_rule_base" value="$rule_base+2000"/>   <!-- rules $rule_base+2000.. -->
				<!-- Deliberate: run the same protection against the trusted interface too -->
				<Variable name="untrusted_if" value="$trusted_if"/>
			</Mappings>

			<!-- NOTE(review): this construct has the same name as the one above. If the
			     tool keys constructs by name, give this one a distinct name
			     (e.g. "Standard Protection (wired)"). -->
			<ExternalConstruct name="Firewall::ExternalConstruct:Protection"/>
		</fw:FirewallConstruct>

      <!-- Automatically create the firewall rules required to allow DNS queries to come in
           on the two networks we serve -->
      <fw:FirewallConstruct name="Dynamic DNS Service" 
                            description="Automatically create firewall Rules to allow DNS service operation">

         <!-- DNSAccess opens port 53 on BOTH interfaces, i.e. also towards the untrusted
              WLAN. That is intended (WLAN hosts use this node as their resolver), but it
              means the zone data for $root_domain is reachable from the WLAN: make sure
              the generated named.conf restricts zone transfers (allow-transfer) and
              recursion, otherwise any WLAN client can pull the whole internal host list.
              Whether the function also opens TCP/53 (needed for responses over 512 bytes
              and for transfers) is not visible here; confirm. -->
         <CallFunction name="Firewall::Functions:DNSAccess" onPath="$this/DNS(1)/Bindings(1)"> 
            <Parameter name="networks" value="$network,$network_1"/>
            <Parameter name="ips" value="$interface_1_ip,$interface_2_ip"/>
            <Parameter name="interfaces" value="$interface_1,$interface_2"/>
            <Parameter name="ruleid" value="$rule_base+3000"/>     <!-- rules $rule_base+3000.. -->
            <Parameter name="port" value="53"/>
         </CallFunction>  

      </fw:FirewallConstruct>

		<!-- Allow me to query my upstream DNS server -->
		<fw:FirewallConstruct name="Forwarding of DNS queries" 
                            description="Allow me to query my upstream DNS server">

			<Mappings>
				<Variable name="block_rule_base" value="$rule_base+3500"/>   <!-- rules $rule_base+3500.. -->
			</Mappings>

         <!-- SECURITY (review): both rules pin the *source* port of our own queries to 53
              (the BIND 8 "query-source port 53" behaviour). With a fixed source port the
              only entropy left against a forged reply is the 16-bit query ID, which is
              the Kaminsky-class cache-poisoning weakness (CVE-2008-1447). A resolver that
              randomises its source port would still get queries out (Local traffic
              construct), but the replies to the random port would be dropped by the
              "deny all other incoming" rule, so this rule set effectively forces the weak
              configuration. Allow replies to the ephemeral port range instead of 53 only
              (the port element syntax for ranges is not shown in this file). -->
         <fw:Rule Desc="Allow DNS queries out to upstream DNS server" RuleID="$block_rule_base">
				<fw:action perform="pass"/>
				<fw:protocol type="other" name="udp"/>
				<fw:src type="ip" address="$interface_1_ip" mask="255.255.255.255" ports="set">
               <fw:port-num port="53"/>
            </fw:src>
				<fw:dst type="ip" address="$upstream_dns" mask="255.255.255.255" ports="set">
               <fw:port-num port="53"/>
            </fw:dst>
				<fw:interface direction="out" xmit="$trusted_if"/>
			</fw:Rule>

         <!-- Stateless return path: any UDP datagram from $upstream_dns:53 to us:53 is
              accepted whether or not we asked. Only TCP gets an "established" rule in
              this file, so this port is open to the upstream address (or anyone able to
              spoof it from the trusted side). -->
         <fw:Rule Desc="Allow DNS queries back from upstream DNS server" RuleID="$block_rule_base+1">
				<fw:action perform="pass"/>
				<fw:protocol type="other" name="udp"/>
				<fw:src type="ip" address="$upstream_dns" mask="255.255.255.255" ports="set">
               <fw:port-num port="53"/>
            </fw:src>
				<fw:dst type="ip" address="$interface_1_ip" mask="255.255.255.255" ports="set">
               <fw:port-num port="53"/>
            </fw:dst>
				<fw:interface direction="in" recv="$trusted_if"/>
			</fw:Rule>

      </fw:FirewallConstruct>

		<!-- Deal with incoming ICMP: pings to this node, and ICMP replies/errors crossing from the WLAN into the trusted LAN -->
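		<fw:FirewallConstruct name="Incomming ICMP Connections" 
                            description="Handle ICMP requests">

			<Mappings>
				<Variable name="block_rule_base" value="$rule_base+4000"/>   <!-- rules $rule_base+4000.. -->
			</Mappings>

			<!-- $trusted_net / $wlan_net / $net_mask must resolve to 192.168.15.0 /
			     192.168.30.0 / 255.255.255.0 (the /24s used elsewhere in this file);
			     make sure the node Mappings define them, otherwise these rules do not
			     expand. Each rule is now also tied to the interface its source network
			     lives on, so a packet claiming a trusted-LAN source but arriving on the
			     wireless side (or vice versa) no longer matches: defence in depth on top
			     of whatever the external Protection construct does. -->

			<fw:Rule Desc="Allow ICMP queries from our trusted network to us" RuleID="$block_rule_base">
				<fw:action perform="pass"/>
				<fw:protocol name="icmp" type="other"/>
				<fw:src type="ip" address="$trusted_net" mask="$net_mask"/>
				<fw:dst type="ip" address="$interface_1_ip" mask="255.255.255.255"/>
				<fw:interface direction="in" recv="$trusted_if"/>
				<fw:options>
               <fw:icmptype type="echo-request"/>
				</fw:options>
			</fw:Rule>

			<fw:Rule Desc="Allow ICMP queries from our wireless network to us" RuleID="$block_rule_base+1">
				<fw:action perform="pass"/>
				<fw:protocol name="icmp" type="other"/>
				<fw:src type="ip" address="$wlan_net" mask="$net_mask"/>
				<fw:dst type="ip" address="$interface_2_ip" mask="255.255.255.255"/>
				<fw:interface direction="in" recv="$wlan_if"/>
				<fw:options>
               <fw:icmptype type="echo-request"/>
				</fw:options>
			</fw:Rule>

			<!-- Forwarded ICMP from the WLAN into the trusted LAN: only replies and error
			     reports, never requests, so WLAN hosts cannot initiate anything. dst-unreach
			     and ttl-exceed are needed for path-MTU discovery and traceroute; source-quench
			     is deprecated and info-reply/add-mask-reply are rarely needed, so the list
			     could be trimmed. The interface match uses a bare recv= with no direction,
			     the same form the Throughput construct uses for forwarded traffic. -->
			<fw:Rule Desc="Allow ICMP replies from wireless LAN to trusted network" RuleID="$block_rule_base+2">
				<fw:action perform="pass"/>
				<fw:protocol name="icmp" type="other"/>
				<fw:src type="ip" address="$wlan_net" mask="$net_mask"/>
				<fw:dst type="ip" address="$trusted_net" mask="$net_mask"/>
				<fw:interface recv="$wlan_if"/>
				<fw:options>
               <fw:icmptype type="echo-reply"/>
               <fw:icmptype type="ts-reply"/>
               <fw:icmptype type="info-reply"/>
               <fw:icmptype type="add-mask-reply"/>
               <fw:icmptype type="dst-unreach"/>
               <fw:icmptype type="source-quench"/>
               <fw:icmptype type="ttl-exceed"/>
               <fw:icmptype type="header-bad"/>
				</fw:options>
			</fw:Rule>

      </fw:FirewallConstruct>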

		<!-- Deal with other incoming connections addressed to this node itself -->
		<fw:FirewallConstruct name="Incomming Connections" 
                            description="What to do with incomming connections">

			<Mappings>
				<Variable name="block_rule_base" value="$rule_base+5000"/>   <!-- rules $rule_base+5000.. -->
			</Mappings>

         <!-- SECURITY (review): "established" is the classic stateless TCP rule; in ipfw
              semantics it passes any TCP segment with ACK or RST set, in any direction,
              between any addresses. It keeps replies to our own connections flowing, but
              it also lets a WLAN host push ACK-flagged segments straight into the trusted
              LAN (ACK scans, probing which hosts/ports answer with RST). If the backend
              supports stateful rules (keep-state/check-state), prefer those and drop this. -->
         <fw:Rule Desc="Let established TCP connections flow through" RuleID="$block_rule_base">
				<fw:action perform="pass"/>
				<fw:protocol type="other" name="tcp"/>
				<fw:src type="any"/>
				<fw:dst type="any"/>
				<fw:options established="true"/>
			</fw:Rule>

         <!-- Default-deny for the node's own addresses. Everything that should reach this
              host (loopback, DNS, ICMP echo) is allowed by lower-numbered rules. -->
         <fw:Rule Desc="Deny incomming connections directly to me from WLan" RuleID="$block_rule_base+1">
				<fw:action perform="deny"/>
				<fw:protocol type="all"/>
				<fw:src type="any"/>
				<fw:dst type="ip" address="$interface_2_ip" mask="255.255.255.255"/>
				<fw:interface direction="in" recv="$wlan_if"/>
			</fw:Rule>

         <fw:Rule Desc="Deny all other incomming connections from trusted lan" RuleID="$block_rule_base+2">
				<fw:action perform="deny"/>
				<fw:protocol type="all"/>
				<fw:src type="any"/>
				<fw:dst type="ip" address="$interface_1_ip" mask="255.255.255.255"/>
				<fw:interface direction="in" recv="$trusted_if"/>
			</fw:Rule>

			<!-- NOTE(review): the two denies above cover only traffic *to* this node. There
			     is no explicit final deny-all anywhere in this file, so forwarded traffic
			     not matched by the Throughput construct relies on the backend's default
			     policy being deny (ipfw's rule 65535 is deny unless the kernel was built
			     default-to-accept). Confirm, or add an explicit catch-all deny. -->
		</fw:FirewallConstruct>

		<!-- Connection requests travelling through us -->
		<fw:FirewallConstruct name="Throughput" 
                            description="What we allow to travel across us">

			<Mappings>
				<Variable name="block_rule_base" value="$rule_base+6000"/>   <!-- rules $rule_base+6000.. -->
			</Mappings>

         <!-- The isolation rule. WLAN hosts may be routed anywhere EXCEPT the trusted LAN
              (negate on dst): that includes the upstream DNS server and anything further
              upstream. Applies to all protocols. The only WLAN -> trusted exceptions are
              granted by earlier constructs (ICMP replies/errors, ACK-set TCP). Uses literal
              /24 masks where the ICMP construct uses $net_mask; keep the two in sync. -->
         <fw:Rule Desc="Allow packets to be routed through over trusted LAN" RuleID="$block_rule_base">
				<fw:action perform="pass"/>
				<fw:protocol type="all"/>
				<fw:src type="ip" address="$wlan_net" mask="255.255.255.0"/>
				<fw:dst type="ip" address="$trusted_net" mask="255.255.255.0" negate="true"/>
				<fw:interface recv="$wlan_if"/>
			</fw:Rule>

         <!-- Anything received on the trusted side and destined for the WLAN is passed:
              trusted hosts may initiate towards WLAN hosts, and replies from beyond the
              trusted side to WLAN hosts come back in through the same interface. -->
         <fw:Rule Desc="Allow all packets back out to wireless LAN" RuleID="$block_rule_base+1">
				<fw:action perform="pass"/>
				<fw:protocol type="all"/>
				<fw:src type="any"/>
				<fw:dst type="ip" address="$wlan_net" mask="255.255.255.0"/>
				<fw:interface recv="$trusted_if"/>
			</fw:Rule>

		</fw:FirewallConstruct>

		<!-- Traffic originating from this node -->
		<fw:FirewallConstruct name="Local traffic" 
                            description="Allow outgoing local traffic">

			<Mappings>
				<Variable name="block_rule_base" value="$rule_base+7000"/>   <!-- rules $rule_base+7000.. -->
			</Mappings>

         <!-- Anything this node originates from its own addresses is allowed out. No
              xmit= interface is given, so a packet sourced from the wired address may
              also leave via wi0 (and vice versa); harmless for locally generated traffic,
              but add xmit= per rule if that ever matters. -->
         <fw:Rule Desc="Outgoing from trusted interface" RuleID="$block_rule_base">
				<fw:action perform="pass"/>
				<fw:protocol type="all"/>
            <fw:src type="ip" address="$interface_1_ip" mask="255.255.255.255"/>
				<fw:dst type="any"/>
            <fw:interface direction="out"/>
			</fw:Rule>

         <fw:Rule Desc="Outgoing from wireless interface" RuleID="$block_rule_base+1">
				<fw:action perform="pass"/>
				<fw:protocol type="all"/>
            <fw:src type="ip" address="$interface_2_ip" mask="255.255.255.255"/>
				<fw:dst type="any"/>
            <fw:interface direction="out"/>
			</fw:Rule>

		</fw:FirewallConstruct>

	</fw:Firewall>


   <!-- DNS service configuration follows -->
   <dns:DNS>

      <!-- DNS wide global variable mappings -->
      <Mappings>
         <Variable name="root_domain" value="toons.foo.net"/>    <!-- The domain we are authoritative for -->
         <Variable name="NS" value="sooty.$root_domain"/>        <!-- Our primary name server (this node) -->
      </Mappings>

      <!-- Options - i.e. named.conf in BIND8 : Defines all our zones -->
      <dns:Bindings>
         <!-- NOTE(review): no access-control options (allow-query, allow-transfer,
              allow-recursion) are expressed here, while the firewall opens port 53 to the
              untrusted WLAN. If the generated named.conf does not restrict transfers, any
              WLAN client can AXFR the forward and reverse zones below. -->
         <dns:Zone name="$root_domain" type="master" file="db.toons.foo.net"/>          <!-- Forward; same file the ForwardSOA writes as db.$root_domain -->
         <dns:Zone name="15.168.192.in-addr.arpa" type="master" file="db.$network"/>    <!-- Reverse (Primary) -->
         <dns:Zone name="30.168.192.in-addr.arpa" type="master" file="db.$network_1"/>  <!-- Reverse (Secondary) -->
         <dns:Zone name="0.0.127.in-addr.arpa" type="master" file="db.127.0.0"/>        <!-- Loopback -->
      </dns:Bindings>

      <!-- All the forward resolution files -->
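      <dns:DNSConstruct name="Forward" description="Standard forward resolution">

         <Mappings>
            <!-- NOTE(review): $file is not used by this construct (the SOA below sets
                 file="db.$root_domain", which is what the Bindings reference) and names
                 a different domain. Looks like a leftover; confirm nothing external reads
                 it, then drop it. -->
            <Variable name="file" value="db.slybase.homeip.net"/>
         </Mappings>

         <!-- Standard forward lookup. The serial is maintained by hand: bump it on every
              edit or secondaries will never pick the change up. -->
         <dns:ForwardSOA match="$root_domain"
                         primaryns="$NS"
                         adminmail="root.$this.$root_domain"
                         file="db.$root_domain"
                         serial="5"
                         refresh="10800"
                         retry="3600"
                         expire="604800"
                         min_ttl="86400">

            <!-- $this presumably expands to the node name; keep it consistent with $NS
                 (sooty.$root_domain), which is what primaryns above uses -->
            <dns:NS match="@" target="$this.$root_domain"/>   
            <dns:A match="localhost" target="127.0.0.1"/>

            <!-- Primary network -->
            <dns:A match="sooty" target="$network.95"/>
            <dns:A match="sly" target="$network.90"/>
            <dns:A match="ben" target="$network.101"/>
            <dns:A match="roadrunner" target="$network.254"/>

            <!-- Secondary network (WLan). "sooty" gets a second A record, so resolvers
                 hand out both addresses; a WLAN client that gets 192.168.15.95 cannot
                 reach it (the firewall blocks WLAN -> trusted LAN). Consider a distinct
                 name for the wireless address. -->
            <dns:A match="sooty" target="$network_1.95"/>
            <dns:A match="tigger" target="$network_1.125"/>
            <dns:A match="kanga" target="$network_1.150"/>

            <!-- Some CNAMEs for our LAN -->
            <dns:CNAME match="www" target="ben"/> 
            <dns:CNAME match="ftp" target="ben"/> 
            <dns:CNAME match="www2" target="sly"/> 
            <dns:CNAME match="mail" target="sly"/> 

            <!-- Mail Exchanger. Points at the host's A name rather than the "mail" CNAME:
                 an MX target must not be an alias (RFC 2181 section 10.3) and some MTAs
                 reject or mishandle CNAME targets. "mail" stays as a CNAME for clients. -->
            <dns:MX match="@" target="sly.$root_domain" priority="10"/>

            <!-- The bare domain resolves to this node's wired address -->
            <dns:A match="@" target="$network.95"/>
         </dns:ForwardSOA>

      </dns:DNSConstruct>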

      <!-- Use a function to generate the reverse resolution file (SOA) for our primary LAN -->
      <dns:DNSConstruct name="Reverse" description="Standard reverse resolution">

         <!-- Execute the function call on the forward SOA defined above.
              NOTE(review): onConstruct says ".../forward" while the construct above is
              named "Forward"; if the lookup is case-sensitive this resolves nothing.
              This construct and the next one also share the name "Reverse"; rename if
              the tool keys constructs by name. -->
         <CallFunction name="DNS::Functions:GenReverseSOA" onConstruct="DNS::ServiceConstruct:$this/forward"> 
            <Parameter name="dbfile" value="db.$network"/>     <!-- must match the file= in Bindings for 15.168.192.in-addr.arpa -->
            <Parameter name="with_net" value="$network"/>
         </CallFunction>  

      </dns:DNSConstruct>

      <!-- Use a function to generate the reverse resolution file (SOA) for the WLAN-->
      <dns:DNSConstruct name="Reverse" description="Standard reverse resolution">

         <!-- Execute the function call on the forward SOA defined above (same
              case-sensitivity caveat as the primary reverse construct: "forward" vs
              "Forward"). Generates the reverse zone for the wireless /24. -->
         <CallFunction name="DNS::Functions:GenReverseSOA" onConstruct="DNS::ServiceConstruct:$this/forward"> 
            <Parameter name="dbfile" value="db.$network_1"/>   <!-- must match the file= in Bindings for 30.168.192.in-addr.arpa -->
            <Parameter name="with_net" value="$network_1"/>
         </CallFunction>  

      </dns:DNSConstruct>

      <!-- Use externally defined loopback feature -->
      <dns:DNSConstruct name="Loopback" description="Pull in external loopback definitions">

         <!-- Variables the external Loopback construct is expected to read. Their exact
              use is not visible here; presumably they populate the 0.0.127.in-addr.arpa
              SOA referenced in Bindings. -->
         <Mappings>
            <Variable name="primaryns" value="$NS"/>
            <Variable name="adminmail" value="root.$this.$root_domain"/>
            <Variable name="domain" value="$root_domain"/>
         </Mappings>

         <!-- Pull in loopback definition. Use variables to define behaviour -->
         <ExternalConstruct name="DNS::ExternalConstruct:Loopback"/>

      </dns:DNSConstruct>
   </dns:DNS>

</ntman:Node>

