Appendix I. Configuration Objects

Table of Contents

I.1. Top level
I.1.1. config: Top level config
I.2. Objects
I.2.1. system: System settings
I.2.2. link: Web links
I.2.3. routing-table: Default source IP for services using a given table
I.2.4. user: Admin users
I.2.5. eap: User access controlled by EAP
I.2.6. log: Log target controls
I.2.7. log-syslog: Syslog logger settings
I.2.8. log-email: Email logger settings
I.2.9. services: System services
I.2.10. http-service: Web service settings
I.2.11. dns-service: DNS service settings
I.2.12. dns-host: Fixed local DNS host settings
I.2.13. dns-block: Fixed local DNS blocks
I.2.14. telnet-service: Telnet service settings
I.2.15. snmp-service: SNMP service settings
I.2.16. time-service: System time server settings
I.2.17. ethernet: Physical port controls
I.2.18. sampling: Packet sampling configuration
I.2.19. portdef: Port grouping and naming
I.2.20. interface: Port-group/VLAN interface settings
I.2.21. subnet: Subnet settings
I.2.22. subnet-template: Subnet option templates for RA
I.2.23. dhcp6-client: DHCPv6 Client
I.2.24. vrrp: VRRP settings
I.2.25. dhcps: DHCP server settings
I.2.26. dhcp-attr-hex: DHCP server attributes (hex)
I.2.27. dhcp-attr-string: DHCP server attributes (string)
I.2.28. dhcp-attr-number: DHCP server attributes (numeric)
I.2.29. dhcp-attr-ip: DHCP server attributes (IP)
I.2.30. route: Static routes
I.2.31. network: Locally originated networks
I.2.32. blackhole: Dead end networks
I.2.33. loopback: Locally originated networks
I.2.34. namedbgpmap: Mapping and filtering rules of BGP prefixes
I.2.35. bgprule: Individual mapping/filtering rule
I.2.36. bgp: Overall BGP settings
I.2.37. bgppeer: BGP peer definitions
I.2.38. bgpmap: Mapping and filtering rules of BGP prefixes
I.2.39. cqm: Constant Quality Monitoring settings
I.2.40. fb105: FB105 tunnel definition
I.2.41. fb105-route: FB105 routes
I.2.42. ipsec-ike: IPsec configuration (IKEv2)
I.2.43. ike-connection: connection configuration
I.2.44. ipsec-route: IPsec tunnel routes
I.2.45. ike-roaming: IKE roaming IP pools
I.2.46. ike-proposal: IKE security proposal
I.2.47. ipsec-proposal: IPsec AH/ESP proposal
I.2.48. ipsec-manual: peer configuration
I.2.49. profile: Control profile
I.2.50. profile-date: Test passes if within any of the time ranges specified
I.2.51. profile-time: Test passes if within any of the date/time ranges specified
I.2.52. profile-ping: Test passes if any addresses are pingable
I.2.53. shaper: Traffic shaper
I.2.54. shaper-override: Traffic shaper override based on profile
I.2.55. ip-group: IP Group
I.2.56. route-override: Routing override rules
I.2.57. session-route-rule: Routing override rule
I.2.58. session-route-share: Route override load sharing
I.2.59. rule-set: Firewall/mapping rule set
I.2.60. session-rule: Firewall rules
I.2.61. session-share: Firewall load sharing
I.2.62. etun: Ether tunnel
I.2.63. dhcp-relay: DHCP server settings for remote / relayed requests
I.3. Data types
I.3.1. user-level: User login level
I.3.2. ppp-dump: PPP dump format
I.3.3. autoloadtype: Type of s/w auto load
I.3.4. lacp-hot-standby: LACP hot standby mode
I.3.5. config-access: Type of access user has to config
I.3.6. eap-subsystem: Subsystem with EAP access control
I.3.7. eap-method: EAP access method
I.3.8. syslog-severity: Syslog severity
I.3.9. syslog-facility: Syslog facility
I.3.10. http-mode: HTTP/HTTPS security mode
I.3.11. month: Month name (3 letter)
I.3.12. day: Day name (3 letter)
I.3.13. port: Physical port
I.3.14. Crossover: Crossover configuration
I.3.15. LinkFlow: Physical port flow control setting
I.3.16. LinkClock: Physical port Gigabit clock master/slave setting
I.3.17. LinkLED-y: Yellow LED setting
I.3.18. LinkLED-g: Green LED setting
I.3.19. LinkPower: PHY power saving options
I.3.20. LinkFault: Link fault type to send
I.3.21. sampling-protocol: Sampling protocol
I.3.22. trunk-mode: Trunk port mode
I.3.23. ramode: IPv6 route announce level
I.3.24. bgpmode: BGP announcement mode
I.3.25. sampling-mode: Sampling mode
I.3.26. sfoption: Source filter option
I.3.27. peertype: BGP peer type
I.3.28. ipsec-type: IPsec encapsulation type
I.3.29. ike-authmethod: authentication method
I.3.30. ike-mode: connection setup mode
I.3.31. ipsec-auth-algorithm: IPsec authentication algorithm
I.3.32. ipsec-crypt-algorithm: IPsec encryption algorithm
I.3.33. ike-PRF: IKE Pseudo-Random Function
I.3.34. ike-DH: IKE Diffie-Hellman group
I.3.35. ike-ESN: IKE Sequence Number support
I.3.36. ipsec-encapsulation: Manually keyed IPsec encapsulation mode
I.3.37. switch: Profile manual setting
I.3.38. chksum-action: Handling of TCP/UDP packet checksum
I.3.39. dynamic-graph: Type of dynamic graph
I.3.40. firewall-action: Firewall action
I.4. Basic types

This appendix describes the objects used in the FireBrick FB6402 (firewall) configuration. Copyright © 2008-2023 FireBrick Ltd.

I.1. Top level

I.1.1. config: Top level config

The top level config element contains all of the FireBrick configuration data.

Table I.1. config: Attributes

| Attribute | Type | Default | Description |
|---|---|---|---|
| ip | IPAddr | - | Config store IP address |
| patch | integer | - | Internal use, for s/w updates that change config syntax |
| serial | string | - | Serial number |
| timestamp | dateTime | - | Config store time, set automatically when config is saved |
| version | string | - | Code version |
| who | string | - | Config store username |

Table I.2. config: Elements

| Element | Type | Instances | Description |
|---|---|---|---|
| bgp | bgp | Optional, up to 100 | BGP config |
| bgp-filter | namedbgpmap | Optional, unlimited | Mapping and filtering rules for use with BGP peers |
| blackhole | blackhole | Optional, unlimited | Black hole (dropped packets) networks |
| cqm | cqm | Optional | Constant Quality Monitoring config |
| dhcp-relay | dhcp-relay | Optional, unlimited | DHCP server settings for remote / relayed requests |
| eap | eap | Optional, unlimited | User access control via EAP |
| ethernet | ethernet | Optional, unlimited | Ethernet port settings |
| etun | etun | Optional, unlimited | Ether tunnel (RFC3378) |
| fb105 | fb105 | Optional, up to 255 | FB105 tunnel settings |
| interface | interface | Optional, up to 8192 | Ethernet interface (port-group/vlan) and subnets |
| ip-group | ip-group | Optional, unlimited | Named IP groups |
| ipsec-ike | ipsec-ike | Optional | IPsec connection settings |
| log | log | Optional, up to 63 | Log target controls |
| loopback | loopback | Optional, unlimited | Extra local addresses |
| network | network | Optional, unlimited | Locally originated networks |
| nowhere | blackhole | Optional, unlimited | Dead end (icmp error) networks |
| port | portdef | Optional, up to 2 | Port grouping and naming |
| profile | profile | Optional, unlimited | Control profiles |
| route | route | Optional, unlimited | Static routes |
| route-override | route-override | Optional, unlimited | Routing override rules |
| routing-tables | routing-table | Optional, unlimited | Routing table settings |
| rule-set | rule-set | Optional, unlimited | Firewall/mapping rules |
| sampling | sampling | Optional | Sampling parameters |
| services | services | Optional | General system services |
| shaper | shaper | Optional, unlimited | Named traffic shapers |
| system | system | Optional | System settings |
| user | user | Optional, unlimited | Admin users |