From 126b561e3264b6d99d53683191616aab38459f53 Mon Sep 17 00:00:00 2001 
From: Vadim Kurland
Date: Fri, 8 Apr 2011 18:08:56 -0700
Subject: [PATCH] * PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules with service set to "http" and destination set to asa firewall object should generate different command syntax". Policy rules that have firewall object in Destination and http object in Service now generate "http" commands. This is similar to how fwbuilder generates "ssh", "telnet" and "icmp" commands to permit corresponding services to the firewall itself.
---
 doc/ChangeLog | 8 +++
 src/cisco_lib/PolicyCompiler_cisco.cpp | 26 +++++----
 src/cisco_lib/PolicyCompiler_cisco.h | 14 ++++-
 src/cisco_lib/PolicyCompiler_pix.cpp | 5 +-
 src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp | 4 +-
 src/cisco_lib/PolicyCompiler_pix_writers.cpp | 41 +++++---------
 test/pix/cluster1-1_pix1.fw.orig | 9 ++--
 test/pix/cluster1-1_pix2.fw.orig | 9 ++--
 test/pix/cluster1_pix1.fw.orig | 57 ++++++++++----------
 test/pix/cluster1_pix2.fw.orig | 57 ++++++++++----------
 test/pix/firewall.fw.orig | 19 +++----
 test/pix/firewall1.fw.orig | 10 ++--
 test/pix/firewall10.fw.orig | 12 ++---
 test/pix/firewall11.fw.orig | 6 ++-
 test/pix/firewall12.fw.orig | 8 ++-
 test/pix/firewall13.fw.orig | 6 ++-
 test/pix/firewall14.fw.orig | 6 ++-
 test/pix/firewall2.fw.orig | 6 +--
 test/pix/firewall20.fw.orig | 6 ++-
 test/pix/firewall21-1.fw.orig | 6 ++-
 test/pix/firewall21.fw.orig | 6 ++-
 test/pix/firewall22.fw.orig | 6 ++-
 test/pix/firewall23.fw.orig | 6 ++-
 test/pix/firewall3.fw.orig | 26 ++++-----
 test/pix/firewall33.fw.orig | 6 +--
 test/pix/firewall34.fw.orig | 6 +--
 test/pix/firewall4.fw.orig | 6 +--
 test/pix/firewall50.fw.orig | 13 +++--
 test/pix/firewall6.fw.orig | 6 ++-
 test/pix/firewall8.fw.orig | 6 ++-
 test/pix/firewall80.fw.orig | 9 ++--
 test/pix/firewall81.fw.orig | 9 ++--
 test/pix/firewall82.fw.orig | 9 ++--
 test/pix/firewall83.fw.orig | 9 ++--
 test/pix/firewall9.fw.orig | 6 ++-
 test/pix/firewall90.fw.orig | 5 +-
 test/pix/firewall91.fw.orig | 5 +-
 test/pix/firewall92.fw.orig | 5 +-
 test/pix/firewall93.fw.orig | 5 +-
 test/pix/firewall94.fw.orig | 5 +-
 test/pix/fwsm1.fw.orig | 14 +++--
 test/pix/fwsm2.fw.orig | 14 +++--
 test/pix/objects-for-regression-tests.fwb | 8 +--
 test/pix/pix515.fw.orig | 10 ++--
 test/pix/real.fw.orig | 8 +--
 test/pix/test_net_zone_2.fw.orig | 6 ++-
 46 files changed, 271 insertions(+), 258 deletions(-)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index dc26dafb5..1a6486cfd 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,13 @@
 2011-04-08 vadim
+ * PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules
+ with service set to "http" and destination set to asa firewall
+ object should generate different command syntax". Policy rules
+ that have firewall object in Destination and http object in
+ Service now generate "http" commands. This is similar to how
+ fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
+ corresponding services to the firewall itself.
+
 * pix.g (static_starts_with_tcp_udp): more fixes for import of PIX/ASA "static" command in different variations. See #2334
diff --git a/src/cisco_lib/PolicyCompiler_cisco.cpp b/src/cisco_lib/PolicyCompiler_cisco.cpp
index 98cb48e7d..55539f63d 100644
--- a/src/cisco_lib/PolicyCompiler_cisco.cpp
+++ b/src/cisco_lib/PolicyCompiler_cisco.cpp
@@ -31,6 +31,7 @@
 #include "NamedObjectsManager.h"
 #include "fwbuilder/AddressTable.h"
+#include "fwbuilder/Cluster.h"
 #include "fwbuilder/FWObjectDatabase.h"
 #include "fwbuilder/ICMPService.h"
 #include "fwbuilder/IPService.h"
@@ -493,16 +494,22 @@ bool PolicyCompiler_cisco::specialCaseWithDynInterface::processNext()
 */
 bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
 {
- PolicyRule *rule=getNext(); if (rule==NULL) return false;
- PolicyCompiler_cisco *cisco_comp=dynamic_cast(compiler);
-// RuleElementSrc *src=rule->getSrc();
-// RuleElementDst *dst=rule->getDst();
- RuleElementSrv *srv=rule->getSrv();
- Address *a=compiler->getFirstDst(rule);
+ PolicyRule *rule = getNext(); if (rule==NULL) return false;
+ PolicyCompiler_cisco *cisco_comp =
+ dynamic_cast(compiler);
+
+ RuleElementSrv *srv = rule->getSrv();
+ Address *a = compiler->getFirstDst(rule);
 assert(a!=NULL);
- if (rule->getAction()==PolicyRule::Accept &&
- compiler->complexMatch(a,cisco_comp->fw))
+ if (rule->getAction()==PolicyRule::Accept
+ &&
+ (
+ (Cluster::cast(a) != NULL && Cluster::cast(a)->hasMember(compiler->fw))
+ ||
+ a->getId() == compiler->fw->getId()
+ )
+ )
 {
 std::list cl;
 for (list::iterator i1=srv->begin(); i1!=srv->end(); ++i1)
@@ -515,6 +522,7 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
 TCPUDPService::cast(s)->getDstRangeStart()==port &&
 TCPUDPService::cast(s)->getDstRangeEnd()==port) cl.push_back(obj);
 }
+
 if (!cl.empty())
 {
 PolicyRule *r = compiler->dbcopy->createPolicyRule();
@@ -527,7 +535,7 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
 RuleElementSrv *nsrv = r->getSrv();
 nsrv->clearChildren();
 nsrv->addRef( cl.front() );
- r->setBool("ssh_telnet_cmd",true);
+ r->setBool("tcp_service_to_fw", true);
 tmp_queue.push_back(r);
 for (list::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
diff --git a/src/cisco_lib/PolicyCompiler_cisco.h b/src/cisco_lib/PolicyCompiler_cisco.h
index 01748a573..6d8af8b2b 100644
--- a/src/cisco_lib/PolicyCompiler_cisco.h
+++ b/src/cisco_lib/PolicyCompiler_cisco.h
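Review bot: The new destination test in tcpServiceToFW::processNext narrows the match from `compiler->complexMatch(a, cisco_comp->fw)` to an object-id equality or cluster membership, and that is a behaviour change the commit message and ChangeLog entry describe only as adding "http" commands. The regression output in test/pix/firewall80.fw.orig is consistent with the narrowing: Rule 1 previously produced `ssh 0.0.0.0 0.0.0.0 inside` and now produces an access-list entry, so a rule whose destination is a host or interface address of the firewall rather than the firewall object itself presumably no longer becomes a management-access command (objects-for-regression-tests.fwb also changed in this commit, so confirm which change drives it). If that is intended, say so in the ChangeLog and in the comment above processNext; if not, the old match belongs alongside the cluster check. `cisco_comp` is still computed with a dynamic_cast but is no longer used in this hunk, so the two new lines can go unless it is referenced further down (the function continues past the hunk). `Cluster::cast(a)` is evaluated twice; a local `Cluster *cluster_dst = Cluster::cast(a);` would read better.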
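Review bot: The rule flag is renamed from "ssh_telnet_cmd" to "tcp_service_to_fw" in this hunk and again in PolicyCompiler_pix_v6_acls.cpp and PolicyCompiler_pix_writers.cpp, but it is a string key read through getBool, so any other reader in cisco_lib that still uses the old name compiles cleanly and silently gets false, which would turn a management-access rule back into an ordinary ACL rule. A grep for the old key outside this diff before merging would settle it, and defining the key once as a named constant, e.g. `static const char *TCP_SERVICE_TO_FW = "tcp_service_to_fw";` shared by the setter and the readers, would make the next rename safe.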
@@ -291,7 +291,7 @@ protected:
 class telnetToFirewall : public tcpServiceToFW
 {
 public:
- telnetToFirewall(const std::string &n):tcpServiceToFW(23,n) {}
+ telnetToFirewall(const std::string &n):tcpServiceToFW(23, n) {}
 };
 friend class telnetToFirewall;
@@ -301,10 +301,20 @@ protected:
 class sshToFirewall : public tcpServiceToFW
 {
 public:
- sshToFirewall(const std::string &n):tcpServiceToFW(22,n) {}
+ sshToFirewall(const std::string &n):tcpServiceToFW(22, n) {}
 };
 friend class sshToFirewall;
+ /**
+ * this processor splits rules if it finds telnet to firewall
+ */
+ class httpToFirewall : public tcpServiceToFW
+ {
+ public:
+ httpToFirewall(const std::string &n):tcpServiceToFW(80, n) {}
+ };
+ friend class httpToFirewall;
+
 /**
 * replace fw with one of its interfaces in SRC in interface
 * policy rule
diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp
index 3d98e34cf..b93d2c764 100644
--- a/src/cisco_lib/PolicyCompiler_pix.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix.cpp
@@ -544,7 +544,10 @@ void PolicyCompiler_pix::compile()
 add( new telnetToFirewall( "separate rules controlling telnet to firewall"));
- add( new sshToFirewall("separate rules controlling ssh to firewall" ));
+ add( new sshToFirewall(
+ "separate rules controlling ssh to firewall" ));
+ add( new httpToFirewall(
+ "separate rules controlling http to firewall"));
 add( new separateSrcPort("split rules matching source ports"));
 add( new separateCustom("split rules matching custom services"));
diff --git a/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp b/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp
index a30d30862..546e8fc23 100644
--- a/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp
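Review bot: The doc comment on the new httpToFirewall class in PolicyCompiler_cisco.h says "this processor splits rules if it finds telnet to firewall"; it was copied from the telnet processor and should read `* this processor splits rules if it finds http to firewall`. Since the three subclasses differ only in the port passed to tcpServiceToFW, one comment on the base class stating that the port selects which management command (ssh, telnet, http) the writer emits would serve better than three near-identical ones. The enclosing class declaration continues outside the hunk.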
@@ -75,7 +75,7 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
 tmp_queue.push_back(rule);
 bool icmp_cmd = rule->getBool("icmp_cmd");
- bool ssh_telnet_cmd = rule->getBool("ssh_telnet_cmd");
+ bool tcp_service_to_fw = rule->getBool("tcp_service_to_fw");
 // int interface_id = rule->getInterfaceId();
 RuleElementItf *intf_re = rule->getItf();
@@ -86,7 +86,7 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
 if (intf_re->isAny() && rule->getDirection()==PolicyRule::Both) return true;
- if (intf_re->isAny() && !icmp_cmd && !ssh_telnet_cmd && (
+ if (intf_re->isAny() && !icmp_cmd && !tcp_service_to_fw && (
 rule->getDirection()==PolicyRule::Inbound || rule->getDirection()==PolicyRule::Outbound) ) compiler->abort(rule, "Direction set without interface");
diff --git a/src/cisco_lib/PolicyCompiler_pix_writers.cpp b/src/cisco_lib/PolicyCompiler_pix_writers.cpp
index cfd38cdb7..0b4c8b4e8 100644
--- a/src/cisco_lib/PolicyCompiler_pix_writers.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix_writers.cpp
@@ -308,8 +308,6 @@ string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule)
 RuleElementSrc *rel = rule->getSrc();
 Service *srv = compiler->getFirstSrv(rule);
-// Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
-
 RuleElementItf *intf_re = rule->getItf();
 Interface *rule_iface = Interface::cast( FWObjectReference::getObject(intf_re->front()));
@@ -319,54 +317,43 @@ string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule)
 for (FWObject::iterator i=rel->begin(); i!=rel->end(); ++i)
 {
- FWObject *o = *i;
- if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
-// Address *a;
+ FWObject *o = FWReference::getObject(*i);
 if (dynamic_cast(o)!=NULL)
 {
 for (FWObject::iterator j=o->begin(); j!=o->end(); ++j)
 {
- FWObject *o1 = *j;
- if (FWReference::cast(o1)!=NULL)
- o1=FWReference::cast(o1)->getPointer();
- Address *a=Address::cast(o1);
+ Address *a = Address::cast(FWReference::getObject(*j));
 assert(a!=NULL);
- str << _printSingleSSHTelnetCommand(
- port, a, rule_iface->getLabel());
+ str << _printSingleSSHTelnetCommand(port, a, rule_iface->getLabel());
 }
 }
 else
 {
- Address *a=Address::cast(o);
+ Address *a = Address::cast(o);
 assert(a!=NULL);
- str << _printSingleSSHTelnetCommand(
- port, a, rule_iface->getLabel());
+ str << _printSingleSSHTelnetCommand(port, a, rule_iface->getLabel());
 }
 }
 return str.str();
 }
-string PolicyCompiler_pix::PrintRule::_printSingleSSHTelnetCommand(int port,
- Address *a,
- const string &interfaceLabel)
+string PolicyCompiler_pix::PrintRule::_printSingleSSHTelnetCommand(
+ int port, Address *a, const string &interfaceLabel)
 {
 string res;
- if (port==23)
+ if (port==22) res = "ssh ";
+ if (port==23) res = "telnet ";
+ if (port==80) res = "http ";
+
+ if (!res.empty())
 {
- res += "telnet ";
- res += a->getAddressPtr()->toString() + " "
- + a->getNetmaskPtr()->toString() + " "
- + interfaceLabel + "\n";
- }
- if (port==22)
- {
- res += "ssh ";
 res += a->getAddressPtr()->toString() + " " + a->getNetmaskPtr()->toString() + " " + interfaceLabel + "\n";
 }
+
 return res;
 }
@@ -398,7 +385,7 @@ bool PolicyCompiler_pix::PrintRule::processNext()
 // return true;
 }
- if (rule->getBool("ssh_telnet_cmd"))
+ if (rule->getBool("tcp_service_to_fw"))
 {
 compiler->output << _printSSHTelnetCommand(rule);
 return true;
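Review bot: In the rewritten `_printSingleSSHTelnetCommand`, a port other than 22, 23 or 80 leaves `res` empty and the function returns "" with no diagnostic, and `PrintRule::processNext` then writes that empty string and returns true, so a future tcpServiceToFW subclass whose port is not added to this chain would have its management-access rule vanish from the generated configuration silently. Since the three ports are a closed set, replacing the chain with `switch (port)` and a `default:` that calls `compiler->abort(...)` (or at least `assert(false)`) would surface the mismatch at policy-compile time instead. The names `_printSSHTelnetCommand` and `_printSingleSSHTelnetCommand` now also emit `http`; a rename matching the `tcp_service_to_fw` flag, or a comment above the first one saying it covers ssh, telnet and http, would keep the names honest. `_printSSHTelnetCommand` begins outside the hunk.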
diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index 0b5d0bd77..d856638bf 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:25 2011 PDT by vadim +! Generated Fri Apr 8 18:06:03 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -147,7 +147,6 @@ object-group network id56627X61097.src.net.0 network-object host 192.0.2.253 exit - !################ ! ! Rule 0 (Ethernet0.101) @@ -160,10 +159,10 @@ access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 2 interval 300 ! Rule 1 (global) ! SSH Access to firewall is permitted ! only from internal network -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 3 (global) ! Firewall uses one of the machines diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index 4e3ce8b42..044942794 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:25 2011 PDT by vadim +! Generated Fri Apr 8 18:06:03 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -147,7 +147,6 @@ object-group network id56627X61097.src.net.0 network-object host 192.0.2.253 exit - !################ ! ! Rule 0 (Ethernet0.101) 
@@ -160,10 +159,10 @@ access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 3 interval 300 ! Rule 1 (global) ! SSH Access to firewall is permitted ! only from internal network -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 3 (global) ! Firewall uses one of the machines diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index ea9401a34..b9c7eb99e 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:24 2011 PDT by vadim +! Generated Fri Apr 8 18:06:03 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -147,7 +147,6 @@ object-group network id55439X897.src.net.0 network-object host 192.0.2.253 exit - !################ ! ! Rule 0 (Ethernet0.101) @@ -160,10 +159,10 @@ access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 2 interval 300 ! Rule 1 (global) ! SSH Access to firewall is permitted ! only from internal network -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 3 (global) ! Firewall uses one of the machines 
@@ -180,32 +179,32 @@ access-list inside_out permit udp object-group id2913X78273.src.net.1 10.3.14.0 access-list inside_out permit udp object-group id2913X78273.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300 ! ! Rule 5 (Ethernet0.101,Ethernet0.102) -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 ! ! Rule 6 (cl1 itf) -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 ! ! Rule 7 (Ethernet0.101,Ethernet0.102) access-list outside_in permit udp any 10.3.14.0 255.255.255.0 eq 53 diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index b7cff454e..e82e98b2f 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:24 2011 PDT by vadim +! Generated Fri Apr 8 18:06:03 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -152,7 +152,6 @@ object-group network id3401X82678.dst.net.0 network-object host 192.0.2.254 exit - !################ ! ! Rule 0 (Ethernet0.101) @@ -165,10 +164,10 @@ access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 3 interval 300 ! Rule 1 (global) ! SSH Access to firewall is permitted ! only from internal network -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 3 (global) ! Firewall uses one of the machines 
@@ -185,32 +184,32 @@ access-list inside_out permit udp object-group id2913X78273.src.net.1 10.3.14.0 access-list inside_out permit udp object-group id2913X78273.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300 ! ! Rule 5 (Ethernet0.101,Ethernet0.102) -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 ! ! Rule 6 (cl1 itf) -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 -ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 +ssh 0.0.0.0 0.0.0.0 dmz20 ! ! Rule 7 (Ethernet0.101,Ethernet0.102) access-list outside_in permit udp any 10.3.14.0 255.255.255.0 eq 53 diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index d93c9b8e9..235e3896d 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:12 2011 PDT by vadim +! Generated Fri Apr 8 18:05:51 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -274,7 +274,6 @@ clear telnet clear object-group - object-group network id3C4E4C38.dst.net.0 network-object host 211.11.11.11 network-object host 211.22.22.22 @@ -387,7 +386,6 @@ object-group service pol-firewall2-4.srv.tcp.0 tcp port-object eq 7100 exit - !################ clear access-list tmp_acl @@ -399,7 +397,7 @@ access-group tmp_acl in interface inside ! ! Rule -1 backup ssh access rule (automatic) -ssh 192.168.1.100 255.255.255.255 inside +ssh 192.168.1.100 255.255.255.255 inside ! ! Rule 0 (global) ! firewall:Policy:0: error: Rule '0 (global)' shadows rule '1 (ethernet1)' below it @@ -441,7 +439,7 @@ access-list outside_acl_in permit icmp any any 3 access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 4 (ethernet0) -ssh 192.168.1.0 255.255.255.0 inside +ssh 192.168.1.0 255.255.255.0 inside ! ! Rule 5 (ethernet0) access-list inside_acl_in permit tcp any object-group id3C4E4C38.dst.net.0 object-group id3C4E4C38.srv.tcp.0 
@@ -500,12 +498,9 @@ access-list inside_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 31 access-list dmz_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 3128 ! ! Rule 15 (global) -access-list outside_acl_in permit icmp any host 22.22.22.22 3 -access-list inside_acl_in permit icmp any host 192.168.1.1 3 -access-list dmz_acl_in permit icmp any host 192.168.2.1 3 -access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 -access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 -access-list dmz_acl_in permit tcp any host 192.168.2.1 eq 80 +http 192.168.1.0 255.255.255.0 inside +icmp permit 192.168.1.0 255.255.255.0 3 inside +access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.0 host 192.168.1.1 3 ! ! Rule 16 (global) access-list outside_acl_in permit tcp any object-group id3CD87B1E.dst.net.0 object-group id3CD87B1E.srv.tcp.0 diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index d46636001..17087bcaf 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:12 2011 PDT by vadim +! Generated Fri Apr 8 18:05:50 2011 PDT by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported @@ -69,6 +69,8 @@ no sysopt route dnat floodguard disable + + !################ ! ! Rule 2 (eth1) @@ -103,8 +105,8 @@ access-list dmz_acl_in permit icmp any host 192.168.2.1 11 telnet 0.0.0.0 0.0.0.0 inside telnet 0.0.0.0 0.0.0.0 dmz -ssh 0.0.0.0 0.0.0.0 inside -ssh 0.0.0.0 0.0.0.0 dmz +ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 dmz ! ! Rule 11 (global) ! hostF has the same IP address as firewal. diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index f74351268..4d1d2e0aa 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:13 2011 PDT by vadim +! Generated Fri Apr 8 18:05:51 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -94,7 +94,6 @@ fixup protocol sqlnet 1521 clear object-group - object-group network id3DB0FA90.dst.net.0 network-object host 211.11.11.11 network-object host 211.22.22.22 @@ -223,7 +222,6 @@ object-group service id3DB0FA12.srv.tcp.0 tcp port-object eq 7100 exit - !################ ! ! Rule 3 (ethernet1) @@ -305,9 +303,9 @@ access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id3DB0FA12.srv.tcp.0 ! ! Rule 19 (global) -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 inside -ssh 0.0.0.0 0.0.0.0 dmz +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 dmz access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index 8bba37ca6..25a22c5da 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:13 2011 PDT by vadim +! Generated Fri Apr 8 18:05:51 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -75,6 +75,8 @@ sysopt route dnat floodguard enable + + !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index 6ac5454c7..83c173bbf 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:13 2011 PDT by vadim +! Generated Fri Apr 8 18:05:52 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -90,14 +90,12 @@ fixup protocol icmp error clear object-group - object-group network id3F8F95CD.dst.net.0 network-object host 192.0.2.20 network-object host 192.0.2.21 network-object host 192.0.2.23 exit - !################ ! ! Rule 0 (global) @@ -105,7 +103,7 @@ access-list inside_acl_in remark 0 (global) access-list inside_acl_in permit ip 10.3.14.0 255.255.255.0 any ! ! Rule 1 (global) -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) icmp permit any 0 outside diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 42fe7d33c..3d35653f4 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:14 2011 PDT by vadim +! Generated Fri Apr 8 18:05:52 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -71,6 +71,8 @@ no sysopt nodnsalias outbound floodguard enable + + !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index 95c947355..0463813ad 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:14 2011 PDT by vadim +! Generated Fri Apr 8 18:05:52 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
@@ -67,6 +67,8 @@ no sysopt nodnsalias outbound floodguard enable + + !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 3fdc9ac11..5ccd393d3 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:14 2011 PDT by vadim +! Generated Fri Apr 8 18:05:53 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -73,7 +73,6 @@ clear telnet clear object-group - object-group service id3D6EF08C.srv.tcp.0 tcp port-object eq 80 port-object eq 119 @@ -84,7 +83,6 @@ object-group network id3D8FCCDE.src.net.0 network-object host 192.168.1.20 exit - !################ ! ! Rule 0 (eth1) diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index 98673ecee..87bc2283a 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:15 2011 PDT by vadim +! Generated Fri Apr 8 18:05:53 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -80,6 +80,8 @@ floodguard enable fixup protocol ftp 21 + + !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index 943458b3b..e2cb4d8ab 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:15 2011 PDT by vadim +! Generated Fri Apr 8 18:05:54 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
@@ -85,6 +85,8 @@ floodguard enable fixup protocol ftp 21 + + !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 7ff5ddf94..4b8c7166d 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:15 2011 PDT by vadim +! Generated Fri Apr 8 18:05:53 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -100,6 +100,8 @@ policy-map global_policy service-policy global_policy global + + !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index 6b02a45a4..d9b277254 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:16 2011 PDT by vadim +! Generated Fri Apr 8 18:05:54 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -93,6 +93,8 @@ policy-map global_policy service-policy global_policy global + + !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall23.fw.orig b/test/pix/firewall23.fw.orig index 1fa7e0ea5..7a2796469 100755 --- a/test/pix/firewall23.fw.orig +++ b/test/pix/firewall23.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:16 2011 PDT by vadim +! Generated Fri Apr 8 18:05:54 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -70,6 +70,8 @@ clear global clear nat + + !################ ! diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index a8db20af3..06d264956 100755 --- a/test/pix/firewall3.fw.orig 
+++ b/test/pix/firewall3.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:16 2011 PDT by vadim +! Generated Fri Apr 8 18:05:54 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -78,14 +78,16 @@ clear icmp clear telnet + + !################ ! ! Rule 0 (eth0) -ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 inside access-list inside_acl_in permit tcp any any eq 22 ! ! Rule 1 (eth0) -ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 inside ! ! Rule 2 (eth0) icmp permit any 3 inside @@ -96,11 +98,11 @@ access-list inside_acl_in permit icmp any any 3 access-list inside_acl_in permit icmp any host 192.168.1.1 3 ! ! Rule 4 (eth1) -ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside access-list outside_acl_in permit tcp any any eq 22 ! ! Rule 5 (eth1) -ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 outside ! ! Rule 6 (eth1) icmp permit any 3 outside @@ -125,17 +127,17 @@ access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 ! ! Rule 10 (global) -ssh 0.0.0.0 0.0.0.0 inside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 dmz +ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 dmz access-list inside_acl_in permit tcp any any eq 22 access-list outside_acl_in permit tcp any any eq 22 access-list dmz_acl_in permit tcp any any eq 22 ! ! Rule 11 (global) -ssh 0.0.0.0 0.0.0.0 inside -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 dmz +ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 dmz ! ! Rule 12 (global) telnet 0.0.0.0 0.0.0.0 inside diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index dab8d27ad..74fc0c3ed 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:16 2011 PDT by vadim +! Generated Fri Apr 8 18:05:55 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -75,7 +75,6 @@ floodguard disable clear object-group - object-group network id43867C2418346.src.net.0 network-object host 157.166.224.25 network-object host 157.166.224.26 @@ -99,7 +98,6 @@ object-group network id438728A918346.dst.net.0 network-object host 157.166.255.19 exit - !################ ! ! Rule 0 (eth0.100) diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index e71850e99..2e3a387d6 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:17 2011 PDT by vadim +! Generated Fri Apr 8 18:05:55 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -64,7 +64,6 @@ floodguard disable clear object-group - object-group network id16988X10208.dst.net.0 network-object 192.168.1.1 255.255.255.255 network-object 192.168.1.2 255.255.255.255 @@ -190,7 +189,6 @@ object-group network id21263X16880.src.net.0 network-object 10.1.4.0 255.255.255.0 exit - !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 8a5df0a4c..69a67ef1e 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:17 2011 PDT by vadim +! Generated Fri Apr 8 18:05:55 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported 
@@ -85,7 +85,6 @@ clear telnet clear object-group - object-group service id3D79A1C2.srv.tcp.0 tcp port-object eq 80 port-object eq 22 @@ -96,7 +95,6 @@ object-group network id3D79A1E4.dst.net.0 network-object host 192.168.1.20 exit - !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index df791473d..7d8b535a6 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:18 2011 PDT by vadim +! Generated Fri Apr 8 18:05:56 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -239,7 +239,6 @@ object-group service id4514304928543.srv.tcp.0 tcp port-object eq 7100 exit - !################ clear config access-list tmp_acl @@ -262,7 +261,7 @@ access-list outside_acl_in permit icmp any any 3 access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 4 (ethernet0) -ssh 192.168.1.0 255.255.255.0 inside +ssh 192.168.1.0 255.255.255.0 inside ! ! Rule 5 (ethernet0) access-list inside_acl_in permit tcp any object-group id45142FA628543.dst.net.0 object-group id45142FA628543.srv.tcp.0 @@ -331,9 +330,9 @@ access-list inside_acl_in permit tcp any object-group id4514301628543.dst.net.0 access-list dmz_acl_in permit tcp any object-group id4514301628543.dst.net.0 eq 3128 ! ! Rule 17 (global) -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 inside -ssh 0.0.0.0 0.0.0.0 dmz +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 dmz access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 69b853b99..1071ec385 100755 --- a/test/pix/firewall6.fw.orig 
+++ b/test/pix/firewall6.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:18 2011 PDT by vadim +! Generated Fri Apr 8 18:05:56 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -85,6 +85,8 @@ clear icmp clear telnet + + !################ ! ! Rule 0 (eth1) diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index fdcd31a56..e4953e69a 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:18 2011 PDT by vadim +! Generated Fri Apr 8 18:05:57 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -78,6 +78,8 @@ floodguard enable fixup protocol ftp 21 + + !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index ea8d17220..4c29ac929 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:19 2011 PDT by vadim +! Generated Fri Apr 8 18:05:57 2011 PDT by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported @@ -117,14 +117,13 @@ object-group icmp-type id21447X11252.srv.icmp.0 icmp-object 8 exit - !################ ! ! Rule 0 (FastEthernet1) -ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 inside ! ! Rule 1 (FastEthernet1) -ssh 0.0.0.0 0.0.0.0 inside +access-list inside_acl_in permit tcp any host 22.22.22.22 eq 22 ! ! Rule 2 (global) access-list outside_acl_in permit tcp any host 192.168.1.10 eq 22 diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index ec8b26188..ce1031448 100755 
--- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:19 2011 PDT by vadim +! Generated Fri Apr 8 18:05:57 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -105,7 +105,6 @@ object network hostA:eth0.0 host 192.168.1.10 exit - !################ ! ! Rule 0 (global) @@ -133,8 +132,8 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! test rule using translated address in dst ! firewall81:Policy:3: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. -access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 -access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 +http 0.0.0.0 0.0.0.0 inside +http 0.0.0.0 0.0.0.0 outside ! ! Rule 4 (global) ! for #1942 diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index 4ae918e69..77c35ca05 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:20 2011 PDT by vadim +! Generated Fri Apr 8 18:05:58 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -105,7 +105,6 @@ object network hostA:eth0.0 host 192.168.1.10 exit - !################ ! ! Rule 0 (global) 
@@ -133,8 +132,8 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! test rule using translated address in dst ! firewall82:Policy:3: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. -access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 -access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 +http 0.0.0.0 0.0.0.0 inside +http 0.0.0.0 0.0.0.0 outside ! ! Rule 4 (global) access-list inside_acl_in deny ip any any diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index d071c69af..1363ac599 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:20 2011 PDT by vadim +! Generated Fri Apr 8 18:05:58 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -103,7 +103,6 @@ object network hostA:eth0.0 host 192.168.1.10 exit - !################ ! ! Rule 0 (global) @@ -125,8 +124,8 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 3 (global) ! test rule using translated address in dst -access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 -access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 +http 0.0.0.0 0.0.0.0 inside +http 0.0.0.0 0.0.0.0 outside ! ! Rule 4 (global) access-list inside_acl_in deny ip any any diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index bda6a7559..c36cfd72e 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:20 2011 PDT by vadim +! Generated Fri Apr 8 18:05:59 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -94,6 +94,8 @@ fixup protocol sqlnet 1521 fixup protocol tftp 69 + + !################ diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index c9d318d27..026173deb 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:20 2011 PDT by vadim +! Generated Fri Apr 8 18:05:59 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -234,7 +234,6 @@ object-group network id78630X30274.src.net.0 network-object 10.1.3.0 255.255.255.0 exit - !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 6753d505f..d74f4e493 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:21 2011 PDT by vadim +! Generated Fri Apr 8 18:05:59 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -132,7 +132,6 @@ object network outside_range.0 range 22.22.22.21 22.22.22.25 exit - !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index 4d4316f1b..b18673b97 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:21 2011 PDT by vadim +! Generated Fri Apr 8 18:05:59 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -133,7 +133,6 @@ object-group network id20655X6113.osrc.net.0 network-object object internal_subnet_2.0 exit - !################ ! ! Rule 0 (global) diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig index 5f1726688..b46b18a51 100755 --- a/test/pix/firewall93.fw.orig +++ b/test/pix/firewall93.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:21 2011 PDT by vadim +! Generated Fri Apr 8 18:06:00 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -102,7 +102,6 @@ object network inside-range-1.0 range 10.0.0.1 10.0.0.5 exit - !################ ! diff --git a/test/pix/firewall94.fw.orig b/test/pix/firewall94.fw.orig index 040ce9706..2bcb302bc 100755 --- a/test/pix/firewall94.fw.orig +++ b/test/pix/firewall94.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:22 2011 PDT by vadim +! Generated Fri Apr 8 18:06:00 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -94,7 +94,6 @@ object-group network id26782X14355.src.net.0 network-object object inside-range-2.0 exit - !################ ! ! Rule 0 (global) diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index a3a374370..89f59d82d 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:22 2011 PDT by vadim +! Generated Fri Apr 8 18:06:01 2011 PDT by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported @@ -107,7 +107,6 @@ clear telnet clear object-group - object-group network id444A03DE9567.dst.net.0 network-object host 211.11.11.11 network-object host 211.22.22.22 @@ -220,7 +219,6 @@ object-group service id444A04819567.srv.tcp.0 tcp port-object eq 7100 exit - !################ access-list mode auto @@ -244,7 +242,7 @@ access-list outside_acl_in permit icmp any any 3 access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 4 (ethernet0) -ssh 192.168.1.0 255.255.255.0 inside +ssh 192.168.1.0 255.255.255.0 inside ! ! Rule 5 (ethernet0) access-list inside_acl_in permit tcp any object-group id444A03DE9567.dst.net.0 object-group id444A03DE9567.srv.tcp.0 @@ -303,9 +301,9 @@ access-list inside_acl_in permit tcp any object-group id444A044E9567.dst.net.0 e access-list dmz_acl_in permit tcp any object-group id444A044E9567.dst.net.0 eq 3128 ! ! Rule 15 (global) -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 inside -ssh 0.0.0.0 0.0.0.0 dmz +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 dmz access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index a4a1b8b5d..2251e8a35 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:22 2011 PDT by vadim +! Generated Fri Apr 8 18:06:01 2011 PDT by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported @@ -120,7 +120,6 @@ clear config telnet clear config object-group - object-group network id17298X54624.dst.net.0 network-object host 211.11.11.11 network-object host 211.22.22.22 @@ -233,7 +232,6 @@ object-group service id17461X54624.srv.tcp.0 tcp port-object eq 7100 exit - !################ access-list mode auto @@ -257,7 +255,7 @@ access-list outside_acl_in permit icmp any any 3 access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 4 (ethernet0) -ssh 192.168.1.0 255.255.255.0 inside +ssh 192.168.1.0 255.255.255.0 inside ! ! Rule 5 (ethernet0) access-list inside_acl_in permit tcp any object-group id17298X54624.dst.net.0 object-group id17298X54624.srv.tcp.0 @@ -316,9 +314,9 @@ access-list inside_acl_in permit tcp any object-group id17410X54624.dst.net.0 eq access-list dmz_acl_in permit tcp any object-group id17410X54624.dst.net.0 eq 3128 ! ! Rule 15 (global) -ssh 0.0.0.0 0.0.0.0 outside -ssh 0.0.0.0 0.0.0.0 inside -ssh 0.0.0.0 0.0.0.0 dmz +ssh 0.0.0.0 0.0.0.0 outside +ssh 0.0.0.0 0.0.0.0 inside +ssh 0.0.0.0 0.0.0.0 dmz access-list outside_acl_in permit icmp any host 22.22.22.22 3 access-list inside_acl_in permit icmp any host 192.168.1.1 3 access-list dmz_acl_in permit icmp any host 192.168.2.1 3 diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index c95323d66..19e37f777 100644 --- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb @@ -1414,7 +1414,7 @@ - + @@ -2077,7 +2077,7 @@ - + @@ -18124,14 +18124,14 @@ no sysopt nodnsalias outbound - + - + 
diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index dfb3b01af..c4003c27f 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:23 2011 PDT by vadim +! Generated Fri Apr 8 18:06:02 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -94,6 +94,8 @@ clear config icmp clear config telnet + + !################ clear config access-list tmp_acl @@ -105,10 +107,10 @@ access-group tmp_acl in interface inside ! ! Rule -1 backup ssh access rule (automatic) -ssh 10.3.14.42 255.255.255.255 inside +ssh 10.3.14.42 255.255.255.255 inside ! ! Rule 0 (global) -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside access-list inside_acl_in remark 0 (global) access-list inside_acl_in permit tcp 10.3.14.0 255.255.255.0 host 10.3.14.206 eq 53 access-list inside_acl_in permit udp 10.3.14.0 255.255.255.0 host 10.3.14.206 eq 53 diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 9110434d7..3277de8f5 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 10:50:23 2011 PDT by vadim +! Generated Fri Apr 8 18:06:02 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -95,6 +95,8 @@ clear icmp clear telnet + + !################ ! ! Rule 0 (global) @@ -102,7 +104,7 @@ access-list inside_acl_in remark 0 (global) access-list inside_acl_in permit ip 10.3.14.0 255.255.255.0 any ! ! Rule 1 (global) -ssh 10.3.14.0 255.255.255.0 inside +ssh 10.3.14.0 255.255.255.0 inside ! ! Rule 2 (global) icmp permit any 0 outside diff --git a/test/pix/test_net_zone_2.fw.orig b/test/pix/test_net_zone_2.fw.orig index a06543b2e..3d22b600c 100755 
--- a/test/pix/test_net_zone_2.fw.orig +++ b/test/pix/test_net_zone_2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_pix v4.2.0.3519 +! Firewall Builder fwb_pix v4.2.0.3522 ! -! Generated Thu Apr 7 11:00:37 2011 PDT by vadim +! Generated Fri Apr 8 18:06:03 2011 PDT by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported @@ -62,6 +62,8 @@ no sysopt route dnat floodguard disable + + !################ ! ! Rule 0 (global)