* PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules

with service set to "http" and destination set to asa firewall
object should generate different command syntax". Policy rules
that have firewall object in Destination and http object in
Service now generate "http" commands. This is similar to how
fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
corresponding services to the firewall itself.

doc/ChangeLog

@@ -1,5 +1,13 @@
 2011-04-08  vadim  <vadim@netcitadel.com>
 
+	* PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules
+	with service set to "http" and destination set to asa firewall
+	object should generate different command syntax". Policy rules
+	that have firewall object in Destination and http object in
+	Service now generate "http" commands. This is similar to how
+	fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
+	corresponding services to the firewall itself.
+
 	* pix.g (static_starts_with_tcp_udp): more fixes for import of
 	PIX/ASA "static" command in different variations. See #2334
 

src/cisco_lib/PolicyCompiler_cisco.cpp

@@ -31,6 +31,7 @@
 #include "NamedObjectsManager.h"
 
 #include "fwbuilder/AddressTable.h"
+#include "fwbuilder/Cluster.h"
 #include "fwbuilder/FWObjectDatabase.h"
 #include "fwbuilder/ICMPService.h"
 #include "fwbuilder/IPService.h"
@@ -493,16 +494,22 @@ bool PolicyCompiler_cisco::specialCaseWithDynInterface::processNext()
  */
 bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
 {
-    PolicyRule     *rule=getNext(); if (rule==NULL) return false;
-    PolicyCompiler_cisco *cisco_comp=dynamic_cast<PolicyCompiler_cisco*>(compiler);
-//    RuleElementSrc *src=rule->getSrc();
-//    RuleElementDst *dst=rule->getDst();
-    RuleElementSrv *srv=rule->getSrv();
-    Address  *a=compiler->getFirstDst(rule);
+    PolicyRule *rule = getNext(); if (rule==NULL) return false;
+    PolicyCompiler_cisco *cisco_comp =
+        dynamic_cast<PolicyCompiler_cisco*>(compiler);
+
+    RuleElementSrv *srv = rule->getSrv();
+    Address *a = compiler->getFirstDst(rule);
     assert(a!=NULL);
 
-    if (rule->getAction()==PolicyRule::Accept && 
-        compiler->complexMatch(a,cisco_comp->fw)) 
+    if (rule->getAction()==PolicyRule::Accept
+        &&
+        (
+            (Cluster::cast(a) != NULL && Cluster::cast(a)->hasMember(compiler->fw))
+            ||
+            a->getId() == compiler->fw->getId()
+        )
+    )
     {
         std::list<FWObject*> cl;
         for (list<FWObject*>::iterator i1=srv->begin(); i1!=srv->end(); ++i1) 
@@ -515,6 +522,7 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
                 TCPUDPService::cast(s)->getDstRangeStart()==port && 
                 TCPUDPService::cast(s)->getDstRangeEnd()==port) cl.push_back(obj);
         }
+
         if (!cl.empty()) 
         {
             PolicyRule  *r = compiler->dbcopy->createPolicyRule();
@@ -527,7 +535,7 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
             RuleElementSrv *nsrv = r->getSrv();
             nsrv->clearChildren();
             nsrv->addRef( cl.front() );
-            r->setBool("ssh_telnet_cmd",true);
+            r->setBool("tcp_service_to_fw", true);
             tmp_queue.push_back(r);
 
             for (list<FWObject*>::iterator i1=cl.begin(); i1!=cl.end(); ++i1)  

src/cisco_lib/PolicyCompiler_cisco.h

@@ -291,7 +291,7 @@ protected:
         class telnetToFirewall : public tcpServiceToFW
         {
             public:
-            telnetToFirewall(const std::string &n):tcpServiceToFW(23,n) {}
+            telnetToFirewall(const std::string &n):tcpServiceToFW(23, n) {}
         };
         friend  class telnetToFirewall;
 
@@ -301,10 +301,20 @@ protected:
         class sshToFirewall : public tcpServiceToFW
         {
             public:
-            sshToFirewall(const std::string &n):tcpServiceToFW(22,n) {}
+            sshToFirewall(const std::string &n):tcpServiceToFW(22, n) {}
         };
         friend  class sshToFirewall;
 
+        /**
+         * this processor splits rules if it finds telnet to firewall
+         */
+        class httpToFirewall : public tcpServiceToFW
+        {
+            public:
+            httpToFirewall(const std::string &n):tcpServiceToFW(80, n) {}
+        };
+        friend  class httpToFirewall;
+
         /**
          * replace fw with one of its interfaces in SRC in interface
          * policy rule

src/cisco_lib/PolicyCompiler_pix.cpp

@@ -544,7 +544,10 @@ void PolicyCompiler_pix::compile()
 
     add( new telnetToFirewall(
              "separate rules controlling telnet to firewall"));
-    add( new sshToFirewall("separate rules controlling ssh to firewall" ));
+    add( new sshToFirewall(
+             "separate rules controlling ssh to firewall" ));
+    add( new httpToFirewall(
+             "separate rules controlling http to firewall"));
 
     add( new separateSrcPort("split rules matching source ports"));
     add( new separateCustom("split rules matching custom services"));

src/cisco_lib/PolicyCompiler_pix_v6_acls.cpp

@@ -75,7 +75,7 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
     tmp_queue.push_back(rule);
 
     bool icmp_cmd = rule->getBool("icmp_cmd");
-    bool ssh_telnet_cmd = rule->getBool("ssh_telnet_cmd");
+    bool tcp_service_to_fw = rule->getBool("tcp_service_to_fw");
 
 //    int interface_id = rule->getInterfaceId();
     RuleElementItf *intf_re = rule->getItf();
@@ -86,7 +86,7 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
     if (intf_re->isAny() && rule->getDirection()==PolicyRule::Both)
         return true;
 
-    if (intf_re->isAny() && !icmp_cmd && !ssh_telnet_cmd && (
+    if (intf_re->isAny() && !icmp_cmd && !tcp_service_to_fw && (
             rule->getDirection()==PolicyRule::Inbound ||
             rule->getDirection()==PolicyRule::Outbound)
     ) compiler->abort(rule, "Direction set without interface");

src/cisco_lib/PolicyCompiler_pix_writers.cpp

@@ -308,8 +308,6 @@ string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule)
     RuleElementSrc *rel = rule->getSrc();
     Service *srv = compiler->getFirstSrv(rule);
 
-//    Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
-
     RuleElementItf *intf_re = rule->getItf();
     Interface *rule_iface = Interface::cast(
         FWObjectReference::getObject(intf_re->front()));
@@ -319,54 +317,43 @@ string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule)
 
     for (FWObject::iterator i=rel->begin(); i!=rel->end(); ++i)
     {
-        FWObject *o = *i;
-        if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
-//        Address *a;
+        FWObject *o = FWReference::getObject(*i);
 
         if (dynamic_cast<PIXObjectGroup*>(o)!=NULL)
         {
             for (FWObject::iterator j=o->begin(); j!=o->end(); ++j)
             {
-                FWObject *o1 = *j;
-                if (FWReference::cast(o1)!=NULL) 
-                    o1=FWReference::cast(o1)->getPointer();
-                Address *a=Address::cast(o1);
+                Address *a = Address::cast(FWReference::getObject(*j));
                 assert(a!=NULL);
-                str << _printSingleSSHTelnetCommand(
-                    port, a, rule_iface->getLabel());
+                str << _printSingleSSHTelnetCommand(port, a, rule_iface->getLabel());
             }
         } else
         {
-            Address *a=Address::cast(o);
+            Address *a = Address::cast(o);
             assert(a!=NULL);
-            str << _printSingleSSHTelnetCommand(
-                port, a, rule_iface->getLabel());
+            str << _printSingleSSHTelnetCommand(port, a, rule_iface->getLabel());
         }
     }
 
     return str.str();
 }
 
-string PolicyCompiler_pix::PrintRule::_printSingleSSHTelnetCommand(int port,
-                                                Address *a,
-                                                const string &interfaceLabel)
+string PolicyCompiler_pix::PrintRule::_printSingleSSHTelnetCommand(
+    int port, Address *a, const string &interfaceLabel)
 {
     string res;
 
-    if (port==23) 
+    if (port==22) res = "ssh ";
+    if (port==23) res = "telnet ";
+    if (port==80) res = "http ";
+
+    if (!res.empty())
     {
-        res += "telnet ";
-        res += a->getAddressPtr()->toString() + " " 
-            + a->getNetmaskPtr()->toString() + " "
-            + interfaceLabel     + "\n";
-    }
-    if (port==22) 
-    {
-        res += "ssh    ";
         res += a->getAddressPtr()->toString() + " " 
             + a->getNetmaskPtr()->toString() + " "
             + interfaceLabel     + "\n";
     }
+
     return res;
 }
 
@@ -398,7 +385,7 @@ bool PolicyCompiler_pix::PrintRule::processNext()
 //        return true;
     } 
 
-    if (rule->getBool("ssh_telnet_cmd"))
+    if (rule->getBool("tcp_service_to_fw"))
     {
         compiler->output << _printSSHTelnetCommand(rule);
         return true;

test/pix/cluster1-1_pix1.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:25 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:03 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@@ -147,7 +147,6 @@ object-group network id56627X61097.src.net.0
   network-object host 192.0.2.253 
 exit
 
-
 !################
 ! 
 ! Rule  0 (Ethernet0.101)

test/pix/cluster1-1_pix2.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:25 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:03 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@@ -147,7 +147,6 @@ object-group network id56627X61097.src.net.0
   network-object host 192.0.2.253 
 exit
 
-
 !################
 ! 
 ! Rule  0 (Ethernet0.101)

test/pix/cluster1_pix1.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:24 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:03 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@@ -147,7 +147,6 @@ object-group network id55439X897.src.net.0
   network-object host 192.0.2.253 
 exit
 
-
 !################
 ! 
 ! Rule  0 (Ethernet0.101)

test/pix/cluster1_pix2.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:24 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:03 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@@ -152,7 +152,6 @@ object-group network id3401X82678.dst.net.0
   network-object host 192.0.2.254 
 exit
 
-
 !################
 ! 
 ! Rule  0 (Ethernet0.101)

test/pix/firewall.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:12 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:51 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@@ -274,7 +274,6 @@ clear telnet
 clear object-group
 
 
-
 object-group network id3C4E4C38.dst.net.0
   network-object host 211.11.11.11 
   network-object host 211.22.22.22 
@@ -387,7 +386,6 @@ object-group service pol-firewall2-4.srv.tcp.0 tcp
   port-object eq 7100
 exit
 
-
 !################
 
 clear access-list tmp_acl
@@ -500,12 +498,9 @@ access-list inside_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 31
 access-list dmz_acl_in permit tcp any object-group id3D0F8031.dst.net.0 eq 3128 
 ! 
 ! Rule  15 (global)
-access-list outside_acl_in permit icmp any host 22.22.22.22 3 
-access-list inside_acl_in permit icmp any host 192.168.1.1 3 
-access-list dmz_acl_in permit icmp any host 192.168.2.1 3 
-access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 
-access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 
-access-list dmz_acl_in permit tcp any host 192.168.2.1 eq 80 
+http 192.168.1.0 255.255.255.0 inside
+icmp permit 192.168.1.0 255.255.255.0 3  inside
+access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.0 host 192.168.1.1 3 
 ! 
 ! Rule  16 (global)
 access-list outside_acl_in permit tcp any object-group id3CD87B1E.dst.net.0 object-group id3CD87B1E.srv.tcp.0 

test/pix/firewall1.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:12 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:50 2011 PDT by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
@@ -69,6 +69,8 @@ no sysopt route dnat
 floodguard disable
 
 
+
+
 !################
 ! 
 ! Rule  2 (eth1)

test/pix/firewall10.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:13 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:51 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -94,7 +94,6 @@ fixup protocol sqlnet 1521
 clear object-group
 
 
-
 object-group network id3DB0FA90.dst.net.0
   network-object host 211.11.11.11 
   network-object host 211.22.22.22 
@@ -223,7 +222,6 @@ object-group service id3DB0FA12.srv.tcp.0 tcp
   port-object eq 7100
 exit
 
-
 !################
 ! 
 ! Rule  3 (ethernet1)

test/pix/firewall11.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:13 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:51 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@@ -75,6 +75,8 @@ sysopt route dnat
 floodguard enable
 
 
+
+
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall12.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:13 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:52 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -90,14 +90,12 @@ fixup protocol icmp error
 clear object-group
 
 
-
 object-group network id3F8F95CD.dst.net.0
   network-object host 192.0.2.20 
   network-object host 192.0.2.21 
   network-object host 192.0.2.23 
 exit
 
-
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall13.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:14 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:52 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -71,6 +71,8 @@ no sysopt nodnsalias outbound
 floodguard enable
 
 
+
+
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall14.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:14 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:52 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -67,6 +67,8 @@ no sysopt nodnsalias outbound
 floodguard enable
 
 
+
+
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall2.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:14 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:53 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -73,7 +73,6 @@ clear telnet
 clear object-group
 
 
-
 object-group service id3D6EF08C.srv.tcp.0 tcp
   port-object eq 80
   port-object eq 119
@@ -84,7 +83,6 @@ object-group network id3D8FCCDE.src.net.0
   network-object host 192.168.1.20 
 exit
 
-
 !################
 ! 
 ! Rule  0 (eth1)

test/pix/firewall20.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:15 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:53 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -80,6 +80,8 @@ floodguard enable
 fixup protocol ftp 21
 
 
+
+
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall21-1.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:15 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:54 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -85,6 +85,8 @@ floodguard enable
 fixup protocol ftp 21
 
 
+
+
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall21.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:15 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:53 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@@ -100,6 +100,8 @@ policy-map global_policy
 service-policy global_policy global
 
 
+
+
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall22.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:16 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:54 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@@ -93,6 +93,8 @@ policy-map global_policy
 service-policy global_policy global
 
 
+
+
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall23.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:16 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:54 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -70,6 +70,8 @@ clear global
 clear nat
 
 
+
+
 !################
 
 ! 

test/pix/firewall3.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:16 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:54 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@@ -78,6 +78,8 @@ clear icmp
 clear telnet
 
 
+
+
 !################
 ! 
 ! Rule  0 (eth0)

test/pix/firewall33.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:16 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:55 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -75,7 +75,6 @@ floodguard disable
 clear object-group
 
 
-
 object-group network id43867C2418346.src.net.0
   network-object host 157.166.224.25 
   network-object host 157.166.224.26 
@@ -99,7 +98,6 @@ object-group network id438728A918346.dst.net.0
   network-object host 157.166.255.19 
 exit
 
-
 !################
 ! 
 ! Rule  0 (eth0.100)

test/pix/firewall34.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:17 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:55 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -64,7 +64,6 @@ floodguard disable
 clear object-group
 
 
-
 object-group network id16988X10208.dst.net.0
   network-object 192.168.1.1 255.255.255.255 
   network-object 192.168.1.2 255.255.255.255 
@@ -190,7 +189,6 @@ object-group network id21263X16880.src.net.0
   network-object 10.1.4.0 255.255.255.0 
 exit
 
-
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall4.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:17 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:55 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@@ -85,7 +85,6 @@ clear telnet
 clear object-group
 
 
-
 object-group service id3D79A1C2.srv.tcp.0 tcp
   port-object eq 80
   port-object eq 22
@@ -96,7 +95,6 @@ object-group network id3D79A1E4.dst.net.0
   network-object host 192.168.1.20 
 exit
 
-
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall50.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:18 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:56 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@@ -239,7 +239,6 @@ object-group service id4514304928543.srv.tcp.0 tcp
   port-object eq 7100
 exit
 
-
 !################
 
 clear config access-list tmp_acl

test/pix/firewall6.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:18 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:56 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@@ -85,6 +85,8 @@ clear icmp
 clear telnet
 
 
+
+
 !################
 ! 
 ! Rule  0 (eth1)

test/pix/firewall8.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:18 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:57 2011 PDT by vadim
 !
 ! Compiled for pix 6.2
 ! Outbound ACLs: not supported
@@ -78,6 +78,8 @@ floodguard enable
 fixup protocol ftp 21
 
 
+
+
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall80.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:19 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:57 2011 PDT by vadim
 !
 ! Compiled for pix 8.2
 ! Outbound ACLs: supported
@@ -117,14 +117,13 @@ object-group icmp-type id21447X11252.srv.icmp.0
   icmp-object 8
 exit
 
-
 !################
 ! 
 ! Rule  0 (FastEthernet1)
 ssh 0.0.0.0 0.0.0.0 inside
 ! 
 ! Rule  1 (FastEthernet1)
-ssh    0.0.0.0 0.0.0.0 inside
+access-list inside_acl_in permit tcp any host 22.22.22.22 eq 22 
 ! 
 ! Rule  2 (global)
 access-list outside_acl_in permit tcp any host 192.168.1.10 eq 22 

test/pix/firewall81.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:19 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:57 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -105,7 +105,6 @@ object network hostA:eth0.0
   host 192.168.1.10
 exit
 
-
 !################
 ! 
 ! Rule  0 (global)
@@ -133,8 +132,8 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
 ! test rule using translated address in dst
 ! firewall81:Policy:3: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. 
 
-access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 
-access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 
+http 0.0.0.0 0.0.0.0 inside
+http 0.0.0.0 0.0.0.0 outside
 ! 
 ! Rule  4 (global)
 ! for #1942

test/pix/firewall82.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:20 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:58 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -105,7 +105,6 @@ object network hostA:eth0.0
   host 192.168.1.10
 exit
 
-
 !################
 ! 
 ! Rule  0 (global)
@@ -133,8 +132,8 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
 ! test rule using translated address in dst
 ! firewall82:Policy:3: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. 
 
-access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 
-access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 
+http 0.0.0.0 0.0.0.0 inside
+http 0.0.0.0 0.0.0.0 outside
 ! 
 ! Rule  4 (global)
 access-list inside_acl_in deny   ip any any 

test/pix/firewall83.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:20 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:58 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -103,7 +103,6 @@ object network hostA:eth0.0
   host 192.168.1.10
 exit
 
-
 !################
 ! 
 ! Rule  0 (global)
@@ -125,8 +124,8 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80
 ! 
 ! Rule  3 (global)
 ! test rule using translated address in dst
-access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 
-access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 
+http 0.0.0.0 0.0.0.0 inside
+http 0.0.0.0 0.0.0.0 outside
 ! 
 ! Rule  4 (global)
 access-list inside_acl_in deny   ip any any 

test/pix/firewall9.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:20 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:59 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -94,6 +94,8 @@ fixup protocol sqlnet 1521
 fixup protocol tftp 69
 
 
+
+
 !################
 
 

test/pix/firewall90.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:20 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:59 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -234,7 +234,6 @@ object-group network id78630X30274.src.net.0
   network-object 10.1.3.0 255.255.255.0 
 exit
 
-
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall91.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:21 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:59 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -132,7 +132,6 @@ object network outside_range.0
   range 22.22.22.21 22.22.22.25
 exit
 
-
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall92.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:21 2011 PDT by vadim
+!  Generated Fri Apr  8 18:05:59 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -133,7 +133,6 @@ object-group network id20655X6113.osrc.net.0
   network-object object internal_subnet_2.0
 exit
 
-
 !################
 ! 
 ! Rule  0 (global)

test/pix/firewall93.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:21 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:00 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -102,7 +102,6 @@ object network inside-range-1.0
   range 10.0.0.1 10.0.0.5
 exit
 
-
 !################
 
 ! 

test/pix/firewall94.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:22 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:00 2011 PDT by vadim
 !
 ! Compiled for pix 8.3
 ! Outbound ACLs: supported
@@ -94,7 +94,6 @@ object-group network id26782X14355.src.net.0
   network-object object inside-range-2.0
 exit
 
-
 !################
 ! 
 ! Rule  0 (global)

test/pix/fwsm1.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:22 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:01 2011 PDT by vadim
 !
 ! Compiled for fwsm 2.3
 ! Outbound ACLs: supported
@@ -107,7 +107,6 @@ clear telnet
 clear object-group
 
 
-
 object-group network id444A03DE9567.dst.net.0
   network-object host 211.11.11.11 
   network-object host 211.22.22.22 
@@ -220,7 +219,6 @@ object-group service id444A04819567.srv.tcp.0 tcp
   port-object eq 7100
 exit
 
-
 !################
 access-list mode auto
 

test/pix/fwsm2.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:22 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:01 2011 PDT by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported
@@ -120,7 +120,6 @@ clear config telnet
 clear config object-group
 
 
-
 object-group network id17298X54624.dst.net.0
   network-object host 211.11.11.11 
   network-object host 211.22.22.22 
@@ -233,7 +232,6 @@ object-group service id17461X54624.srv.tcp.0 tcp
   port-object eq 7100
 exit
 
-
 !################
 access-list mode auto
 

test/pix/objects-for-regression-tests.fwb

@@ -1414,7 +1414,7 @@
       <ServiceGroup id="stdid05_1_userservices" name="Users" comment="" ro="False"/>
     </ServiceGroup>
     <ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
-      <Firewall id="fw-firewall2" host_OS="pix_os" inactive="False" lastCompiled="1163922727" lastInstalled="0" lastModified="1295222056" platform="pix" version="6.2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
+      <Firewall id="fw-firewall2" host_OS="pix_os" inactive="False" lastCompiled="1163922727" lastInstalled="0" lastModified="1302311125" platform="pix" version="6.2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
         <NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="nat-firewall2-0" disabled="False" group="" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -2077,7 +2077,7 @@
           </PolicyRule>
           <PolicyRule id="id3D50CD96" disabled="False" group="" log="False" position="15" action="Accept" direction="Both" comment="">
             <Src neg="False">
-              <ObjectRef ref="sysid0"/>
+              <ObjectRef ref="net-Internal_net"/>
             </Src>
             <Dst neg="False">
               <ObjectRef ref="fw-firewall2"/>
@@ -18124,14 +18124,14 @@ no sysopt nodnsalias outbound
         </Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295466889" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
+      <Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1302310919" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
         <NAT id="id18933X29796" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id70310X19497" disabled="False" group="" position="0" action="Translate" comment="">
             <OSrc neg="False">
               <ObjectRef ref="sysid0"/>
             </OSrc>
             <ODst neg="False">
-              <ObjectRef ref="id86637X27607"/>
+              <ObjectRef ref="id21478X13826"/>
             </ODst>
             <OSrv neg="False">
               <ServiceRef ref="id21571X21575"/>

test/pix/pix515.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:23 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:02 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@@ -94,6 +94,8 @@ clear config icmp
 clear config telnet
 
 
+
+
 !################
 
 clear config access-list tmp_acl

test/pix/real.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 10:50:23 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:02 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -95,6 +95,8 @@ clear icmp
 clear telnet
 
 
+
+
 !################
 ! 
 ! Rule  0 (global)

test/pix/test_net_zone_2.fw.orig

@@ -1,9 +1,9 @@
 !
 !  This is automatically generated file. DO NOT MODIFY !
 !
-!  Firewall Builder  fwb_pix v4.2.0.3519
+!  Firewall Builder  fwb_pix v4.2.0.3522
 !
-!  Generated Thu Apr  7 11:00:37 2011 PDT by vadim
+!  Generated Fri Apr  8 18:06:03 2011 PDT by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
@@ -62,6 +62,8 @@ no sysopt route dnat
 floodguard disable
 
 
+
+
 !################
 ! 
 ! Rule  0 (global)