
fixes #1963 move printing of object-group definitions to

NamedObjectManager::getNamedObjectsDefinitions(); also refactoring of the code that generates "clear" commands
Vadim Kurland 2011-01-20 17:25:09 -08:00
parent 72ec86afbe
commit 12d93a54c0
86 changed files with 1003 additions and 758 deletions


@ -1,5 +1,27 @@
2011-01-20 vadim <vadim@netcitadel.com>
* NamedObjectsAndGroupsSupport.cpp (getNamedObjectsDefinitions):
see #1963 "move printing of object-group definitions to
NamedObjectManager::getNamedObjectsDefinitions()". Consolidated
code that works with named objects and object groups in the class
NamedObjectManager. This class manages all the objects and in the
end generates commands.
* PolicyCompiler_cisco (printClearCommands): Refactored parts that
generate "clear" commands to make sure they are printed in the
right order at the top of the generated configuration. Previously
compiler placed "clear global", "clear static" and "clear nat"
commands above the NAT section but below policy section. Since
ASA8.3 nat commands can use named objects and object groups, and
since I have added support for object groups in ASA 8.3 policy
rules, I now need to clear objects and object groups at the very
beginning of the generated config. However in order to be able to
clear objects and object-groups, I need to clear access-lists and
nat commands that might be using them first. So, all clear
commands are now grouped at the beginning of the generated
configuration. This affects pix/asa, iosacl and procurve_acl
platforms.
* NamedObjectsAndGroupsSupport.cpp (printObjectsForRE): See #1959
"ASA Policy - ranges are broken into composite network instead of
using range command". I have to create named objects for address


@ -27,8 +27,11 @@
#include <sstream>
using namespace fwcompiler;
using namespace std;
string ciscoACL::addLine(const std::string &s)
{
acl.push_back(s);


@ -31,74 +31,77 @@
#include "fwbuilder/Interface.h"
class ciscoACL {
bool _ip_acl;
std::string _name;
std::string _workName;
libfwbuilder::Interface *_interface;
std::string _dir;
std::string _last_rule_label;
int nlines;
std::list<std::string> acl;
bool quote_remarks;
namespace fwcompiler {
std::string printLine(const std::string &s);
std::string quoteLine(const std::string &s);
class ciscoACL {
bool _ip_acl;
std::string _name;
std::string _workName;
libfwbuilder::Interface *_interface;
std::string _dir;
std::string _last_rule_label;
int nlines;
std::list<std::string> acl;
bool quote_remarks;
public:
ciscoACL() {
_ip_acl = false;
_name = "";
_workName = "";
_interface = NULL;
_dir = "in";
nlines = 0;
_last_rule_label = "";
quote_remarks = false;
}
ciscoACL(const std::string &n,
libfwbuilder::Interface *intf,
const std::string &d="in",
bool _ip_list=false)
{
_ip_acl = _ip_list;
_name = n;
_workName = "";
_interface = intf;
_dir = d;
nlines = 0;
_last_rule_label = "";
quote_remarks = false;
}
std::string addLine(const std::string &s);
/*
* Adds remark to access list. Checks and adds each remark only
* once. We use rule labels and comments for remarks
*/
std::string addRemark(const std::string &rl, const std::string &comment);
void setName(const std::string &s) { _name=s; }
std::string name() { return _name; }
void setWorkName(const std::string &s) { _workName=s; }
std::string workName() { return _workName; }
void setInterface(libfwbuilder::Interface *intf) { _interface=intf; }
libfwbuilder::Interface* getInterface() { return _interface; }
std::string printLine(const std::string &s);
std::string quoteLine(const std::string &s);
void setDirection(const std::string &d) { _dir=d; }
std::string direction() { return _dir; }
public:
ciscoACL() {
_ip_acl = false;
_name = "";
_workName = "";
_interface = NULL;
_dir = "in";
nlines = 0;
_last_rule_label = "";
quote_remarks = false;
}
void setQuoteRemarks(bool f) { quote_remarks = f; }
ciscoACL(const std::string &n,
libfwbuilder::Interface *intf,
const std::string &d="in",
bool _ip_list=false)
{
_ip_acl = _ip_list;
_name = n;
_workName = "";
_interface = intf;
_dir = d;
nlines = 0;
_last_rule_label = "";
quote_remarks = false;
}
std::string addLine(const std::string &s);
/*
* Adds remark to access list. Checks and adds each remark only
* once. We use rule labels and comments for remarks
*/
std::string addRemark(const std::string &rl, const std::string &comment);
void setName(const std::string &s) { _name=s; }
std::string name() { return _name; }
void setWorkName(const std::string &s) { _workName=s; }
std::string workName() { return _workName; }
void setInterface(libfwbuilder::Interface *intf) { _interface=intf; }
libfwbuilder::Interface* getInterface() { return _interface; }
std::string print();
std::string printLastLine();
void setDirection(const std::string &d) { _dir=d; }
std::string direction() { return _dir; }
void setQuoteRemarks(bool f) { quote_remarks = f; }
int size() { return nlines; }
};
std::string print();
std::string printLastLine();
int size() { return nlines; }
};
}
#endif
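Review bot: The accessors `name()`, `workName()`, `getInterface()`, `direction()` and `size()` in the ciscoACL class re-indented into namespace fwcompiler are still non-const, so the class cannot be queried through a `const ciscoACL&`; since every line of the class body is rewritten in this hunk anyway, marking them `const` (e.g. `std::string name() const { return _name; }`) costs nothing. Both constructors also assign each member in the body instead of an initializer list, so every std::string member is default-constructed and then assigned; an initializer list (or in-class initializers for the shared defaults `_dir = "in"`, `nlines = 0`, `quote_remarks = false`) would remove the duplicated defaults between the two constructors. The class holds `libfwbuilder::Interface *_interface` as a raw pointer with no comment on ownership; a one-line comment stating that it is non-owning (as the plain setter/getter pair suggests) would help the next reader.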


@ -44,6 +44,9 @@
#include "Configlet.h"
#include "CompilerDriver_iosacl.h"
#include "PolicyCompiler_iosacl.h"
#include "ACL.h"
#include "BaseObjectGroup.h"
#include "NamedObjectsAndGroupsSupport.h"
#include <QString>
#include <QFileInfo>


@ -46,7 +46,11 @@ namespace libfwbuilder {
namespace fwcompiler {
class CompilerDriver_iosacl : public CompilerDriver {
class ciscoACL;
class NamedObjectManager;
class CompilerDriver_iosacl : public CompilerDriver
{
protected:
std::string system_configuration_script;


@ -205,6 +205,9 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
}
string clear_commands;
string object_groups_definitions;
for (vector<int>::iterator i=ipv4_6_runs.begin();
i!=ipv4_6_runs.end(); ++i)
{
@ -274,6 +277,10 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
}
policy_script += c.getCompiledScript();
clear_commands += c.printClearCommands();
object_groups_definitions +=
named_object_manager.getNamedObjectsDefinitions();
} else
info(" Nothing to compile in Policy");
}
@ -318,17 +325,17 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
all_errors.push_front(getErrors("").c_str());
}
system_configuration_script +=
named_object_manager.getNamedObjectsDefinitions();
if (single_rule_compile_on)
{
return formSingleRuleCompileOutput(
QString::fromUtf8(
(named_object_manager.getNamedObjectsDefinitions() +
(object_groups_definitions +
policy_script + routing_script).c_str()));
}
system_configuration_script += clear_commands;
system_configuration_script += object_groups_definitions;
QString script_buffer = assembleFwScript(
cluster, fw, !cluster_id.empty(), oscnf.get());
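Review bot: `object_groups_definitions += named_object_manager.getNamedObjectsDefinitions();` now runs once per iteration of the address-family loop, but NamedObjectManager::getNamedObjectsDefinitions() appears to walk every entry in `named_objects` and `object_groups`, and nothing in this commit resets the manager between the IPv4 and IPv6 runs; unless a reset happens outside the hunks, the objects created during the IPv4 run are emitted a second time after the IPv6 run, whereas the removed code fetched the definitions once after the loop. Either move the call back to after the loop (keeping `clear_commands` ahead of it, which is the point of the change) or have the manager remember what it has already printed. CompilerDriver_procurve_acl::run has the identical pattern, and CompilerDriver_pix::run calls getNamedObjectsDefinitions() once after the NAT compiler and again after the Policy compiler with what looks like the same manager instance.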


@ -361,6 +361,10 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
oscnf->prolog();
oscnf->processFirewallOptions();
string clear_commands;
bool have_named_objects = false;
bool have_object_groups = false;
string object_groups_definitions;
/* create compilers and run the whole thing */
string version = fw->getStr("version");
@ -390,6 +394,15 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
{
n->compile();
n->epilog();
clear_commands += n->printClearCommands();
have_named_objects = (have_named_objects ||
named_object_manager.haveNamedObjects());
have_object_groups = (have_object_groups ||
named_object_manager.haveObjectGroups());
object_groups_definitions +=
named_object_manager.getNamedObjectsDefinitions();
} else
info(" Nothing to compile in NAT");
}
@ -415,6 +428,15 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
{
c->compile();
c->epilog();
clear_commands += c->printClearCommands();
have_named_objects = (have_named_objects ||
named_object_manager.haveNamedObjects());
have_object_groups = (have_object_groups ||
named_object_manager.haveObjectGroups());
object_groups_definitions +=
named_object_manager.getNamedObjectsDefinitions();
} else
info(" Nothing to compile in Policy");
}
@ -449,9 +471,6 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
all_errors.push_front(getErrors("").c_str());
}
system_configuration_script = oscnf->getCompiledScript();
system_configuration_script +=
named_object_manager.getNamedObjectsDefinitions();
policy_script = c->getCompiledScript();
nat_script = n->getCompiledScript();
routing_script = r->getCompiledScript();
@ -463,17 +482,24 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
if (r->haveErrorsAndWarnings())
all_errors.push_back(r->getErrors("R ").c_str());
script_buffer = assembleFwScript(
cluster, fw, !cluster_id.empty(), oscnf.get());
if (single_rule_compile_on)
{
return formSingleRuleCompileOutput(
QString::fromUtf8(
(named_object_manager.getNamedObjectsDefinitions() +
(object_groups_definitions +
policy_script + nat_script + routing_script).c_str()));
}
system_configuration_script = oscnf->getCompiledScript();
if (have_object_groups) clear_commands += "clear conf object-group\n";
if (have_named_objects) clear_commands += "clear conf object\n";
system_configuration_script += clear_commands;
system_configuration_script += "\n";
system_configuration_script += object_groups_definitions;
script_buffer = assembleFwScript(
cluster, fw, !cluster_id.empty(), oscnf.get());
ofname = getAbsOutputFileName(ofname);
info("Output file name: " + ofname.toStdString());
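Review bot: The new `clear conf object-group` and `clear conf object` lines are appended to `clear_commands` without consulting the `pix_acl_no_clear` option that the NAT clears in NATCompiler_pix::printClearCommands and the icmp/telnet clears in PolicyCompiler_pix::printClearCommands honour, so a firewall configured to suppress clear commands still has all of its named objects and object groups wiped when the generated configuration is loaded. Guard them the same way, `if (!fw->getOptionsObject()->getBool("pix_acl_no_clear")) { ... }`, and consider taking the two strings from the same Resources tree (`/pix_commands/...`) the other clear commands use so they stay version-specific instead of hard-coded here. The `have_named_objects`/`have_object_groups` flags are recomputed with `||` after each compiler, which is fine, but the "\n" pushed between `clear_commands` and `object_groups_definitions` is added unconditionally and produces a stray blank line when both are empty.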


@ -31,6 +31,8 @@
#include "CompilerDriver_procurve_acl.h"
#include "PolicyCompiler_procurve_acl.h"
#include "fwbuilder/Resources.h"
using namespace std;
using namespace libfwbuilder;


@ -192,6 +192,9 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
if (ipv4_run) ipv4_6_runs.push_back(AF_INET);
}
string clear_commands;
string object_groups_definitions;
for (vector<int>::iterator i=ipv4_6_runs.begin();
i!=ipv4_6_runs.end(); ++i)
{
@ -261,6 +264,10 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
}
policy_script += c.getCompiledScript();
clear_commands += c.printClearCommands();
object_groups_definitions +=
named_object_manager.getNamedObjectsDefinitions();
} else
info(" Nothing to compile in Policy");
}
@ -305,17 +312,17 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
all_errors.push_front(getErrors("").c_str());
}
system_configuration_script +=
named_object_manager.getNamedObjectsDefinitions();
if (single_rule_compile_on)
{
return formSingleRuleCompileOutput(
QString::fromUtf8(
(named_object_manager.getNamedObjectsDefinitions() +
(object_groups_definitions +
policy_script + routing_script).c_str()));
}
system_configuration_script += clear_commands;
system_configuration_script += object_groups_definitions;
QString script_buffer = assembleFwScript(
cluster, fw, !cluster_id.empty(), oscnf.get());


@ -416,7 +416,7 @@ void NATCompiler_asa8::compile()
"check if we have objects with errors in rule elements"));
*/
add( new PrintClearCommands("Clear ACLs" ));
//add( new PrintClearCommands("Clear ACLs" ));
add( new createNamedObjectsForNAT(
"create named objects", named_objects_manager));
//add( new printObjectGroups(
@ -464,3 +464,24 @@ void NATCompiler_asa8::compile()
}
string NATCompiler_asa8::printClearCommands()
{
ostringstream output;
string version = fw->getStr("version");
string platform = fw->getStr("platform");
if ( !fw->getOptionsObject()->getBool("pix_acl_no_clear") &&
!inSingleRuleCompileMode())
{
output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/pix_commands/clear_xlate") << endl;
output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/pix_commands/clear_nat") << endl;
}
output << endl;
return output.str();
}
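Review bot: The two resource lookups in the new NATCompiler_asa8::printClearCommands are copies of the four in NATCompiler_pix::printClearCommands, differing only in the last path component; since NATCompiler_asa8 appears to derive from NATCompiler_pix, a small protected helper on the base returning the lookup for `/pix_commands/` + name would leave each override as a plain list of command names and make it visible that the ASA 8.x version deliberately omits clear_static and clear_global (and, compared with the deleted processor, clear_object). The commented-out `//add( new PrintClearCommands("Clear ACLs" ));` left in compile() here, and the equivalents in NATCompiler_pix::compile and PolicyCompiler_pix::compile, cannot be re-enabled now that the processor classes are removed from the headers and should be deleted rather than kept as comments. If the helper is added, the `version`/`platform` locals move into it.

```cpp
// NATCompiler_pix.cpp — helper shared by the NAT clear-command overrides
string NATCompiler_pix::getClearCommand(const string &name)
{
    string version = fw->getStr("version");
    string platform = fw->getStr("platform");
    return Resources::platform_res[platform]->getResourceStr(
        string("/FWBuilderResources/Target/options/") +
        "version_" + version + "/pix_commands/" + name);
}

// NATCompiler_asa8.cpp
string NATCompiler_asa8::printClearCommands()
{
    ostringstream output;
    if ( !fw->getOptionsObject()->getBool("pix_acl_no_clear") &&
         !inSingleRuleCompileMode())
    {
        // ASA 8.3+: no "clear static"/"clear global"; named objects and
        // object groups are cleared by the driver instead.
        output << getClearCommand("clear_xlate") << endl;
        output << getClearCommand("clear_nat") << endl;
    }
    output << endl;
    return output.str();
}
```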


@ -86,27 +86,6 @@ namespace fwcompiler {
{}
};
/**
* this processor accumulates all rules fed to it by previous
* processors, then prints PIX commands to clear
* access-lists, then feeds all rules to the next
* processor. Usually this processor is in chain right
* before PrintRules.
*
* We use this processor to print "clear" commands because
* they need to be generated when all access lists have been
* created but before they are printed.
*
* "Clear" commands on ASA 8.3 are different from older PIX.
*/
class PrintClearCommands : public NATRuleProcessor
{
public:
PrintClearCommands(const std::string &n) : NATRuleProcessor(n) {}
virtual bool processNext();
};
friend class NATCompiler_pix::PrintClearCommands;
/**
* prints single policy rule, assuming all groups have been
* expanded, so source, destination and service hold exactly
@ -138,6 +117,8 @@ namespace fwcompiler {
virtual void compile();
virtual std::string printClearCommands();
};


@ -52,34 +52,6 @@ using namespace fwcompiler;
using namespace std;
bool NATCompiler_asa8::PrintClearCommands::processNext()
{
string version = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
slurp();
if (tmp_queue.size()==0) return false;
compiler->output << endl;
if ( !compiler->fw->getOptionsObject()->getBool("pix_acl_no_clear") &&
!compiler->inSingleRuleCompileMode())
{
compiler->output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/pix_commands/clear_xlate") << endl;
compiler->output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/pix_commands/clear_nat") << endl;
compiler->output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version+"/pix_commands/clear_object") << endl;
}
return true;
}
NATCompiler_asa8::PrintRule::PrintRule(const std::string &name) :
NATCompiler_pix::PrintRule(name)
{ }


@ -1739,7 +1739,7 @@ void NATCompiler_pix::compile()
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new PrintClearCommands( "Clear ACLs" ));
//add( new PrintClearCommands( "Clear ACLs" ));
add( new PrintRule ("generate PIX code" ));
add( new storeProcessedRules ("store processed rules" ));
@ -1842,3 +1842,33 @@ void NATCompiler_pix::epilog()
regroup();
}
}
string NATCompiler_pix::printClearCommands()
{
ostringstream output;
string version = fw->getStr("version");
string platform = fw->getStr("platform");
if ( !fw->getOptionsObject()->getBool("pix_acl_no_clear") &&
!inSingleRuleCompileMode())
{
output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/pix_commands/clear_xlate") << endl;
output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/pix_commands/clear_static") << endl;
output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/pix_commands/clear_global") << endl;
output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + version + "/pix_commands/clear_nat") << endl;
}
output << endl;
return output.str();
}


@ -348,26 +348,6 @@ namespace fwcompiler {
processMultiAddressObjectsInRE(n,libfwbuilder::RuleElementODst::TYPENAME) {}
};
/**
* this processor accumulates all rules fed to it by previous
* processors, then prints PIX commands to clear
* access-lists, then feeds all rules to the next
* processor. Usually this processor is in chain right
* before PrintRules.
*
* We use this processor to print "clear" commands because
* they need to be generated when all access lists have been
* created but before they are printed.
*/
class PrintClearCommands : public NATRuleProcessor
{
public:
PrintClearCommands(const std::string &n) : NATRuleProcessor(n) {}
virtual bool processNext();
};
friend class NATCompiler_pix::PrintClearCommands;
/**
* prints single policy rule, assuming all groups have been
* expanded, so source, destination and service hold exactly
@ -520,6 +500,8 @@ namespace fwcompiler {
void regroup();
virtual std::string printClearCommands();
/**
* scans all rules in combined_ruleset and finds rules (if
* any) that define DNAT translation for a combination of


@ -49,38 +49,6 @@ using namespace fwcompiler;
using namespace std;
bool NATCompiler_pix::PrintClearCommands::processNext()
{
string version = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
slurp();
if (tmp_queue.size()==0) return false;
compiler->output << endl;
if ( !compiler->fw->getOptionsObject()->getBool("pix_acl_no_clear") &&
!compiler->inSingleRuleCompileMode())
{
compiler->output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_xlate") << endl;
compiler->output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_static") << endl;
compiler->output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_global") << endl;
compiler->output << Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_nat") << endl;
}
return true;
}
string NATCompiler_pix::PrintRule::_printAddress(Address *a,bool print_netmask)
{
string addr = a->getAddressPtr()->toString();


@ -96,6 +96,16 @@ NamedObject* NamedObjectManager::getNamedObject(const FWObject *obj)
return named_objects[obj->getId()];
}
bool NamedObjectManager::haveNamedObjects()
{
return (named_objects.size() > 0);
}
bool NamedObjectManager::haveObjectGroups()
{
return (object_groups->size() > 0);
}
string NamedObjectManager::getNamedObjectsDefinitions()
{
QStringList output;
@ -108,16 +118,12 @@ string NamedObjectManager::getNamedObjectsDefinitions()
output << nobj->getCommand(fw);
}
output << "";
for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
if (og->size()==0) continue;
output << "";
output << og->toString(this);
output << og->toString(this); // ends with an empty line
}
return output.join("\n").toUtf8().constData();
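Review bot: `haveNamedObjects()` and `haveObjectGroups()` are pure queries and should be declared `const` here and in NamedObjectsAndGroupsSupport.h, e.g. `bool haveObjectGroups() const;`, so the drivers can hold the manager by const reference. `haveObjectGroups()` dereferences the `object_groups` pointer unconditionally; it is presumably assigned in `init()`, so a call before `init()` crashes — since CompilerDriver_pix::run now calls it after every compiler, an `assert(object_groups != NULL)` (matching the `assert(og!=NULL)` style used below) would make that precondition explicit. The new comment `// ends with an empty line` describes a contract of BaseObjectGroup::toString that is not visible in this file; if it is relied on for output spacing, stating it on toString itself is more robust than on the caller.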


@ -57,6 +57,9 @@ public:
std::string getNamedObjectsDefinitions();
void init(libfwbuilder::FWObjectDatabase *db);
bool haveNamedObjects();
bool haveObjectGroups();
};
class CreateObjectGroups : public BasicRuleProcessor


@ -814,3 +814,8 @@ void PolicyCompiler_cisco::epilog()
{
}
string PolicyCompiler_cisco::printClearCommands()
{
return "";
}
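Review bot: The new base implementation of PolicyCompiler_cisco::printClearCommands returns `""` with no explanation of when that is the right answer or who overrides it; a short comment above the definition such as `// Default for platforms that emit no "clear" commands; PolicyCompiler_pix, _iosacl and _procurve_acl override this. The result is concatenated verbatim by the driver, so overrides must return newline-terminated lines.` would tell a maintainer adding a platform what the contract is. The header declaration would benefit from the same sentence, since that is where readers look first.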


@ -495,13 +495,13 @@ protected:
Helper helper;
NamedObjectManager *named_objects_manager;
std::map<std::string,ciscoACL*> acls;
virtual std::string myPlatformName();
std::string mangleInterfaceName(const std::string &interface_name);
public:
std::map<std::string,ciscoACL*> acls;
PolicyCompiler_cisco(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
@ -517,6 +517,8 @@ public:
virtual void compile();
virtual void epilog();
virtual std::string printClearCommands();
/**
* sort commands ('icmp', 'telnet', 'ssh') and access lists
* in some kind of 'natural' order. Useful for both IOS and PIX
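Review bot: `std::map<std::string,ciscoACL*> acls` moves from `protected` to `public` in this hunk, but the only consumers of it visible in the commit are the subclasses' own `printClearCommands()` members (PolicyCompiler_pix, _iosacl, _procurve_acl), which already had protected access, and the friend processors that used to read `pix_comp->acls` are deleted in this same commit. Unless a driver reads `c.acls` somewhere outside these hunks, keep the member protected — exposing a map of raw `ciscoACL*` publicly invites callers to insert, mutate or delete entries whose ownership appears to sit with the compiler. If it does have to be public, a comment on ownership of the pointed-to ciscoACL objects is needed.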


@ -472,10 +472,6 @@ void PolicyCompiler_iosacl::compile()
add( new simplePrintProgress());
add( new createNewCompilerPass("Creating object groups and ACLs"));
add( new printClearCommands("clear commands for object-groups and ACLs"));
//add( new printObjectGroups(
// "generate code for object groups", named_objects_manager));
// This processor prints each ACL separately in one block.
// It adds comments inside to denote original rules.
//
@ -532,3 +528,45 @@ string PolicyCompiler_iosacl::getAccessGroupCommandForAddressFamily(bool ipv6)
if (ipv6) return "traffic-filter";
return "access-group";
}
string PolicyCompiler_iosacl::printClearCommands()
{
ostringstream output;
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
string xml_element = "clear_ip_acl";
if (ipv6) xml_element = "clear_ipv6_acl";
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/iosacl_commands/" + xml_element);
assert( !clearACLCmd.empty());
// No need to output "clear" commands in single rule compile mode
if ( fw->getOptionsObject()->getBool("iosacl_acl_basic") ||
fw->getOptionsObject()->getBool("iosacl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl = (*i).second;
output << clearACLCmd << " " << acl->workName() << endl;
}
output << endl;
for (FWObject::iterator i=named_objects_manager->object_groups->begin();
i!=named_objects_manager->object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
output << "no " << og->getObjectGroupHeader() << endl;
}
}
output << endl;
return output.str();
}
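Review bot: The comment `// No need to output "clear" commands in single rule compile mode` is carried over, but the `if (!inSingleRuleCompileMode())` guard it described in the deleted `_printClearCommands()` is gone, so the comment now contradicts the code; the same stale comment survives in PolicyCompiler_procurve_acl::printClearCommands. The drivers return before appending `clear_commands` in single-rule mode, so behaviour is probably unchanged, but either delete the comment or restore the guard so the function is safe to call from elsewhere — NATCompiler_asa8::printClearCommands keeps its `!inSingleRuleCompileMode()` check, so the NAT and policy families now differ. `assert( !clearACLCmd.empty())` is the only check on the resource lookup; in a build with NDEBUG a missing resource string silently emits lines like ` e1_0_in`, so reporting it through the compiler's normal error path would be safer.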


@ -59,8 +59,6 @@ namespace fwcompiler {
virtual void addDefaultPolicyRule();
virtual void _printClearCommands();
/**
* dynamic interfaces can not be used in policy rules in IOS ACLs
*/
@ -194,13 +192,6 @@ namespace fwcompiler {
};
friend class PolicyCompiler_iosacl::ClearACLs;
/**
* printClearCommands prints "clear" commands for object-groups
* and ACLs
*/
DECLARE_POLICY_RULE_PROCESSOR(printClearCommands);
friend class PolicyCompiler_iosacl::printClearCommands;
/**
* "object-group service" does not seem to support matching of
* tcp flags and "established". Need to separate objects using
@ -295,6 +286,8 @@ namespace fwcompiler {
virtual void compile();
virtual void epilog();
virtual std::string printClearCommands();
static std::string getAccessGroupCommandForAddressFamily(bool ipv6);
};


@ -112,58 +112,6 @@ bool PolicyCompiler_iosacl::ClearACLs::processNext()
return true;
}
bool PolicyCompiler_iosacl::printClearCommands::processNext()
{
PolicyCompiler_iosacl *iosacl_comp=dynamic_cast<PolicyCompiler_iosacl*>(compiler);
slurp();
if (tmp_queue.size()==0) return false;
iosacl_comp->_printClearCommands();
return true;
}
void PolicyCompiler_iosacl::_printClearCommands()
{
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
string xml_element = "clear_ip_acl";
if (ipv6) xml_element = "clear_ipv6_acl";
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/iosacl_commands/" + xml_element);
assert( !clearACLCmd.empty());
if (!inSingleRuleCompileMode())
{
// No need to output "clear" commands in single rule compile mode
if ( fw->getOptionsObject()->getBool("iosacl_acl_basic") ||
fw->getOptionsObject()->getBool("iosacl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl = (*i).second;
output << clearACLCmd << " " << acl->workName() << endl;
}
output << endl;
for (FWObject::iterator i=named_objects_manager->object_groups->begin();
i!=named_objects_manager->object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
output << "no " << og->getObjectGroupHeader() << endl;
}
}
}
output << endl;
}
void PolicyCompiler_iosacl::PrintCompleteACLs::printRulesForACL::operator()(
Rule* rule)
{


@ -652,7 +652,7 @@ void PolicyCompiler_pix::compile()
add( new createNewCompilerPass("Creating object groups and ACLs ..."));
add( new printClearCommands("Clear ACLs and object groups"));
//add( new printClearCommands("Clear ACLs and object groups"));
if (XMLTools::version_compare(vers, "8.3")>=0)
{
@ -719,3 +719,51 @@ void PolicyCompiler_pix::epilog()
}
}
string PolicyCompiler_pix::printClearCommands()
{
ostringstream output;
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + vers + "/pix_commands/clear_acl");
// string clearOGcmd = Resources::platform_res[platform]->getResourceStr(
// string("/FWBuilderResources/Target/options/") +
// "version_" + vers + "/pix_commands/clear_og");
string clearICMPcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + vers + "/pix_commands/clear_icmp");
string clearTelnetcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/") +
"version_" + vers + "/pix_commands/clear_telnet");
if ( fw->getOptionsObject()->getBool("pix_acl_basic") )
{
output << clearACLcmd << endl;
//output << clearOGcmd << endl;
}
if (fw->getOptionsObject()->getBool("pix_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=acls.begin();
i!=acls.end(); ++i)
{
ciscoACL *acl = (*i).second;
output << clearACLcmd << " " << acl->workName() << endl;
}
//output << clearOGcmd << endl;
output << endl;
}
if ( !fw->getOptionsObject()->getBool("pix_acl_no_clear") )
{
output << clearICMPcmd << endl;
output << clearTelnetcmd << endl;
}
output << endl;
return output.str();
}
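Review bot: Three commented-out fragments (`// string clearOGcmd = ...` and two `//output << clearOGcmd << endl;`) are carried into the new PolicyCompiler_pix::printClearCommands; since object-group clearing is now done by CompilerDriver_pix::run with `clear conf object-group`, delete them and record that fact in one line, `// object-group clearing moved to CompilerDriver_pix::run (clear conf object-group)`, so nobody re-adds it here. Separately, `pix_acl_no_clear` gates only the icmp and telnet clears while the access-list clears are emitted whenever `pix_acl_basic` or `pix_acl_substitution` is set; this asymmetry predates the commit, but since NATCompiler_pix::printClearCommands gates everything on the same option, a comment saying whether it is intentional would save the next reader the same question.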


@ -252,26 +252,6 @@ namespace fwcompiler {
*/
DECLARE_POLICY_RULE_PROCESSOR( splitIfTelnetSSHICMPtoFw );
/**
* this processor accumulates all rules fed to it by previous
* * processors, then prints PIX commands to clear
* access-lists, object groups, icmp, ssh, telnet and prints
* all object groups, then feeds all rules to the next
* processor. Usually this processor is in chain right
* before PrintRules.
*
* We use this processor to print "clear" commands because
* they need to be generated when all access lists have been
* created but before they are printed.
*/
class printClearCommands : public PolicyRuleProcessor
{
public:
printClearCommands(const std::string &n) : PolicyRuleProcessor(n) {}
virtual bool processNext();
};
friend class PolicyCompiler_pix::printClearCommands;
class AvoidObjectGroup : public PolicyRuleProcessor
{
public:
@ -339,6 +319,7 @@ namespace fwcompiler {
virtual void compile();
virtual void epilog();
virtual std::string printClearCommands();
};


@ -60,61 +60,6 @@ using namespace fwcompiler;
using namespace std;
bool PolicyCompiler_pix::printClearCommands::processNext()
{
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
string vers = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/pix_commands/clear_acl");
string clearOGcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/pix_commands/clear_og");
string clearICMPcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/pix_commands/clear_icmp");
string clearTelnetcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/pix_commands/clear_telnet");
slurp();
if (tmp_queue.size()==0) return false;
if (!compiler->inSingleRuleCompileMode())
{
// No need to output "clear" commands in single rule compile mode
if ( compiler->fw->getOptionsObject()->getBool("pix_acl_basic") )
{
compiler->output << clearACLcmd << endl;
compiler->output << clearOGcmd << endl;
}
if (compiler->fw->getOptionsObject()->getBool("pix_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=pix_comp->acls.begin();
i!=pix_comp->acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
compiler->output << clearACLcmd << " " << acl->workName() << endl;
}
compiler->output << clearOGcmd << endl;
compiler->output << endl;
}
if ( !compiler->fw->getOptionsObject()->getBool("pix_acl_no_clear") )
{
compiler->output << clearICMPcmd << endl;
compiler->output << clearTelnetcmd << endl;
}
}
return true;
}
string PolicyCompiler_pix::PrintRule::_printAction(PolicyRule *rule)
{
ostringstream str;


@ -30,6 +30,7 @@
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/RuleSet.h"
#include "fwbuilder/Resources.h"
#include <assert.h>
@ -89,3 +90,37 @@ ciscoACL* PolicyCompiler_procurve_acl::createACLObject(const string &acl_name,
}
string PolicyCompiler_procurve_acl::printClearCommands()
{
ostringstream output;
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
string xml_element = "clear_ip_acl";
if (ipv6) xml_element = "clear_ipv6_acl";
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/procurve_acl_commands/" + xml_element);
assert( !clearACLCmd.empty());
// No need to output "clear" commands in single rule compile mode
if ( fw->getOptionsObject()->getBool("procurve_acl_acl_basic") ||
fw->getOptionsObject()->getBool("procurve_acl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl = (*i).second;
output << printAccessGroupCmd(acl, true);
output << clearACLCmd << " " << acl->workName() << endl;
output << endl;
}
output << endl;
}
output << endl;
return output.str();
}


@ -47,7 +47,6 @@ namespace fwcompiler {
protected:
virtual std::string myPlatformName();
virtual void _printClearCommands();
virtual std::string printAccessGroupCmd(ciscoACL *acl, bool neg=false);
virtual ciscoACL* createACLObject(const std::string &n,
libfwbuilder::Interface *intf,
@ -63,6 +62,8 @@ namespace fwcompiler {
virtual ~PolicyCompiler_procurve_acl() {}
virtual int prolog();
virtual std::string printClearCommands();
};
}


@ -42,39 +42,6 @@ using namespace fwcompiler;
using namespace std;
void PolicyCompiler_procurve_acl::_printClearCommands()
{
string vers = fw->getStr("version");
string platform = fw->getStr("platform");
string xml_element = "clear_ip_acl";
if (ipv6) xml_element = "clear_ipv6_acl";
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/procurve_acl_commands/" + xml_element);
assert( !clearACLCmd.empty());
if (!inSingleRuleCompileMode())
{
// No need to output "clear" commands in single rule compile mode
if ( fw->getOptionsObject()->getBool("procurve_acl_acl_basic") ||
fw->getOptionsObject()->getBool("procurve_acl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=acls.begin(); i!=acls.end(); ++i)
{
ciscoACL *acl = (*i).second;
output << printAccessGroupCmd(acl, true);
output << clearACLCmd << " " << acl->workName() << endl;
output << endl;
}
output << endl;
}
}
output << endl;
}
string PolicyCompiler_procurve_acl::printAccessGroupCmd(ciscoACL *acl, bool neg)
{
if (getSourceRuleSet()->isTop())

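--- /dev/null
+++ b/test/iosacl/Makefile
@@ -0,0 +1,17 @@
+FW_OBJECTS := $(shell fwbedit list -f objects-for-regression-tests.fwb -o /User/Firewalls -c -F%name% | sort)
+CL_OBJECTS := $(shell fwbedit list -f cluster-tests.fwb -o /User/Clusters -c -F%name% | sort)
+$(FW_OBJECTS):
+fwb_iosacl -f objects-for-regression-tests.fwb -xt $@
+$(CL_OBJECTS):
+fwb_iosacl -f cluster-tests.fwb -xt -xc $@
+.PHONY: all firewalls clusters $(FW_OBJECTS) $(CL_OBJECTS)
+all: firewalls clusters
+firewalls: $(FW_OBJECTS)
+clusters: $(CL_OBJECTS)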


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:23 2011 PST by vadim
! Generated Thu Jan 20 16:31:20 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -34,10 +34,6 @@ interface FastEthernet0/0
no ip access-group out
ip access-group tmp_acl in
exit
! ================ IPv4
no ip access-list extended e1_0_in
no ip access-list extended e1_0_out
no ip access-list extended e1_1_in
@ -46,6 +42,16 @@ no ip access-list extended fe0_0_in
no ip access-list extended fe0_0_out
no ipv6 access-list ipv6_Policy_v6_e1_0_in
no ipv6 access-list ipv6_Policy_v6_e1_0_out
no ipv6 access-list ipv6_Policy_v6_e1_1_in
no ipv6 access-list ipv6_Policy_v6_e1_1_out
no ipv6 access-list ipv6_Policy_v6_fe0_0_in
no ipv6 access-list ipv6_Policy_v6_fe0_0_out
! ================ IPv4
ip access-list extended e1_0_in
!
! Rule 0 (global)
@ -152,14 +158,6 @@ exit
! ================ IPv6
no ipv6 access-list ipv6_Policy_v6_e1_0_in
no ipv6 access-list ipv6_Policy_v6_e1_0_out
no ipv6 access-list ipv6_Policy_v6_e1_1_in
no ipv6 access-list ipv6_Policy_v6_e1_1_out
no ipv6 access-list ipv6_Policy_v6_fe0_0_in
no ipv6 access-list ipv6_Policy_v6_fe0_0_out
ipv6 access-list ipv6_Policy_v6_e1_0_in
!
! Rule Policy_v6 0 (global)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:23 2011 PST by vadim
! Generated Thu Jan 20 16:31:20 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -24,11 +24,6 @@ no service timestamp log datetime localtime
logging buffered 6
logging console 6
! ================ IPv4
no ip access-list extended e1_0_in
no ip access-list extended e1_0_out
no ip access-list extended e1_1_in
@ -36,6 +31,8 @@ no ip access-list extended e1_1_out
no ip access-list extended fe0_0_in
no ip access-list extended fe0_0_out
! ================ IPv4
ip access-list extended e1_0_in
!


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:23 2011 PST by vadim
! Generated Thu Jan 20 16:31:21 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -60,16 +60,20 @@ interface FastEthernet0/0
no ip access-group out
ip access-group tmp_acl in
exit
! ================ IPv4
no ip access-list extended r1-ipv4_fe0_0_in
no ip access-list extended r1-ipv4_fe0_0_out
no ip access-list extended r1-ipv4_fe0_1_in
no ip access-list extended r1-ipv4_fe0_1_out
no ipv6 access-list ipv6_fe0_0_in
no ipv6 access-list ipv6_fe0_0_out
no ipv6 access-list ipv6_fe0_1_in
no ipv6 access-list ipv6_fe0_1_out
! ================ IPv4
ip access-list extended r1-ipv4_fe0_0_in
!
! Rule -1 backup ssh access rule (automatic)
@ -145,12 +149,6 @@ exit
! ================ IPv6
no ipv6 access-list ipv6_fe0_0_in
no ipv6 access-list ipv6_fe0_0_out
no ipv6 access-list ipv6_fe0_1_in
no ipv6 access-list ipv6_fe0_1_out
ipv6 access-list ipv6_fe0_0_in
!
! Rule r1-ipv6 0 (global)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:24 2011 PST by vadim
! Generated Thu Jan 20 16:31:21 2011 PST by vadim
!
! Compiled for iosacl 12.4
!
@ -23,11 +23,6 @@
! ================ IPv4
no ip access-list extended fe0_0_in
no ip access-list extended fe0_0_out
@ -36,6 +31,9 @@ no object-group service id29216X37699.srv.udp.0
no object-group network id18740X37673.dst.net.0
no object-group network id18964X37673.src.net.0
no ipv6 access-list ipv6_fe0_0_in
no ipv6 access-list ipv6_fe0_0_out
object-group network id29216X37699.src.net.0
host 61.150.47.112
@ -59,6 +57,10 @@ object-group network id18964X37673.src.net.0
host 192.0.2.2
host 192.0.2.3
exit
! ================ IPv4
ip access-list extended fe0_0_in
!
! Rule -1 backup ssh access rule (automatic)
@ -147,10 +149,6 @@ exit
! ================ IPv6
no ipv6 access-list ipv6_fe0_0_in
no ipv6 access-list ipv6_fe0_0_out
ipv6 access-list ipv6_fe0_0_in
!
! Rule 1 (FastEthernet0/0)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:24 2011 PST by vadim
! Generated Thu Jan 20 16:31:21 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -59,14 +59,16 @@ interface Ethernet0/0
no ipv6 traffic-filter out
ipv6 traffic-filter tmp_acl in
exit
! ================ IPv4
no ip access-list extended fw-ipv6-1-ipv4_e0_0_in
no ip access-list extended fw-ipv6-1-ipv4_e0_0_out
no ipv6 access-list ipv6_e0_0_in
no ipv6 access-list ipv6_e0_0_out
! ================ IPv4
ip access-list extended fw-ipv6-1-ipv4_e0_0_in
!
! Rule fw-ipv6-1-ipv4 1 (global)
@ -86,10 +88,6 @@ exit
! ================ IPv6
no ipv6 access-list ipv6_e0_0_in
no ipv6 access-list ipv6_e0_0_out
ipv6 access-list ipv6_e0_0_in
!
! Rule fw-ipv6-1-ipv6 0 (global)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:25 2011 PST by vadim
! Generated Thu Jan 20 16:31:21 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -58,14 +58,16 @@ interface Ethernet0/0
no ip access-group out
ip access-group tmp_acl in
exit
! ================ IPv4
no ip access-list extended fw-ipv6-2-ipv4_e0_0_in
no ip access-list extended fw-ipv6-2-ipv4_e0_0_out
no ipv6 access-list ipv6_e0_0_in
no ipv6 access-list ipv6_e0_0_out
! ================ IPv4
ip access-list extended fw-ipv6-2-ipv4_e0_0_in
!
! Rule -1 backup ssh access rule (automatic)
@ -93,10 +95,6 @@ exit
! ================ IPv6
no ipv6 access-list ipv6_e0_0_in
no ipv6 access-list ipv6_e0_0_out
ipv6 access-list ipv6_e0_0_in
!
! Rule fw-ipv6-2-ipv6 0 (global)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:25 2011 PST by vadim
! Generated Thu Jan 20 16:31:22 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -35,14 +35,20 @@ interface Ethernet0/0
no ipv6 traffic-filter out
ipv6 traffic-filter tmp_acl in
exit
! ================ IPv4
no ip access-list extended e0_0_in
no ip access-list extended e0_0_out
no ipv6 access-list ipv6_e0_0_in
no ipv6 access-list ipv6_e0_0_out
no ipv6 access-list ipv6_fw-ipv6-3-ipv6-2_e0_0_in
no ipv6 access-list ipv6_fw-ipv6-3-ipv6-2_e0_0_out
! ================ IPv4
ip access-list extended e0_0_in
!
! Rule fw-ipv6-3-ipv4 1 (global)
@ -68,10 +74,6 @@ exit
! ================ IPv6
no ipv6 access-list ipv6_e0_0_in
no ipv6 access-list ipv6_e0_0_out
ipv6 access-list ipv6_e0_0_in
!
! Rule fw-ipv6-3-ipv6-1 0 (global)
@ -107,10 +109,6 @@ exit
! ================ IPv6
no ipv6 access-list ipv6_fw-ipv6-3-ipv6-2_e0_0_in
no ipv6 access-list ipv6_fw-ipv6-3-ipv6-2_e0_0_out
ipv6 access-list ipv6_fw-ipv6-3-ipv6-2_e0_0_in
!
! Rule fw-ipv6-3-ipv6-2 0 (global)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:26 2011 PST by vadim
! Generated Thu Jan 20 16:31:22 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -34,15 +34,13 @@ interface ethernet0
no ip access-group out
ip access-group tmp_acl in
exit
! ================ IPv4
no ip access-list extended e0_in
no ip access-list extended e0_out
no ip access-list extended e1_in
no ip access-list extended e1_out
! ================ IPv4
ip access-list extended e0_in
!


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:25 2011 PST by vadim
! Generated Thu Jan 20 16:31:22 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -33,15 +33,13 @@ interface ethernet0
no ip access-group out
ip access-group tmp_acl in
exit
! ================ IPv4
no ip access-list extended e0_in
no ip access-list extended e0_out
no ip access-list extended e1_in
no ip access-list extended e1_out
! ================ IPv4
ip access-list extended e0_in
!


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:26 2011 PST by vadim
! Generated Thu Jan 20 16:31:22 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -36,15 +36,13 @@ interface ethernet1
no ip access-group out
ip access-group tmp_acl in
exit
! ================ IPv4
no ip access-list extended e0_in
no ip access-list extended e0_out
no ip access-list extended e1_in
no ip access-list extended e1_out
! ================ IPv4
ip access-list extended e0_in
!


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:27 2011 PST by vadim
! Generated Thu Jan 20 16:31:23 2011 PST by vadim
!
! Compiled for iosacl 12.3
!
@ -26,16 +26,13 @@
hostname testios20-v12.3
! ================ IPv4
no ip access-list extended e0_in
no ip access-list extended e0_out
no ip access-list extended e1_in
no ip access-list extended e1_out
! ================ IPv4
ip access-list extended e0_in
!


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:26 2011 PST by vadim
! Generated Thu Jan 20 16:31:22 2011 PST by vadim
!
! Compiled for iosacl 12.4
!
@ -22,16 +22,13 @@
hostname testios20
! ================ IPv4
no ip access-list extended e0_in
no ip access-list extended e0_out
no ip access-list extended e1_in
no ip access-list extended e1_out
! ================ IPv4
ip access-list extended e0_in
!


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:27 2011 PST by vadim
! Generated Thu Jan 20 16:31:23 2011 PST by vadim
!
! Compiled for iosacl 12.1
!
@ -33,15 +33,13 @@ interface ethernet1
no ip access-group out
ip access-group tmp_acl in
exit
! ================ IPv4
no ip access-list extended e0_in
no ip access-list extended e0_out
no ip access-list extended e1_in
no ip access-list extended e1_out
! ================ IPv4
ip access-list extended e0_in
!


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:27 2011 PST by vadim
! Generated Thu Jan 20 16:31:23 2011 PST by vadim
!
! Compiled for iosacl 12.4
!
@ -34,10 +34,6 @@ interface ethernet1
no ip access-group out
ip access-group tmp_acl in
exit
! ================ IPv4
no ip access-list extended e0_in
no ip access-list extended e0_out
no ip access-list extended e1_in
@ -49,7 +45,6 @@ no object-group network id47180X84238.dst.net.0
no object-group network id47192X84238.dst.net.0
no object-group network id47204X84238.dst.net.0
object-group network .src.net.0
host 1.1.1.1
host 10.10.10.1
@ -185,6 +180,10 @@ object-group network id47204X84238.dst.net.0
222.121.118.144 /32
222.174.113.2 /32
exit
! ================ IPv4
ip access-list extended e0_in
!
! Rule -1 backup ssh access rule (automatic)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:28 2011 PST by vadim
! Generated Thu Jan 20 16:31:23 2011 PST by vadim
!
! Compiled for iosacl 12.4
!
@ -34,10 +34,6 @@ interface ethernet1
no ip access-group out
ip access-group tmp_acl in
exit
! ================ IPv4
no ip access-list extended e0_in
no ip access-list extended e0_out
no ip access-list extended e1_in
@ -49,7 +45,6 @@ no object-group network id115999X79820.dst.net.0
no object-group service id116125X79820.srv.tcp.0
no object-group service id91445X81725.srv.tcp.0
object-group network .src.net.0
host 1.1.1.1
host 10.10.10.1
@ -74,6 +69,10 @@ object-group service id91445X81725.srv.tcp.0
tcp range 0 65535
tcp eq 80
exit
! ================ IPv4
ip access-list extended e0_in
!
! Rule -1 backup ssh access rule (automatic)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_iosacl v4.2.0.3440
!
! Generated Thu Jan 20 14:41:27 2011 PST by vadim
! Generated Thu Jan 20 16:31:23 2011 PST by vadim
!
! Compiled for iosacl 12.4
!
@ -34,15 +34,13 @@ interface ethernet1
no ip access-group out
ip access-group tmp_acl in
exit
! ================ IPv4
no ip access-list extended e0_in
no ip access-list extended e0_out
no ip access-list extended e1_in
no ip access-list extended e1_out
! ================ IPv4
ip access-list extended e0_in
!


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:17 2011 PST by vadim
! Generated Thu Jan 20 17:13:17 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -114,12 +114,18 @@ policy-map global_policy
service-policy global_policy global
!################
clear xlate
clear config static
clear config global
clear config nat
clear config access-list
clear config object-group
clear config icmp
clear config telnet
clear conf object-group
clear conf object
object-group network id56590X61097.src.net.0
network-object host 10.3.14.206
network-object host 10.3.14.207
@ -141,6 +147,9 @@ object-group network id56627X61097.src.net.0
network-object host 172.17.1.253
network-object host 192.0.2.253
exit
!################
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule
@ -191,10 +200,6 @@ access-group inside_in in interface inside
access-group inside_out out interface inside
access-group outside_in in interface outside
clear xlate
clear config static
clear config global
clear config nat
!
! Rule 0 (NAT)
global (outside) 1 interface


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:17 2011 PST by vadim
! Generated Thu Jan 20 17:13:17 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -114,12 +114,18 @@ policy-map global_policy
service-policy global_policy global
!################
clear xlate
clear config static
clear config global
clear config nat
clear config access-list
clear config object-group
clear config icmp
clear config telnet
clear conf object-group
clear conf object
object-group network id56590X61097.src.net.0
network-object host 10.3.14.206
network-object host 10.3.14.207
@ -141,6 +147,9 @@ object-group network id56627X61097.src.net.0
network-object host 172.17.1.253
network-object host 192.0.2.253
exit
!################
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule
@ -191,10 +200,6 @@ access-group inside_in in interface inside
access-group inside_out out interface inside
access-group outside_in in interface outside
clear xlate
clear config static
clear config global
clear config nat
!
! Rule 0 (NAT)
global (outside) 1 interface


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:17 2011 PST by vadim
! Generated Thu Jan 20 17:13:17 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -114,12 +114,18 @@ policy-map global_policy
service-policy global_policy global
!################
clear xlate
clear config static
clear config global
clear config nat
clear config access-list
clear config object-group
clear config icmp
clear config telnet
clear conf object-group
clear conf object
object-group network id2913X78273.src.net.0
network-object host 10.3.14.206
network-object host 10.3.14.207
@ -141,6 +147,9 @@ object-group network id55439X897.src.net.0
network-object host 172.17.1.253
network-object host 192.0.2.253
exit
!################
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule
@ -234,10 +243,6 @@ access-group inside_out out interface inside
access-group outside_in in interface outside
access-group outside_out out interface outside
clear xlate
clear config static
clear config global
clear config nat
!
! Rule 0 (NAT)
global (outside) 1 interface


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:17 2011 PST by vadim
! Generated Thu Jan 20 17:13:17 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -114,12 +114,18 @@ policy-map global_policy
service-policy global_policy global
!################
clear xlate
clear config static
clear config global
clear config nat
clear config access-list
clear config object-group
clear config icmp
clear config telnet
clear conf object-group
clear conf object
object-group network id2913X78273.src.net.0
network-object host 10.3.14.206
network-object host 10.3.14.207
@ -146,6 +152,9 @@ object-group network id3401X82678.dst.net.0
network-object host 172.17.1.254
network-object host 192.0.2.254
exit
!################
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule
@ -239,10 +248,6 @@ access-group inside_out out interface inside
access-group outside_in in interface outside
access-group outside_out out interface outside
clear xlate
clear config static
clear config global
clear config nat
!
! Rule 0 (NAT)
global (outside) 1 interface


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:03 2011 PST by vadim
! Generated Thu Jan 20 17:13:02 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
@ -261,24 +261,21 @@ fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
!################
clear access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear static
clear global
clear nat
clear access-list dmz_acl_in
clear access-list inside_acl_in
clear access-list outside_acl_in
clear object-group
clear icmp
clear telnet
clear conf object-group
clear conf object
object-group network id3C4E4C38.dst.net.0
network-object host 211.11.11.11
network-object host 211.22.22.22
@ -390,6 +387,17 @@ object-group service pol-firewall2-4.srv.tcp.0 tcp
port-object eq 111
port-object eq 7100
exit
!################
clear access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
!
! Rule -1 backup ssh access rule (automatic)
ssh 192.168.1.100 255.255.255.255 inside
@ -527,10 +535,6 @@ access-group dmz_acl_in in interface dmz
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear static
clear global
clear nat
!
! Rule 0 (NAT)
global (outside) 1 interface


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:02 2011 PST by vadim
! Generated Thu Jan 20 17:13:02 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:03 2011 PST by vadim
! Generated Thu Jan 20 17:13:03 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -92,7 +92,9 @@ fixup protocol smtp 25
fixup protocol sqlnet 1521
!################
clear conf object-group
clear conf object
object-group network id3DB0FA90.dst.net.0
network-object host 211.11.11.11
@ -221,6 +223,9 @@ object-group service id3DB0FA12.srv.tcp.0 tcp
port-object eq 111
port-object eq 7100
exit
!################
!
! Rule 3 (ethernet1)
! anti-spoofing rule


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:03 2011 PST by vadim
! Generated Thu Jan 20 17:13:03 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:04 2011 PST by vadim
! Generated Thu Jan 20 17:13:04 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -85,16 +85,21 @@ floodguard disable
fixup protocol dns maximum-length 65535
fixup protocol ftp 21
fixup protocol http 80
fixup protocol icmp error
fixup protocol icmp error
!################
clear conf object-group
clear conf object
object-group network id3F8F95CD.dst.net.0
network-object host 192.0.2.20
network-object host 192.0.2.21
network-object host 192.0.2.23
exit
!################
!
! Rule 0 (global)
access-list inside_acl_in remark 0 (global)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:04 2011 PST by vadim
! Generated Thu Jan 20 17:13:04 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:05 2011 PST by vadim
! Generated Thu Jan 20 17:13:05 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:05 2011 PST by vadim
! Generated Thu Jan 20 17:13:05 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -62,12 +62,19 @@ no sysopt nodnsalias outbound
floodguard disable
!################
clear xlate
clear static
clear global
clear nat
clear access-list
clear object-group
clear icmp
clear telnet
clear conf object-group
clear conf object
object-group service id3D6EF08C.srv.tcp.0 tcp
port-object eq 80
port-object eq 119
@ -77,6 +84,9 @@ object-group network id3D8FCCDE.src.net.0
network-object host 192.168.1.10
network-object host 192.168.1.20
exit
!################
!
! Rule 0 (eth1)
! Anti-spoofing rule
@ -112,10 +122,6 @@ access-group dmz_acl_in in interface dmz
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear static
clear global
clear nat
!
! Rule 0 (NAT)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:06 2011 PST by vadim
! Generated Thu Jan 20 17:13:06 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:07 2011 PST by vadim
! Generated Thu Jan 20 17:13:07 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:06 2011 PST by vadim
! Generated Thu Jan 20 17:13:06 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:07 2011 PST by vadim
! Generated Thu Jan 20 17:13:07 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:07 2011 PST by vadim
! Generated Thu Jan 20 17:13:07 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
@ -72,11 +72,13 @@ no sysopt route dnat
floodguard disable
!################
clear access-list
clear object-group
clear icmp
clear telnet
!################
!
! Rule 0 (eth0)
ssh 0.0.0.0 0.0.0.0 inside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:08 2011 PST by vadim
! Generated Thu Jan 20 17:13:08 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -65,7 +65,11 @@ no sysopt nodnsalias outbound
floodguard disable
!################
clear conf object-group
clear conf object
object-group network id43867C2418346.src.net.0
network-object host 157.166.224.25
@ -89,6 +93,9 @@ object-group network id438728A918346.dst.net.0
network-object host 157.166.255.18
network-object host 157.166.255.19
exit
!################
!
! Rule 0 (eth0.100)
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:08 2011 PST by vadim
! Generated Thu Jan 20 17:13:08 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -60,7 +60,11 @@ no sysopt nodnsalias outbound
floodguard disable
!################
clear conf object-group
clear conf object
object-group network id16988X10208.dst.net.0
network-object 192.168.1.1 255.255.255.255
@ -186,6 +190,9 @@ object-group network id21263X16880.src.net.0
network-object 10.1.3.0 255.255.255.0
network-object 10.1.4.0 255.255.255.0
exit
!################
!
! Rule 0 (global)
access-list outside_acl_in permit ip any 192.168.2.128 255.255.255.128


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:08 2011 PST by vadim
! Generated Thu Jan 20 17:13:08 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
@ -74,12 +74,19 @@ no sysopt route dnat
floodguard disable
!################
clear xlate
clear static
clear global
clear nat
clear access-list
clear object-group
clear icmp
clear telnet
clear conf object-group
clear conf object
object-group service id3D79A1C2.srv.tcp.0 tcp
port-object eq 22
port-object eq 80
@ -89,6 +96,9 @@ object-group network id3D79A1E4.dst.net.0
network-object host 192.168.1.10
network-object host 192.168.1.20
exit
!################
!
! Rule 0 (global)
access-list inside_acl_in permit tcp any host 192.168.1.10 eq 22
@ -131,10 +141,6 @@ access-group dmz2_acl_in in interface dmz2
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear static
clear global
clear nat
!
! Rule 0 (NAT)
static (inside,outside) tcp interface 22 192.168.1.10 22 0 0


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:09 2011 PST by vadim
! Generated Thu Jan 20 17:13:09 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -112,23 +112,21 @@ policy-map global_policy
service-policy global_policy global
!################
clear config access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear config static
clear config global
clear config nat
clear config access-list dmz_acl_in
clear config access-list inside_acl_in
clear config access-list outside_acl_in
clear config object-group
clear config icmp
clear config telnet
clear conf object-group
clear conf object
object-group network id45142FA628543.dst.net.0
network-object host 211.11.11.11
network-object host 211.22.22.22
@ -240,6 +238,17 @@ object-group service id4514304928543.srv.tcp.0 tcp
port-object eq 111
port-object eq 7100
exit
!################
clear config access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
!
! Rule 2 (ethernet1)
icmp permit any 3 outside
@ -382,10 +391,6 @@ access-group dmz_acl_in in interface dmz
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear config static
clear config global
clear config nat
!
! Rule 0 (NAT)
global (outside) 1 interface


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:09 2011 PST by vadim
! Generated Thu Jan 20 17:13:09 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
@ -75,11 +75,18 @@ no sysopt route dnat
floodguard disable
!################
clear xlate
clear static
clear global
clear nat
clear access-list
clear object-group
clear icmp
clear telnet
!################
!
! Rule 0 (eth1)
access-list outside_acl_in deny ip any host 22.22.22.22
@ -94,10 +101,6 @@ access-group dmz_acl_in in interface dmz
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear static
clear global
clear nat
!
! Rule 0 (NAT)
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:10 2011 PST by vadim
! Generated Thu Jan 20 17:13:10 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:11 2011 PST by vadim
! Generated Thu Jan 20 17:13:11 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported
@ -86,12 +86,18 @@ parameters
router-alert action clear
!################
clear xlate
clear config static
clear config global
clear config nat
clear config access-list
clear config object-group
clear config icmp
clear config telnet
clear conf object-group
clear conf object
object-group icmp-type id19186X29796.srv.icmp.0
icmp-object 8
icmp-object 0
@ -111,6 +117,9 @@ object-group icmp-type id21447X11252.srv.icmp.0
icmp-object 8
icmp-object 3
exit
!################
!
! Rule 0 (FastEthernet1)
ssh 0.0.0.0 0.0.0.0 inside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:11 2011 PST by vadim
! Generated Thu Jan 20 17:13:11 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -89,6 +89,22 @@ parameters
router-alert action clear
clear xlate
clear config nat
clear config access-list
clear config icmp
clear config telnet
clear conf object
object service http.0
service tcp destination eq 80
quit
object network hostA:eth0.0
host 192.168.1.10
quit
object service http.0
service tcp destination eq 80
quit
@ -99,10 +115,6 @@ quit
!################
clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp
@ -151,9 +163,6 @@ access-list outside_acl_in deny ip any any
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
!
! Rule 0 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)"


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:11 2011 PST by vadim
! Generated Thu Jan 20 17:13:11 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -89,6 +89,22 @@ parameters
router-alert action clear
clear xlate
clear config nat
clear config access-list
clear config icmp
clear config telnet
clear conf object
object service http.0
service tcp destination eq 80
quit
object network hostA:eth0.0
host 192.168.1.10
quit
object service http.0
service tcp destination eq 80
quit
@ -99,10 +115,6 @@ quit
!################
clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp
@ -137,9 +149,6 @@ access-list outside_acl_in deny ip any any
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
!
! Rule 0 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)"


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:12 2011 PST by vadim
! Generated Thu Jan 20 17:13:12 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -87,6 +87,22 @@ parameters
router-alert action clear
clear xlate
clear config nat
clear config access-list
clear config icmp
clear config telnet
clear conf object
object service http.0
service tcp destination eq 80
quit
object network hostA:eth0.0
host 192.168.1.10
quit
object service http.0
service tcp destination eq 80
quit
@ -97,10 +113,6 @@ quit
!################
clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp
@ -132,9 +144,6 @@ access-list outside_acl_in deny ip any any
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
!
! Rule 0 (NAT)
nat (inside,outside) source static hostA:eth0.0 interface service http.0 http.0 description "0 (NAT)"


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:12 2011 PST by vadim
! Generated Thu Jan 20 17:13:12 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:13 2011 PST by vadim
! Generated Thu Jan 20 17:13:13 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -90,6 +90,16 @@ parameters
router-alert action clear
clear xlate
clear config nat
clear config access-list
clear config icmp
clear config telnet
clear conf object-group
clear conf object
object service http.0
service tcp destination eq 80
quit
@ -166,47 +176,6 @@ object network firewall90:FastEthernet1:ip-1.0
host 22.22.22.23
quit
!################
clear config access-list
clear config object-group
clear config icmp
clear config telnet
object-group network id78630X30274.src.net.0
network-object 10.1.2.0 255.255.255.0
network-object 10.1.3.0 255.255.255.0
exit
!
! Rule 0 (global)
access-list outside_acl_in deny ip object-group id78630X30274.src.net.0 any
!
! Rule 1 (global)
! for #1942
! using custom service
access-list inside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
access-list outside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
!
! Rule 2 (global)
! for #1942
! using custom service
access-list inside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
access-list outside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
access-list inside_acl_in deny tcp any object hostA:eth0.0 eq 3128
access-list outside_acl_in deny tcp any object hostA:eth0.0 eq 3128
!
! Rule 3 (global)
access-list inside_acl_in deny ip any any
access-list outside_acl_in deny ip any any
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
object-group network id178211X29963.osrc.net.0
network-object object internal_subnet_1.0
network-object object internal_subnet_2.0
@ -260,6 +229,115 @@ object-group network id77971X5929.tsrc.net.1
network-object object outside_range-1.0
network-object object external_gw2.0
exit
object service http.0
service tcp destination eq 80
quit
object service smtp.0
service tcp destination eq 25
quit
object service smtps.0
service tcp destination eq 465
quit
object service squid.0
service tcp destination eq 3128
quit
object network spamhost1.0
host 61.150.47.112
quit
object network external_gw_1.0
host 22.22.22.254
quit
object network external_gw2.0
host 22.22.22.100
quit
object network spamhost2.0
host 61.150.47.113
quit
object network hostA:eth0.0
host 192.168.1.10
quit
object network Internal_net.0
subnet 192.168.1.0 255.255.255.0
quit
object network internal_subnet_1.0
subnet 192.168.1.0 255.255.255.192
quit
object network internal_subnet_2.0
subnet 192.168.1.64 255.255.255.192
quit
object network ext_subnet.0
subnet 22.22.22.128 255.255.255.224
quit
object network ext_subnet-192.0
subnet 22.22.22.128 255.255.255.192
quit
object network test_range_1.0
range 192.168.1.11 192.168.1.15
quit
object network outside_range.0
range 22.22.22.21 22.22.22.25
quit
object network outside_range-1.0
range 22.22.22.30 22.22.22.40
quit
object network firewall90:FastEthernet1:ip.0
host 22.22.22.22
quit
object network firewall90:FastEthernet1:ip-1.0
host 22.22.22.23
quit
object-group network id78630X30274.src.net.0
network-object 10.1.2.0 255.255.255.0
network-object 10.1.3.0 255.255.255.0
exit
!################
!
! Rule 0 (global)
access-list outside_acl_in deny ip object-group id78630X30274.src.net.0 any
!
! Rule 1 (global)
! for #1942
! using custom service
access-list inside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
access-list outside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
!
! Rule 2 (global)
! for #1942
! using custom service
access-list inside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
access-list outside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080
access-list inside_acl_in deny tcp any object hostA:eth0.0 eq 3128
access-list outside_acl_in deny tcp any object hostA:eth0.0 eq 3128
!
! Rule 3 (global)
access-list inside_acl_in deny ip any any
access-list outside_acl_in deny ip any any
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
!
! Rule 0 (NAT)
nat (inside,outside) source dynamic Internal_net.0 interface service http.0 http.0 description "0 (NAT)"
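Review bot: The new side of this fixture appears to define the same named objects twice: `object service http.0` is a context line at the top of the first hunk (immediately after the added `clear conf object`) and is emitted again as an added line in the third hunk, and `object network firewall90:FastEthernet1:ip-1.0` likewise appears as context in the second hunk and as an addition in the third. Re-entering an identical object definition is idempotent on ASA, so this probably does not change what the device enforces, but it suggests NamedObjectManager::getNamedObjectsDefinitions() is being emitted (or spliced in) twice and it doubles the size of the pushed config. The rendered page has dropped some lines from these hunks, so please confirm against the real fixture and, if the duplication is real, emit each object exactly once with a header comment such as `! named objects and object-groups, printed once before any rule that references them`.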


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:13 2011 PST by vadim
! Generated Thu Jan 20 17:13:13 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -92,6 +92,46 @@ parameters
router-alert action clear
clear xlate
clear config nat
clear config access-list
clear config icmp
clear config telnet
clear conf object
object service http.0
service tcp destination eq 80
quit
object service https.0
service tcp destination eq 443
quit
object service squid.0
service tcp destination eq 3128
quit
object network external_gw2.0
host 22.22.22.100
quit
object network hostA:eth0.0
host 192.168.1.10
quit
object network internal_subnet_1.0
subnet 192.168.1.0 255.255.255.192
quit
object network test_range_1.0
range 192.168.1.11 192.168.1.15
quit
object network outside_range.0
range 22.22.22.21 22.22.22.25
quit
object service http.0
service tcp destination eq 80
quit
@ -126,10 +166,6 @@ quit
!################
clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
access-list inside_acl_in deny ip any any
@ -139,9 +175,6 @@ access-list outside_acl_in deny ip any any
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
!
! Rule 0 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0.0 description "0 (NAT)"
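Review bot: The unconditional `clear config object-group` is removed from the old side (second hunk) but no `clear conf object-group` is added at the top of the new side, only `clear conf object`, whereas the neighbouring pix 8.3 fixtures get both. If the manager now emits the object-group clear only when the current policy defines groups, a config that previously used groups and no longer does will leave stale object-groups on the device after the push; keeping the clear unconditional is the safer default since the file already clears access-lists and nat unconditionally. This is inferred from the fixtures only; the emitting code in NamedObjectManager is not in this diff, so please confirm.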


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:13 2011 PST by vadim
! Generated Thu Jan 20 17:13:13 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -87,6 +87,52 @@ parameters
router-alert action clear
clear xlate
clear config nat
clear config access-list
clear config icmp
clear config telnet
clear conf object-group
clear conf object
object service http.0
service tcp destination eq 80
quit
object service smtp.0
service tcp destination eq 25
quit
object network spamhost1.0
host 61.150.47.112
quit
object network hostA:eth0.0
host 192.168.1.10
quit
object network Internal_net.0
subnet 192.168.1.0 255.255.255.0
quit
object network internal_subnet_1.0
subnet 192.168.1.0 255.255.255.192
quit
object network internal_subnet_2.0
subnet 192.168.1.64 255.255.255.192
quit
object network test_range_1.0
range 192.168.1.11 192.168.1.15
quit
object-group network id20655X6113.osrc.net.0
network-object object internal_subnet_1.0
network-object object internal_subnet_2.0
exit
object service http.0
service tcp destination eq 80
quit
@ -121,10 +167,6 @@ quit
!################
clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
access-list inside_acl_in deny ip any any
@ -134,14 +176,6 @@ access-list outside_acl_in deny ip any any
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
object-group network id20655X6113.osrc.net.0
network-object object internal_subnet_1.0
network-object object internal_subnet_2.0
exit
!
! Rule 0 (NAT)
nat (inside,outside) source static Internal_net.0 Internal_net.0 service http.0 http.0 description "0 (NAT)"


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:14 2011 PST by vadim
! Generated Thu Jan 20 17:13:14 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -89,6 +89,11 @@ service-policy global_policy global
clear xlate
clear config nat
clear conf object
object network dmz-range-1.0
range 172.16.0.10 172.16.0.15
quit
@ -100,9 +105,6 @@ quit
!################
clear xlate
clear config nat
clear config object
!
! Rule 0 (NAT)
nat (inside,outside) source dynamic inside-range-1.0 interface description "0 (NAT)"


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:14 2011 PST by vadim
! Generated Thu Jan 20 17:13:14 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -74,6 +74,13 @@ service-policy global_policy global
clear config access-list
clear config icmp
clear config telnet
clear conf object-group
clear conf object
object network inside-range-1.0
range 10.0.0.5 10.0.0.10
quit
@ -82,17 +89,13 @@ object network inside-range-2.0
range 10.0.0.8 10.0.0.15
quit
!################
clear config access-list
clear config object-group
clear config icmp
clear config telnet
object-group network id26782X14355.src.net.0
network-object object inside-range-1.0
network-object object inside-range-2.0
exit
!################
!
! Rule 0 (global)
access-list inside_acl_in remark 0 (global)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:15 2011 PST by vadim
! Generated Thu Jan 20 17:13:15 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported
@ -94,25 +94,21 @@ fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
!################
access-list mode auto
clear access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear static
clear global
clear nat
clear access-list dmz_acl_in
clear access-list inside_acl_in
clear access-list outside_acl_in
clear object-group
clear icmp
clear telnet
clear conf object-group
clear conf object
object-group network id444A03DE9567.dst.net.0
network-object host 211.11.11.11
network-object host 211.22.22.22
@ -224,6 +220,18 @@ object-group service id444A04819567.srv.tcp.0 tcp
port-object eq 111
port-object eq 7100
exit
!################
access-list mode auto
clear access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
!
! Rule 2 (ethernet1)
icmp permit any 3 outside
@ -349,10 +357,6 @@ access-group dmz_acl_in in interface dmz
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear static
clear global
clear nat
!
! Rule 0 (NAT)
global (outside) 1 interface
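Review bot: The temporary lockdown ACL is now installed after the existing interface ACLs have already been cleared, which defeats the protection it exists to give: on the new side `clear access-list dmz_acl_in`, `clear access-list inside_acl_in`, `clear access-list outside_acl_in`, `clear icmp` and `clear telnet` run at the top of the first hunk, while `access-group tmp_acl in interface outside` / `... inside` only follow the object-group definitions in the second hunk. Between those two points the interfaces carry no ACL, so the platform's default security-level behaviour applies (higher-to-lower traffic passes unfiltered) and an interrupted push leaves the device in that state; the old side applied tmp_acl before any `clear`. I would keep the tmp_acl block ahead of every clear that touches access-lists, icmp or telnet, which is compatible with the stated goal as long as tmp_acl itself references no named objects or groups. Separately, the added `clear conf object-group` duplicates the `clear object-group` two lines above it, and `clear conf object` targets ASA 8.3 named objects, which FWSM 2.3 does not have as far as I know, so these lines likely need the same platform check the rest of the file's `clear` syntax already reflects; that check lives in NamedObjectManager, outside this diff.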


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:15 2011 PST by vadim
! Generated Thu Jan 20 17:13:15 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported
@ -106,24 +106,22 @@ policy-map global_policy
service-policy global_policy global
!################
access-list mode auto
clear config access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear config static
clear config global
clear config nat
clear config access-list dmz_acl_in
clear config access-list inside_acl_in
clear config access-list outside_acl_in
clear config object-group
clear config icmp
clear config telnet
clear conf object-group
clear conf object
object-group network id17298X54624.dst.net.0
network-object host 211.11.11.11
network-object host 211.22.22.22
@ -235,6 +233,18 @@ object-group service id17461X54624.srv.tcp.0 tcp
port-object eq 111
port-object eq 7100
exit
!################
access-list mode auto
clear config access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
!
! Rule 2 (ethernet1)
icmp permit any 3 outside
@ -360,10 +370,6 @@ access-group dmz_acl_in in interface dmz
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear config static
clear config global
clear config nat
!
! Rule 0 (NAT)
global (outside) 1 interface


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:16 2011 PST by vadim
! Generated Thu Jan 20 17:13:16 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -84,6 +84,18 @@ policy-map global_policy
service-policy global_policy global
clear xlate
clear config static
clear config global
clear config nat
clear config access-list inside_acl_in
clear config access-list outside_acl_in
clear config icmp
clear config telnet
!################
clear config access-list tmp_acl
@ -93,12 +105,6 @@ access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear config access-list inside_acl_in
clear config access-list outside_acl_in
clear config object-group
clear config icmp
clear config telnet
!
! Rule -1 backup ssh access rule (automatic)
ssh 10.3.14.42 255.255.255.255 inside
@ -136,10 +142,6 @@ access-list inside_acl_in deny ip any any log 6 interval 300
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear config static
clear config global
clear config nat
!
! Rule 0 (NAT)
global (outside) 1 interface
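Review bot: Same ordering regression as in the FWSM fixtures: the new side emits `clear config access-list inside_acl_in`, `clear config access-list outside_acl_in`, `clear config icmp` and `clear config telnet` in the first hunk, ahead of the tmp_acl block that begins at `clear config access-list tmp_acl`, whereas the old side cleared them only after `access-group tmp_acl in interface inside`. During that window the interfaces have no ACL and management access (telnet/icmp) is cleared before the lockdown ACL that is supposed to preserve it is in place, so the clears of interface ACLs, icmp and telnet should stay after the tmp_acl block even if the object/object-group clears move to the top. Note also that the old side's `clear config object-group` is dropped and nothing visible re-adds it for this file, so object-groups from an earlier install would no longer be cleared; some lines of the first hunk are missing from the rendered page, so please verify against the actual fixture.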


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:16 2011 PST by vadim
! Generated Thu Jan 20 17:13:16 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -84,14 +84,19 @@ floodguard disable
fixup protocol dns maximum-length 65535
fixup protocol ftp 21
fixup protocol http 80
fixup protocol icmp error
fixup protocol icmp error
clear xlate
clear static
clear global
clear nat
clear access-list
clear icmp
clear telnet
!################
clear access-list
clear object-group
clear icmp
clear telnet
!
! Rule 0 (global)
access-list inside_acl_in remark 0 (global)
@ -124,10 +129,6 @@ access-list inside_acl_in deny ip any any log 5 interval 120
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
clear xlate
clear static
clear global
clear nat
!
! Rule 0 (NAT)
global (outside) 1 interface


@ -1,9 +1,9 @@
;
; This is automatically generated file. DO NOT MODIFY !
;
; Firewall Builder fwb_procurve_acl v4.2.0.3435
; Firewall Builder fwb_procurve_acl v4.2.0.3440
;
; Generated Sun Jan 16 23:00:19 2011 PST by vadim
; Generated Thu Jan 20 16:26:46 2011 PST by vadim
;
; Compiled for procurve_acl K.13
;
@ -22,11 +22,6 @@
; ================ IPv4
interface a1
no ip access-group a1_in in
exit
@ -97,6 +92,7 @@ no ip access-list extended vlan_40_in
no vlan 40 ip access-group vlan_40_out out
no ip access-list extended vlan_40_out
; ================ IPv4
ip access-list extended a1_in


@ -1,9 +1,9 @@
;
; This is automatically generated file. DO NOT MODIFY !
;
; Firewall Builder fwb_procurve_acl v4.2.0.3435
; Firewall Builder fwb_procurve_acl v4.2.0.3440
;
; Generated Sun Jan 16 23:00:20 2011 PST by vadim
; Generated Thu Jan 20 16:26:47 2011 PST by vadim
;
; Compiled for procurve_acl K.13
;
@ -28,7 +28,6 @@
; ================ IPv4
ip access-list extended vlan_10_in
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22


@ -1,9 +1,9 @@
;
; This is automatically generated file. DO NOT MODIFY !
;
; Firewall Builder fwb_procurve_acl v4.2.0.3435
; Firewall Builder fwb_procurve_acl v4.2.0.3440
;
; Generated Sun Jan 16 23:00:20 2011 PST by vadim
; Generated Thu Jan 20 16:26:47 2011 PST by vadim
;
; Compiled for procurve_acl K.13
;
@ -31,10 +31,6 @@ ip access-list extended tmp_acl
deny ip any any
exit
vlan 40 ip access-group tmp_acl in
; ================ IPv4
no vlan 10 ip access-group vlan_10_in in
no ip access-list extended vlan_10_in
@ -65,6 +61,7 @@ no ip access-list extended vlan_40_in
no vlan 40 ip access-group vlan_40_out out
no ip access-list extended vlan_40_out
; ================ IPv4
ip access-list extended vlan_10_in


@ -1,9 +1,9 @@
;
; This is automatically generated file. DO NOT MODIFY !
;
; Firewall Builder fwb_procurve_acl v4.2.0.3435
; Firewall Builder fwb_procurve_acl v4.2.0.3440
;
; Generated Sun Jan 16 23:00:21 2011 PST by vadim
; Generated Thu Jan 20 16:26:47 2011 PST by vadim
;
; Compiled for procurve_acl K.13
;
@ -35,10 +35,6 @@ exit
interface a1
ip access-group tmp_acl in
exit
; ================ IPv4
interface a1
no ip access-group a1_in in
exit
@ -79,6 +75,7 @@ no ip access-list extended vlan_40_in
no vlan 40 ip access-group vlan_40_out out
no ip access-list extended vlan_40_out
; ================ IPv4
ip access-list extended a1_in