onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 09:47:20 +01:00
Code Issues Releases Wiki Activity

* PIXImporterNat.cpp (buildDNATRule): import of PIX/ASA "static"

Browse Source 
commands works for the most part. Needs more testing.
This commit is contained in:
Vadim Kurland 2011-03-30 19:30:52 -07:00
parent 4f811091f5
commit 2e7377bbf6
20 changed files with 2889 additions and 1329 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/ChangeLog
View File

@ -1,3 +1,8 @@
2011-03-30 vadim <vadim@netcitadel.com>
* PIXImporterNat.cpp (buildDNATRule): import of PIX/ASA "static"
commands works for the most part. Needs more testing.
2011-03-28 vadim <vadim@netcitadel.com>
* ObjectManipulator.cpp (getDeleteMenuState): see #2226 fixed GUI

8
src/import/Importer.cpp
View File

@ -490,6 +490,8 @@ void Importer::setDefaultAction(const std::string &iptables_action_name)
void Importer::newPolicyRule()
{
if (fwbdebug) qDebug() << "Importer::newPolicyRule()";
FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
FWObject *nobj = dbroot->create(PolicyRule::TYPENAME);
current_rule = Rule::cast(nobj);
@ -502,9 +504,13 @@ void Importer::newPolicyRule()
void Importer::newNATRule()
{
if (fwbdebug) qDebug() << "Importer::newNATRule()";
FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
FWObject *nobj = dbroot->create(NATRule::TYPENAME);
current_rule = Rule::cast(nobj);
if (fwbdebug) qDebug() << "current_rule=" << current_rule;
}
void Importer::pushRule()
@ -533,6 +539,8 @@ void Importer::pushRule()
ropt->setBool("stateless", true);
}
rule->setDirection(PolicyRule::Both);
addSrc();
addDst();
addSrv();

52
src/import/PIXImporter.cpp
View File

@ -132,19 +132,27 @@ void PIXImporter::clearTempVars()
Importer::clear();
}
FWObject* PIXImporter::makeSrcObj()
{
if (src_nm == "interface")
Interface* PIXImporter::getInterfaceByLabel(const string &label)
{
map<const string,Interface*>::iterator it;
for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it)
{
Interface *intf = it->second;
if (intf->getLabel() == src_a)
if (intf->getLabel() == label)
{
return intf;
}
}
return NULL;
}
FWObject* PIXImporter::makeSrcObj()
{
if (src_nm == "interface")
{
Interface *intf = getInterfaceByLabel(src_a);
if (intf) return intf;
throw ImporterException(
QString("Cannot find interface with label '%1'").arg(src_a.c_str()));
}
@ -160,15 +168,8 @@ FWObject* PIXImporter::makeDstObj()
{
if (dst_nm == "interface")
{
map<const string,Interface*>::iterator it;
for (it=all_interfaces.begin(); it!=all_interfaces.end(); ++it)
{
Interface *intf = it->second;
if (intf->getLabel() == dst_a)
{
return intf;
}
}
Interface *intf = getInterfaceByLabel(dst_a);
if (intf) return intf;
throw ImporterException(
QString("Cannot find interface with label '%1'").arg(dst_a.c_str()));
}
@ -378,6 +379,9 @@ Firewall* PIXImporter::finalize()
FWObject *policy = getFirewallObject()->getFirstByType(Policy::TYPENAME);
assert( policy!=NULL );
FWObject *nat = getFirewallObject()->getFirstByType(NAT::TYPENAME);
assert( nat!=NULL );
if (all_rulesets.size()!=0)
{
if (fwbdebug)
@ -400,7 +404,10 @@ Firewall* PIXImporter::finalize()
list<string>::iterator it;
for (it=ruleset_names.begin(); it!=ruleset_names.end(); ++it)
{
UnidirectionalRuleSet *irs = all_rulesets[*it];
string ruleset_name = *it;
if (ruleset_name == "nat") continue;
UnidirectionalRuleSet *irs = all_rulesets[ruleset_name];
if (fwbdebug)
{
@ -531,6 +538,23 @@ Firewall* PIXImporter::finalize()
rs->renumberRules();
}
// Deal with NAT ruleset
UnidirectionalRuleSet *nat_rs = all_rulesets["nat"];
if (nat_rs)
{
while (nat_rs->ruleset->size() > 0)
{
FWObject *r = nat_rs->ruleset->front();
nat->reparent(r);
}
NAT::cast(nat)->renumberRules();
nat_rs->ruleset->clearChildren(false);
getFirewallObject()->remove(nat_rs->ruleset, false);
delete nat_rs->ruleset;
}
return fw;
}
else

4
src/import/PIXImporter.h
View File

@ -93,6 +93,9 @@ class PIXImporter : public IOSImporter
void pushPolicyRule();
void pushNATRule();
void buildDNATRule();
void buildSNATRule();
virtual void pushRule();
// this method actually adds interfaces to the firewall object
@ -155,6 +158,7 @@ class PIXImporter : public IOSImporter
void addTCPUDPServiceToObjectGroup();
void addICMPServiceToObjectGroup();
libfwbuilder::Interface* getInterfaceByLabel(const std::string &label);
void rearrangeVlanInterfaces();
};

166
src/import/PIXImporterNat.cpp
View File

@ -43,7 +43,7 @@
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Library.h"
@ -54,9 +54,173 @@
extern int fwbdebug;
using namespace libfwbuilder;
using namespace std;
/*
Variables used to build nat rules
libfwbuilder::NATRule::NATRuleTypes rule_type;
std::string prenat_interface;
std::string postnat_interface;
std::string real_a;
std::string real_nm;
std::string mapped_a;
std::string mapped_nm;
std::string real_addr_acl;
std::string mapped_port_spec;
std::string real_port_spec;
std::string static_max_conn;
std::string static_max_emb_conn;
std::string nat_num;
std::string nat_a;
std::string nat_nm;
std::string nat_acl;
std::string global_pool_num;
std::string global_interface;
*/
void PIXImporter::pushNATRule()
{
assert(current_ruleset!=NULL);
assert(current_rule!=NULL);
NATRule *rule = NATRule::cast(current_rule);
switch (rule_type)
{
case NATRule::DNAT:
buildDNATRule();
break;
case NATRule::SNAT:
buildSNATRule();
break;
default:
assert(rule_type!=NATRule::DNAT && rule_type!=NATRule::SNAT);
}
// then add it to the current ruleset
current_ruleset->ruleset->add(current_rule);
addStandardImportComment(current_rule, QString::fromUtf8(rule_comment.c_str()));
current_rule = NULL;
rule_comment = "";
clear();
}
/*
* DNAT rule.
*
* Using real_a, real_nm, mapped_a, mapped_nm, real_addr_acl,
* real_port_spec, mapped_port_spec, prenat_interface,
* postnat_interface
*/
void PIXImporter::buildDNATRule()
{
NATRule *rule = NATRule::cast(current_rule);
Interface *pre_intf = getInterfaceByLabel(prenat_interface);
Interface *post_intf = getInterfaceByLabel(postnat_interface);
rule->setAction(NATRule::Translate);
if (real_nm.empty()) real_nm = InetAddr::getAllOnes().toString();
if (mapped_nm.empty()) mapped_nm = InetAddr::getAllOnes().toString();
if ( ! mapped_a.empty())
{
if (mapped_a == "interface")
{
RuleElementODst* odst = rule->getODst();
assert(odst!=NULL);
odst->addRef(post_intf);
} else
{
dst_a = mapped_a;
dst_nm = mapped_nm;
addODst();
}
}
if ( ! real_a.empty())
{
dst_a = real_a;
dst_nm = real_nm;
RuleElement* tdst = rule->getTDst();
assert(tdst!=NULL);
FWObject *s = makeDstObj();
if (s) tdst->addRef( s );
}
if ( ! real_addr_acl.empty())
{
UnidirectionalRuleSet *rs = all_rulesets[real_addr_acl];
if (rs)
{
RuleElement* tdst = rule->getTDst();
assert(tdst!=NULL);
PolicyRule *policy_rule = PolicyRule::cast(
rs->ruleset->getFirstByType(PolicyRule::TYPENAME));
if (policy_rule)
{
RuleElement *src = policy_rule->getSrc();
for (FWObject::iterator it=src->begin(); it!=src->end(); ++it)
{
FWObject *o = FWReference::getObject(*it);
tdst->addRef(o);
}
}
}
}
if ( ! mapped_port_spec.empty())
{
src_port_spec = "";
dst_port_op = "eq";
dst_port_spec = mapped_port_spec;
RuleElement* osrv = rule->getOSrv();
assert(osrv!=NULL);
FWObject *s = Importer::makeSrvObj();
if (s) osrv->addRef( s );
}
if ( ! real_port_spec.empty())
{
src_port_spec = "";
dst_port_op = "eq";
dst_port_spec = real_port_spec;
RuleElement* tsrv = rule->getTSrv();
assert(tsrv!=NULL);
FWObject *s = Importer::makeSrvObj();
if (s) tsrv->addRef( s );
}
RuleElement *itf_i_re = rule->getItfInb();
assert(itf_i_re!=NULL);
itf_i_re->addRef(post_intf);
RuleElement *itf_o_re = rule->getItfOutb();
assert(itf_o_re!=NULL);
itf_o_re->addRef(pre_intf);
}
void PIXImporter::buildSNATRule()
{
}

569
src/parsers/PIXCfgLexer.cpp
View File

@ -44,137 +44,141 @@ PIXCfgLexer::PIXCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState&
void PIXCfgLexer::initLiterals()
{
literals["full"] = 119;
literals["parameter-problem"] = 85;
literals["full"] = 120;
literals["parameter-problem"] = 86;
literals["port-object"] = 53;
literals["notifications"] = 105;
literals["duplex"] = 125;
literals["no"] = 55;
literals["static"] = 147;
literals["notifications"] = 106;
literals["duplex"] = 126;
literals["dns"] = 55;
literals["no"] = 56;
literals["static"] = 148;
literals["esp"] = 16;
literals["time-range"] = 111;
literals["time-range"] = 112;
literals["gre"] = 17;
literals["timestamp-request"] = 92;
literals["echo"] = 72;
literals["speed"] = 124;
literals["warnings"] = 106;
literals["timestamp-request"] = 93;
literals["echo"] = 73;
literals["speed"] = 125;
literals["warnings"] = 107;
literals["timeout"] = 8;
literals["eigrp"] = 15;
literals["icmp-type"] = 50;
literals["permit"] = 65;
literals["remark"] = 141;
literals["permit"] = 66;
literals["remark"] = 143;
literals["network"] = 29;
literals["igmp"] = 18;
literals["range"] = 34;
literals["destination"] = 43;
literals["setroute"] = 152;
literals["vlan"] = 123;
literals["debugging"] = 101;
literals["controller"] = 112;
literals["interface"] = 95;
literals["dhcp"] = 137;
literals["aui"] = 116;
literals["Version"] = 59;
literals["auto"] = 117;
literals["setroute"] = 153;
literals["vlan"] = 124;
literals["debugging"] = 102;
literals["controller"] = 113;
literals["interface"] = 96;
literals["dhcp"] = 138;
literals["aui"] = 117;
literals["Version"] = 60;
literals["auto"] = 118;
literals["subnet"] = 35;
literals["time-exceeded"] = 90;
literals["outside"] = 113;
literals["shutdown"] = 135;
literals["time-exceeded"] = 91;
literals["outside"] = 114;
literals["shutdown"] = 136;
literals["group-object"] = 45;
literals["eq"] = 68;
literals["fragments"] = 110;
literals["unreachable"] = 94;
literals["delay"] = 128;
literals["eq"] = 69;
literals["fragments"] = 111;
literals["unreachable"] = 95;
literals["norandomseq"] = 150;
literals["delay"] = 129;
literals["ip"] = 6;
literals["security-level"] = 134;
literals["mobile-redirect"] = 84;
literals["security-level"] = 135;
literals["mobile-redirect"] = 85;
literals["ospf"] = 23;
literals["name"] = 10;
literals["errors"] = 103;
literals["mask-request"] = 83;
literals["PIX"] = 57;
literals["any"] = 96;
literals["ASA"] = 58;
literals["errors"] = 104;
literals["mask-request"] = 84;
literals["PIX"] = 58;
literals["any"] = 97;
literals["ASA"] = 59;
literals["pptp"] = 26;
literals["redirect"] = 86;
literals["forward"] = 127;
literals["redirect"] = 87;
literals["forward"] = 128;
literals["description"] = 32;
literals["timestamp-reply"] = 91;
literals["alerts"] = 99;
literals["lt"] = 70;
literals["bnc"] = 118;
literals["global"] = 146;
literals["timestamp-reply"] = 92;
literals["alerts"] = 100;
literals["netmask"] = 151;
literals["lt"] = 71;
literals["bnc"] = 119;
literals["global"] = 147;
literals["nos"] = 22;
literals["extended"] = 64;
literals["certificate"] = 56;
literals["extended"] = 65;
literals["certificate"] = 57;
literals["service"] = 36;
literals["telnet"] = 75;
literals["telnet"] = 76;
literals["udp"] = 41;
literals["hold-time"] = 129;
literals["baseT"] = 120;
literals["hold-time"] = 130;
literals["baseT"] = 121;
literals["ipinip"] = 20;
literals["standby"] = 138;
literals["standby"] = 139;
literals["crypto"] = 54;
literals["pim"] = 25;
literals["secondary"] = 151;
literals["emergencies"] = 102;
literals["disable"] = 107;
literals["mask-reply"] = 82;
literals["secondary"] = 152;
literals["emergencies"] = 103;
literals["disable"] = 108;
literals["mask-reply"] = 83;
literals["tcp"] = 40;
literals["tcp-udp"] = 51;
literals["source"] = 42;
literals["names"] = 9;
literals["icmp"] = 37;
literals["log"] = 97;
literals["log"] = 98;
literals["snp"] = 27;
literals["mac-address"] = 131;
literals["established"] = 76;
literals["deny"] = 66;
literals["information-request"] = 81;
literals["ssh"] = 74;
literals["mac-address"] = 132;
literals["established"] = 77;
literals["deny"] = 67;
literals["information-request"] = 82;
literals["ssh"] = 75;
literals["protocol-object"] = 48;
literals["gt"] = 69;
literals["gt"] = 70;
literals["ah"] = 14;
literals["interval"] = 109;
literals["ddns"] = 126;
literals["ipv6"] = 130;
literals["rip"] = 73;
literals["baseTX"] = 121;
literals["access-group"] = 142;
literals["critical"] = 100;
literals["standard"] = 67;
literals["interval"] = 110;
literals["ddns"] = 127;
literals["ipv6"] = 131;
literals["rip"] = 74;
literals["baseTX"] = 122;
literals["access-group"] = 144;
literals["critical"] = 101;
literals["standard"] = 68;
literals["quit"] = 5;
literals["community-list"] = 7;
literals["network-object"] = 46;
literals["hostname"] = 61;
literals["information-reply"] = 80;
literals["hostname"] = 62;
literals["information-reply"] = 81;
literals["icmp6"] = 39;
literals["switchport"] = 139;
literals["switchport"] = 140;
literals["ipsec"] = 21;
literals["conversion-error"] = 78;
literals["conversion-error"] = 79;
literals["host"] = 33;
literals["echo-reply"] = 79;
literals["nameif"] = 122;
literals["echo-reply"] = 80;
literals["nameif"] = 123;
literals["pcp"] = 24;
literals["service-object"] = 52;
literals["nat"] = 30;
literals["access-list"] = 63;
literals["informational"] = 104;
literals["access-list"] = 64;
literals["informational"] = 105;
literals["igrp"] = 19;
literals["traceroute"] = 93;
literals["address"] = 136;
literals["log-input"] = 98;
literals["router-advertisement"] = 87;
literals["router-solicitation"] = 88;
literals["access"] = 140;
literals["traceroute"] = 94;
literals["address"] = 137;
literals["log-input"] = 99;
literals["router-advertisement"] = 88;
literals["router-solicitation"] = 89;
literals["access"] = 141;
literals["icmp-object"] = 49;
literals["source-quench"] = 89;
literals["source-quench"] = 90;
literals["scopy"] = 142;
literals["protocol"] = 47;
literals["inactive"] = 108;
literals["multicast"] = 132;
literals["exit"] = 115;
literals["neq"] = 71;
literals["alternate-address"] = 77;
literals["inactive"] = 109;
literals["multicast"] = 133;
literals["exit"] = 116;
literals["neq"] = 72;
literals["alternate-address"] = 78;
}
ANTLR_USE_NAMESPACE(antlr)RefToken PIXCfgLexer::nextToken()
@ -488,11 +492,11 @@ void PIXCfgLexer::mLINE_COMMENT(bool _createToken) {
}
}
else {
goto _loop263;
goto _loop268;
}
}
_loop263:;
_loop268:;
} // ( ... )*
mNEWLINE(false);
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -524,9 +528,9 @@ void PIXCfgLexer::mNEWLINE(bool _createToken) {
}
if ( inputState->guessing==0 ) {
#line 2228 "pix.g"
#line 2266 "pix.g"
newline();
#line 530 "PIXCfgLexer.cpp"
#line 534 "PIXCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -550,11 +554,11 @@ void PIXCfgLexer::mCOLON_COMMENT(bool _createToken) {
}
}
else {
goto _loop267;
goto _loop272;
}
}
_loop267:;
_loop272:;
} // ( ... )*
mNEWLINE(false);
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -648,9 +652,9 @@ void PIXCfgLexer::mWhitespace(bool _createToken) {
}
}
if ( inputState->guessing==0 ) {
#line 2223 "pix.g"
#line 2261 "pix.g"
_ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP;
#line 654 "PIXCfgLexer.cpp"
#line 658 "PIXCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -772,10 +776,10 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
{
bool synPredMatched328 = false;
bool synPredMatched333 = false;
if (((LA(1) == 0x6f /* 'o' */ ) && (LA(2) == 0x62 /* 'b' */ ) && (LA(3) == 0x6a /* 'j' */ ))) {
int _m328 = mark();
synPredMatched328 = true;
int _m333 = mark();
synPredMatched333 = true;
inputState->guessing++;
try {
{
@ -784,12 +788,12 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched328 = false;
synPredMatched333 = false;
}
rewind(_m328);
rewind(_m333);
inputState->guessing--;
}
if ( synPredMatched328 ) {
if ( synPredMatched333 ) {
{
match("object");
{
@ -799,17 +803,17 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
match("oup");
}
if ( inputState->guessing==0 ) {
#line 2280 "pix.g"
#line 2318 "pix.g"
_ttype = OBJECT_GROUP;
#line 805 "PIXCfgLexer.cpp"
#line 809 "PIXCfgLexer.cpp"
}
}
else {
match("");
if ( inputState->guessing==0 ) {
#line 2282 "pix.g"
#line 2320 "pix.g"
_ttype = OBJECT;
#line 813 "PIXCfgLexer.cpp"
#line 817 "PIXCfgLexer.cpp"
}
}
@ -817,61 +821,12 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
else {
bool synPredMatched318 = false;
bool synPredMatched323 = false;
if (((_tokenSet_2.member(LA(1))) && (_tokenSet_3.member(LA(2))) && (true))) {
int _m318 = mark();
synPredMatched318 = true;
int _m323 = mark();
synPredMatched323 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt317=0;
for (;;) {
switch ( LA(1)) {
case 0x61 /* 'a' */ :
case 0x62 /* 'b' */ :
case 0x63 /* 'c' */ :
case 0x64 /* 'd' */ :
case 0x65 /* 'e' */ :
case 0x66 /* 'f' */ :
{
matchRange('a','f');
break;
}
case 0x30 /* '0' */ :
case 0x31 /* '1' */ :
case 0x32 /* '2' */ :
case 0x33 /* '3' */ :
case 0x34 /* '4' */ :
case 0x35 /* '5' */ :
case 0x36 /* '6' */ :
case 0x37 /* '7' */ :
case 0x38 /* '8' */ :
case 0x39 /* '9' */ :
{
matchRange('0','9');
break;
}
default:
{
if ( _cnt317>=1 ) { goto _loop317; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
}
_cnt317++;
}
_loop317:;
} // ( ... )+
mCOLON(false);
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched318 = false;
}
rewind(_m318);
inputState->guessing--;
}
if ( synPredMatched318 ) {
{
{
{ // ( ... )+
int _cnt322=0;
@ -910,8 +865,57 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
_loop322:;
} // ( ... )+
mCOLON(false);
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched323 = false;
}
rewind(_m323);
inputState->guessing--;
}
if ( synPredMatched323 ) {
{
{
{ // ( ... )+
int _cnt326=0;
int _cnt327=0;
for (;;) {
switch ( LA(1)) {
case 0x61 /* 'a' */ :
case 0x62 /* 'b' */ :
case 0x63 /* 'c' */ :
case 0x64 /* 'd' */ :
case 0x65 /* 'e' */ :
case 0x66 /* 'f' */ :
{
matchRange('a','f');
break;
}
case 0x30 /* '0' */ :
case 0x31 /* '1' */ :
case 0x32 /* '2' */ :
case 0x33 /* '3' */ :
case 0x34 /* '4' */ :
case 0x35 /* '5' */ :
case 0x36 /* '6' */ :
case 0x37 /* '7' */ :
case 0x38 /* '8' */ :
case 0x39 /* '9' */ :
{
matchRange('0','9');
break;
}
default:
{
if ( _cnt327>=1 ) { goto _loop327; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
}
_cnt327++;
}
_loop327:;
} // ( ... )+
{ // ( ... )+
int _cnt331=0;
for (;;) {
if ((LA(1) == 0x3a /* ':' */ )) {
mCOLON(false);
@ -944,34 +948,34 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
goto _loop325;
goto _loop330;
}
}
}
_loop325:;
_loop330:;
} // ( ... )*
}
else {
if ( _cnt326>=1 ) { goto _loop326; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt331>=1 ) { goto _loop331; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt326++;
_cnt331++;
}
_loop326:;
_loop331:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 2273 "pix.g"
#line 2311 "pix.g"
_ttype = IPV6;
#line 967 "PIXCfgLexer.cpp"
#line 971 "PIXCfgLexer.cpp"
}
}
}
else {
bool synPredMatched283 = false;
bool synPredMatched288 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true))) {
int _m283 = mark();
synPredMatched283 = true;
int _m288 = mark();
synPredMatched288 = true;
inputState->guessing++;
try {
{
@ -979,149 +983,105 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched283 = false;
synPredMatched288 = false;
}
rewind(_m283);
rewind(_m288);
inputState->guessing--;
}
if ( synPredMatched283 ) {
if ( synPredMatched288 ) {
{
bool synPredMatched292 = false;
bool synPredMatched297 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
int _m292 = mark();
synPredMatched292 = true;
int _m297 = mark();
synPredMatched297 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt287=0;
int _cnt292=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt287>=1 ) { goto _loop287; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt292>=1 ) { goto _loop292; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt287++;
_cnt292++;
}
_loop287:;
_loop292:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt289=0;
int _cnt294=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt289>=1 ) { goto _loop289; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt294>=1 ) { goto _loop294; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt289++;
_cnt294++;
}
_loop289:;
_loop294:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt291=0;
int _cnt296=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt291>=1 ) { goto _loop291; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt296>=1 ) { goto _loop296; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt291++;
_cnt296++;
}
_loop291:;
_loop296:;
} // ( ... )+
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched292 = false;
synPredMatched297 = false;
}
rewind(_m292);
rewind(_m297);
inputState->guessing--;
}
if ( synPredMatched292 ) {
if ( synPredMatched297 ) {
{
{ // ( ... )+
int _cnt295=0;
int _cnt300=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt295>=1 ) { goto _loop295; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt300>=1 ) { goto _loop300; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt295++;
_cnt300++;
}
_loop295:;
_loop300:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt297=0;
int _cnt302=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt297>=1 ) { goto _loop297; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt302>=1 ) { goto _loop302; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt297++;
_cnt302++;
}
_loop297:;
_loop302:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt299=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt299>=1 ) { goto _loop299; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt299++;
}
_loop299:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt301=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt301>=1 ) { goto _loop301; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt301++;
}
_loop301:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 2261 "pix.g"
_ttype = IPV4;
#line 1114 "PIXCfgLexer.cpp"
}
}
else {
bool synPredMatched307 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
int _m307 = mark();
synPredMatched307 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt304=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
@ -1151,70 +1111,114 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
_loop306:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 2299 "pix.g"
_ttype = IPV4;
#line 1118 "PIXCfgLexer.cpp"
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched307 = false;
}
rewind(_m307);
inputState->guessing--;
}
if ( synPredMatched307 ) {
else {
bool synPredMatched312 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
int _m312 = mark();
synPredMatched312 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt310=0;
int _cnt309=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt310>=1 ) { goto _loop310; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt309>=1 ) { goto _loop309; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt310++;
_cnt309++;
}
_loop310:;
_loop309:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt312=0;
int _cnt311=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt312>=1 ) { goto _loop312; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt311>=1 ) { goto _loop311; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt312++;
_cnt311++;
}
_loop312:;
_loop311:;
} // ( ... )+
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched312 = false;
}
rewind(_m312);
inputState->guessing--;
}
if ( synPredMatched312 ) {
{
{ // ( ... )+
int _cnt315=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt315>=1 ) { goto _loop315; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt315++;
}
_loop315:;
} // ( ... )+
mDOT(false);
{ // ( ... )+
int _cnt317=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt317>=1 ) { goto _loop317; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt317++;
}
_loop317:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 2264 "pix.g"
#line 2302 "pix.g"
_ttype = NUMBER;
#line 1197 "PIXCfgLexer.cpp"
#line 1201 "PIXCfgLexer.cpp"
}
}
else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true)) {
{ // ( ... )+
int _cnt314=0;
int _cnt319=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt314>=1 ) { goto _loop314; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt319>=1 ) { goto _loop319; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt314++;
_cnt319++;
}
_loop314:;
_loop319:;
} // ( ... )+
if ( inputState->guessing==0 ) {
#line 2266 "pix.g"
#line 2304 "pix.g"
_ttype = INT_CONST;
#line 1218 "PIXCfgLexer.cpp"
#line 1222 "PIXCfgLexer.cpp"
}
}
else {
@ -1312,13 +1316,28 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
break;
}
case 0x2a /* '*' */ :
{
match('*' /* charlit */ );
break;
}
case 0x2b /* '+' */ :
case 0x2c /* ',' */ :
{
match('+' /* charlit */ );
break;
}
case 0x2d /* '-' */ :
{
match('-' /* charlit */ );
break;
}
case 0x2e /* '.' */ :
{
match('.' /* charlit */ );
break;
}
case 0x2f /* '/' */ :
{
matchRange('*','/');
match('/' /* charlit */ );
break;
}
case 0x30 /* '0' */ :
@ -1452,16 +1471,16 @@ void PIXCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
goto _loop334;
goto _loop339;
}
}
}
_loop334:;
_loop339:;
} // ( ... )*
if ( inputState->guessing==0 ) {
#line 2289 "pix.g"
#line 2329 "pix.g"
_ttype = WORD;
#line 1465 "PIXCfgLexer.cpp"
#line 1484 "PIXCfgLexer.cpp"
}
}
else {
@ -1503,11 +1522,11 @@ void PIXCfgLexer::mSTRING(bool _createToken) {
matchNot('\"' /* charlit */ );
}
else {
goto _loop337;
goto _loop342;
}
}
_loop337:;
_loop342:;
} // ( ... )*
match('\"' /* charlit */ );
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -1889,7 +1908,7 @@ const unsigned long PIXCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL,
// 0x82 0x83 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f
// 0x90 0x91 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d
// 0x9e 0x9f 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab
// 0xac 0xad 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7
// 0xac 0xad 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_0(_tokenSet_0_data_,16);
const unsigned long PIXCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14
@ -1900,7 +1919,7 @@ const unsigned long PIXCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 429496729
// 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91
// 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d 0x9e 0x9f
// 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 0xac 0xad
// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7
// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_1(_tokenSet_1_data_,16);
const unsigned long PIXCfgLexer::_tokenSet_2_data_[] = { 0UL, 67043328UL, 0UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0 1 2 3 4 5 6 7 8 9 a b c d e f
@ -1924,6 +1943,6 @@ const unsigned long PIXCfgLexer::_tokenSet_6_data_[] = { 4294967288UL, 429496729
// 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91
// 0x92 0x93 0x94 0x95 0x96 0x97 0x98 0x99 0x9a 0x9b 0x9c 0x9d 0x9e 0x9f
// 0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7 0xa8 0xa9 0xaa 0xab 0xac 0xad
// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7
// 0xae 0xaf 0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7 0xb8
const ANTLR_USE_NAMESPACE(antlr)BitSet PIXCfgLexer::_tokenSet_6(_tokenSet_6_data_,16);

1610
src/parsers/PIXCfgParser.cpp
View File

File diff suppressed because it is too large Load Diff

14
src/parsers/PIXCfgParser.hpp
View File

@ -120,6 +120,7 @@ public:
public: void crypto();
public: void no_commands();
public: void timeout_command();
public: void dns_command();
public: void unknown_command();
public: void ip_protocol_names();
public: void named_object_nat();
@ -129,6 +130,7 @@ public:
public: void range_addr();
public: void subnet_addr();
public: void interface_label();
public: void single_addr();
public: void named_object_service_parameters();
public: void service_icmp();
public: void service_icmp6();
@ -215,10 +217,10 @@ protected:
private:
static const char* tokenNames[];
#ifndef NO_STATIC_CONSTS
static const int NUM_TOKENS = 184;
static const int NUM_TOKENS = 185;
#else
enum {
NUM_TOKENS = 184
NUM_TOKENS = 185
};
#endif
@ -300,6 +302,14 @@ private:
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_37;
static const unsigned long _tokenSet_38_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_38;
static const unsigned long _tokenSet_39_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_39;
static const unsigned long _tokenSet_40_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_40;
static const unsigned long _tokenSet_41_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_41;
static const unsigned long _tokenSet_42_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_42;
};
#endif /*INC_PIXCfgParser_hpp_*/

259
src/parsers/PIXCfgParserTokenTypes.hpp
View File

@ -63,135 +63,136 @@ struct CUSTOM_API PIXCfgParserTokenTypes {
SERVICE_OBJECT = 52,
PORT_OBJECT = 53,
CRYPTO = 54,
NO = 55,
CERTIFICATE = 56,
PIX_WORD = 57,
ASA_WORD = 58,
VERSION_WORD = 59,
NUMBER = 60,
HOSTNAME = 61,
STRING = 62,
ACCESS_LIST = 63,
EXTENDED = 64,
PERMIT = 65,
DENY = 66,
STANDARD = 67,
P_EQ = 68,
P_GT = 69,
P_LT = 70,
P_NEQ = 71,
ECHO = 72,
RIP = 73,
SSH = 74,
TELNET = 75,
ESTABLISHED = 76,
ALTERNATE_ADDRESS = 77,
CONVERSION_ERROR = 78,
ECHO_REPLY = 79,
INFORMATION_REPLY = 80,
INFORMATION_REQUEST = 81,
MASK_REPLY = 82,
MASK_REQUEST = 83,
MOBILE_REDIRECT = 84,
PARAMETER_PROBLEM = 85,
REDIRECT = 86,
ROUTER_ADVERTISEMENT = 87,
ROUTER_SOLICITATION = 88,
SOURCE_QUENCH = 89,
TIME_EXCEEDED = 90,
TIMESTAMP_REPLY = 91,
TIMESTAMP_REQUEST = 92,
TRACEROUTE = 93,
UNREACHABLE = 94,
INTRFACE = 95,
ANY = 96,
LOG = 97,
LOG_INPUT = 98,
LOG_LEVEL_ALERTS = 99,
LOG_LEVEL_CRITICAL = 100,
LOG_LEVEL_DEBUGGING = 101,
LOG_LEVEL_EMERGENCIES = 102,
LOG_LEVEL_ERRORS = 103,
LOG_LEVEL_INFORMATIONAL = 104,
LOG_LEVEL_NOTIFICATIONS = 105,
LOG_LEVEL_WARNINGS = 106,
LOG_LEVEL_DISABLE = 107,
LOG_LEVEL_INACTIVE = 108,
INTERVAL = 109,
FRAGMENTS = 110,
TIME_RANGE = 111,
CONTROLLER = 112,
OUTSIDE = 113,
LINE_COMMENT = 114,
EXIT = 115,
AUI = 116,
AUTO = 117,
BNC = 118,
FULL = 119,
BASET = 120,
BASETX = 121,
NAMEIF = 122,
VLAN = 123,
SPEED = 124,
DUPLEX = 125,
DDNS = 126,
FORWARD = 127,
DELAY = 128,
HOLD_TIME = 129,
IPV6_C = 130,
MAC_ADDRESS = 131,
MULTICAST = 132,
PPPOE = 133,
SEC_LEVEL = 134,
SHUTDOWN = 135,
ADDRESS = 136,
DHCP = 137,
STANDBY = 138,
SWITCHPORT = 139,
ACCESS = 140,
REMARK = 141,
ACCESS_GROUP = 142,
COLON_COMMENT = 143,
CLOSING_PAREN = 144,
DNS = 145,
GLOBAL = 146,
STATIC = 147,
COMMA = 148,
NETMASK = 149,
IPv4 = 150,
SECONDARY = 151,
SETROUTE = 152,
Whitespace = 153,
HEX_CONST = 154,
NEG_INT_CONST = 155,
DIGIT = 156,
HEXDIGIT = 157,
NUMBER_ADDRESS_OR_WORD = 158,
PIPE_CHAR = 159,
NUMBER_SIGN = 160,
PERCENT = 161,
AMPERSAND = 162,
APOSTROPHE = 163,
STAR = 164,
PLUS = 165,
MINUS = 166,
DOT = 167,
SLASH = 168,
COLON = 169,
SEMICOLON = 170,
LESS_THAN = 171,
EQUALS = 172,
GREATER_THAN = 173,
QUESTION = 174,
COMMERCIAL_AT = 175,
OPENING_SQUARE = 176,
CLOSING_SQUARE = 177,
CARET = 178,
UNDERLINE = 179,
OPENING_BRACE = 180,
CLOSING_BRACE = 181,
TILDE = 182,
EXLAMATION = 183,
DNS = 55,
NO = 56,
CERTIFICATE = 57,
PIX_WORD = 58,
ASA_WORD = 59,
VERSION_WORD = 60,
NUMBER = 61,
HOSTNAME = 62,
STRING = 63,
ACCESS_LIST = 64,
EXTENDED = 65,
PERMIT = 66,
DENY = 67,
STANDARD = 68,
P_EQ = 69,
P_GT = 70,
P_LT = 71,
P_NEQ = 72,
ECHO = 73,
RIP = 74,
SSH = 75,
TELNET = 76,
ESTABLISHED = 77,
ALTERNATE_ADDRESS = 78,
CONVERSION_ERROR = 79,
ECHO_REPLY = 80,
INFORMATION_REPLY = 81,
INFORMATION_REQUEST = 82,
MASK_REPLY = 83,
MASK_REQUEST = 84,
MOBILE_REDIRECT = 85,
PARAMETER_PROBLEM = 86,
REDIRECT = 87,
ROUTER_ADVERTISEMENT = 88,
ROUTER_SOLICITATION = 89,
SOURCE_QUENCH = 90,
TIME_EXCEEDED = 91,
TIMESTAMP_REPLY = 92,
TIMESTAMP_REQUEST = 93,
TRACEROUTE = 94,
UNREACHABLE = 95,
INTRFACE = 96,
ANY = 97,
LOG = 98,
LOG_INPUT = 99,
LOG_LEVEL_ALERTS = 100,
LOG_LEVEL_CRITICAL = 101,
LOG_LEVEL_DEBUGGING = 102,
LOG_LEVEL_EMERGENCIES = 103,
LOG_LEVEL_ERRORS = 104,
LOG_LEVEL_INFORMATIONAL = 105,
LOG_LEVEL_NOTIFICATIONS = 106,
LOG_LEVEL_WARNINGS = 107,
LOG_LEVEL_DISABLE = 108,
LOG_LEVEL_INACTIVE = 109,
INTERVAL = 110,
FRAGMENTS = 111,
TIME_RANGE = 112,
CONTROLLER = 113,
OUTSIDE = 114,
LINE_COMMENT = 115,
EXIT = 116,
AUI = 117,
AUTO = 118,
BNC = 119,
FULL = 120,
BASET = 121,
BASETX = 122,
NAMEIF = 123,
VLAN = 124,
SPEED = 125,
DUPLEX = 126,
DDNS = 127,
FORWARD = 128,
DELAY = 129,
HOLD_TIME = 130,
IPV6_C = 131,
MAC_ADDRESS = 132,
MULTICAST = 133,
PPPOE = 134,
SEC_LEVEL = 135,
SHUTDOWN = 136,
ADDRESS = 137,
DHCP = 138,
STANDBY = 139,
SWITCHPORT = 140,
ACCESS = 141,
SCOPY = 142,
REMARK = 143,
ACCESS_GROUP = 144,
COLON_COMMENT = 145,
CLOSING_PAREN = 146,
GLOBAL = 147,
STATIC = 148,
COMMA = 149,
NORANDOMSEQ = 150,
NETMASK = 151,
SECONDARY = 152,
SETROUTE = 153,
Whitespace = 154,
HEX_CONST = 155,
NEG_INT_CONST = 156,
DIGIT = 157,
HEXDIGIT = 158,
NUMBER_ADDRESS_OR_WORD = 159,
PIPE_CHAR = 160,
NUMBER_SIGN = 161,
PERCENT = 162,
AMPERSAND = 163,
APOSTROPHE = 164,
STAR = 165,
PLUS = 166,
MINUS = 167,
DOT = 168,
SLASH = 169,
COLON = 170,
SEMICOLON = 171,
LESS_THAN = 172,
EQUALS = 173,
GREATER_THAN = 174,
QUESTION = 175,
COMMERCIAL_AT = 176,
OPENING_SQUARE = 177,
CLOSING_SQUARE = 178,
CARET = 179,
UNDERLINE = 180,
OPENING_BRACE = 181,
CLOSING_BRACE = 182,
TILDE = 183,
EXLAMATION = 184,
NULL_TREE_LOOKAHEAD = 3
};
#ifdef __cplusplus

259
src/parsers/PIXCfgParserTokenTypes.txt
View File

@ -51,132 +51,133 @@ TCP_UDP="tcp-udp"=51
SERVICE_OBJECT="service-object"=52
PORT_OBJECT="port-object"=53
CRYPTO="crypto"=54
NO="no"=55
CERTIFICATE="certificate"=56
PIX_WORD="PIX"=57
ASA_WORD="ASA"=58
VERSION_WORD="Version"=59
NUMBER=60
HOSTNAME="hostname"=61
STRING=62
ACCESS_LIST="access-list"=63
EXTENDED="extended"=64
PERMIT="permit"=65
DENY="deny"=66
STANDARD="standard"=67
P_EQ="eq"=68
P_GT="gt"=69
P_LT="lt"=70
P_NEQ="neq"=71
ECHO="echo"=72
RIP="rip"=73
SSH="ssh"=74
TELNET="telnet"=75
ESTABLISHED="established"=76
ALTERNATE_ADDRESS="alternate-address"=77
CONVERSION_ERROR="conversion-error"=78
ECHO_REPLY="echo-reply"=79
INFORMATION_REPLY="information-reply"=80
INFORMATION_REQUEST="information-request"=81
MASK_REPLY="mask-reply"=82
MASK_REQUEST="mask-request"=83
MOBILE_REDIRECT="mobile-redirect"=84
PARAMETER_PROBLEM="parameter-problem"=85
REDIRECT="redirect"=86
ROUTER_ADVERTISEMENT="router-advertisement"=87
ROUTER_SOLICITATION="router-solicitation"=88
SOURCE_QUENCH="source-quench"=89
TIME_EXCEEDED="time-exceeded"=90
TIMESTAMP_REPLY="timestamp-reply"=91
TIMESTAMP_REQUEST="timestamp-request"=92
TRACEROUTE="traceroute"=93
UNREACHABLE="unreachable"=94
INTRFACE="interface"=95
ANY="any"=96
LOG="log"=97
LOG_INPUT="log-input"=98
LOG_LEVEL_ALERTS="alerts"=99
LOG_LEVEL_CRITICAL="critical"=100
LOG_LEVEL_DEBUGGING="debugging"=101
LOG_LEVEL_EMERGENCIES="emergencies"=102
LOG_LEVEL_ERRORS="errors"=103
LOG_LEVEL_INFORMATIONAL="informational"=104
LOG_LEVEL_NOTIFICATIONS="notifications"=105
LOG_LEVEL_WARNINGS="warnings"=106
LOG_LEVEL_DISABLE="disable"=107
LOG_LEVEL_INACTIVE="inactive"=108
INTERVAL="interval"=109
FRAGMENTS="fragments"=110
TIME_RANGE="time-range"=111
CONTROLLER="controller"=112
OUTSIDE="outside"=113
LINE_COMMENT=114
EXIT="exit"=115
AUI="aui"=116
AUTO="auto"=117
BNC="bnc"=118
FULL="full"=119
BASET="baseT"=120
BASETX="baseTX"=121
NAMEIF="nameif"=122
VLAN="vlan"=123
SPEED="speed"=124
DUPLEX="duplex"=125
DDNS="ddns"=126
FORWARD="forward"=127
DELAY="delay"=128
HOLD_TIME="hold-time"=129
IPV6_C="ipv6"=130
MAC_ADDRESS="mac-address"=131
MULTICAST="multicast"=132
PPPOE=133
SEC_LEVEL="security-level"=134
SHUTDOWN="shutdown"=135
ADDRESS="address"=136
DHCP="dhcp"=137
STANDBY="standby"=138
SWITCHPORT="switchport"=139
ACCESS="access"=140
REMARK="remark"=141
ACCESS_GROUP="access-group"=142
COLON_COMMENT=143
CLOSING_PAREN=144
DNS=145
GLOBAL="global"=146
STATIC="static"=147
COMMA=148
NETMASK=149
IPv4=150
SECONDARY="secondary"=151
SETROUTE="setroute"=152
Whitespace=153
HEX_CONST=154
NEG_INT_CONST=155
DIGIT=156
HEXDIGIT=157
NUMBER_ADDRESS_OR_WORD=158
PIPE_CHAR=159
NUMBER_SIGN=160
PERCENT=161
AMPERSAND=162
APOSTROPHE=163
STAR=164
PLUS=165
MINUS=166
DOT=167
SLASH=168
COLON=169
SEMICOLON=170
LESS_THAN=171
EQUALS=172
GREATER_THAN=173
QUESTION=174
COMMERCIAL_AT=175
OPENING_SQUARE=176
CLOSING_SQUARE=177
CARET=178
UNDERLINE=179
OPENING_BRACE=180
CLOSING_BRACE=181
TILDE=182
EXLAMATION=183
DNS="dns"=55
NO="no"=56
CERTIFICATE="certificate"=57
PIX_WORD="PIX"=58
ASA_WORD="ASA"=59
VERSION_WORD="Version"=60
NUMBER=61
HOSTNAME="hostname"=62
STRING=63
ACCESS_LIST="access-list"=64
EXTENDED="extended"=65
PERMIT="permit"=66
DENY="deny"=67
STANDARD="standard"=68
P_EQ="eq"=69
P_GT="gt"=70
P_LT="lt"=71
P_NEQ="neq"=72
ECHO="echo"=73
RIP="rip"=74
SSH="ssh"=75
TELNET="telnet"=76
ESTABLISHED="established"=77
ALTERNATE_ADDRESS="alternate-address"=78
CONVERSION_ERROR="conversion-error"=79
ECHO_REPLY="echo-reply"=80
INFORMATION_REPLY="information-reply"=81
INFORMATION_REQUEST="information-request"=82
MASK_REPLY="mask-reply"=83
MASK_REQUEST="mask-request"=84
MOBILE_REDIRECT="mobile-redirect"=85
PARAMETER_PROBLEM="parameter-problem"=86
REDIRECT="redirect"=87
ROUTER_ADVERTISEMENT="router-advertisement"=88
ROUTER_SOLICITATION="router-solicitation"=89
SOURCE_QUENCH="source-quench"=90
TIME_EXCEEDED="time-exceeded"=91
TIMESTAMP_REPLY="timestamp-reply"=92
TIMESTAMP_REQUEST="timestamp-request"=93
TRACEROUTE="traceroute"=94
UNREACHABLE="unreachable"=95
INTRFACE="interface"=96
ANY="any"=97
LOG="log"=98
LOG_INPUT="log-input"=99
LOG_LEVEL_ALERTS="alerts"=100
LOG_LEVEL_CRITICAL="critical"=101
LOG_LEVEL_DEBUGGING="debugging"=102
LOG_LEVEL_EMERGENCIES="emergencies"=103
LOG_LEVEL_ERRORS="errors"=104
LOG_LEVEL_INFORMATIONAL="informational"=105
LOG_LEVEL_NOTIFICATIONS="notifications"=106
LOG_LEVEL_WARNINGS="warnings"=107
LOG_LEVEL_DISABLE="disable"=108
LOG_LEVEL_INACTIVE="inactive"=109
INTERVAL="interval"=110
FRAGMENTS="fragments"=111
TIME_RANGE="time-range"=112
CONTROLLER="controller"=113
OUTSIDE="outside"=114
LINE_COMMENT=115
EXIT="exit"=116
AUI="aui"=117
AUTO="auto"=118
BNC="bnc"=119
FULL="full"=120
BASET="baseT"=121
BASETX="baseTX"=122
NAMEIF="nameif"=123
VLAN="vlan"=124
SPEED="speed"=125
DUPLEX="duplex"=126
DDNS="ddns"=127
FORWARD="forward"=128
DELAY="delay"=129
HOLD_TIME="hold-time"=130
IPV6_C="ipv6"=131
MAC_ADDRESS="mac-address"=132
MULTICAST="multicast"=133
PPPOE=134
SEC_LEVEL="security-level"=135
SHUTDOWN="shutdown"=136
ADDRESS="address"=137
DHCP="dhcp"=138
STANDBY="standby"=139
SWITCHPORT="switchport"=140
ACCESS="access"=141
SCOPY="scopy"=142
REMARK="remark"=143
ACCESS_GROUP="access-group"=144
COLON_COMMENT=145
CLOSING_PAREN=146
GLOBAL="global"=147
STATIC="static"=148
COMMA=149
NORANDOMSEQ="norandomseq"=150
NETMASK="netmask"=151
SECONDARY="secondary"=152
SETROUTE="setroute"=153
Whitespace=154
HEX_CONST=155
NEG_INT_CONST=156
DIGIT=157
HEXDIGIT=158
NUMBER_ADDRESS_OR_WORD=159
PIPE_CHAR=160
NUMBER_SIGN=161
PERCENT=162
AMPERSAND=163
APOSTROPHE=164
STAR=165
PLUS=166
MINUS=167
DOT=168
SLASH=169
COLON=170
SEMICOLON=171
LESS_THAN=172
EQUALS=173
GREATER_THAN=174
QUESTION=175
COMMERCIAL_AT=176
OPENING_SQUARE=177
CLOSING_SQUARE=178
CARET=179
UNDERLINE=180
OPENING_BRACE=181
CLOSING_BRACE=182
TILDE=183
EXLAMATION=184

82
src/parsers/pix.g
View File

@ -174,6 +174,8 @@ cfgfile :
no_commands
|
timeout_command
|
dns_command
|
unknown_command
|
@ -299,7 +301,10 @@ named_object_description : DESCRIPTION
}
;
host_addr : (HOST (h:IPV4 | v6:IPV6))
host_addr : HOST single_addr
;
single_addr : (h:IPV4 | v6:IPV6)
{
importer->setCurrentLineNumber(LT(0)->getLine());
if (h)
@ -802,6 +807,13 @@ unknown_command : WORD
}
;
//****************************************************************
dns_command : DNS
{
consumeUntil(NEWLINE);
}
;
//****************************************************************
no_commands : NO
{
@ -1635,7 +1647,13 @@ ssh_command : SSH
importer->clear();
}
(
( TIMEOUT INT_CONST ) |
( TIMEOUT INT_CONST )
{
// set ssh timeout here
}
|
SCOPY
|
(
hostaddr_expr
{
@ -1895,16 +1913,21 @@ global_top_level_command :
;
static_top_level_command :
STATIC OPENING_PAREN prenat_intf:WORD
COMMA postnat_intf:WORD CLOSING_PAREN
STATIC
{
importer->clear();
}
OPENING_PAREN
interface_label { importer->prenat_interface = LT(0)->getText(); }
COMMA
interface_label { importer->postnat_interface = LT(0)->getText(); }
CLOSING_PAREN
{
importer->setCurrentLineNumber(LT(0)->getLine());
importer->newUnidirRuleSet("nat", libfwbuilder::NAT::TYPENAME );
*dbg << " DNAT rule " << std::endl;
importer->newNATRule();
*dbg << " DNAT rule ";
importer->rule_type = libfwbuilder::NATRule::DNAT;
importer->prenat_interface = prenat_intf->getText();
importer->postnat_interface = postnat_intf->getText();
}
// Hostname or A.B.C.D Global or mapped address
// interface Global address overload from interface
@ -1918,6 +1941,7 @@ static_top_level_command :
NEWLINE
{
importer->pushNATRule();
*dbg << std::endl;
}
;
@ -1929,12 +1953,12 @@ static_starts_with_hostaddr :
static_real_addr_match
static_command_common_last_parameters
( static_command_common_last_parameters )*
;
static_mapped_addr_match :
(
host_addr
single_addr
{
importer->mapped_a = importer->tmp_a;
importer->mapped_nm = importer->tmp_nm;
@ -1950,7 +1974,7 @@ static_mapped_addr_match :
static_real_addr_match :
(
host_addr // real
single_addr // real
{
importer->real_a = importer->tmp_a;
importer->real_nm = importer->tmp_nm;
@ -1980,7 +2004,7 @@ static_starts_with_tcp_udp : ( TCP | UDP )
tcp_udp_port_spec
{
importer->mapped_port_spec = importer->tmp_port_spec_2;
*dbg << "mapped port " << importer->mapped_port_spec;
*dbg << "mapped port " << importer->mapped_port_spec << " ";
}
// Hostname or A.B.C.D Real IP address of the host or hosts
@ -1995,10 +2019,10 @@ static_starts_with_tcp_udp : ( TCP | UDP )
tcp_udp_port_spec
{
importer->real_port_spec = importer->tmp_port_spec_2;
*dbg << "real port " << importer->real_port_spec;
*dbg << "real port " << importer->real_port_spec << " ";
}
static_command_common_last_parameters
( static_command_common_last_parameters )*
;
static_command_common_last_parameters :
@ -2008,17 +2032,26 @@ static_command_common_last_parameters :
// norandomseq Disable TCP sequence number randomization
// tcp Configure TCP specific parameters
// udp Configure UDP specific parameters
NETMASK nm:IPv4
// <cr>
DNS
{
importer->addMessageToLog(
"Warning: 'static' command option 'dns' is not supported");
}
|
NORANDOMSEQ
{
importer->addMessageToLog(
"Warning: 'static' command option 'norandomseq' is not supported");
}
|
NETMASK nm:IPV4
{
importer->mapped_nm = nm->getText();
}
|
(TCP | UDP)
{
// <0-65535> The maximum number of simultaneous tcp connections
}
|
(TCP | UDP)?
max_conn:INT_CONST (max_emb_conn:INT_CONST)?
{
importer->static_max_conn = max_conn->getText();
@ -2055,12 +2088,14 @@ tokens
SPEED = "speed";
DUPLEX = "duplex";
DELAY = "delay";
DNS = "dns";
DDNS = "ddns";
FORWARD = "forward";
HOLD_TIME = "hold-time";
IPV6_C = "ipv6";
MAC_ADDRESS = "mac-address";
MULTICAST = "multicast";
NETMASK = "netmask";
INTERVAL = "interval";
@ -2209,6 +2244,9 @@ tokens
TRACEROUTE = "traceroute";
UNREACHABLE = "unreachable";
NORANDOMSEQ = "norandomseq";
SCOPY = "scopy";
}
LINE_COMMENT : "!" (~('\r' | '\n'))* NEWLINE ;
@ -2283,8 +2321,10 @@ NUMBER_ADDRESS_OR_WORD :
)
)
|
// making sure ',' '(' ')' are not part of WORD
( 'a'..'z' | 'A'..'Z' | '$' )
( '!'..'\'' | '*'..'/' | '0'..'9' | ':' | ';' | '<' | '=' | '>' |
( '!'..'\'' | '*' | '+' | '-' | '.' | '/' | '0'..'9' | ':' |
';' | '<' | '=' | '>' |
'?' | '@' | 'A'..'Z' | '\\' | '^' | '_' | '`' | 'a'..'z' )*
{ _ttype = WORD; }
)

17
src/unit_tests/PIXImporterTest/PIXImporterTest.cpp
View File

@ -230,6 +230,23 @@ void PIXImporterTest::PIX_7_Test()
compareFwbFiles("test_data/pix7.fwb", "pix7.fwb");
}
void PIXImporterTest::PIX_7_NAT_Test()
{
platform = "pix";
std::istringstream instream(openTestFile("test_data/pix7-nat.test"));
Importer* imp = new PIXImporter(lib, instream, logger, "test_fw");
CPPUNIT_ASSERT_NO_THROW( imp->run() );
imp->finalize();
db->setPredictableIds();
db->saveFile("pix7-nat.fwb");
compareResults(logger, "test_data/pix7-nat.output", "pix7-nat.output");
compareFwbFiles("test_data/pix7-nat.fwb", "pix7-nat.fwb");
}
void PIXImporterTest::ASA_8_0_Test()
{
platform = "pix";

2
src/unit_tests/PIXImporterTest/PIXImporterTest.h
View File

@ -60,6 +60,7 @@ public:
void PIX_6_Test();
void PIX_7_Test();
void PIX_7_NAT_Test();
void ASA_8_0_Test();
void ASA_8_3_Test();
void ObjectsAndGroupsTest();
@ -69,6 +70,7 @@ public:
CPPUNIT_TEST_SUITE(PIXImporterTest);
CPPUNIT_TEST(PIX_6_Test);
CPPUNIT_TEST(PIX_7_Test);
CPPUNIT_TEST(PIX_7_NAT_Test);
CPPUNIT_TEST(ASA_8_0_Test);
CPPUNIT_TEST(ASA_8_3_Test);
CPPUNIT_TEST(ObjectsAndGroupsTest);

1
src/unit_tests/PIXImporterTest/test_data/asa8.3.output
View File

@ -34,7 +34,6 @@ Warning: interface Ethernet0/6 was not imported because it is in "shutdown" mode
New interface: Ethernet0/7
Warning: interface Ethernet0/7 was not imported because it is in "shutdown" mode
Named object (address) internal_subnet_1Named object (address) internal_subnet_2Named object (address) Internal_netNamed object (address) hostA:eth0Ruleset: outside_acl_in
Parser error: line 91:5: unexpected token: scopy
Ruleset: ssh_commands_inside
Interface Vlan1 ruleset ssh_commands_inside direction 'in'
Ruleset: ssh_commands_inside

2
src/unit_tests/PIXImporterTest/test_data/pix6.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301462978" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301531481" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

1174
src/unit_tests/PIXImporterTest/test_data/pix7-nat.fwb Normal file
View File

@ -0,0 +1,1174 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1301538587" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
<ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
<ObjectGroup id="stdid16" name="Addresses" comment="" ro="False">
<IPv4 id="id2001X88798" name="all-hosts" comment="" ro="False" address="224.0.0.1" netmask="0.0.0.0"/>
<IPv4 id="id2002X88798" name="all-routers" comment="" ro="False" address="224.0.0.2" netmask="0.0.0.0"/>
<IPv4 id="id2003X88798" name="all DVMRP" comment="" ro="False" address="224.0.0.4" netmask="0.0.0.0"/>
<IPv4 id="id2117X88798" name="OSPF (all routers)" comment="RFC2328" ro="False" address="224.0.0.5" netmask="0.0.0.0"/>
<IPv4 id="id2128X88798" name="OSPF (designated routers)" comment="RFC2328" ro="False" address="224.0.0.6" netmask="0.0.0.0"/>
<IPv4 id="id2430X88798" name="RIP" comment="RFC1723" ro="False" address="224.0.0.9" netmask="0.0.0.0"/>
<IPv4 id="id2439X88798" name="EIGRP" comment="" ro="False" address="224.0.0.10" netmask="0.0.0.0"/>
<IPv4 id="id2446X88798" name="DHCP server, relay agent" comment="RFC 1884" ro="False" address="224.0.0.12" netmask="0.0.0.0"/>
<IPv4 id="id2455X88798" name="PIM" comment="" ro="False" address="224.0.0.13" netmask="0.0.0.0"/>
<IPv4 id="id2462X88798" name="RSVP" comment="" ro="False" address="224.0.0.14" netmask="0.0.0.0"/>
<IPv4 id="id2469X88798" name="VRRP" comment="RFC3768" ro="False" address="224.0.0.18" netmask="0.0.0.0"/>
<IPv4 id="id2777X88798" name="IGMP" comment="" ro="False" address="224.0.0.22" netmask="0.0.0.0"/>
<IPv4 id="id2784X88798" name="OSPFIGP-TE" comment="RFC4973" ro="False" address="224.0.0.24" netmask="0.0.0.0"/>
<IPv4 id="id3094X88798" name="HSRP" comment="" ro="False" address="224.0.0.102" netmask="0.0.0.0"/>
<IPv4 id="id3403X88798" name="mDNS" comment="" ro="False" address="224.0.0.251" netmask="0.0.0.0"/>
<IPv4 id="id3410X88798" name="LLMNR" comment="Link-Local Multicast Name Resolution, RFC4795" ro="False" address="224.0.0.252" netmask="0.0.0.0"/>
<IPv4 id="id3411X88798" name="Teredo" comment="" ro="False" address="224.0.0.253" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="stdid17" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="stdid18" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="stdid04" name="Groups" comment="" ro="False">
<ObjectGroup id="id3DC75CE8" name="rfc1918-nets" comment="" ro="False">
<ObjectRef ref="id3DC75CE5"/>
<ObjectRef ref="id3DC75CE6"/>
<ObjectRef ref="id3DC75CE7"/>
</ObjectGroup>
<ObjectGroup id="id3292X75851" name="ipv6 private" comment="These are various ipv6 networks that should not be routed on the Internet&#10;" ro="False">
<ObjectRef ref="id2088X75851"/>
<ObjectRef ref="id2986X75851"/>
<ObjectRef ref="id2383X75851"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="stdid02" name="Hosts" comment="" ro="False">
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EED2" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EED3" name="ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EEE3" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EEE4" name="ip" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.2.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
</ObjectGroup>
<ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
<Network id="id3DC75CEC" name="all multicasts" comment="224.0.0.0/4 - This block, formerly known as the Class D address&#10;space, is allocated for use in IPv4 multicast address assignments.&#10;The IANA guidelines for assignments from this space are described in&#10;[RFC3171].&#10;" ro="False" address="224.0.0.0" netmask="240.0.0.0"/>
<Network id="id3F4ECE3E" name="link-local" comment="169.254.0.0/16 - This is the &quot;link local&quot; block. It is allocated for&#10;communication between hosts on a single link. Hosts obtain these&#10;addresses by auto-configuration, such as when a DHCP server may not&#10;be found.&#10;" ro="False" address="169.254.0.0" netmask="255.255.0.0"/>
<Network id="id3F4ECE3D" name="loopback-net" comment="127.0.0.0/8 - This block is assigned for use as the Internet host&#10;loopback address. A datagram sent by a higher level protocol to an&#10;address anywhere within this block should loop back inside the host.&#10;This is ordinarily implemented using only 127.0.0.1/32 for loopback,&#10;but no addresses within this block should ever appear on any network&#10;anywhere [RFC1700, page 5].&#10;" ro="False" address="127.0.0.0" netmask="255.0.0.0"/>
<Network id="id3DC75CE5" name="net-10.0.0.0" comment="10.0.0.0/8 - This block is set aside for use in private networks.&#10;Its intended use is documented in [RFC1918]. Addresses within this&#10;block should not appear on the public Internet." ro="False" address="10.0.0.0" netmask="255.0.0.0"/>
<Network id="id3DC75CE7" name="net-172.16.0.0" comment="172.16.0.0/12 - This block is set aside for use in private networks.&#10;Its intended use is documented in [RFC1918]. Addresses within this&#10;block should not appear on the public Internet.&#10;" ro="False" address="172.16.0.0" netmask="255.240.0.0"/>
<Network id="id3DC75CE6" name="net-192.168.0.0" comment="192.168.0.0/16 - This block is set aside for use in private networks.&#10;Its intended use is documented in [RFC1918]. Addresses within this&#10;block should not appear on the public Internet.&#10;" ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
<Network id="id3F4ECE3F" name="test-net" comment="192.0.2.0/24 - This block is assigned as &quot;TEST-NET&quot; for use in&#10;documentation and example code. It is often used in conjunction with&#10;domain names example.com or example.net in vendor and protocol&#10;documentation. Addresses within this block should not appear on the&#10;public Internet.&#10;" ro="False" address="192.0.2.0" netmask="255.255.255.0"/>
<Network id="id3F4ECE40" name="this-net" comment="0.0.0.0/8 - Addresses in this block refer to source hosts on &quot;this&quot;&#10;network. Address 0.0.0.0/32 may be used as a source address for this&#10;host on this network; other addresses within 0.0.0.0/8 may be used to&#10;refer to specified hosts on this network [RFC1700, page 4]." ro="False" address="0.0.0.0" netmask="255.0.0.0"/>
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
<NetworkIPv6 id="id2088X75851" name="documentation net" comment="RFC3849" ro="False" address="2001:db8::" netmask="32"/>
<NetworkIPv6 id="id2383X75851" name="link-local ipv6" comment="RFC4291 Link-local unicast net" ro="False" address="fe80::" netmask="10"/>
<NetworkIPv6 id="id2685X75851" name="multicast ipv6" comment="RFC4291 ipv6 multicast addresses" ro="False" address="ff00::" netmask="8"/>
<NetworkIPv6 id="id2986X75851" name="experimental ipv6" comment="RFC2928, RFC4773 &#10;&#10;&quot;The block of Sub-TLA IDs assigned to the IANA&#10;(i.e., 2001:0000::/29 - 2001:01F8::/29) is for&#10;assignment for testing and experimental usage to&#10;support activities such as the 6bone, and&#10;for new approaches like exchanges.&quot; [RFC2928]&#10;&#10;" ro="False" address="2001::" netmask="23"/>
</ObjectGroup>
<ObjectGroup id="stdid15" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3F6D115C" name="broadcast" comment="" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
<AddressRange id="id3F6D115D" name="old-broadcast" comment="" ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
<ServiceRef ref="udp-bootpc"/>
<ServiceRef ref="udp-bootps"/>
</ServiceGroup>
<ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
<ServiceGroup id="id3CB1279B" name="IPSEC" comment="" ro="False">
<ServiceRef ref="id3CB12797"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
<ServiceGroup id="sg-NETBIOS" name="NETBIOS" comment="" ro="False">
<ServiceRef ref="udp-netbios-dgm"/>
<ServiceRef ref="udp-netbios-ns"/>
<ServiceRef ref="id3E755609"/>
</ServiceGroup>
<ServiceGroup id="id3CB131CC" name="PCAnywhere" comment="" ro="False">
<ServiceRef ref="id3CB131CA"/>
<ServiceRef ref="id3CB131C8"/>
</ServiceGroup>
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP" comment="" ro="False">
<ServiceRef ref="icmp-Time_exceeded"/>
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
<ServiceGroup id="id1569X4889" name="Ipv6 unreachable messages" comment="" ro="False">
<ServiceRef ref="idE0D27650"/>
<ServiceRef ref="idCFE27650"/>
<ServiceRef ref="idE0B27650"/>
<ServiceRef ref="id1519Z388"/>
</ServiceGroup>
<ServiceGroup id="id3B4FEDD9" name="kerberos" comment="" ro="False">
<ServiceRef ref="id3B4FEDA5"/>
<ServiceRef ref="id3B4FEDA9"/>
<ServiceRef ref="id3B4FEDA7"/>
<ServiceRef ref="id3B4FEDAB"/>
<ServiceRef ref="id3B4FEDA3"/>
<ServiceRef ref="id3B4FEE21"/>
<ServiceRef ref="id3B4FEE23"/>
<ServiceRef ref="id3E7E3EA2"/>
</ServiceGroup>
<ServiceGroup id="id3B4FF35E" name="nfs" comment="" ro="False">
<ServiceRef ref="id3B4FEE7A"/>
<ServiceRef ref="id3B4FEE78"/>
</ServiceGroup>
<ServiceGroup id="id3B4FEFFA" name="quake" comment="" ro="False">
<ServiceRef ref="id3B4FEF7C"/>
<ServiceRef ref="id3B4FEF7E"/>
</ServiceGroup>
<ServiceGroup id="id3D703C9A" name="Real Player" comment="" ro="False">
<ServiceRef ref="id3D703C99"/>
<ServiceRef ref="id3D703C8B"/>
</ServiceGroup>
<ServiceGroup id="id3E7E3E95" name="WinNT" comment="" ro="False">
<ServiceRef ref="sg-NETBIOS"/>
<ServiceRef ref="id3DC8C8BB"/>
<ServiceRef ref="id3E7E3D58"/>
</ServiceGroup>
<ServiceGroup id="id3E7E3E9A" name="Win2000" comment="" ro="False">
<ServiceRef ref="id3E7E3E95"/>
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="id3DC8C8BC"/>
<ServiceRef ref="id3E7E3EA2"/>
<ServiceRef ref="id3AECF778"/>
<ServiceRef ref="id3D703C90"/>
<ServiceRef ref="id3E7E4039"/>
<ServiceRef ref="id3E7E403A"/>
<ServiceRef ref="id3B4FEDA5"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
<ServiceGroup id="id41291786" name="UPnP" comment="" ro="False">
<ServiceRef ref="id41291784"/>
<ServiceRef ref="id41291785"/>
<ServiceRef ref="id41291783"/>
<ServiceRef ref="id412Z18A9"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP" comment="" ro="False">
<ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP unreachables" comment="" ro="False"/>
<ICMPService id="id3C20EEB5" code="-1" type="-1" name="any ICMP" comment="" ro="False"/>
<ICMPService id="icmp-Host_unreach" code="1" type="3" name="host_unreach" comment="" ro="False"/>
<ICMPService id="icmp-ping_reply" code="0" type="0" name="ping reply" comment="" ro="False"/>
<ICMPService id="icmp-ping_request" code="0" type="8" name="ping request" comment="" ro="False"/>
<ICMPService id="icmp-Port_unreach" code="3" type="3" name="port unreach" comment="Port unreachable" ro="False"/>
<ICMPService id="icmp-Time_exceeded" code="0" type="11" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" ro="False"/>
<ICMPService id="icmp-Time_exceeded_in_transit" code="1" type="11" name="time exceeded in transit" comment="" ro="False"/>
<ICMP6Service id="ipv6-icmp-ping_request" code="0" type="128" name="ipv6 ping request" comment="IPv6 ping request" ro="False"/>
<ICMP6Service id="ipv6-icmp-ping_reply" code="0" type="129" name="ipv6 ping reply" comment="IPv6 ping reply" ro="False"/>
<ICMP6Service id="ipv6-icmp-routersol" code="0" type="133" name="ipv6 routersol" comment="IPv6 router solicitation" ro="False"/>
<ICMP6Service id="ipv6-icmp-routeradv" code="0" type="134" name="ipv6 routeradv" comment="IPv6 router advertisement" ro="False"/>
<ICMP6Service id="ipv6-icmp-neighbrsol" code="0" type="135" name="ipv6 neighbrsol" comment="IPv6 neighbor solicitation" ro="False"/>
<ICMP6Service id="ipv6-icmp-neighbradv" code="0" type="136" name="ipv6 neighbradv" comment="IPv6 neighbor advertisement" ro="False"/>
<ICMP6Service id="ipv6-icmp-redir" code="0" type="137" name="ipv6 redir" comment="IPv6 redirect: shorter route exists" ro="False"/>
<ICMP6Service id="id1519Z388" code="-1" type="4" name="ipv6 parameter problem" comment="IPv6 Parameter Problem: RFC4443" ro="False"/>
<ICMP6Service id="idCFE27650" code="0" type="3" name="ipv6 time exceeded" comment="Time exceeded in transit" ro="False"/>
<ICMP6Service id="idCFF27650" code="1" type="3" name="ipv6 time exceeded in reassembly" comment="Time exceeded in reassembly" ro="False"/>
<ICMP6Service id="idE0B27650" code="-1" type="2" name="ipv6 packet too big" comment="" ro="False"/>
<ICMP6Service id="idE0D27650" code="-1" type="1" name="ipv6 all dest unreachable" comment="All icmpv6 codes for type &quot;destination unreachable&quot;&#10;" ro="False"/>
<ICMP6Service id="idCFE27660" code="-1" type="-1" name="ipv6 any ICMP6" comment="any ICMPv6" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid06" name="IP" comment="" ro="False">
<IPService id="id3CB12797" fragm="False" lsrr="False" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False" name="AH" comment="IPSEC Authentication Header Protocol" ro="False"/>
<IPService id="ip-IPSEC" fragm="False" lsrr="False" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False" name="ESP" comment="IPSEC Encapsulating Security Payload Protocol" ro="False"/>
<IPService id="ip-RR" fragm="False" lsrr="False" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False" name="RR" comment="Route recording packets" ro="False"/>
<IPService id="ip-SRR" fragm="False" lsrr="True" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False" name="SRR" comment="All sorts of Source Routing Packets" ro="False"/>
<IPService id="ip-IP_Fragments" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False" name="ip_fragments" comment="'Short' fragments" ro="False"/>
<IPService id="id3D703C8E" fragm="False" lsrr="False" protocol_num="57" rr="False" short_fragm="False" ssrr="False" ts="False" name="SKIP" comment="IPSEC Simple Key Management for Internet Protocols" ro="False"/>
<IPService id="id3D703C8F" fragm="False" lsrr="False" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False" name="GRE" comment="Generic Routing Encapsulation&#10;" ro="False"/>
<IPService id="id3D703C95" fragm="False" lsrr="False" protocol_num="112" rr="False" short_fragm="False" ssrr="False" ts="False" name="vrrp" comment="Virtual Router Redundancy Protocol" ro="False"/>
<IPService id="ip-IGMP" fragm="False" lsrr="False" protocol_num="2" rr="False" rtralt="True" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="IGMP" comment="Internet Group Management Protocol, Version 3, RFC 3376" ro="False"/>
<IPService id="ip-PIM" fragm="False" lsrr="False" protocol_num="103" rr="False" rtralt="False" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="PIM" comment="Protocol Independent Multicast - Dense Mode (PIM-DM), RFC 3973, or Protocol Independent Multicast-Sparse Mode (PIM-SM) RFC 2362" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
<TCPService id="tcp-ALL_TCP_Masqueraded" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ALL TCP Masqueraded" comment="ipchains used to use this range of port numbers for masquerading. " ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3D703C94" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="AOL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5190" dst_range_end="5190"/>
<TCPService id="tcp-All_TCP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3CB131C4" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Citrix-ICA" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1494" dst_range_end="1494"/>
<TCPService id="id3D703C91" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-Admin" comment="Entrust CA Administration Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="709" dst_range_end="709"/>
<TCPService id="id3D703C92" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-KeyMgmt" comment="Entrust CA Key Management Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="710" dst_range_end="710"/>
<TCPService id="id3AEDBEAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="H323" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1720" dst_range_end="1720"/>
<TCPService id="id412Z18A9" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
<TCPService id="id3E7E4039" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3268" dst_range_end="3268"/>
<TCPService id="id3E7E403A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC SSL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3269" dst_range_end="3269"/>
<TCPService id="id3D703C83" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="OpenWindows" comment="Open Windows" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2000" dst_range_end="2000"/>
<TCPService id="id3CB131C8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="PCAnywhere-data" comment="data channel for PCAnywhere v7.52 and later " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5631" dst_range_end="5631"/>
<TCPService id="id3D703C8B" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Real-Audio" comment="RealNetworks PNA Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7070" dst_range_end="7070"/>
<TCPService id="id3D703C93" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="RealSecure" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2998" dst_range_end="2998"/>
<TCPService id="id3DC8C8BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="SMB" comment="SMB over TCP (without NETBIOS)&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="445" dst_range_end="445"/>
<TCPService id="id3D703C8D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TACACSplus" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="49" dst_range_end="49"/>
<TCPService id="id3D703C84" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TCP high ports" comment="TCP high ports" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
<TCPService id="id3E7E3D58" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="WINS replication" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="42" dst_range_end="42"/>
<TCPService id="id3D703C82" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="X11" comment="X Window System" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6000" dst_range_end="6063"/>
<TCPService id="tcp-Auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="auth" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
<TCPService id="id3AEDBE6E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
<TCPService id="tcp-DNS" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<TCPService id="id3B4FEDA3" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="eklogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2105" dst_range_end="2105"/>
<TCPService id="id3AECF774" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="finger" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="79" dst_range_end="79"/>
<TCPService id="tcp-FTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
<TCPService id="tcp-FTP_data" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data" comment="FTP data channel.&#10; Note: FTP protocol does not really require server to use source port 20 for the data channel, &#10; but many ftp server implementations do so." ro="False" src_range_start="20" src_range_end="20" dst_range_start="1024" dst_range_end="65535"/>
<TCPService id="id3E7553BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data passive" comment="FTP data channel for passive mode transfers&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="20" dst_range_end="20"/>
<TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
<TCPService id="id3B4FED69" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="https" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="443" dst_range_end="443"/>
<TCPService id="id3AECF776" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="143" dst_range_end="143"/>
<TCPService id="id3B4FED9F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imaps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="993" dst_range_end="993"/>
<TCPService id="id3B4FF13C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="irc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
<TCPService id="id3E7E3EA2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
<TCPService id="id3B4FEE21" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="klogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="543" dst_range_end="543"/>
<TCPService id="id3B4FEE23" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ksh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="544" dst_range_end="544"/>
<TCPService id="id3AECF778" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="389" dst_range_end="389"/>
<TCPService id="id3D703C90" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldaps" comment="Lightweight Directory Access Protocol over TLS/SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="636" dst_range_end="636"/>
<TCPService id="id3B4FF000" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="linuxconf" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="98" dst_range_end="98"/>
<TCPService id="id3D703C97" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="lpr" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
<TCPService id="id3DC8C8BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
<TCPService id="id3D703C98" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ms-sql" comment="Microsoft SQL Server" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1433" dst_range_end="1433"/>
<TCPService id="id3B4FEEEE" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="mysql" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3306" dst_range_end="3306"/>
<TCPService id="id3E755609" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
<TCPService id="id3B4FEE7A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
<TCPService id="tcp-NNTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
<TCPService id="id3E7553BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntps" comment="NNTP over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="563" dst_range_end="563"/>
<TCPService id="id3B4FEE1D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="110" dst_range_end="110"/>
<TCPService id="id3E7553BA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3s" comment="POP-3 over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="995" dst_range_end="995"/>
<TCPService id="id3B4FF0EA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="postgres" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5432" dst_range_end="5432"/>
<TCPService id="id3AECF782" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="printer" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
<TCPService id="id3B4FEF7C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
<TCPService id="id3AECF77A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rexec" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="512" dst_range_end="512"/>
<TCPService id="id3AECF77C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rlogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
<TCPService id="id3AECF77E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rshell" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
<TCPService id="id3D703C99" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtsp" comment="Real Time Streaming Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="554" dst_range_end="554"/>
<TCPService id="id3B4FEF34" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rwhois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4321" dst_range_end="4321"/>
<TCPService id="id3D703C89" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="securidprop" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5510" dst_range_end="5510"/>
<TCPService id="tcp-SMTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
<TCPService id="id3B4FF04C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="465" dst_range_end="465"/>
<TCPService id="id3B4FEE76" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="socks" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1080" dst_range_end="1080"/>
<TCPService id="id3D703C87" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sqlnet1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1521" dst_range_end="1521"/>
<TCPService id="id3B4FF09A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="squid" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
<TCPService id="tcp-SSH" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ssh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="id3AEDBE00" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
<TCPService id="tcp-TCP-SYN" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="tcp-syn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="tcp-Telnet" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="telnet" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="23" dst_range_end="23"/>
<TCPService id="tcp-uucp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="uucp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="540" dst_range_end="540"/>
<TCPService id="id3CB131C6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="winterm" comment="Windows Terminal Services" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3389" dst_range_end="3389"/>
<TCPService id="id3B4FF1B8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7100" dst_range_end="7100"/>
<TCPService id="id3C685B2B" ack_flag="True" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan - full" comment="This service object matches TCP packet with all six flags set." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id4127E949" ack_flag="False" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan" comment="This service object matches TCP packet with flags FIN, PSH and URG set and other flags cleared. This is a &quot;christmas scan&quot; as defined in snort rules. Nmap can generate this scan, too." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id4127EA72" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
<TCPService id="id4127EBAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="distcc" comment="distributed compiler" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3632" dst_range_end="3632"/>
<TCPService id="id4127ECF1" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvspserver" comment="CVS client/server operations" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2401" dst_range_end="2401"/>
<TCPService id="id4127ECF2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvsup" comment="CVSup file transfer/John Polstra/FreeBSD" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5999" dst_range_end="5999"/>
<TCPService id="id4127ED5E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="afp" comment="AFP (Apple file sharing) over TCP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="548" dst_range_end="548"/>
<TCPService id="id4127EDF6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="whois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="43" dst_range_end="43"/>
<TCPService id="id4127F04F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="bgp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="179" dst_range_end="179"/>
<TCPService id="id4127F146" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius" comment="Radius protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1812" dst_range_end="1812"/>
<TCPService id="id4127F147" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius acct" comment="Radius Accounting" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1813" dst_range_end="1813"/>
<TCPService id="id41291784" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
<TCPService id="id41291785" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp-5431" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
<TCPService id="id41291787" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-0" comment="Java VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5800" dst_range_end="5800"/>
<TCPService id="id41291788" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-0" comment="Regular VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5900" dst_range_end="5900"/>
<TCPService id="id41291887" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-1" comment="Java VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5801" dst_range_end="5801"/>
<TCPService id="id41291888" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-1" comment="Regular VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5901" dst_range_end="5901"/>
<TCPService id="id463FE5FE11008" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP established" comment="Some firewall platforms can match TCP packets with flags ACK or RST set; the option is usually called &quot;established&quot;.&#10;&#10;Note that you can use this object only in the policy rules of the firewall that supports this option.&#10;&#10;If you need to match reply packets for a specific TCP service and wish to use option &quot;established&quot;, make a copy of this object and set source port range to match the service.&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id1577X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtmp" comment="Real Time Messaging Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1935" dst_range_end="1935"/>
<TCPService id="id1590X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5222" dst_range_end="5222"/>
<TCPService id="id1609X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5269" dst_range_end="5269"/>
<TCPService id="id1622X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client-ssl" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5223" dst_range_end="5223"/>
<TCPService id="id1631X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server-ssl" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5270" dst_range_end="5270"/>
<TCPService id="id1644X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nrpe" comment="NRPE add-on for Nagios http://www.nagios.org/&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5666" dst_range_end="5666"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
<UDPService id="udp-ALL_UDP_Masqueraded" name="ALL UDP Masqueraded" comment="ipchains used to use this port range for masqueraded packets" ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
<UDPService id="udp-All_UDP" name="All UDP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id3D703C96" name="ICQ" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4000" dst_range_end="4000"/>
<UDPService id="id3CB129D2" name="IKE" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="500" dst_range_end="500"/>
<UDPService id="id3CB131CA" name="PCAnywhere-status" comment="status channel for PCAnywhere v7.52 and later" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5632" dst_range_end="5632"/>
<UDPService id="id3AED0D6B" name="RIP" comment="routing protocol RIP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="520" dst_range_end="520"/>
<UDPService id="id3D703C8C" name="Radius" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1645" dst_range_end="1645"/>
<UDPService id="id3D703C85" name="UDP high ports" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
<UDPService id="id3D703C86" name="Who" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
<UDPService id="id3B4FEDA1" name="afs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7000" dst_range_end="7009"/>
<UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
<UDPService id="udp-bootps" name="bootps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
<UDPService id="id3AEDBE70" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
<UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="id3D703C8A" name="interphone" comment="VocalTec Internet Phone" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22555" dst_range_end="22555"/>
<UDPService id="id3B4FEDA5" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
<UDPService id="id3B4FEDA9" name="kerberos-adm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="749" dst_range_end="750"/>
<UDPService id="id3B4FEDA7" name="kpasswd" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="464" dst_range_end="464"/>
<UDPService id="id3B4FEDAB" name="krb524" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4444" dst_range_end="4444"/>
<UDPService id="id3F865B0D" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
<UDPService id="udp-netbios-dgm" name="netbios-dgm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="138" dst_range_end="138"/>
<UDPService id="udp-netbios-ns" name="netbios-ns" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="137" dst_range_end="137"/>
<UDPService id="udp-netbios-ssn" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
<UDPService id="id3B4FEE78" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
<UDPService id="udp-ntp" name="ntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="123" dst_range_end="123"/>
<UDPService id="id3B4FEF7E" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
<UDPService id="id3D703C88" name="secureid-udp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="1024"/>
<UDPService id="udp-SNMP" name="snmp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="161" dst_range_end="161"/>
<UDPService id="id3AED0D69" name="snmp-trap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="162" dst_range_end="162"/>
<UDPService id="id3AEDBE19" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
<UDPService id="id3AECF780" name="syslog" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
<UDPService id="id3AED0D67" name="tftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="69" dst_range_end="69"/>
<UDPService id="id3AED0D8C" name="traceroute" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="33434" dst_range_end="33524"/>
<UDPService id="id4127EA73" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
<UDPService id="id41291883" name="OpenVPN" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1194" dst_range_end="1194"/>
</ServiceGroup>
<ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
<CustomService id="id3B64EEA8" name="rpc" comment="works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection tracker, supports DCC.&#10;Works on iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/&#10;" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF50" name="psd" comment="Port scan detector, works only on iptables and requires patch-o-matic &#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF52" name="string" comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF54" name="talk" comment="Talk protocol support. Works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="stdid20" name="UserServices" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="stdid12" name="Firewalls" comment="" ro="False"/>
<ObjectGroup id="stdid21" name="Clusters" comment="" ro="False"/>
<IntervalGroup id="stdid11" name="Time" comment="" ro="False">
<Interval id="int-workhours" days_of_week="1,2,3,4,5" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" to_year="-1" name="workhours" comment="any day, 9:00am through 5:00pm" ro="False"/>
<Interval id="int-weekends" days_of_week="6,0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="weekends" comment="weekends: Saturday 0:00 through Sunday 23:59 " ro="False"/>
<Interval id="int-afterhours" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1" name="afterhours" comment="any day 6:00pm - 12:00am" ro="False"/>
<Interval id="id3C63479C" days_of_week="6" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1" name="Sat" comment="" ro="False"/>
<Interval id="id3C63479E" days_of_week="0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="Sun" comment="" ro="False"/>
</IntervalGroup>
</Library>
<Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
<Library id="id0" name="User" comment="" ro="False">
<ObjectGroup id="id1" name="Objects" comment="" ro="False">
<ObjectGroup id="id2" name="Addresses" comment="" ro="False">
<IPv4 id="id3" name="h-10.1.1.206" comment="Created during import of line 72" ro="False" address="10.1.1.206" netmask="255.255.255.255"/>
<IPv4 id="id4" name="h-10.1.1.207" comment="Created during import of line 73" ro="False" address="10.1.1.207" netmask="255.255.255.255"/>
<IPv4 id="id5" name="h-172.17.1.253" comment="Created during import of line 75" ro="False" address="172.17.1.253" netmask="255.255.255.255"/>
<IPv4 id="id6" name="h-172.17.1.254" comment="Created during import of line 76" ro="False" address="172.17.1.254" netmask="255.255.255.255"/>
<IPv4 id="id7" name="h-192.0.2.253" comment="Created during import of line 77" ro="False" address="192.0.2.253" netmask="255.255.255.255"/>
<IPv4 id="id8" name="h-192.0.2.254" comment="Created during import of line 78" ro="False" address="192.0.2.254" netmask="255.255.255.255"/>
<IPv4 id="id9" name="h-10.0.0.253" comment="Created during import of line 80" ro="False" address="10.0.0.253" netmask="255.255.255.255"/>
<IPv4 id="id10" name="h-10.0.0.254" comment="Created during import of line 81" ro="False" address="10.0.0.254" netmask="255.255.255.255"/>
<IPv4 id="id11" name="h-10.1.1.43" comment="Created during import of line 106" ro="False" address="10.1.1.43" netmask="255.255.255.255"/>
<IPv4 id="id12" name="h-10.0.0.16" comment="Created during import of line 136" ro="False" address="10.0.0.16" netmask="255.255.255.255"/>
<IPv4 id="id13" name="h-10.1.1.16" comment="Created during import of line 136" ro="False" address="10.1.1.16" netmask="255.255.255.255"/>
<IPv4 id="id14" name="h-10.0.0.100" comment="Created during import of line 137" ro="False" address="10.0.0.100" netmask="255.255.255.255"/>
<IPv4 id="id15" name="h-10.1.1.100" comment="Created during import of line 137" ro="False" address="10.1.1.100" netmask="255.255.255.255"/>
<IPv4 id="id16" name="h-10.1.1.111" comment="Created during import of line 138" ro="False" address="10.1.1.111" netmask="255.255.255.255"/>
<IPv4 id="id17" name="h-10.5.80.16" comment="Created during import of line 139" ro="False" address="10.5.80.16" netmask="255.255.255.255"/>
<IPv4 id="id18" name="h-10.5.80.200" comment="Created during import of line 140" ro="False" address="10.5.80.200" netmask="255.255.255.255"/>
<IPv4 id="id19" name="h-10.10.1.200" comment="Created during import of line 140" ro="False" address="10.10.1.200" netmask="255.255.255.255"/>
<IPv4 id="id20" name="h-192.0.2.100" comment="Created during import of line 193" ro="False" address="192.0.2.100" netmask="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="id21" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id22" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id23" name="Groups" comment="" ro="False">
<ObjectGroup id="id24" name="outside.id12051X6282.src.net.0" comment="Created during import of line 71" ro="False">
<ObjectRef ref="id3"/>
<ObjectRef ref="id4"/>
</ObjectGroup>
<ObjectGroup id="id27" name="outside.id12051X6282.src.net.1" comment="Created during import of line 74" ro="False">
<ObjectRef ref="id5"/>
<ObjectRef ref="id6"/>
<ObjectRef ref="id7"/>
<ObjectRef ref="id8"/>
</ObjectGroup>
<ObjectGroup id="id32" name="outside.id12051X6282.src.net.2" comment="Created during import of line 79" ro="False">
<ObjectRef ref="id9"/>
<ObjectRef ref="id10"/>
</ObjectGroup>
<ObjectGroup id="id35" name="network-zone-inside" comment="Created during import of line 83" ro="False">
<ObjectRef ref="id41"/>
</ObjectGroup>
<ObjectGroup id="id37" name="network-zone-dmz20" comment="Created during import of line 85" ro="False">
<ObjectRef ref="id42"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="id39" name="Hosts" comment="" ro="False"/>
<ObjectGroup id="id40" name="Networks" comment="" ro="False">
<Network id="id41" name="net-10.1.1.0/255.255.255.0" comment="Created during import of line 84" ro="False" address="10.1.1.0" netmask="255.255.255.0"/>
<Network id="id42" name="net-10.0.0.0/255.255.255.0" comment="Created during import of line 86" ro="False" address="10.0.0.0" netmask="255.255.255.0"/>
<Network id="id43" name="net-10.0.0.16/255.255.255.240" comment="Created during import of line 136" ro="False" address="10.0.0.16" netmask="255.255.255.240"/>
<Network id="id44" name="net-10.5.80.16/255.255.255.240" comment="Created during import of line 139" ro="False" address="10.5.80.16" netmask="255.255.255.240"/>
<Network id="id45" name="net-10.1.2.0/255.255.255.0" comment="Created during import of line 192" ro="False" address="10.1.2.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="id46" name="Address Ranges" comment="" ro="False"/>
</ObjectGroup>
<ServiceGroup id="id47" name="Services" comment="" ro="False">
<ServiceGroup id="id48" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id49" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id50" name="IP" comment="" ro="False">
<IPService id="id51" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" rtralt_value="False" short_fragm="False" ssrr="False" tos="" ts="False" name="ip" comment="Created during import of line 89" ro="False"/>
</ServiceGroup>
<ServiceGroup id="id52" name="TCP" comment="" ro="False">
<TCPService id="id53" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 80:80 / 0:0" comment="Created during import of line 106" ro="False" src_range_start="80" src_range_end="80" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id54" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 80:80" comment="Created during import of line 139" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
<TCPService id="id55" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 8080:8080" comment="Created during import of line 139" ro="False" src_range_start="0" src_range_end="0" dst_range_start="8080" dst_range_end="8080"/>
<TCPService id="id56" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 0:0" comment="Created during import of line 142" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
</ServiceGroup>
<ServiceGroup id="id57" name="UDP" comment="" ro="False">
<UDPService id="id58" name="udp 0:0 / 53:53" comment="Created during import of line 93" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
</ServiceGroup>
<ServiceGroup id="id59" name="Users" comment="" ro="False"/>
<ServiceGroup id="id60" name="Custom" comment="" ro="False"/>
<ServiceGroup id="id61" name="TagServices" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id62" name="Firewalls" comment="" ro="False">
<Firewall id="id63" host_OS="pix_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pix" version="7.0" name="pix1" comment="Created during import of line 6" ro="False">
<NAT id="id271" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id274" disabled="False" group="" position="0" action="Translate" comment="Created during import of line 136">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id43"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id13"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="id425"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id428"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id292" disabled="False" group="" position="1" action="Translate" comment="Created during import of line 137">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id14"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id15"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="id425"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id428"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id310" disabled="False" group="" position="2" action="Translate" comment="Created during import of line 138">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id425"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id16"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="id425"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id428"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id328" disabled="False" group="" position="3" action="Translate" comment="Created during import of line 139">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id44"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id54"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id13"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id55"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="id422"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id428"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id346" disabled="False" group="" position="4" action="Translate" comment="Created during import of line 140">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id18"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id54"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id19"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id55"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="id422"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id428"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id364" disabled="False" group="" position="5" action="Translate" comment="Created during import of line 142">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id422"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id54"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id11"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id56"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="id422"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id428"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id382" disabled="False" group="" position="6" action="Translate" comment="Created during import of line 143">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id422"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id54"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id11"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id56"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="id422"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id428"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id400" disabled="False" group="" position="7" action="Translate" comment="Created during import of line 144">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id422"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id11"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<ItfInb neg="False">
<ObjectRef ref="id422"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id428"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id65" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id67" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="Imported from ssh_commands_outside&#10;Created during import of line 193">
<Src neg="False">
<ObjectRef ref="id20"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id63"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id422"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79" disabled="False" group="" log="False" position="1" action="Accept" direction="Inbound" comment="Imported from ssh_commands_inside&#10;Created during import of line 191">
<Src neg="False">
<ObjectRef ref="id41"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id63"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id91" disabled="False" group="" log="False" position="2" action="Accept" direction="Inbound" comment="Imported from ssh_commands_inside&#10;Created during import of line 192">
<Src neg="False">
<ObjectRef ref="id45"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id63"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id103" disabled="False" group="" log="True" position="3" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 98">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id24"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id115" disabled="False" group="" log="True" position="4" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 99">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id27"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id127" disabled="False" group="" log="True" position="5" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 100">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id32"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id139" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 101">
<Src neg="False">
<ObjectRef ref="id41"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id151" disabled="False" group="" log="True" position="7" action="Deny" direction="Inbound" comment="Imported from inside_in&#10;Created during import of line 102">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id163" disabled="False" group="" log="True" position="8" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of line 93">
<Src neg="False">
<ObjectRef ref="id24"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id41"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id58"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id175" disabled="False" group="" log="True" position="9" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of line 94">
<Src neg="False">
<ObjectRef ref="id27"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id41"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id58"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id187" disabled="False" group="" log="True" position="10" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of line 95">
<Src neg="False">
<ObjectRef ref="id32"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id41"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id58"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id199" disabled="False" group="" log="False" position="11" action="Accept" direction="Outbound" comment="Imported from inside_out&#10;Created during import of line 96">
<Src neg="False">
<ObjectRef ref="id41"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id211" disabled="False" group="" log="True" position="12" action="Deny" direction="Outbound" comment="Imported from inside_out&#10;Created during import of line 97">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id428"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id223" disabled="False" group="" log="True" position="13" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 89">
<Src neg="False">
<ObjectRef ref="id24"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id422"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id235" disabled="False" group="" log="True" position="14" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 90">
<Src neg="False">
<ObjectRef ref="id27"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id422"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id247" disabled="False" group="" log="True" position="15" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 91">
<Src neg="False">
<ObjectRef ref="id32"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id422"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id259" disabled="False" group="" log="True" position="16" action="Deny" direction="Inbound" comment="Imported from outside_in&#10;Created during import of line 92">
<Src neg="False">
<ObjectRef ref="id41"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id422"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_level">warning</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id431" name="id12251X6282.0" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id433" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="Created during import of line 104">
<Src neg="False">
<ObjectRef ref="id41"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id51"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id445" name="id12594X2458.0" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id447" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="Created during import of line 106">
<Src neg="False">
<ObjectRef ref="id11"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id53"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id418" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id420" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet0" comment="Created during import of line 16" ro="False">
<InterfaceOptions/>
<Interface id="id422" dedicated_failover="False" dyn="False" label="outside" security_level="0" unnum="False" unprotected="False" name="Ethernet0.101" comment="Created during import of line 21" ro="False">
<IPv4 id="id424" name="pix1:Ethernet0.101:ip" comment="Created during import of line 24" ro="False" address="192.0.2.253" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">101</Option>
</InterfaceOptions>
</Interface>
<Interface id="id425" dedicated_failover="False" dyn="False" label="dmz20" security_level="20" unnum="False" unprotected="False" name="Ethernet0.102" comment="Created during import of line 27" ro="False">
<IPv4 id="id427" name="pix1:Ethernet0.102:ip" comment="Created during import of line 30" ro="False" address="10.0.0.253" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">102</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Interface id="id428" dedicated_failover="False" dyn="False" label="inside" security_level="100" unnum="False" unprotected="False" name="Ethernet1" comment="Created during import of line 33" ro="False">
<IPv4 id="id429" name="pix1:Ethernet1:ip" comment="Created during import of line 37" ro="False" address="10.1.1.206" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<FirewallOptions>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_default_loglevel">info</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_generate_out_acl">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<ObjectGroup id="id459" name="Clusters" comment="" ro="False"/>
<IntervalGroup id="id460" name="Time" comment="" ro="False"/>
</Library>
</FWObjectDatabase>

63
src/unit_tests/PIXImporterTest/test_data/pix7-nat.output Normal file
View File

@ -0,0 +1,63 @@
Version: 7.2
Host name: pix1
Parser warning: "names" section detected. Import of configuration that uses "names" is not supported at this time
Name 1.2.3.4 gw
Name 192.168.3.0 fake_network
Name 192.168.4.1 inside_ip
New interface: Ethernet0
New interface: Ethernet0.101
Interface parameters: outside
Interface label: outside
Interface address: 192.0.2.253/255.255.255.0
New interface: Ethernet0.102
Interface parameters: dmz20
Interface label: dmz20
Interface address: 10.0.0.253/255.255.255.0
Parser warning: failover IP detected. Failover is not supported by import at this time
New interface: Ethernet1
Interface parameters: inside
Interface label: inside
Interface address: 10.1.1.206/255.255.255.0
New interface: Ethernet2
Warning: interface Ethernet2 was not imported because it is in "shutdown" mode
New interface: Ethernet3
Warning: interface Ethernet3 was not imported because it is in "shutdown" mode
New interface: Ethernet4
Warning: interface Ethernet4 was not imported because it is in "shutdown" mode
New interface: Ethernet5
Warning: interface Ethernet5 was not imported because it is in "shutdown" mode
New interface: Ethernet6
Warning: interface Ethernet6 was not imported because it is in "shutdown" mode
Object Group (network) outside.id12051X6282.src.net.0Object Group (network) outside.id12051X6282.src.net.1Object Group (network) outside.id12051X6282.src.net.2Object Group (network) network-zone-insideObject Group (network) network-zone-dmz20Ruleset: outside_in
Ruleset: outside_in
Ruleset: outside_in
Ruleset: outside_in
Ruleset: inside_out
Ruleset: inside_out
Ruleset: inside_out
Ruleset: inside_out
Ruleset: inside_out
Ruleset: inside_in
Ruleset: inside_in
Ruleset: inside_in
Ruleset: inside_in
Ruleset: inside_in
Ruleset: id12251X6282.0
Ruleset: id12594X2458.0
Ruleset: nat
Ruleset: nat
Ruleset: nat
Ruleset: nat
Ruleset: nat
Ruleset: nat
Ruleset: nat
Ruleset: nat
Interface Ethernet0.101 ruleset outside_in direction 'in'
Interface Ethernet1 ruleset inside_in direction 'in'
Interface Ethernet1 ruleset inside_out direction 'out'
Ruleset: ssh_commands_inside
Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
Ruleset: ssh_commands_inside
Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
Ruleset: ssh_commands_outside
Interface Ethernet0.101 ruleset ssh_commands_outside direction 'in'

34
src/unit_tests/PIXImporterTest/test_data/pix7-nat.test
View File

@ -38,6 +38,7 @@ interface Ethernet1
ip address 10.1.1.206 255.255.255.0
!
interface Ethernet2
shutdown
description LAN/STATE Failover Interface
speed 10
!
@ -78,6 +79,13 @@ object-group network outside.id12051X6282.src.net.1
object-group network outside.id12051X6282.src.net.2
network-object host 10.0.0.253
network-object host 10.0.0.254
object-group network network-zone-inside
network-object 10.1.1.0 255.255.255.0
object-group network network-zone-dmz20
network-object 10.0.0.0 255.255.255.0
access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.0 any log warnings
access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.1 any log warnings
access-list outside_in extended deny ip object-group outside.id12051X6282.src.net.2 any log warnings
@ -92,10 +100,10 @@ access-list inside_in extended deny ip any object-group outside.id12051X6282.src
access-list inside_in extended deny ip any object-group outside.id12051X6282.src.net.2 log warnings
access-list inside_in extended permit ip 10.1.1.0 255.255.255.0 any
access-list inside_in extended deny ip any any log warnings
access-list id12251X6282.0 extended permit ip 10.1.1.0 255.255.255.0 any
access-group inside_in in interface inside
access-group outside_in in interface outside
access-list id12594X2458.0 permit tcp host 10.1.1.43 eq www any
pager lines 24
logging enable
@ -120,12 +128,28 @@ failover link failover Ethernet2
failover interface ip failover 172.17.1.253 255.255.255.252 standby 172.17.1.254
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 access-list id12251X6282.0
! nat-control
! global (outside) 1 interface
! nat (inside) 1 access-list id12251X6282.0
static (inside,dmz20) 10.0.0.16 10.1.1.16 netmask 255.255.255.240
static (inside,dmz20) 10.0.0.100 10.1.1.100 netmask 255.255.255.255
static (inside,dmz20) interface 10.1.1.111
static (inside,outside) tcp 10.5.80.16 80 10.1.1.16 8080 netmask 255.255.255.240 0 0
static (inside,outside) tcp 10.5.80.200 80 10.10.1.200 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www access-list id12594X2458.0 0 0
static (inside,outside) tcp interface 80 access-list id12594X2458.0 0 0
static (inside,outside) interface access-list id12594X2458.0 0 0
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group inside_out out interface inside
route inside 192.168.10.0 255.255.255.0 10.1.1.254 1
route inside 10.1.2.0 255.255.255.0 10.1.1.201 1
timeout xlate 3:00:00

1
src/unit_tests/PIXImporterTest/test_data/pix7.output
View File

@ -48,7 +48,6 @@ Interface Ethernet0.101 ruleset outside_in direction 'in'
Interface Ethernet0.101 ruleset outside_in direction 'in'
Interface Ethernet1 ruleset inside_in direction 'in'
Interface Ethernet1 ruleset inside_out direction 'out'
Parser error: line 163:5: unexpected token: scopy
Ruleset: ssh_commands_inside
Interface Ethernet1 ruleset ssh_commands_inside direction 'in'
Ruleset: ssh_commands_inside