
see #1959 ASA Policy - ranges are broken into composite network instead of using range command. I now create named objects to represent address ranges and put them into an object-group, which I can then use in access-list commands

This commit is contained in:
Vadim Kurland 2011-01-20 14:34:00 -08:00
parent 7058a72f3e
commit 34630953cc
45 changed files with 291 additions and 121 deletions


@ -1,5 +1,11 @@
2011-01-20 vadim <vadim@netcitadel.com>
* NamedObjectsAndGroupsSupport.cpp (printObjectsForRE): See #1959
"ASA Policy - ranges are broken into composite network instead of
using range command". I have to create named objects for address
ranges and put them into an object-group, which I can then use in
access-list commands.
* PolicyCompiler_pix.cpp (compile): See #1965 "ASA Policy - PIX
6.1 configurations use object groups". Policy compiler for PIX is
now aware that object-group statement was introduced in PIX v6.2


@ -39,6 +39,7 @@
#include <sstream>
#include <QStringList>
#include <QtDebug>
using namespace libfwbuilder;
@ -50,29 +51,37 @@ map<QString,int> BaseObjectGroup::name_disambiguation;
const char *BaseObjectGroup::TYPENAME={"BaseObjectGroup"};
string BaseObjectGroup::registerGroupName(const string &prefix,
object_group_type gt)
QString BaseObjectGroup::registerGroupName(const QString &prefix,
object_group_type gt)
{
QStringList str;
str << QString::fromUtf8(prefix.c_str());
QString type_suffix;
switch (gt)
{
case UNKNOWN: str << "unknown"; break;
case NETWORK: str << "net"; break;
case PROTO: str << "proto"; break;
case ICMP_TYPE: str << "icmp"; break;
case TCP_SERVICE: str << "tcp"; break;
case UDP_SERVICE: str << "udp"; break;
case TCP_UDP_SERVICE: str << "tcpudp"; break;
case MIXED_SERVICE: str << "mixed"; break;
case UNKNOWN: type_suffix = "unknown"; break;
case NETWORK: type_suffix = "net"; break;
case PROTO: type_suffix = "proto"; break;
case ICMP_TYPE: type_suffix = "icmp"; break;
case TCP_SERVICE: type_suffix = "tcp"; break;
case UDP_SERVICE: type_suffix = "udp"; break;
case TCP_UDP_SERVICE: type_suffix = "tcpudp"; break;
case MIXED_SERVICE: type_suffix = "mixed"; break;
default: type_suffix = "unknown"; break;
}
QString name_prefix = str.join(".");
int n = name_disambiguation[name_prefix];
name_disambiguation[name_prefix] = n + 1;
str << QString().setNum(n);
return str.join(".").toUtf8().constData();
int n = 0;
while (true)
{
QString full_name =
QString("%1.%2.%3").arg(prefix).arg(type_suffix).arg(n);
if (name_disambiguation.count(full_name) == 0)
{
name_disambiguation[full_name] = 0;
return full_name;
}
n++;
}
return "";
}
BaseObjectGroup::object_group_type BaseObjectGroup::getObjectGroupTypeFromFWObject(
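Review bot: `name_disambiguation` is now used purely as a set — every entry is stored with the value 0 and the probe loop consults nothing but `count()` — yet its declared type stays `std::map<QString,int>` (see the header hunk for BaseObjectGroup.h), so a `std::set<QString>` with `if (name_disambiguation.insert(full_name).second) return full_name;` would state the intent and fold lookup and insert into one operation. Dropping the old per-prefix counter also means every registration re-probes from `n = 0`, which is quadratic in the number of groups sharing a prefix; harmless at realistic sizes, but a comment like `// probe upward from 0 so a name is never reused even if the prefix was seen before` would explain why the counter went away. The `return "";` after `while (true)` is unreachable and can be removed. Nothing in this hunk ever clears the static container, so group numbers presumably keep climbing when several firewalls are compiled in one process — confirm that is intended rather than an accident of the rewrite.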


@ -59,8 +59,8 @@ public:
static std::map<QString,int> name_disambiguation;
static std::string registerGroupName(const std::string &prefix,
object_group_type gt);
static QString registerGroupName(const QString &prefix,
object_group_type gt);
BaseObjectGroup(object_group_type _gt=UNKNOWN) : libfwbuilder::Group()
{


@ -499,7 +499,9 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
}
catch (FWException &ex)
{
return QString::fromUtf8(ex.toString().c_str());
QString err = QString::fromUtf8(ex.toString().c_str());
qDebug() << err;
return err;
}
return "";
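Review bot: The added `qDebug() << err;` prints the exception text to stderr even though the same text is returned to the caller, which presumably reports it as well, so a normal build shows every compile failure twice, while a release build with `QT_NO_DEBUG_OUTPUT` shows the debug copy not at all. Either drop the line or, if a trace is wanted regardless of what the caller does with the string, use `qWarning() << err;` so it survives release builds. If it is a debugging leftover for #1959/#1965, a `// TODO: remove once named-object output is verified` would at least mark it. The enclosing `CompilerDriver_pix::run` begins outside this hunk.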


@ -44,6 +44,7 @@
#include <sstream>
#include <QStringList>
#include <QtDebug>
using namespace libfwbuilder;
@ -108,25 +109,18 @@ QString NATCompiler_asa8::PrintRule::printSingleObject(FWObject *obj)
NamedObject* asa8_object = pix_comp->named_objects_manager->getNamedObject(obj);
if (asa8_object) return asa8_object->getCommandWord();
for (FWObject::iterator i=CreateObjectGroups::object_groups->begin();
i!=CreateObjectGroups::object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
if (og->getId() == obj->getId()) return obj->getName().c_str();
}
if (BaseObjectGroup::cast(obj)!=NULL) return obj->getName().c_str();
if (Interface::isA(obj) && obj->isChildOf(compiler->fw)) return "interface";
QString err("Found unknown object '%1' in the NAT rule: it is not "
"an ASA8 object, object group or an interface of the firewall");
throw FWException(err.arg(obj->getName().c_str()).toStdString());
compiler->abort(err.arg(obj->getName().c_str()).toStdString());
return "";
}
void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule)
{
//NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
FWOptions *ropt = rule->getOptionsObject();
QStringList cmd;
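Review bot: Replacing the `throw FWException(...)` with `compiler->abort(...)` followed by `return "";` makes the outcome depend on whether `abort()` can return; if it does (for example in a test or ignore-errors mode — `Compiler::abort` is not visible here), the caller assembling the `nat` line receives an empty word and emits a malformed, or potentially broader-than-intended, NAT statement instead of failing. Keeping a hard failure after the abort call, e.g. `compiler->abort(msg); throw FWException(msg);`, preserves the old fail-closed behaviour whatever `abort()` does. Separately, the new `BaseObjectGroup::cast(obj)!=NULL` test accepts any object of that type, whereas the removed loop also confirmed the group was registered in `CreateObjectGroups::object_groups` and therefore actually printed as an `object-group`; if an unregistered BaseObjectGroup can reach this point it would now be referenced by a name the device never saw. `printSingleObject` starts before the first line of this hunk.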


@ -54,6 +54,7 @@
#include <QString>
#include <QStringList>
#include <QtDebug>
using namespace libfwbuilder;
@ -80,29 +81,17 @@ NamedObjectManager::~NamedObjectManager()
named_objects.clear();
}
string NamedObjectManager::addNamedObject(const FWObject *obj)
void NamedObjectManager::addNamedObject(const FWObject *obj)
{
string res;
if (BaseObjectGroup::constcast(obj)!=NULL)
{
for (FWObject::const_iterator i=obj->begin(); i!=obj->end(); ++i)
{
res += addNamedObject(FWReference::getObject(*i));
}
return res;
}
if (named_objects[obj->getId()] == NULL)
{
NamedObject *asa8obj = new NamedObject(obj);
res = asa8obj->getCommand(fw).toUtf8().constData();
named_objects[obj->getId()] = asa8obj;
}
return res;
if (getNamedObject(obj) == NULL)
named_objects[obj->getId()] = new NamedObject(obj);
}
NamedObject* NamedObjectManager::getNamedObject(const FWObject *obj)
{
return named_objects[obj->getId()];
if (named_objects.count(obj->getId()) == 0) return NULL;
else
return named_objects[obj->getId()];
}
string NamedObjectManager::getNamedObjectsDefinitions()
@ -183,7 +172,6 @@ bool CreateObjectGroups::processNext()
BaseObjectGroup *obj_group = findObjectGroup(re);
if (obj_group==NULL)
{
//obj_group= new BaseObjectGroup();
obj_group = ObjectGroupFactory::createObjectGroup(compiler->fw);
object_groups->add(obj_group);
@ -192,26 +180,20 @@ bool CreateObjectGroups::processNext()
obj_group->setObjectGroupTypeFromMembers(named_objects_manager);
QStringList group_name_prefix;
// if (!rule_iface->getLabel().empty())
// group_name_prefix.push_back(rule_iface->getLabel().c_str());
group_name_prefix.push_back(rule->getUniqueId().c_str());
group_name_prefix.push_back(name_suffix.c_str());
string group_name = BaseObjectGroup::registerGroupName(
group_name_prefix.join(".").toStdString(),
QString reg_name = BaseObjectGroup::registerGroupName(
group_name_prefix.join("."),
obj_group->getObjectGroupType());
obj_group->setName(group_name);
obj_group->setName(reg_name.toUtf8().constData());
} else
{
re->clearChildren(false); //do not want to destroy children objects
re->addRef(obj_group);
}
// assert(re->size()==1);
tmp_queue.push_back(rule);
return true;
}
@ -289,16 +271,34 @@ bool printObjectGroups::processNext()
return true;
}
void printNamedObjectsCommon::printObjectsForRE(RuleElement *re)
void printNamedObjectsCommon::printObjectsForRE(FWObject *re)
{
if (re->isAny()) return;
if (RuleElement::cast(re)!=NULL && RuleElement::cast(re)->isAny()) return;
for (FWObject::iterator it=re->begin(); it!=re->end(); ++it)
{
FWObject *obj = FWReference::getObject(*it);
if (Interface::isA(obj)) continue;
//compiler->output << named_objects_manager->addNamedObject(obj);
named_objects_manager->addNamedObject(obj);
if (BaseObjectGroup::cast(obj)!=NULL) printObjectsForRE(obj);
else named_objects_manager->addNamedObject(obj);
}
}
/*
* We only need named objects for address ranges in policy. At least
* at this time, we have decided to not create named objects for
* everything and use them only in cases where it is inevitable.
*/
void printNamedObjectsForPolicy::printObjectsForRE(FWObject *re)
{
if (RuleElement::cast(re)!=NULL && RuleElement::cast(re)->isAny()) return;
for (FWObject::iterator it=re->begin(); it!=re->end(); ++it)
{
FWObject *obj = FWReference::getObject(*it);
if (Interface::isA(obj)) continue;
if (BaseObjectGroup::cast(obj)!=NULL) printObjectsForRE(obj);
if (AddressRange::isA(obj)) named_objects_manager->addNamedObject(obj);
}
}
@ -314,20 +314,16 @@ bool printNamedObjectsForPolicy::processNext()
slurp();
if (tmp_queue.size()==0) return false;
compiler->output << endl;
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
PolicyRule *policy_rule = PolicyRule::cast( *k );
if (policy_rule)
{
RuleElementSrc *src_re = policy_rule->getSrc(); assert(src_re);
FWObject *srcobj = FWReference::getObject(src_re->front());
if (AddressRange::isA(srcobj)) printObjectsForRE(src_re);
printObjectsForRE(src_re);
RuleElementDst *dst_re = policy_rule->getDst(); assert(dst_re);
FWObject *dstobj = FWReference::getObject(dst_re->front());
if (AddressRange::isA(srcobj)) printObjectsForRE(dst_re);
printObjectsForRE(dst_re);
//RuleElementSrv *srv_re = policy_rule->getSrv(); assert(srv_re);
//printObjectsForRE(srv_re);
@ -343,8 +339,6 @@ bool printNamedObjectsForNAT::processNext()
slurp();
if (tmp_queue.size()==0) return false;
compiler->output << endl;
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
NATRule *nat_rule = NATRule::cast( *k );
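Review bot: `getNamedObject` now performs two lookups on `named_objects` — `count()` and then `operator[]` — where a single `find()` that returns `it->second` when the iterator is not `end()` does the same job in one pass, and the `else` on its own line after a `return` reads oddly. In `addNamedObject` the `new NamedObject(obj)` is owned by the map, but the only destructor line visible in this hunk is `named_objects.clear();`, which does not free the values; if the lines above it (outside the hunk) do not delete each pointer, every named object created here leaks for the life of the process, so a `// owned by this manager; released in ~NamedObjectManager` comment on the insertion would make the contract explicit once confirmed. The `printObjectsForRE` overrides and the two `processNext` loops in this file are only partially visible; their enclosing functions start or end outside the hunks.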


@ -49,7 +49,7 @@ public:
NamedObjectManager(const libfwbuilder::Firewall *_fw);
virtual ~NamedObjectManager();
std::string addNamedObject(const libfwbuilder::FWObject *obj);
void addNamedObject(const libfwbuilder::FWObject *obj);
NamedObject* getNamedObject(const libfwbuilder::FWObject *obj);
std::string getNamedObjectsDefinitions();
@ -174,7 +174,7 @@ public:
class printNamedObjectsCommon : public BasicRuleProcessor
{
protected:
void printObjectsForRE(libfwbuilder::RuleElement *re);
virtual void printObjectsForRE(libfwbuilder::FWObject *re);
NamedObjectManager *named_objects_manager;
public:
printNamedObjectsCommon(const std::string &n,
@ -186,6 +186,8 @@ public:
class printNamedObjectsForPolicy : public printNamedObjectsCommon
{
protected:
virtual void printObjectsForRE(libfwbuilder::FWObject *re);
public:
printNamedObjectsForPolicy(const std::string &n,
NamedObjectManager *m) : printNamedObjectsCommon(n, m) {}


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:20 2011 PST by vadim
! Generated Thu Jan 20 14:33:17 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:20 2011 PST by vadim
! Generated Thu Jan 20 14:33:17 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:20 2011 PST by vadim
! Generated Thu Jan 20 14:33:17 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:20 2011 PST by vadim
! Generated Thu Jan 20 14:33:17 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:05 2011 PST by vadim
! Generated Thu Jan 20 14:33:03 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:05 2011 PST by vadim
! Generated Thu Jan 20 14:33:02 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:06 2011 PST by vadim
! Generated Thu Jan 20 14:33:03 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:06 2011 PST by vadim
! Generated Thu Jan 20 14:33:03 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:07 2011 PST by vadim
! Generated Thu Jan 20 14:33:04 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:07 2011 PST by vadim
! Generated Thu Jan 20 14:33:04 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:08 2011 PST by vadim
! Generated Thu Jan 20 14:33:05 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:08 2011 PST by vadim
! Generated Thu Jan 20 14:33:05 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:09 2011 PST by vadim
! Generated Thu Jan 20 14:33:06 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:09 2011 PST by vadim
! Generated Thu Jan 20 14:33:07 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:09 2011 PST by vadim
! Generated Thu Jan 20 14:33:06 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:10 2011 PST by vadim
! Generated Thu Jan 20 14:33:07 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:10 2011 PST by vadim
! Generated Thu Jan 20 14:33:07 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:10 2011 PST by vadim
! Generated Thu Jan 20 14:33:08 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:11 2011 PST by vadim
! Generated Thu Jan 20 14:33:08 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:11 2011 PST by vadim
! Generated Thu Jan 20 14:33:08 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:12 2011 PST by vadim
! Generated Thu Jan 20 14:33:09 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:12 2011 PST by vadim
! Generated Thu Jan 20 14:33:09 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:13 2011 PST by vadim
! Generated Thu Jan 20 14:33:10 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:13 2011 PST by vadim
! Generated Thu Jan 20 14:33:11 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:14 2011 PST by vadim
! Generated Thu Jan 20 14:33:11 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -103,7 +103,6 @@ clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp
@ -155,7 +154,6 @@ access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
!
! Rule 0 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)"


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:14 2011 PST by vadim
! Generated Thu Jan 20 14:33:11 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -103,7 +103,6 @@ clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp
@ -141,7 +140,6 @@ access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
!
! Rule 0 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)"


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:14 2011 PST by vadim
! Generated Thu Jan 20 14:33:12 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -101,7 +101,6 @@ clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp
@ -136,7 +135,6 @@ access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
!
! Rule 0 (NAT)
nat (inside,outside) source static hostA:eth0.0 interface service http.0 http.0 description "0 (NAT)"


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:15 2011 PST by vadim
! Generated Thu Jan 20 14:33:12 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:15 2011 PST by vadim
! Generated Thu Jan 20 14:33:13 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -173,7 +173,6 @@ clear config object-group
clear config icmp
clear config telnet
object-group network id78630X30274.src.net.0
network-object 10.1.2.0 255.255.255.0
network-object 10.1.3.0 255.255.255.0
@ -208,7 +207,6 @@ clear xlate
clear config nat
clear config object
object-group network id178211X29963.osrc.net.0
network-object object internal_subnet_1.0
network-object object internal_subnet_2.0


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:16 2011 PST by vadim
! Generated Thu Jan 20 14:33:13 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -130,7 +130,6 @@ clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
access-list inside_acl_in deny ip any any
@ -143,7 +142,6 @@ access-group outside_acl_in in interface outside
clear xlate
clear config nat
clear config object
!
! Rule 0 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0.0 description "0 (NAT)"


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:16 2011 PST by vadim
! Generated Thu Jan 20 14:33:13 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -125,7 +125,6 @@ clear config access-list
clear config object-group
clear config icmp
clear config telnet
!
! Rule 0 (global)
access-list inside_acl_in deny ip any any
@ -139,7 +138,6 @@ clear xlate
clear config nat
clear config object
object-group network id20655X6113.osrc.net.0
network-object object internal_subnet_1.0
network-object object internal_subnet_2.0


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:16 2011 PST by vadim
! Generated Thu Jan 20 14:33:14 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -103,7 +103,6 @@ quit
clear xlate
clear config nat
clear config object
!
! Rule 0 (NAT)
nat (inside,outside) source dynamic inside-range-1.0 interface description "0 (NAT)"

test/pix/firewall94.fw.orig Executable file

@ -0,0 +1,113 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 14:33:14 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
! Emulate outbound ACLs: yes
! Generating outbound ACLs: no
! Assume firewall is part of any: yes
!
!# files: * firewall94.fw
!
! test using address ranges in policy rule
!
! Prolog script:
!
!
! End of prolog script:
!
interface Ethernet0/0
nameif outside
security-level 0
exit
interface Ethernet0/1
nameif inside
security-level 100
exit
no logging buffered
no logging console
no logging timestamp
no logging on
telnet timeout -1
clear config ssh
aaa authentication ssh console LOCAL
ssh timeout -1
clear config snmp-server
no snmp-server enable traps
clear config ntp
no service resetinbound
no service resetoutside
no sysopt connection timewait
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
service-policy global_policy global
object network inside-range-1.0
range 10.0.0.5 10.0.0.10
quit
object network inside-range-2.0
range 10.0.0.8 10.0.0.15
quit
!################
clear config access-list
clear config object-group
clear config icmp
clear config telnet
object-group network id26782X14355.src.net.0
network-object object inside-range-1.0
network-object object inside-range-2.0
exit
!
! Rule 0 (global)
access-list inside_acl_in remark 0 (global)
access-list inside_acl_in deny ip object-group id26782X14355.src.net.0 any log 6 interval 300
access-group inside_acl_in in interface inside
!
! Epilog script:
!
! End of epilog script:
!


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:17 2011 PST by vadim
! Generated Thu Jan 20 14:33:15 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:17 2011 PST by vadim
! Generated Thu Jan 20 14:33:15 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported


@ -1259,6 +1259,7 @@
<Network id="id26248X5313" name="Network-0" comment="" ro="False" address="10.0.0.0" netmask="255.255.255.0"/>
<Network id="id26250X5313" name="Network-1" comment="" ro="False" address="10.1.0.0" netmask="255.255.255.0"/>
<Network id="id354409X25872" name="ext_subnet-192" comment="" ro="False" address="22.22.22.128" netmask="255.255.255.192"/>
<Network id="id26771X14355" name="Network-0" comment="" ro="False" address="10.0.0.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3CD8769F" name="test_range_1" comment="" ro="False" start_address="192.168.1.11" end_address="192.168.1.15"/>
@ -1268,6 +1269,8 @@
<AddressRange id="id26252X5313" name="inside-range-3" comment="" ro="False" start_address="172.16.0.1" end_address="172.16.0.2"/>
<AddressRange id="id26287X5313" name="dmz-range-1" comment="" ro="False" start_address="172.16.0.10" end_address="172.16.0.15"/>
<AddressRange id="id26289X5313" name="inside-range-1" comment="" ro="False" start_address="10.0.0.1" end_address="10.0.0.5"/>
<AddressRange id="id26796X14355" name="inside-range-1" comment="" ro="False" start_address="10.0.0.5" end_address="10.0.0.10"/>
<AddressRange id="id26798X14355" name="inside-range-2" comment="" ro="False" start_address="10.0.0.8" end_address="10.0.0.15"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05_1" name="Services" comment="" ro="False">
@ -20398,6 +20401,66 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id26760X14355" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295562655" platform="pix" version="8.3" name="firewall94" comment="test using address ranges in policy rule" ro="False">
<NAT id="id26814X14355" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id26780X14355" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id26782X14355" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id26796X14355"/>
<ObjectRef ref="id26798X14355"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id26817X14355" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id26768X14355" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
<IPv4 id="id26769X14355" name="firewall94:Ethernet0/0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id26772X14355" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id26771X14355" security_level="100" unnum="False" unprotected="False" name="Ethernet0/1" comment="" ro="False">
<IPv4 id="id26773X14355" name="firewall94:Ethernet0/1:ip" comment="" ro="False" address="10.0.0.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="pix_acl_basic">True</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
</Library>
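Review bot: The fixture now holds two `AddressRange` objects both named `inside-range-1` — `id26289X5313` (10.0.0.1–10.0.0.5) and the new `id26796X14355` (10.0.0.5–10.0.0.10) — with overlapping ranges. The generated firewall94 output names the new one `inside-range-1.0`, and the NAT test output elsewhere in this commit also refers to `inside-range-1.0`; whether that `.0` suffix is derived from the object id or is just a counter is not visible here, so a firewall that references both same-named ranges could emit two `object network inside-range-1.0` definitions, the second `range` silently replacing the first on the device. A test firewall that uses both `inside-range-1` objects in one policy would pin this down; firewall94 only exercises the new pair.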


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:18 2011 PST by vadim
! Generated Thu Jan 20 14:33:16 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3440
!
! Generated Thu Jan 20 10:08:18 2011 PST by vadim
! Generated Thu Jan 20 14:33:16 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported