From 34630953cca6c8c52d33acda3692b6a7ca595a35 Mon Sep 17 00:00:00 2001 
From: Vadim Kurland
Date: Thu, 20 Jan 2011 14:34:00 -0800
Subject: [PATCH] see #1959 ASA Policy - ranges are broken into composite network instead of using range command. I now create named objects to represent address ranges and put them into object-group, whcih I can then use in access-list commands
---
 doc/ChangeLog | 6 +
 src/cisco_lib/BaseObjectGroup.cpp | 43 ++++---
 src/cisco_lib/BaseObjectGroup.h | 4 +-
 src/cisco_lib/CompilerDriver_pix_run.cpp | 4 +-
 src/cisco_lib/NATCompiler_asa8_writers.cpp | 14 +--
 .../NamedObjectsAndGroupsSupport.cpp | 74 ++++++------
 src/cisco_lib/NamedObjectsAndGroupsSupport.h | 6 +-
 test/pix/cluster1-1_pix1.fw.orig | 2 +-
 test/pix/cluster1-1_pix2.fw.orig | 2 +-
 test/pix/cluster1_pix1.fw.orig | 2 +-
 test/pix/cluster1_pix2.fw.orig | 2 +-
 test/pix/firewall.fw.orig | 2 +-
 test/pix/firewall1.fw.orig | 2 +-
 test/pix/firewall10.fw.orig | 2 +-
 test/pix/firewall11.fw.orig | 2 +-
 test/pix/firewall12.fw.orig | 2 +-
 test/pix/firewall13.fw.orig | 2 +-
 test/pix/firewall14.fw.orig | 2 +-
 test/pix/firewall2.fw.orig | 2 +-
 test/pix/firewall20.fw.orig | 2 +-
 test/pix/firewall21-1.fw.orig | 2 +-
 test/pix/firewall21.fw.orig | 2 +-
 test/pix/firewall22.fw.orig | 2 +-
 test/pix/firewall3.fw.orig | 2 +-
 test/pix/firewall33.fw.orig | 2 +-
 test/pix/firewall34.fw.orig | 2 +-
 test/pix/firewall4.fw.orig | 2 +-
 test/pix/firewall50.fw.orig | 2 +-
 test/pix/firewall6.fw.orig | 2 +-
 test/pix/firewall8.fw.orig | 2 +-
 test/pix/firewall80.fw.orig | 2 +-
 test/pix/firewall81.fw.orig | 4 +-
 test/pix/firewall82.fw.orig | 4 +-
 test/pix/firewall83.fw.orig | 4 +-
 test/pix/firewall9.fw.orig | 2 +-
 test/pix/firewall90.fw.orig | 4 +-
 test/pix/firewall91.fw.orig | 4 +-
 test/pix/firewall92.fw.orig | 4 +-
 test/pix/firewall93.fw.orig | 3 +-
 test/pix/firewall94.fw.orig | 113 ++++++++++++++++++
 test/pix/fwsm1.fw.orig | 2 +-
 test/pix/fwsm2.fw.orig | 2 +-
 test/pix/objects-for-regression-tests.fwb | 63 ++++++++++
 test/pix/pix515.fw.orig | 2 +-
 test/pix/real.fw.orig | 2 +-
 45 files changed, 291 insertions(+), 121 deletions(-)
 create mode 100755 test/pix/firewall94.fw.orig
diff --git a/doc/ChangeLog b/doc/ChangeLog
index a4e357edb..738dfc160 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,11 @@
 2011-01-20 vadim
+ * NamedObjectsAndGroupsSupport.cpp (printObjectsForRE): See #1959
+ "ASA Policy - ranges are broken into composite network instead of
+ using range command". I have to create named objects for address
+ ranges and put them into an object-group, which I can then use in
+ access-list commands.
+
 * PolicyCompiler_pix.cpp (compile): See #1965 "ASA Policy - PIX 6.1 configurations use object groups". Policy compiler for PIX is now aware that object-group statement was introduced in PIX v6.2
diff --git a/src/cisco_lib/BaseObjectGroup.cpp b/src/cisco_lib/BaseObjectGroup.cpp
index e716a3234..e182199b0 100644
--- a/src/cisco_lib/BaseObjectGroup.cpp
+++ b/src/cisco_lib/BaseObjectGroup.cpp
@@ -39,6 +39,7 @@
 #include 
 #include 
+#include 
 using namespace libfwbuilder;
@@ -50,29 +51,37 @@ map BaseObjectGroup::name_disambiguation;
 const char *BaseObjectGroup::TYPENAME={"BaseObjectGroup"};
-string BaseObjectGroup::registerGroupName(const string &prefix,
- object_group_type gt)
+QString BaseObjectGroup::registerGroupName(const QString &prefix,
+ object_group_type gt)
 {
- QStringList str;
- str << QString::fromUtf8(prefix.c_str());
+ QString type_suffix;
 switch (gt)
 {
- case UNKNOWN: str << "unknown"; break;
- case NETWORK: str << "net"; break;
- case PROTO: str << "proto"; break;
- case ICMP_TYPE: str << "icmp"; break;
- case TCP_SERVICE: str << "tcp"; break;
- case UDP_SERVICE: str << "udp"; break;
- case TCP_UDP_SERVICE: str << "tcpudp"; break;
- case MIXED_SERVICE: str << "mixed"; break;
+ case UNKNOWN: type_suffix = "unknown"; break;
+ case NETWORK: type_suffix = "net"; break;
+ case PROTO: type_suffix = "proto"; break;
+ case ICMP_TYPE: type_suffix = "icmp"; break;
+ case TCP_SERVICE: type_suffix = "tcp"; break;
+ case UDP_SERVICE: type_suffix = "udp"; break;
+ case TCP_UDP_SERVICE: type_suffix = "tcpudp"; break;
+ case MIXED_SERVICE: type_suffix = "mixed"; break;
+ default: type_suffix = "unknown"; break;
 }
- QString name_prefix = str.join(".");
- int n = name_disambiguation[name_prefix];
- name_disambiguation[name_prefix] = n + 1;
- str << QString().setNum(n);
- return str.join(".").toUtf8().constData();
+ int n = 0;
+ while (true)
+ {
+ QString full_name =
+ QString("%1.%2.%3").arg(prefix).arg(type_suffix).arg(n);
+ if (name_disambiguation.count(full_name) == 0)
+ {
+ name_disambiguation[full_name] = 0;
+ return full_name;
+ }
+ n++;
+ }
+ return "";
 }
 BaseObjectGroup::object_group_type
 BaseObjectGroup::getObjectGroupTypeFromFWObject(
diff --git a/src/cisco_lib/BaseObjectGroup.h b/src/cisco_lib/BaseObjectGroup.h
index a7026b5d5..5cba1a16b 100644
--- a/src/cisco_lib/BaseObjectGroup.h
+++ b/src/cisco_lib/BaseObjectGroup.h
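Review bot: The `return "";` after the `while (true)` loop in registerGroupName is unreachable — the loop only leaves through the `return full_name` inside it — so it is dead code; a `for (int n = 0;; n++)` with the return inside and no trailing return states the intent more plainly. The hunk also changes what `name_disambiguation` holds: it is now probed with `count(full_name)` on the full `prefix.suffix.n` QString and the stored value is never read, while the header hunk in BaseObjectGroup.h leaves the map's declaration (template arguments not visible here) untouched; if the key is still std::string this will not compile, so confirm the declaration matches. A one-line comment above the loop such as `// names already handed out; the mapped value is unused` would save the next reader from looking for a counter that no longer exists.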
@@ -59,8 +59,8 @@ public:
 static std::map name_disambiguation;
- static std::string registerGroupName(const std::string &prefix,
- object_group_type gt);
+ static QString registerGroupName(const QString &prefix,
+ object_group_type gt);
 BaseObjectGroup(object_group_type _gt=UNKNOWN) : libfwbuilder::Group() {
diff --git a/src/cisco_lib/CompilerDriver_pix_run.cpp b/src/cisco_lib/CompilerDriver_pix_run.cpp
index 7f61139c7..9188a8375 100644
--- a/src/cisco_lib/CompilerDriver_pix_run.cpp
+++ b/src/cisco_lib/CompilerDriver_pix_run.cpp
@@ -499,7 +499,9 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
 }
 catch (FWException &ex)
 {
- return QString::fromUtf8(ex.toString().c_str());
+ QString err = QString::fromUtf8(ex.toString().c_str());
+ qDebug() << err;
+ return err;
 }
 return "";
diff --git a/src/cisco_lib/NATCompiler_asa8_writers.cpp b/src/cisco_lib/NATCompiler_asa8_writers.cpp
index 3858f7d04..80d48570b 100644
--- a/src/cisco_lib/NATCompiler_asa8_writers.cpp
+++ b/src/cisco_lib/NATCompiler_asa8_writers.cpp
@@ -44,6 +44,7 @@
 #include 
 #include 
+#include 
 using namespace libfwbuilder;
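Review bot: The `qDebug() << err;` added in the catch block of CompilerDriver_pix::run reads as leftover debugging output: the same text is returned to the caller on the next line, so every compile failure is now also printed unconditionally on the process's debug stream. If the extra output is wanted, route it through whatever the caller already does with the returned string (not visible here) or guard it with a verbosity setting; otherwise drop the line and keep `return QString::fromUtf8(ex.toString().c_str());`. The body of run() begins well before this hunk, so I cannot see whether the message is already logged earlier in the function.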
@@ -108,25 +109,18 @@ QString NATCompiler_asa8::PrintRule::printSingleObject(FWObject *obj)
 NamedObject* asa8_object = pix_comp->named_objects_manager->getNamedObject(obj);
 if (asa8_object) return asa8_object->getCommandWord();
- for (FWObject::iterator i=CreateObjectGroups::object_groups->begin();
- i!=CreateObjectGroups::object_groups->end(); ++i)
- {
- BaseObjectGroup *og = dynamic_cast(*i);
- assert(og!=NULL);
- if (og->getId() == obj->getId()) return obj->getName().c_str();
- }
+ if (BaseObjectGroup::cast(obj)!=NULL) return obj->getName().c_str();
 if (Interface::isA(obj) && obj->isChildOf(compiler->fw)) return "interface";
 QString err("Found unknown object '%1' in the NAT rule: it is not " "an ASA8 object, object group or an interface of the firewall");
- throw FWException(err.arg(obj->getName().c_str()).toStdString());
+ compiler->abort(err.arg(obj->getName().c_str()).toStdString());
+ return "";
 }
 void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule)
 {
- //NATCompiler_asa8 *pix_comp = dynamic_cast(compiler);
-
 FWOptions *ropt = rule->getOptionsObject();
 QStringList cmd;
diff --git a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
index ebcdebb9f..fbdf3a637 100644
--- a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
+++ b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
@@ -54,6 +54,7 @@
 #include 
 #include 
+#include 
 using namespace libfwbuilder;
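Review bot: Replacing the loop over `CreateObjectGroups::object_groups` with `BaseObjectGroup::cast(obj)!=NULL` weakens the check in printSingleObject: the old code returned the group's name only when that group had actually been registered (and so will be emitted as an `object-group` statement), whereas the new test accepts any BaseObjectGroup, registered or not. If an unregistered group can reach this point the generated `nat` command would reference a name the device never sees; if registration is guaranteed upstream, a comment saying so would justify the simplification. In the error path, `compiler->abort(...)` followed by `return "";` only matches the old `throw` if abort() does not return — if it merely records the error and continues, the empty string is spliced into the command text, so confirm abort()'s behaviour. printSingleObject's signature and the rest of printSDNAT lie outside the hunk.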
@@ -80,29 +81,17 @@ NamedObjectManager::~NamedObjectManager()
 named_objects.clear();
 }
-string NamedObjectManager::addNamedObject(const FWObject *obj)
+void NamedObjectManager::addNamedObject(const FWObject *obj)
 {
- string res;
- if (BaseObjectGroup::constcast(obj)!=NULL)
- {
- for (FWObject::const_iterator i=obj->begin(); i!=obj->end(); ++i)
- {
- res += addNamedObject(FWReference::getObject(*i));
- }
- return res;
- }
- if (named_objects[obj->getId()] == NULL)
- {
- NamedObject *asa8obj = new NamedObject(obj);
- res = asa8obj->getCommand(fw).toUtf8().constData();
- named_objects[obj->getId()] = asa8obj;
- }
- return res;
+ if (getNamedObject(obj) == NULL)
+ named_objects[obj->getId()] = new NamedObject(obj);
 }
 NamedObject* NamedObjectManager::getNamedObject(const FWObject *obj)
 {
- return named_objects[obj->getId()];
+ if (named_objects.count(obj->getId()) == 0) return NULL;
+ else
+ return named_objects[obj->getId()];
 }
 string NamedObjectManager::getNamedObjectsDefinitions()
@@ -183,7 +172,6 @@ bool CreateObjectGroups::processNext()
 BaseObjectGroup *obj_group = findObjectGroup(re);
 if (obj_group==NULL)
 {
- //obj_group= new BaseObjectGroup();
 obj_group = ObjectGroupFactory::createObjectGroup(compiler->fw);
 object_groups->add(obj_group);
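Review bot: getNamedObject now does two lookups on `named_objects` — `count(obj->getId())` followed by `operator[]` — and addNamedObject adds a third through getNamedObject before inserting; a single `find()` in getNamedObject returning `it->second` (or NULL at `end()`) keeps each call to one traversal and still avoids the default-insertion of NULL that the old `operator[]` caused. The recursion into BaseObjectGroup members that addNamedObject used to perform has been moved to the printObjectsForRE callers in this patch, so any other caller that still passes a group will now register the group object itself as a NamedObject — worth a grep for remaining callers. The NamedObject created with `new` is held as a raw pointer and the destructor context above shows only `named_objects.clear()`; confirm the entries are deleted before that (not visible in this hunk).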
@@ -192,26 +180,20 @@ bool CreateObjectGroups::processNext()
 obj_group->setObjectGroupTypeFromMembers(named_objects_manager);
 QStringList group_name_prefix;
- // if (!rule_iface->getLabel().empty())
- // group_name_prefix.push_back(rule_iface->getLabel().c_str());
-
 group_name_prefix.push_back(rule->getUniqueId().c_str());
 group_name_prefix.push_back(name_suffix.c_str());
- string group_name = BaseObjectGroup::registerGroupName(
- group_name_prefix.join(".").toStdString(),
+ QString reg_name = BaseObjectGroup::registerGroupName(
+ group_name_prefix.join("."),
 obj_group->getObjectGroupType());
- obj_group->setName(group_name);
+ obj_group->setName(reg_name.toUtf8().constData());
 }
 else
 {
 re->clearChildren(false); //do not want to destroy children objects
 re->addRef(obj_group);
 }
-
-// assert(re->size()==1);
-
 tmp_queue.push_back(rule);
 return true;
 }
@@ -289,16 +271,34 @@ bool printObjectGroups::processNext()
 return true;
 }
-void printNamedObjectsCommon::printObjectsForRE(RuleElement *re)
+void printNamedObjectsCommon::printObjectsForRE(FWObject *re)
 {
- if (re->isAny()) return;
+ if (RuleElement::cast(re)!=NULL && RuleElement::cast(re)->isAny()) return;
 for (FWObject::iterator it=re->begin(); it!=re->end(); ++it)
 {
 FWObject *obj = FWReference::getObject(*it);
 if (Interface::isA(obj)) continue;
- //compiler->output << named_objects_manager->addNamedObject(obj);
- named_objects_manager->addNamedObject(obj);
+ if (BaseObjectGroup::cast(obj)!=NULL) printObjectsForRE(obj);
+ else named_objects_manager->addNamedObject(obj);
+ }
+}
+
+/*
+ * We only need named objects for address ranges in policy. At least
+ * at this time, we have decided to not create named objects for
+ * everything and use them only in cases where it is inevitable.
+ */
+void printNamedObjectsForPolicy::printObjectsForRE(FWObject *re)
+{
+ if (RuleElement::cast(re)!=NULL && RuleElement::cast(re)->isAny()) return;
+
+ for (FWObject::iterator it=re->begin(); it!=re->end(); ++it)
+ {
+ FWObject *obj = FWReference::getObject(*it);
+ if (Interface::isA(obj)) continue;
+ if (BaseObjectGroup::cast(obj)!=NULL) printObjectsForRE(obj);
+ if (AddressRange::isA(obj)) named_objects_manager->addNamedObject(obj);
 }
 }
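Review bot: printNamedObjectsForPolicy::printObjectsForRE duplicates the body of the printNamedObjectsCommon version and differs only in the final `AddressRange::isA(obj)` filter, so the traversal, the interface skip and the group recursion now live in two places that must be kept in step. A virtual predicate on the common class, called from the shared loop and overridden by the policy subclass (with a matching declaration in NamedObjectsAndGroupsSupport.h), removes the copy; both versions would also read better with `RuleElement::cast(re)` evaluated once. The recursion into groups has no cycle guard — if a group can, directly or through another group, contain itself this never terminates; confirm the object model prevents that.
```cpp
void printNamedObjectsCommon::printObjectsForRE(FWObject *re)
{
    RuleElement *rel = RuleElement::cast(re);
    if (rel != NULL && rel->isAny()) return;

    for (FWObject::iterator it=re->begin(); it!=re->end(); ++it)
    {
        // … unchanged: obj lookup and Interface skip …
        if (BaseObjectGroup::cast(obj)!=NULL) printObjectsForRE(obj);
        else if (needsNamedObject(obj)) named_objects_manager->addNamedObject(obj);
    }
}

// Default: every non-interface, non-group member gets a named object.
bool printNamedObjectsCommon::needsNamedObject(FWObject *)
{
    return true;
}

// Policy rules only need named objects for address ranges.
bool printNamedObjectsForPolicy::needsNamedObject(FWObject *obj)
{
    return AddressRange::isA(obj);
}
```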
@@ -314,20 +314,16 @@ bool printNamedObjectsForPolicy::processNext()
 slurp();
 if (tmp_queue.size()==0) return false;
- compiler->output << endl;
-
 for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
 {
 PolicyRule *policy_rule = PolicyRule::cast( *k );
 if (policy_rule)
 {
 RuleElementSrc *src_re = policy_rule->getSrc(); assert(src_re);
- FWObject *srcobj = FWReference::getObject(src_re->front());
- if (AddressRange::isA(srcobj)) printObjectsForRE(src_re);
+ printObjectsForRE(src_re);
 RuleElementDst *dst_re = policy_rule->getDst(); assert(dst_re);
- FWObject *dstobj = FWReference::getObject(dst_re->front());
- if (AddressRange::isA(srcobj)) printObjectsForRE(dst_re);
+ printObjectsForRE(dst_re);
 //RuleElementSrv *srv_re = policy_rule->getSrv(); assert(srv_re);
 //printObjectsForRE(srv_re);
@@ -343,8 +339,6 @@ bool printNamedObjectsForNAT::processNext()
 slurp();
 if (tmp_queue.size()==0) return false;
- compiler->output << endl;
-
 for (deque::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
 {
 NATRule *nat_rule = NATRule::cast( *k );
diff --git a/src/cisco_lib/NamedObjectsAndGroupsSupport.h b/src/cisco_lib/NamedObjectsAndGroupsSupport.h
index 485a2bfdb..9f47f6ddb 100644
--- a/src/cisco_lib/NamedObjectsAndGroupsSupport.h
+++ b/src/cisco_lib/NamedObjectsAndGroupsSupport.h
@@ -49,7 +49,7 @@ public:
 NamedObjectManager(const libfwbuilder::Firewall *_fw);
 virtual ~NamedObjectManager();
- std::string addNamedObject(const libfwbuilder::FWObject *obj);
+ void addNamedObject(const libfwbuilder::FWObject *obj);
 NamedObject* getNamedObject(const libfwbuilder::FWObject *obj);
 std::string getNamedObjectsDefinitions();
@@ -174,7 +174,7 @@ public:
 class printNamedObjectsCommon : public BasicRuleProcessor
 {
 protected:
- void printObjectsForRE(libfwbuilder::RuleElement *re);
+ virtual void printObjectsForRE(libfwbuilder::FWObject *re);
 NamedObjectManager *named_objects_manager;
 public:
 printNamedObjectsCommon(const std::string &n,
@@ -186,6 +186,8 @@ public:
 class printNamedObjectsForPolicy : public printNamedObjectsCommon
 {
+protected:
+ virtual void printObjectsForRE(libfwbuilder::FWObject *re);
 public:
 printNamedObjectsForPolicy(const std::string &n, NamedObjectManager *m) : printNamedObjectsCommon(n, m) {}
diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig
index 849d1f398..8183d3564 100755
--- a/test/pix/cluster1-1_pix1.fw.orig
+++ b/test/pix/cluster1-1_pix1.fw.orig
@@ -3,7 +3,7 @@
 !
 ! Firewall Builder fwb_pix v4.2.0.3440
 !
-! Generated Thu Jan 20 10:08:20 2011 PST by vadim
+! Generated Thu Jan 20 14:33:17 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig
index d563db905..976537891 100755
--- a/test/pix/cluster1-1_pix2.fw.orig
+++ b/test/pix/cluster1-1_pix2.fw.orig
@@ -3,7 +3,7 @@
 !
 ! Firewall Builder fwb_pix v4.2.0.3440
 !
-! Generated Thu Jan 20 10:08:20 2011 PST by vadim
+! Generated Thu Jan 20 14:33:17 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig
index aa8d28c02..df58a6fa6 100755
--- a/test/pix/cluster1_pix1.fw.orig
+++ b/test/pix/cluster1_pix1.fw.orig
@@ -3,7 +3,7 @@
 !
 ! Firewall Builder fwb_pix v4.2.0.3440
 !
-! Generated Thu Jan 20 10:08:20 2011 PST by vadim
+! Generated Thu Jan 20 14:33:17 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig
index 0b827c00d..915526e81 100755
--- a/test/pix/cluster1_pix2.fw.orig
+++ b/test/pix/cluster1_pix2.fw.orig
@@ -3,7 +3,7 @@
 !
 ! Firewall Builder fwb_pix v4.2.0.3440
 !
-! Generated Thu Jan 20 10:08:20 2011 PST by vadim
+! Generated Thu Jan 20 14:33:17 2011 PST by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig
index a73937df4..5d7764d6f 100755
--- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:05 2011 PST by vadim +! Generated Thu Jan 20 14:33:03 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index 827c9c6a0..09ba22aeb 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:05 2011 PST by vadim +! Generated Thu Jan 20 14:33:02 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index 2f0cfa336..a293fb9f2 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:06 2011 PST by vadim +! Generated Thu Jan 20 14:33:03 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index 14ce90a5f..43b5a4818 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:06 2011 PST by vadim +! Generated Thu Jan 20 14:33:03 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index 3ecb9b568..4601f43c7 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:07 2011 PST by vadim +! Generated Thu Jan 20 14:33:04 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 719393175..c086ad24f 100755 --- a/test/pix/firewall13.fw.orig 
+++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:07 2011 PST by vadim +! Generated Thu Jan 20 14:33:04 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index 4b0fab5f1..f8fa9e860 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:08 2011 PST by vadim +! Generated Thu Jan 20 14:33:05 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 12b8c280d..3a5ba9fc7 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:08 2011 PST by vadim +! Generated Thu Jan 20 14:33:05 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index 79e5e0bdc..29ea3ab7c 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:09 2011 PST by vadim +! Generated Thu Jan 20 14:33:06 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index 891163568..79879d531 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:09 2011 PST by vadim +! Generated Thu Jan 20 14:33:07 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 8a2c2698b..782641aa1 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:09 2011 PST by vadim +! Generated Thu Jan 20 14:33:06 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index 978a79465..d14795111 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:10 2011 PST by vadim +! Generated Thu Jan 20 14:33:07 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index aca948145..e462097e6 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:10 2011 PST by vadim +! Generated Thu Jan 20 14:33:07 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index c44ca085d..be6e29526 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:10 2011 PST by vadim +! Generated Thu Jan 20 14:33:08 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index cf3a875ec..960255378 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:11 2011 PST by vadim +! Generated Thu Jan 20 14:33:08 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 3b7066507..fe0d3e597 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:11 2011 PST by vadim +! Generated Thu Jan 20 14:33:08 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index 95edc00a9..a7d78793c 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:12 2011 PST by vadim +! Generated Thu Jan 20 14:33:09 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index f8137404f..eb6084796 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:12 2011 PST by vadim +! Generated Thu Jan 20 14:33:09 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index 018ee9fc3..be7e07e09 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:13 2011 PST by vadim +! Generated Thu Jan 20 14:33:10 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index fe092821f..b80a0b50a 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:13 2011 PST by vadim +! Generated Thu Jan 20 14:33:11 2011 PST by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index 399045c8c..509f99d85 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:14 2011 PST by vadim +! Generated Thu Jan 20 14:33:11 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -103,7 +103,6 @@ clear config access-list clear config object-group clear config icmp clear config telnet - ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp @@ -155,7 +154,6 @@ access-group outside_acl_in in interface outside clear xlate clear config nat clear config object - ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)" diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index 066069db9..e91f4f195 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:14 2011 PST by vadim +! Generated Thu Jan 20 14:33:11 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -103,7 +103,6 @@ clear config access-list clear config object-group clear config icmp clear config telnet - ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp @@ -141,7 +140,6 @@ access-group outside_acl_in in interface outside clear xlate clear config nat clear config object - ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)" diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 44ae52d3b..02cfd5209 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:14 2011 PST by vadim +! Generated Thu Jan 20 14:33:12 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -101,7 +101,6 @@ clear config access-list clear config object-group clear config icmp clear config telnet - ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp @@ -136,7 +135,6 @@ access-group outside_acl_in in interface outside clear xlate clear config nat clear config object - ! ! Rule 0 (NAT) nat (inside,outside) source static hostA:eth0.0 interface service http.0 http.0 description "0 (NAT)" diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index 97f2fcd16..2fd638d33 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:15 2011 PST by vadim +! Generated Thu Jan 20 14:33:12 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index 42b851f45..73f5310cb 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:15 2011 PST by vadim +! Generated Thu Jan 20 14:33:13 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -173,7 +173,6 @@ clear config object-group clear config icmp clear config telnet - object-group network id78630X30274.src.net.0 network-object 10.1.2.0 255.255.255.0 network-object 10.1.3.0 255.255.255.0 @@ -208,7 +207,6 @@ clear xlate clear config nat clear config object - object-group network id178211X29963.osrc.net.0 network-object object internal_subnet_1.0 network-object object internal_subnet_2.0 diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 1e1ba9ca8..ca0cbe0ed 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:16 2011 PST by vadim +! Generated Thu Jan 20 14:33:13 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -130,7 +130,6 @@ clear config access-list clear config object-group clear config icmp clear config telnet - ! ! Rule 0 (global) access-list inside_acl_in deny ip any any @@ -143,7 +142,6 @@ access-group outside_acl_in in interface outside clear xlate clear config nat clear config object - ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 description "0 (NAT)" diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index 3fa914049..cb6cf0d15 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:16 2011 PST by vadim +! Generated Thu Jan 20 14:33:13 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -125,7 +125,6 @@ clear config access-list clear config object-group clear config icmp clear config telnet - ! ! Rule 0 (global) access-list inside_acl_in deny ip any any @@ -139,7 +138,6 @@ clear xlate clear config nat clear config object - object-group network id20655X6113.osrc.net.0 network-object object internal_subnet_1.0 network-object object internal_subnet_2.0 diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig index a11b895be..f6e29b0f2 100755 --- a/test/pix/firewall93.fw.orig +++ b/test/pix/firewall93.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:16 2011 PST by vadim +! Generated Thu Jan 20 14:33:14 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -103,7 +103,6 @@ quit clear xlate clear config nat clear config object - ! ! Rule 0 (NAT) nat (inside,outside) source dynamic inside-range-1.0 interface description "0 (NAT)" diff --git a/test/pix/firewall94.fw.orig b/test/pix/firewall94.fw.orig new file mode 100755 index 000000000..7bcfeaada --- /dev/null +++ b/test/pix/firewall94.fw.orig 
@@ -0,0 +1,113 @@
+!
+! This is automatically generated file. DO NOT MODIFY !
+!
+! Firewall Builder fwb_pix v4.2.0.3440
+!
+! Generated Thu Jan 20 14:33:14 2011 PST by vadim
+!
+! Compiled for pix 8.3
+! Outbound ACLs: supported
+! Emulate outbound ACLs: yes
+! Generating outbound ACLs: no
+! Assume firewall is part of any: yes
+!
+!# files: * firewall94.fw
+!
+! test using address ranges in policy rule
+
+
+
+!
+! Prolog script:
+!
+
+!
+! End of prolog script:
+!
+
+
+
+
+interface Ethernet0/0
+ nameif outside
+ security-level 0
+exit
+
+interface Ethernet0/1
+ nameif inside
+ security-level 100
+exit
+
+
+no logging buffered
+no logging console
+no logging timestamp
+no logging on
+
+
+
+telnet timeout -1
+
+clear config ssh
+aaa authentication ssh console LOCAL
+ssh timeout -1
+
+clear config snmp-server
+no snmp-server enable traps
+
+clear config ntp
+
+
+no service resetinbound
+no service resetoutside
+no sysopt connection timewait
+no sysopt nodnsalias inbound
+no sysopt nodnsalias outbound
+
+
+class-map inspection_default
+ match default-inspection-traffic
+
+policy-map global_policy
+
+service-policy global_policy global
+
+
+
+object network inside-range-1.0
+ range 10.0.0.5 10.0.0.10
+quit
+
+object network inside-range-2.0
+ range 10.0.0.8 10.0.0.15
+quit
+
+
+!################
+clear config access-list
+clear config object-group
+clear config icmp
+clear config telnet
+
+object-group network id26782X14355.src.net.0
+ network-object object inside-range-1.0
+ network-object object inside-range-2.0
+exit
+!
+! Rule 0 (global)
+access-list inside_acl_in remark 0 (global)
+access-list inside_acl_in deny ip object-group id26782X14355.src.net.0 any log 6 interval 300
+
+
+access-group inside_acl_in in interface inside
+
+
+
+
+
+!
+! Epilog script:
+!
+
+! End of epilog script:
+!
diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig
index 0fcfa3231..32f56f01f 100755
--- a/test/pix/fwsm1.fw.orig
+++ b/test/pix/fwsm1.fw.orig
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:17 2011 PST by vadim +! Generated Thu Jan 20 14:33:15 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index 1f21efaac..4d79f08b8 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:17 2011 PST by vadim +! Generated Thu Jan 20 14:33:15 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index 64d2d5933..d7af81bec 100644 --- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb @@ -1259,6 +1259,7 @@ + @@ -1268,6 +1269,8 @@ + + @@ -20398,6 +20401,66 @@ no sysopt nodnsalias outbound + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index 7d2548a2f..9050352ac 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:18 2011 PST by vadim +! Generated Thu Jan 20 14:33:16 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 34758a103..57d21d38f 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3440 ! -! Generated Thu Jan 20 10:08:18 2011 PST by vadim +! Generated Thu Jan 20 14:33:16 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported