
refs #1907 ASA NAT - fwbuilder doesnt support multiple translated sources in a single NAT rule

This commit is contained in:
Vadim Kurland 2011-01-12 17:46:11 -08:00
parent e52b3b2db4
commit 353ba61b7d
44 changed files with 462 additions and 296 deletions


@ -1,5 +1,10 @@
2011-01-12 Vadim Kurland <vadim@netcitadel.com>
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1907 "ASA NAT -
fwbuilder doesn't support multiple translated sources in a single
NAT rule". Compiler uses object-group to translate NAT rules that
have multiple objects in Translated Source.
* PolicyCompiler_pix_writers.cpp (_printLog): fixed #1913 "ASA/PIX
rules with logging enabled don't have log set unless user modifies
Firewall Settings". Added default log level setting to the


@ -48,14 +48,17 @@ ASA8TwiceNatStaticLogic::TwiceNatRuleType ASA8TwiceNatStaticLogic::getAutomaticT
assert(tsrc_re!=NULL);
Address *tsrc = Address::cast(FWReference::getObject(tsrc_re->front()));
if (tsrc->isAny()) return STATIC;
if (tsrc_re->isAny()) return STATIC;
else
{
/*
* Default behavior: if the number of ip addresses in OSrc is equal to
* that in TSrc, then use "static". Otherwise use "dynamic". However if
* rule option "asa8_nat_static" is true, use "static".
* Default behavior: if the number of ip addresses in OSrc is
* equal to that in TSrc, then use "static". Otherwise use
* "dynamic". Note that TSrc may be a group, in which case we
* assume it has different number of addresses and we fall
* back to dynamic
*/
if (tsrc == NULL) return DYNAMIC;
if (osrc->dimension() == tsrc->dimension()) return STATIC;
else return DYNAMIC;
}
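Review bot: The rewritten comment no longer mentions the `asa8_nat_static` rule option that the removed wording said forces "static", yet nothing in this hunk shows that option handling being taken out of the code; if `getAutomaticTwiceNatRuleType` still honours it elsewhere, the comment should keep a line such as `* Rule option "asa8_nat_static", when set, still forces STATIC regardless of the address counts.` The new `if (tsrc == NULL) return DYNAMIC;` silently turns a group in TSrc into a dynamic translation; since static and dynamic NAT differ in whether the inside host is reachable from the outside, a compiler warning naming the rule when this fall-back is taken would make the chosen form visible to the user rather than only to someone reading the generated config. The function starts before and continues after this hunk, so whether `osrc` is checked for NULL before `osrc->dimension()` cannot be seen here.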


@ -26,6 +26,7 @@
#include "NATCompiler_asa8.h"
#include "ASA8Object.h"
#include "ASA8ObjectGroup.h"
#include "ObjectGroupsSupport.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
@ -286,10 +287,12 @@ void NATCompiler_asa8::compile()
add( new checkForUnnumbered("check for unnumbered interfaces"));
add( new ConvertToAtomicForOriginal("convert to atomic for OSrc, ODst, OSrv"));
add( new ConvertToAtomicForOriginal(
"convert to atomic for OSrc, ODst, OSrv"));
// remove ConvertToAtomicForTSrc if we figure out a way to support multiple
// translated soruces per #1907
add( new ConvertToAtomicForTSrc("convert to atomic for TSrc"));
// add( new ConvertToAtomicForTSrc("convert to atomic for TSrc"));
add( new ConvertToAtomicForTDst("convert to atomic for TDst"));
add( new ConvertToAtomicForTSrv("convert to atomic for TSrv"));
@ -300,15 +303,20 @@ void NATCompiler_asa8::compile()
"verify rule elements for static NAT rules"));
add( new processNONATRules("process NONAT" ));
add( new VerifyValidityOfDNSOption("Check validity of 'translate dns' option"));
add( new VerifyValidityOfDNSOption(
"Check validity of 'translate dns' option"));
add( new CreateObjectGroupsForTSrc("create object groups for TSrc"));
/* REMOVE_OLD_OPTIMIZATIONS
if (fw->getOptionsObject()->getBool("pix_optimize_default_nat"))
add (new clearOSrc ("clear OSrc" ));
*/
/* WE_DO_NOT_USE_NATCMD_FOR_ASA8
add( new createNATCmd ("create NAT commands" ));
add( new createStaticCmd ("create static commands" ));
*/
/* REMOVE_OLD_OPTIMIZATIONS
add( new mergeNATCmd ("merge NAT commands" ));
@ -321,7 +329,9 @@ void NATCompiler_asa8::compile()
add( new PrintClearCommands("Clear ACLs" ));
add( new PrintObjectsForNat("generate objects for nat commands"));
// add( new PrintObjectsForTSrc("generate object groups and objects for TSrc"));
//add( new PrintObjectsForTSrc(
// "generate object groups and objects for TSrc"));
add( new printObjectGroups("generate code for object groups"));
add( new PrintRule("generate PIX code" ));
add( new storeProcessedRules ("store processed rules" ));
add( new simplePrintProgress ());
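Review bot: The comment `// remove ConvertToAtomicForTSrc if we figure out a way to support multiple translated soruces per #1907` is now stale: the processor it refers to is commented out in the same hunk and the multi-object case is handled by the newly registered `CreateObjectGroupsForTSrc`, so it (typo included) should be replaced by something like `// TSrc is deliberately not made atomic: multiple translated sources are collected into an object-group by CreateObjectGroupsForTSrc (#1907)`. The commented-out `add( new ConvertToAtomicForTSrc(...))` and `//add( new PrintObjectsForTSrc(...))` lines are dead code that version control already preserves; deleting them keeps the processor chain readable. Because TSrc is no longer split into one rule per object, every later processor in this chain that calls `getFirstTSrc` must now tolerate a group in that slot — the `PrintObjectsForNat` change elsewhere in this commit does, but it is worth confirming for the processor registered as "verify rule elements for static NAT rules", which runs between them. compile() begins before and ends after the hunks shown.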


@ -103,7 +103,8 @@ namespace fwcompiler {
friend class PrintRule;
class PrintRule : public NATCompiler_pix::PrintRule
{
public:
QString printSingleObject(libfwbuilder::FWObject *obj);
public:
PrintRule(const std::string &n);
virtual void printNONAT(libfwbuilder::NATRule *rule);
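Review bot: `printSingleObject` is declared between two `public:` labels, one of which is presumably the pre-existing one, so the intended access for the new method is not clear from the page; it is only called from `printSDNAT` inside the same class, and `protected:` (or placing it after the surviving `public:` next to the other members) would state that explicitly. The declaration also carries no comment although its contract is not obvious: it returns the ASA8 object's command word, falls back to the object's name when the object is a registered object group, and throws `FWException` for anything else. A one-liner such as `/// Returns the command word of an ASA8 object, or the name of a registered object group; throws FWException for any other object.` above it would save readers a trip to the .cpp.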


@ -26,6 +26,7 @@
#include "NATCompiler_asa8.h"
#include "ASA8Object.h"
#include "ASA8TwiceNatLogic.h"
#include "ObjectGroupsSupport.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
@ -77,20 +78,28 @@ bool NATCompiler_asa8::PrintObjectsForNat::processNext()
{
NATRule *rule = NATRule::cast( *k );
Address *osrc = compiler->getFirstOSrc(rule); assert(osrc);
Address *odst = compiler->getFirstODst(rule); assert(odst);
Service *osrv = compiler->getFirstOSrv(rule); assert(osrv);
Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc);
Address *tdst = compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv);
// OSrc, ODst, OSrv and TSrc may be either a single
// address/service object or a group. We print group
// definitions in rule processor printObjectGroups
pix_comp->addASA8Object(osrc);
pix_comp->addASA8Object(odst);
pix_comp->addASA8Object(osrv);
pix_comp->addASA8Object(tsrc);
Address *osrc = compiler->getFirstOSrc(rule);
if (osrc) pix_comp->addASA8Object(osrc);
Address *odst = compiler->getFirstODst(rule);
if (odst) pix_comp->addASA8Object(odst);
Service *osrv = compiler->getFirstOSrv(rule);
if (osrv) pix_comp->addASA8Object(osrv);
Address *tsrc = compiler->getFirstTSrc(rule);
if (tsrc) pix_comp->addASA8Object(tsrc);
Address *tdst = compiler->getFirstTDst(rule); assert(tdst);
pix_comp->addASA8Object(tdst);
Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv);
pix_comp->addASA8Object(tsrv);
}
return true;
@ -178,20 +187,49 @@ void NATCompiler_asa8::PrintRule::printDNAT(libfwbuilder::NATRule *rule)
printSDNAT(rule);
}
QString NATCompiler_asa8::PrintRule::printSingleObject(FWObject *obj)
{
NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
ASA8Object* asa8_object = pix_comp->getASA8Object(obj);
if (asa8_object) return asa8_object->getCommandWord();
for (FWObject::iterator i=CreateObjectGroups::object_groups->begin();
i!=CreateObjectGroups::object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
if (og->getId() == obj->getId()) return obj->getName().c_str();
}
QString err("Found unknown object '%1' in the NAT rule: it is not "
"an ASA8 object nor object group");
throw FWException(err.arg(obj->getName().c_str()).toStdString());
}
void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule)
{
NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
// NATCmd *natcmd = pix_comp->nat_commands[ rule->getInt("nat_cmd") ];
FWOptions *ropt = rule->getOptionsObject();
QStringList cmd;
Address *osrc = compiler->getFirstOSrc(rule); assert(osrc);
Address *odst = compiler->getFirstODst(rule); assert(odst);
Service *osrv = compiler->getFirstOSrv(rule); assert(osrv);
Address *tsrc = compiler->getFirstTSrc(rule); assert(tsrc);
RuleElementOSrc *osrc_re = rule->getOSrc();
assert(osrc_re!=NULL);
FWObject *osrc = FWReference::getObject(osrc_re->front());
RuleElementODst *odst_re = rule->getODst();
assert(odst_re!=NULL);
FWObject *odst = FWReference::getObject(odst_re->front());
RuleElementOSrv *osrv_re = rule->getOSrv();
assert(osrv_re!=NULL);
FWObject *osrv = FWReference::getObject(osrv_re->front());
RuleElementTSrc *tsrc_re = rule->getTSrc();
assert(tsrc_re!=NULL);
FWObject *tsrc = FWReference::getObject(tsrc_re->front());
Address *tdst = compiler->getFirstTDst(rule); assert(tdst);
Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv);
@ -216,33 +254,34 @@ void NATCompiler_asa8::PrintRule::printSDNAT(NATRule *rule)
break;
}
cmd << pix_comp->getASA8Object(osrc)->getCommandWord();
if (tsrc->isAny())
cmd << pix_comp->getASA8Object(osrc)->getCommandWord();
cmd << printSingleObject(osrc);
if (tsrc_re->isAny())
cmd << printSingleObject(osrc);
else
cmd << pix_comp->getASA8Object(tsrc)->getCommandWord();
cmd << printSingleObject(tsrc);
// only need "destination" part if ODst is not any
if (!odst->isAny())
if (!odst_re->isAny())
{
// ASA documentation says destination translation is always "static"
cmd << "destination" << "static";
cmd << pix_comp->getASA8Object(odst)->getCommandWord();
cmd << printSingleObject(odst);
if (tdst->isAny())
cmd << pix_comp->getASA8Object(odst)->getCommandWord();
cmd << printSingleObject(odst);
else
cmd << pix_comp->getASA8Object(tdst)->getCommandWord();
cmd << printSingleObject(tdst);
}
if (!osrv->isAny())
if (!osrv_re->isAny())
{
cmd << "service";
cmd << pix_comp->getASA8Object(osrv)->getCommandWord();
cmd << printSingleObject(osrv);
if (tsrv->isAny())
cmd << pix_comp->getASA8Object(osrv)->getCommandWord();
cmd << printSingleObject(osrv);
else
cmd << pix_comp->getASA8Object(tsrv)->getCommandWord();
cmd << printSingleObject(tsrv);
}
if (ropt->getBool("asa8_nat_dns")) cmd << "dns";
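Review bot: In `printSDNAT` the former `assert(osrc)`, `assert(odst)`, `assert(osrv)` and `assert(tsrc)` are replaced by plain `FWReference::getObject(..._re->front())` calls whose result is never checked, yet each pointer goes straight into `printSingleObject`, which dereferences it (`getASA8Object(obj)`, `obj->getId()`, `obj->getName()`); a NULL from `getObject`, or an empty rule element making `front()` undefined, would now crash instead of asserting. Keeping `assert(osrc!=NULL);` after each `getObject` call, or adding a NULL guard at the top of `printSingleObject` that throws `FWException`, restores the check cheaply. This is also inconsistent with the `PrintObjectsForNat` hunk above, where the same four objects are now tolerated as NULL behind `if (osrc) ...` guards while `tdst`/`tsrv` keep their asserts — the two processors should agree on whether a NULL in those slots is a bug or a legal state. printSDNAT continues beyond the hunks shown.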


@ -489,8 +489,11 @@ bool NATCompiler_pix::AssignInterface::processNext()
assert(a1!=NULL && a2!=NULL);
rule->setInt("nat_iface_orig", helper.findInterfaceByNetzone(a1));
rule->setInt("nat_iface_trn", helper.findInterfaceByNetzone(a2));
int org_intf_id = helper.findInterfaceByNetzone(a1);
int trn_intf_id = helper.findInterfaceByNetzone(a2);
rule->setInt("nat_iface_orig", org_intf_id);
rule->setInt("nat_iface_trn", trn_intf_id);
rule->setInterfaceId(trn_intf_id);
if ( rule->getInt("nat_iface_orig")==-1 )
{
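Review bot: `rule->setInterfaceId(trn_intf_id);` is issued before the validity check `if ( rule->getInt("nat_iface_orig")==-1 )` that follows, and nothing visible tests `trn_intf_id` itself, so a rule whose translated-side netzone matches no interface gets `-1` stored as its interface id before any error path is reached; move the call after the checks, or guard it with `if (trn_intf_id != -1) rule->setInterfaceId(trn_intf_id);`. Minor: the check re-reads the value through `rule->getInt("nat_iface_orig")` although the local `org_intf_id` was stored a line earlier — `if (org_intf_id == -1)` says the same thing without the lookup. `AssignInterface::processNext` continues beyond this hunk, so how the -1 case is handled is not visible here.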


@ -62,24 +62,31 @@ public:
class CreateObjectGroupsForSrc : public CreateObjectGroups
{
public:
CreateObjectGroupsForSrc(const std::string &n):
CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME) {}
CreateObjectGroupsForSrc(const std::string &n) :
CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME) {}
};
class CreateObjectGroupsForDst : public CreateObjectGroups
{
public:
CreateObjectGroupsForDst(const std::string &n):
CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME) {}
CreateObjectGroupsForDst(const std::string &n) :
CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME) {}
};
class CreateObjectGroupsForSrv : public CreateObjectGroups
{
public:
CreateObjectGroupsForSrv(const std::string &n):
CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME) {}
CreateObjectGroupsForSrv(const std::string &n) :
CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME) {}
};
class CreateObjectGroupsForTSrc : public CreateObjectGroups
{
public:
CreateObjectGroupsForTSrc(const std::string &n) :
CreateObjectGroups(n,"tsrc",libfwbuilder::RuleElementTSrc::TYPENAME) {}
};
/**
* this processor accumulates all rules fed to it by previous
* processors, then prints all object groups and feeds all


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:34 2011 PST by vadim
! Generated Wed Jan 12 17:40:37 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -148,10 +148,10 @@ object-group network inside.id56627X61097.src.net.0
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule
access-list outside_in deny ip object-group outside.id56590X61097.src.net.0 any log 2 interval 300
access-list outside_in deny ip object-group outside.id56590X61097.src.net.1 any log 2 interval 300
access-list outside_in deny ip object-group outside.id56590X61097.src.net.2 any log 2 interval 300
access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 2 interval 300
access-list outside_in deny ip object-group outside.id56590X61097.src.net.0 any log 2 interval 300
access-list outside_in deny ip object-group outside.id56590X61097.src.net.1 any log 2 interval 300
access-list outside_in deny ip object-group outside.id56590X61097.src.net.2 any log 2 interval 300
access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 2 interval 300
!
! Rule 1 (global)
! SSH Access to firewall is permitted
@ -164,31 +164,31 @@ ssh 10.3.14.0 255.255.255.0 inside
! Rule 3 (global)
! Firewall uses one of the machines
! on internal network for DNS
access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group inside.id56627X61097.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group inside.id56627X61097.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
!
! Rule 4 (global)
! Firewall uses one of the machines
! on internal network for DNS
access-list inside_out permit udp object-group outside.id56590X61097.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group outside.id56590X61097.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group outside.id56590X61097.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group outside.id56590X61097.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group outside.id56590X61097.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group outside.id56590X61097.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
!
! Rule 5 (global)
! All other attempts to connect to
! the firewall are denied and logged
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.0 log 2 interval 300
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.1 log 2 interval 300
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.2 log 2 interval 300
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.0 log 2 interval 300
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.1 log 2 interval 300
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.2 log 2 interval 300
!
! Rule 6 (global)
access-list inside_in permit ip 10.3.14.0 255.255.255.0 any
access-list inside_out permit ip 10.3.14.0 255.255.255.0 any
!
! Rule 7 (global)
access-list inside_in deny ip any any log 2 interval 300
access-list inside_out deny ip any any log 2 interval 300
access-list inside_in deny ip any any log 2 interval 300
access-list inside_out deny ip any any log 2 interval 300
access-group inside_in in interface inside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:35 2011 PST by vadim
! Generated Wed Jan 12 17:40:38 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -148,10 +148,10 @@ object-group network inside.id56627X61097.src.net.1
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule
access-list outside_in deny ip object-group outside.id56590X61097.src.net.3 any log 3 interval 300
access-list outside_in deny ip object-group outside.id56590X61097.src.net.4 any log 3 interval 300
access-list outside_in deny ip object-group outside.id56590X61097.src.net.5 any log 3 interval 300
access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 3 interval 300
access-list outside_in deny ip object-group outside.id56590X61097.src.net.3 any log 3 interval 300
access-list outside_in deny ip object-group outside.id56590X61097.src.net.4 any log 3 interval 300
access-list outside_in deny ip object-group outside.id56590X61097.src.net.5 any log 3 interval 300
access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 3 interval 300
!
! Rule 1 (global)
! SSH Access to firewall is permitted
@ -164,31 +164,31 @@ ssh 10.3.14.0 255.255.255.0 inside
! Rule 3 (global)
! Firewall uses one of the machines
! on internal network for DNS
access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group inside.id56627X61097.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group inside.id56627X61097.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
!
! Rule 4 (global)
! Firewall uses one of the machines
! on internal network for DNS
access-list inside_out permit udp object-group outside.id56590X61097.src.net.3 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group outside.id56590X61097.src.net.4 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group outside.id56590X61097.src.net.5 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group outside.id56590X61097.src.net.3 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group outside.id56590X61097.src.net.4 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group outside.id56590X61097.src.net.5 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
!
! Rule 5 (global)
! All other attempts to connect to
! the firewall are denied and logged
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.3 log 3 interval 300
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.4 log 3 interval 300
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.5 log 3 interval 300
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.3 log 3 interval 300
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.4 log 3 interval 300
access-list inside_in deny ip any object-group outside.id56590X61097.src.net.5 log 3 interval 300
!
! Rule 6 (global)
access-list inside_in permit ip 10.3.14.0 255.255.255.0 any
access-list inside_out permit ip 10.3.14.0 255.255.255.0 any
!
! Rule 7 (global)
access-list inside_in deny ip any any log 3 interval 300
access-list inside_out deny ip any any log 3 interval 300
access-list inside_in deny ip any any log 3 interval 300
access-list inside_out deny ip any any log 3 interval 300
access-group inside_in in interface inside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:34 2011 PST by vadim
! Generated Wed Jan 12 17:40:37 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -148,10 +148,10 @@ object-group network inside.id55439X897.src.net.0
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule
access-list outside_in deny ip object-group outside.id2913X78273.src.net.0 any log 2 interval 300
access-list outside_in deny ip object-group outside.id2913X78273.src.net.1 any log 2 interval 300
access-list outside_in deny ip object-group outside.id2913X78273.src.net.2 any log 2 interval 300
access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 2 interval 300
access-list outside_in deny ip object-group outside.id2913X78273.src.net.0 any log 2 interval 300
access-list outside_in deny ip object-group outside.id2913X78273.src.net.1 any log 2 interval 300
access-list outside_in deny ip object-group outside.id2913X78273.src.net.2 any log 2 interval 300
access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 2 interval 300
!
! Rule 1 (global)
! SSH Access to firewall is permitted
@ -164,16 +164,16 @@ ssh 10.3.14.0 255.255.255.0 inside
! Rule 3 (global)
! Firewall uses one of the machines
! on internal network for DNS
access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group inside.id55439X897.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group inside.id55439X897.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
!
! Rule 4 (global)
! Firewall uses one of the machines
! on internal network for DNS
access-list inside_out permit udp object-group outside.id2913X78273.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group outside.id2913X78273.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group outside.id2913X78273.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group outside.id2913X78273.src.net.0 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group outside.id2913X78273.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
access-list inside_out permit udp object-group outside.id2913X78273.src.net.2 10.3.14.0 255.255.255.0 eq 53 log 2 interval 300
!
! Rule 5 (Ethernet0.101,Ethernet0.102)
ssh 0.0.0.0 0.0.0.0 outside
@ -218,17 +218,17 @@ access-list dmz20_out permit udp any 10.3.14.0 255.255.255.0 eq 53
! Rule 9 (global)
! All other attempts to connect to
! the firewall are denied and logged
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.0 log 2 interval 300
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.1 log 2 interval 300
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.2 log 2 interval 300
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.0 log 2 interval 300
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.1 log 2 interval 300
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.2 log 2 interval 300
!
! Rule 10 (global)
access-list inside_in permit ip 10.3.14.0 255.255.255.0 any
access-list inside_out permit ip 10.3.14.0 255.255.255.0 any
!
! Rule 11 (global)
access-list inside_in deny ip any any log 2 interval 300
access-list inside_out deny ip any any log 2 interval 300
access-list inside_in deny ip any any log 2 interval 300
access-list inside_out deny ip any any log 2 interval 300
access-group dmz20_in in interface dmz20


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:34 2011 PST by vadim
! Generated Wed Jan 12 17:40:37 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -154,10 +154,10 @@ object-group network outside.id3401X82678.dst.net.0
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule
access-list outside_in deny ip object-group outside.id2913X78273.src.net.3 any log 3 interval 300
access-list outside_in deny ip object-group outside.id2913X78273.src.net.4 any log 3 interval 300
access-list outside_in deny ip object-group outside.id2913X78273.src.net.5 any log 3 interval 300
access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 3 interval 300
access-list outside_in deny ip object-group outside.id2913X78273.src.net.3 any log 3 interval 300
access-list outside_in deny ip object-group outside.id2913X78273.src.net.4 any log 3 interval 300
access-list outside_in deny ip object-group outside.id2913X78273.src.net.5 any log 3 interval 300
access-list outside_in deny ip 10.3.14.0 255.255.255.0 any log 3 interval 300
!
! Rule 1 (global)
! SSH Access to firewall is permitted
@ -170,16 +170,16 @@ ssh 10.3.14.0 255.255.255.0 inside
! Rule 3 (global)
! Firewall uses one of the machines
! on internal network for DNS
access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group inside.id55439X897.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp host 10.3.14.206 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group inside.id55439X897.src.net.1 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp host 10.0.0.253 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
!
! Rule 4 (global)
! Firewall uses one of the machines
! on internal network for DNS
access-list inside_out permit udp object-group outside.id2913X78273.src.net.3 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group outside.id2913X78273.src.net.4 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group outside.id2913X78273.src.net.5 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group outside.id2913X78273.src.net.3 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group outside.id2913X78273.src.net.4 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
access-list inside_out permit udp object-group outside.id2913X78273.src.net.5 10.3.14.0 255.255.255.0 eq 53 log 3 interval 300
!
! Rule 5 (Ethernet0.101,Ethernet0.102)
ssh 0.0.0.0 0.0.0.0 outside
@ -224,17 +224,17 @@ access-list dmz20_out permit udp any 10.3.14.0 255.255.255.0 eq 53
! Rule 9 (global)
! All other attempts to connect to
! the firewall are denied and logged
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.3 log 3 interval 300
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.4 log 3 interval 300
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.5 log 3 interval 300
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.3 log 3 interval 300
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.4 log 3 interval 300
access-list inside_in deny ip any object-group outside.id2913X78273.src.net.5 log 3 interval 300
!
! Rule 10 (global)
access-list inside_in permit ip 10.3.14.0 255.255.255.0 any
access-list inside_out permit ip 10.3.14.0 255.255.255.0 any
!
! Rule 11 (global)
access-list inside_in deny ip any any log 3 interval 300
access-list inside_out deny ip any any log 3 interval 300
access-list inside_in deny ip any any log 3 interval 300
access-list inside_out deny ip any any log 3 interval 300
access-group dmz20_in in interface dmz20


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:00 2011 PST by vadim
! Generated Wed Jan 12 17:40:04 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:01 2011 PST by vadim
! Generated Wed Jan 12 17:40:05 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:02 2011 PST by vadim
! Generated Wed Jan 12 17:40:06 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -238,7 +238,7 @@ object-group service outside.id3DB0FA12.srv.tcp.0 tcp
!
! Rule 3 (ethernet1)
! anti-spoofing rule
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 6 interval 300
!
! Rule 5 (ethernet0)
access-list inside_acl_in permit tcp any object-group inside.id3DB0FA90.dst.net.0 object-group inside.id3DB0FA90.srv.tcp.0
@ -266,20 +266,20 @@ access-list dmz_acl_in permit 47 any host 192.168.1.10
!
! Rule 9 (global)
icmp permit any 3 outside
access-list outside_acl_in permit icmp any host 22.22.22.22 3
access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 6 interval 300
icmp permit any 3 inside
access-list inside_acl_in permit icmp any host 192.168.1.1 3
access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 6 interval 300
icmp permit any 3 dmz
access-list dmz_acl_in permit icmp any host 192.168.2.1 3
access-list outside_acl_in permit icmp any any 3
access-list inside_acl_in permit icmp any any 3
access-list dmz_acl_in permit icmp any any 3
access-list outside_acl_in permit 47 any any
access-list inside_acl_in permit 47 any any
access-list dmz_acl_in permit 47 any any
access-list outside_acl_in permit 50 any any
access-list inside_acl_in permit 50 any any
access-list dmz_acl_in permit 50 any any
access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 6 interval 300
access-list outside_acl_in permit icmp any any 3 log 6 interval 300
access-list inside_acl_in permit icmp any any 3 log 6 interval 300
access-list dmz_acl_in permit icmp any any 3 log 6 interval 300
access-list outside_acl_in permit 47 any any log 6 interval 300
access-list inside_acl_in permit 47 any any log 6 interval 300
access-list dmz_acl_in permit 47 any any log 6 interval 300
access-list outside_acl_in permit 50 any any log 6 interval 300
access-list inside_acl_in permit 50 any any log 6 interval 300
access-list dmz_acl_in permit 50 any any log 6 interval 300
!
! Rule 11 (global)
access-list outside_acl_in permit ip object-group inside.id3DB0FA90.dst.net.0 object-group outside.id3DB0F9E6.dst.net.0
@ -321,9 +321,9 @@ access-list inside_acl_in permit icmp any host 192.168.1.1 3
access-list dmz_acl_in permit icmp any host 192.168.2.1 3
!
! Rule 20 (global)
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 6 interval 300
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 6 interval 300
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 6 interval 300
!
! Rule 21 (global)
access-list outside_acl_in permit ip host 22.22.22.22 any
@ -332,9 +332,9 @@ access-list dmz_acl_in permit ip host 192.168.2.1 any
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
!
! Rule 22 (global)
access-list outside_acl_in deny ip any any
access-list inside_acl_in deny ip any any
access-list dmz_acl_in deny ip any any
access-list outside_acl_in deny ip any any log 6 interval 300
access-list inside_acl_in deny ip any any log 6 interval 300
access-list dmz_acl_in deny ip any any log 6 interval 300
access-group dmz_acl_in in interface dmz


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:03 2011 PST by vadim
! Generated Wed Jan 12 17:40:07 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:04 2011 PST by vadim
! Generated Wed Jan 12 17:40:08 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -146,11 +146,11 @@ access-list dmz50_acl_in permit tcp any host 192.0.2.1 eq 80
!
! Rule 6 (global)
access-list outside_acl_in remark 6 (global)
access-list outside_acl_in deny ip any any log 5 interval 120
access-list outside_acl_in deny ip any any log 5 interval 120
access-list inside_acl_in remark 6 (global)
access-list inside_acl_in deny ip any any log 5 interval 120
access-list inside_acl_in deny ip any any log 5 interval 120
access-list dmz50_acl_in remark 6 (global)
access-list dmz50_acl_in deny ip any any log 5 interval 120
access-list dmz50_acl_in deny ip any any log 5 interval 120
access-group dmz50_acl_in in interface dmz50


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:05 2011 PST by vadim
! Generated Wed Jan 12 17:40:09 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:06 2011 PST by vadim
! Generated Wed Jan 12 17:40:10 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:07 2011 PST by vadim
! Generated Wed Jan 12 17:40:11 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -82,14 +82,14 @@ object-group network inside.id3D8FCCDE.src.net.0
!
! Rule 0 (eth1)
! Anti-spoofing rule
access-list outside_acl_in deny ip host 192.168.1.1 any
access-list outside_acl_in deny ip host 22.22.22.22 any
access-list outside_acl_in deny ip host 192.168.2.1 any
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any
access-list outside_acl_in deny ip host 192.168.1.1 any log 6 interval 300
access-list outside_acl_in deny ip host 22.22.22.22 any log 6 interval 300
access-list outside_acl_in deny ip host 192.168.2.1 any log 6 interval 300
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 6 interval 300
!
! Rule 1 (eth1)
! Anti-spoofing rule
access-list inside_acl_in deny ip 192.168.1.0 255.255.255.0 any
access-list inside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 6 interval 300
!
! Rule 2 (global)
access-list inside_acl_in permit tcp any host 192.168.1.10 object-group inside.id3D6EF08C.srv.tcp.0


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:08 2011 PST by vadim
! Generated Wed Jan 12 17:40:12 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -105,14 +105,14 @@ access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10
access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10
!
! Rule 6 (eth0,eth1)
access-list outside_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list dmz_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list outside_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list dmz_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
!
! Rule 7 (eth0,eth1)
access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:10 2011 PST by vadim
! Generated Wed Jan 12 17:40:14 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -152,14 +152,14 @@ access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10
access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10
!
! Rule 19 (eth0,eth1)
access-list outside_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list dmz_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list outside_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list dmz_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
!
! Rule 20 (eth0,eth1)
access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:09 2011 PST by vadim
! Generated Wed Jan 12 17:40:13 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -167,14 +167,14 @@ access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10
access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10
!
! Rule 19 (eth0,eth1)
access-list outside_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list dmz_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list outside_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list outside_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list dmz_acl_in deny ip host 10.5.70.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.2.20 any log 0 interval 300
access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300
access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
!
! Rule 20 (eth0,eth1)
access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:11 2011 PST by vadim
! Generated Wed Jan 12 17:40:15 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -191,14 +191,14 @@ access-list inside_in permit ip host 192.168.2.23 host 192.168.1.10
access-list inside_out permit ip host 192.168.2.23 host 192.168.1.10
!
! Rule 19 (eth0,eth1)
access-list outside_in deny ip host 10.5.70.20 any log 0 interval 300
access-list outside_in deny ip host 192.168.2.20 any log 0 interval 300
access-list outside_in deny ip host 192.168.1.20 any log 0 interval 300
access-list outside_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list dmz_in deny ip host 10.5.70.20 any log 0 interval 300
access-list dmz_in deny ip host 192.168.2.20 any log 0 interval 300
access-list dmz_in deny ip host 192.168.1.20 any log 0 interval 300
access-list dmz_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list outside_in deny ip host 10.5.70.20 any log 0 interval 300
access-list outside_in deny ip host 192.168.2.20 any log 0 interval 300
access-list outside_in deny ip host 192.168.1.20 any log 0 interval 300
access-list outside_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list dmz_in deny ip host 10.5.70.20 any log 0 interval 300
access-list dmz_in deny ip host 192.168.2.20 any log 0 interval 300
access-list dmz_in deny ip host 192.168.1.20 any log 0 interval 300
access-list dmz_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300
!
! Rule 20 (eth0,eth1)
access-list outside_out permit ip host 10.5.70.20 any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:12 2011 PST by vadim
! Generated Wed Jan 12 17:40:16 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:13 2011 PST by vadim
! Generated Wed Jan 12 17:40:17 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -117,8 +117,8 @@ access-list outside_acl_in permit ip any object-group outside.id438728A918346.ds
access-list inside_acl_in permit ip any object-group outside.id438728A918346.dst.net.0
!
! Rule 11 (global)
access-list outside_acl_in deny ip any any
access-list inside_acl_in deny ip any any
access-list outside_acl_in deny ip any any log 6 interval 300
access-list inside_acl_in deny ip any any log 6 interval 300
access-group inside_acl_in in interface inside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:14 2011 PST by vadim
! Generated Wed Jan 12 17:40:18 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -197,18 +197,18 @@ access-list outside_acl_in permit ip any 192.0.2.0 255.255.255.0
access-list inside_acl_in permit ip any 192.0.2.0 255.255.255.0
!
! Rule 2 (global)
access-list outside_acl_in deny ip any object-group outside.id4390C25825682.dst.net.0
access-list inside_acl_in deny ip any object-group outside.id4390C25825682.dst.net.0
access-list outside_acl_in deny ip any object-group outside.id4390C25825682.dst.net.0 log 6 interval 300
access-list inside_acl_in deny ip any object-group outside.id4390C25825682.dst.net.0 log 6 interval 300
!
! Rule 3 (global)
access-list outside_acl_in deny tcp any object-group outside.id4390C25825682.dst.net.0 eq 25
access-list inside_acl_in deny tcp any object-group outside.id4390C25825682.dst.net.0 eq 25
!
! Rule 5 (global)
access-list outside_acl_in deny ip object-group outside.id4388CFF8674.src.net.0 any
access-list outside_acl_in deny ip object-group outside.id4388CFF8674.src.net.0 any log 6 interval 300
!
! Rule 6 (global)
access-list outside_acl_in deny ip object-group outside.id4390C25825682.dst.net.0 any
access-list outside_acl_in deny ip object-group outside.id4390C25825682.dst.net.0 any log 6 interval 300
!
! Rule 7 (global)
access-list outside_acl_in permit ip object-group outside.id4390C25825682.dst.net.0 any
@ -221,8 +221,8 @@ access-list inside_acl_in permit tcp any host 192.168.1.10 eq 25
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
!
! Rule 11 (global)
access-list outside_acl_in deny ip any any
access-list inside_acl_in deny ip any any
access-list outside_acl_in deny ip any any log 6 interval 300
access-list inside_acl_in deny ip any any log 6 interval 300
access-group inside_acl_in in interface inside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:15 2011 PST by vadim
! Generated Wed Jan 12 17:40:19 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:17 2011 PST by vadim
! Generated Wed Jan 12 17:40:20 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -260,7 +260,7 @@ access-list outside_acl_in permit icmp any any 3
!
! Rule 3 (ethernet1)
! anti-spoofing rule
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
!
! Rule 4 (ethernet0)
ssh 192.168.1.0 255.255.255.0 inside
@ -301,20 +301,20 @@ access-list inside_acl_in permit 47 any host 192.168.1.10
access-list dmz_acl_in permit 47 any host 192.168.1.10
!
! Rule 12 (global)
access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300
access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300
icmp permit any 3 inside
access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300
access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300
icmp permit any 3 dmz
access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300
access-list outside_acl_in permit icmp any any 3 log 0 interval 300
access-list inside_acl_in permit icmp any any 3 log 0 interval 300
access-list dmz_acl_in permit icmp any any 3 log 0 interval 300
access-list outside_acl_in permit 47 any any log 0 interval 300
access-list inside_acl_in permit 47 any any log 0 interval 300
access-list dmz_acl_in permit 47 any any log 0 interval 300
access-list outside_acl_in permit 50 any any log 0 interval 300
access-list inside_acl_in permit 50 any any log 0 interval 300
access-list dmz_acl_in permit 50 any any log 0 interval 300
access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300
access-list outside_acl_in permit icmp any any 3 log 0 interval 300
access-list inside_acl_in permit icmp any any 3 log 0 interval 300
access-list dmz_acl_in permit icmp any any 3 log 0 interval 300
access-list outside_acl_in permit 47 any any log 0 interval 300
access-list inside_acl_in permit 47 any any log 0 interval 300
access-list dmz_acl_in permit 47 any any log 0 interval 300
access-list outside_acl_in permit 50 any any log 0 interval 300
access-list inside_acl_in permit 50 any any log 0 interval 300
access-list dmz_acl_in permit 50 any any log 0 interval 300
!
! Rule 14 (global)
access-list outside_acl_in permit ip object-group inside.id45142FA628543.dst.net.0 object-group outside.id45142FFC28543.dst.net.0
@ -371,9 +371,9 @@ access-list inside_acl_in permit tcp any range 20000 20020 host 192.168.1.10
access-list dmz_acl_in permit tcp any range 20000 20020 host 192.168.1.10
!
! Rule 25 (global)
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300
!
! Rule 26 (global)
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
@ -385,9 +385,9 @@ access-list dmz_acl_in permit ip host 192.168.2.1 any
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
!
! Rule 28 (global)
access-list outside_acl_in deny ip any any log 0 interval 300
access-list inside_acl_in deny ip any any log 0 interval 300
access-list dmz_acl_in deny ip any any log 0 interval 300
access-list outside_acl_in deny ip any any log 0 interval 300
access-list inside_acl_in deny ip any any log 0 interval 300
access-list dmz_acl_in deny ip any any log 0 interval 300
access-group dmz_acl_in in interface dmz


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:17 2011 PST by vadim
! Generated Wed Jan 12 17:40:21 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:19 2011 PST by vadim
! Generated Wed Jan 12 17:40:22 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:20 2011 PST by vadim
! Generated Wed Jan 12 17:40:23 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:21 2011 PST by vadim
! Generated Wed Jan 12 17:40:24 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:22 2011 PST by vadim
! Generated Wed Jan 12 17:40:25 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:23 2011 PST by vadim
! Generated Wed Jan 12 17:40:26 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:24 2011 PST by vadim
! Generated Wed Jan 12 17:40:27 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:25 2011 PST by vadim
! Generated Wed Jan 12 17:40:28 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -148,15 +148,42 @@ quit
object network outside_range
range 22.22.22.21 22.22.22.25
quit
object network firewall90:FastEthernet1:ip
host 22.22.22.22
quit
object network external_gw2
host 22.22.22.100
quit
object service squid
service tcp destination eq 3128
quit
object-group network outside.id130599X29063.tsrc.net.0
network-object host 22.22.22.21
network-object host 22.22.22.22
network-object host 22.22.22.100
exit
object-group network outside.id20720X27505.tsrc.net.0
network-object host 22.22.22.21
network-object host 22.22.22.22
network-object host 22.22.22.100
exit
object-group network outside.id241772X29764.tsrc.net.0
network-object host 22.22.22.21
network-object host 22.22.22.22
exit
object-group network outside.id21121X3710.tsrc.net.0
network-object host 22.22.22.22
network-object host 22.22.22.30
network-object host 22.22.22.100
exit
object-group network outside.id21177X3720.tsrc.net.0
network-object host 22.22.22.22
network-object 22.22.22.128 255.255.255.224
exit
!
! Rule 0 (NAT)
nat (inside,outside) source dynamic Internal_net interface service http http
@ -179,20 +206,15 @@ nat (inside,outside) source static hostA:eth0 firewall90:FastEthernet1:ip-1 dest
!
! Rule 6 (NAT)
! For #1907
nat (inside,outside) source dynamic hostA:eth0 outside_range service smtp smtp
nat (inside,outside) source static hostA:eth0 firewall90:FastEthernet1:ip service smtp smtp
nat (inside,outside) source static hostA:eth0 external_gw2 service smtp smtp
nat (inside,outside) source dynamic hostA:eth0 outside.id130599X29063.tsrc.net.0 service smtp smtp
!
! Rule 7 (NAT)
! For #1907
nat (inside,outside) source dynamic hostA:eth0 outside_range service smtp smtp
nat (inside,outside) source static hostA:eth0 interface service smtp smtp
nat (inside,outside) source static hostA:eth0 external_gw2 service smtp smtp
nat (inside,outside) source dynamic hostA:eth0 outside.id20720X27505.tsrc.net.0 service smtp smtp
!
! Rule 8 (NAT)
! For #1907
nat (inside,outside) source dynamic hostA:eth0 outside_range service smtp smtp
nat (inside,outside) source static hostA:eth0 interface service smtp smtp
nat (inside,outside) source dynamic hostA:eth0 outside.id241772X29764.tsrc.net.0 service smtp smtp
!
! Rule 9 (NAT)
! for #1902
@ -221,21 +243,32 @@ nat (inside,outside) source static hostA:eth0 firewall90:FastEthernet1:ip-1
nat (inside,outside) source dynamic hostA:eth0 outside_range
!
! Rule 14 (NAT)
! for #1908
! "static" vs "dynamic"
nat (outside,outside) source dynamic outside_range firewall90:FastEthernet1:ip-1
! for #1908 "static" vs "dynamic"
! for #1885 "named object" - create
! network object to define address range, then add it to object-group
nat (inside,outside) source dynamic hostA:eth0 outside.id21121X3710.tsrc.net.0
!
! Rule 15 (NAT)
! for #1908
! for #1908, #1916
! "static" vs "dynamic"
nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1
nat (inside,outside) source dynamic hostA:eth0 outside.id21177X3720.tsrc.net.0
!
! Rule 16 (NAT)
! for #1908
! "static" vs "dynamic"
nat (inside,outside) source static internal_subnet_1 firewall90:FastEthernet1:ip-1
nat (outside,outside) source dynamic outside_range firewall90:FastEthernet1:ip-1
!
! Rule 17 (NAT)
! for #1908
! "static" vs "dynamic"
nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1
!
! Rule 18 (NAT)
! for #1908
! "static" vs "dynamic"
nat (inside,outside) source static internal_subnet_1 firewall90:FastEthernet1:ip-1
!
! Rule 19 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0 service http squid
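Review bot: The new `.tsrc.net.0` object-groups in the `@ -148,15 +148,42 @@` hunk appear to collapse address ranges to their first address: `outside_range` is still defined as `range 22.22.22.21 22.22.22.25` a few lines above, yet inside `outside.id130599X29063.tsrc.net.0` (and the Rule 7/8 groups) it shows up only as `network-object host 22.22.22.21`, and Rule 14's `outside_range-1` (22.22.22.30–22.22.22.40 in the .fwb hunk of this same commit) becomes `network-object host 22.22.22.30`, so the dynamic translation pool this expected output locks in is narrower than the pool the rule configures. The Rule 14 comment already points at #1885 for the fix (emit the range as a named `object network` and reference it from the group), but nothing in the generated file marks these groups as provisional, so the next person diffing test output will read the truncated pool as correct; I would add `! FIXME #1885: range members currently emitted as single hosts` next to these groups, or keep the affected rules out of the committed expectation until the compiler change lands. Related and worth confirming: Rule 7 previously used the `interface` keyword, and its group now carries the literal `host 22.22.22.22`, so the translation will no longer follow the interface address if it changes.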


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:26 2011 PST by vadim
! Generated Wed Jan 12 17:40:29 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:26 2011 PST by vadim
! Generated Wed Jan 12 17:40:30 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:28 2011 PST by vadim
! Generated Wed Jan 12 17:40:31 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported
@ -244,7 +244,7 @@ access-list outside_acl_in permit icmp any any 3
!
! Rule 3 (ethernet1)
! anti-spoofing rule
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
!
! Rule 4 (ethernet0)
ssh 192.168.1.0 255.255.255.0 inside
@ -277,20 +277,20 @@ access-list inside_acl_in permit 47 any host 192.168.1.10
access-list dmz_acl_in permit 47 any host 192.168.1.10
!
! Rule 10 (global)
access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300
access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300
icmp permit any 3 inside
access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300
access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300
icmp permit any 3 dmz
access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300
access-list outside_acl_in permit icmp any any 3 log 0 interval 300
access-list inside_acl_in permit icmp any any 3 log 0 interval 300
access-list dmz_acl_in permit icmp any any 3 log 0 interval 300
access-list outside_acl_in permit 47 any any log 0 interval 300
access-list inside_acl_in permit 47 any any log 0 interval 300
access-list dmz_acl_in permit 47 any any log 0 interval 300
access-list outside_acl_in permit 50 any any log 0 interval 300
access-list inside_acl_in permit 50 any any log 0 interval 300
access-list dmz_acl_in permit 50 any any log 0 interval 300
access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300
access-list outside_acl_in permit icmp any any 3 log 0 interval 300
access-list inside_acl_in permit icmp any any 3 log 0 interval 300
access-list dmz_acl_in permit icmp any any 3 log 0 interval 300
access-list outside_acl_in permit 47 any any log 0 interval 300
access-list inside_acl_in permit 47 any any log 0 interval 300
access-list dmz_acl_in permit 47 any any log 0 interval 300
access-list outside_acl_in permit 50 any any log 0 interval 300
access-list inside_acl_in permit 50 any any log 0 interval 300
access-list dmz_acl_in permit 50 any any log 0 interval 300
!
! Rule 12 (global)
access-list outside_acl_in permit ip object-group inside.id444A03DE9567.dst.net.0 object-group outside.id444A04349567.dst.net.0
@ -341,9 +341,9 @@ access-list inside_acl_in permit tcp any gt 1024 host 192.168.1.10 eq 80
access-list dmz_acl_in permit tcp any gt 1024 host 192.168.1.10 eq 80
!
! Rule 23 (global)
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300
!
! Rule 24 (global)
access-list outside_acl_in permit ip host 22.22.22.22 any
@ -352,9 +352,9 @@ access-list dmz_acl_in permit ip host 192.168.2.1 any
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
!
! Rule 25 (global)
access-list outside_acl_in deny ip any any log 0 interval 300
access-list inside_acl_in deny ip any any log 0 interval 300
access-list dmz_acl_in deny ip any any log 0 interval 300
access-list outside_acl_in deny ip any any log 0 interval 300
access-list inside_acl_in deny ip any any log 0 interval 300
access-list dmz_acl_in deny ip any any log 0 interval 300
access-group dmz_acl_in in interface dmz


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:29 2011 PST by vadim
! Generated Wed Jan 12 17:40:32 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported
@ -255,7 +255,7 @@ access-list outside_acl_in permit icmp any any 3
!
! Rule 3 (ethernet1)
! anti-spoofing rule
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
!
! Rule 4 (ethernet0)
ssh 192.168.1.0 255.255.255.0 inside
@ -288,20 +288,20 @@ access-list inside_acl_in permit 47 any host 192.168.1.10
access-list dmz_acl_in permit 47 any host 192.168.1.10
!
! Rule 10 (global)
access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300
access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300
icmp permit any 3 inside
access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300
access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300
icmp permit any 3 dmz
access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300
access-list outside_acl_in permit icmp any any 3 log 0 interval 300
access-list inside_acl_in permit icmp any any 3 log 0 interval 300
access-list dmz_acl_in permit icmp any any 3 log 0 interval 300
access-list outside_acl_in permit 47 any any log 0 interval 300
access-list inside_acl_in permit 47 any any log 0 interval 300
access-list dmz_acl_in permit 47 any any log 0 interval 300
access-list outside_acl_in permit 50 any any log 0 interval 300
access-list inside_acl_in permit 50 any any log 0 interval 300
access-list dmz_acl_in permit 50 any any log 0 interval 300
access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300
access-list outside_acl_in permit icmp any any 3 log 0 interval 300
access-list inside_acl_in permit icmp any any 3 log 0 interval 300
access-list dmz_acl_in permit icmp any any 3 log 0 interval 300
access-list outside_acl_in permit 47 any any log 0 interval 300
access-list inside_acl_in permit 47 any any log 0 interval 300
access-list dmz_acl_in permit 47 any any log 0 interval 300
access-list outside_acl_in permit 50 any any log 0 interval 300
access-list inside_acl_in permit 50 any any log 0 interval 300
access-list dmz_acl_in permit 50 any any log 0 interval 300
!
! Rule 12 (global)
access-list outside_acl_in permit ip object-group inside.id17298X54624.dst.net.0 object-group outside.id17384X54624.dst.net.0
@ -352,9 +352,9 @@ access-list inside_acl_in permit tcp any gt 1024 host 192.168.1.10 eq 80
access-list dmz_acl_in permit tcp any gt 1024 host 192.168.1.10 eq 80
!
! Rule 23 (global)
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300
!
! Rule 24 (global)
access-list outside_acl_in permit ip host 22.22.22.22 any
@ -363,9 +363,9 @@ access-list dmz_acl_in permit ip host 192.168.2.1 any
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
!
! Rule 25 (global)
access-list outside_acl_in deny ip any any log 0 interval 300
access-list inside_acl_in deny ip any any log 0 interval 300
access-list dmz_acl_in deny ip any any log 0 interval 300
access-list outside_acl_in deny ip any any log 0 interval 300
access-list inside_acl_in deny ip any any log 0 interval 300
access-list dmz_acl_in deny ip any any log 0 interval 300
access-group dmz_acl_in in interface dmz


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1294446618" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1294882163" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -524,6 +524,15 @@
<ObjectRef ref="id4388C37D674"/>
<ObjectRef ref="id4389EE9118346"/>
</ObjectGroup>
<ObjectGroup id="id21078X3710" name="outside_group" comment="" ro="False">
<ObjectRef ref="id23297X67574"/>
<ObjectRef ref="id19852X26146"/>
<ObjectRef ref="id622710X3710"/>
</ObjectGroup>
<ObjectGroup id="id21119X3720" name="outside_group_2" comment="" ro="False">
<ObjectRef ref="id19852X26146"/>
<ObjectRef ref="id21130X3720"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="stdid02_1" name="Hosts" comment="" ro="False">
<Host id="id3F8F9622" name="DMZhost1" comment="" ro="False">
@ -1224,11 +1233,13 @@
<Network id="id69063X11724" name="n10.1.6.0" comment="" ro="False" address="10.1.6.0" netmask="255.255.255.0"/>
<Network id="id178241X29963" name="internal_subnet_1" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.192"/>
<Network id="id178250X29963" name="internal_subnet_2" comment="" ro="False" address="192.168.1.64" netmask="255.255.255.192"/>
<Network id="id21130X3720" name="ext_subnet" comment="" ro="False" address="22.22.22.128" netmask="255.255.255.224"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3CD8769F" name="test_range_1" comment="" ro="False" start_address="192.168.1.11" end_address="192.168.1.15"/>
<AddressRange id="id3D0F7F89" name="test_range_2" comment="" ro="False" start_address="192.168.1.250" end_address="192.168.1.255"/>
<AddressRange id="id3D196750" name="outside_range" comment="" ro="False" start_address="22.22.22.21" end_address="22.22.22.25"/>
<AddressRange id="id622710X3710" name="outside_range-1" comment="" ro="False" start_address="22.22.22.30" end_address="22.22.22.40"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05_1" name="Services" comment="" ro="False">
@ -18228,7 +18239,7 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294875498" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
<Firewall id="id19839X26146" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294882747" platform="pix" version="8.3" name="firewall90" comment="testing new style ASA 8.3 nat commands&#10;SNAT rules&#10;" ro="False">
<NAT id="id19920X26146" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id19921X26146" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -18562,7 +18573,61 @@ no sysopt nodnsalias outbound
<Option name="color">#7694C0</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id132365X22142" disabled="False" group="" position="14" action="Translate" comment="for #1908&#10;&quot;static&quot; vs &quot;dynamic&quot;&#10;">
<NATRule id="id21121X3710" disabled="False" group="" position="14" action="Translate" comment="for #1908 &quot;static&quot; vs &quot;dynamic&quot;&#10;for #1885 &quot;named object&quot; - create &#10;network object to define address range, then add it to object-group">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id21078X3710"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="asa8_nat_auto">True</Option>
<Option name="asa8_nat_dns">False</Option>
<Option name="asa8_nat_dynamic">False</Option>
<Option name="asa8_nat_static">False</Option>
<Option name="color">#7694C0</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id21177X3720" disabled="False" group="" position="15" action="Translate" comment="for #1908, #1916&#10;&quot;static&quot; vs &quot;dynamic&quot;&#10;">
<OSrc neg="False">
<ObjectRef ref="host-hostA"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id21119X3720"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="asa8_nat_auto">True</Option>
<Option name="asa8_nat_dns">False</Option>
<Option name="asa8_nat_dynamic">False</Option>
<Option name="asa8_nat_static">False</Option>
<Option name="color">#7694C0</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id132365X22142" disabled="False" group="" position="16" action="Translate" comment="for #1908&#10;&quot;static&quot; vs &quot;dynamic&quot;&#10;">
<OSrc neg="False">
<ObjectRef ref="id3D196750"/>
</OSrc>
@ -18589,7 +18654,7 @@ no sysopt nodnsalias outbound
<Option name="color">#7694C0</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id188268X22142" disabled="False" group="" position="15" action="Translate" comment="for #1908&#10;&quot;static&quot; vs &quot;dynamic&quot;&#10;">
<NATRule id="id188268X22142" disabled="False" group="" position="17" action="Translate" comment="for #1908&#10;&quot;static&quot; vs &quot;dynamic&quot;&#10;">
<OSrc neg="False">
<ObjectRef ref="id178241X29963"/>
</OSrc>
@ -18613,7 +18678,7 @@ no sysopt nodnsalias outbound
<Option name="color">#7694C0</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id244282X22142" disabled="False" group="" position="16" action="Translate" comment="for #1908&#10;&quot;static&quot; vs &quot;dynamic&quot;&#10;">
<NATRule id="id244282X22142" disabled="False" group="" position="18" action="Translate" comment="for #1908&#10;&quot;static&quot; vs &quot;dynamic&quot;&#10;">
<OSrc neg="False">
<ObjectRef ref="id178241X29963"/>
</OSrc>
@ -18640,7 +18705,7 @@ no sysopt nodnsalias outbound
<Option name="color">#7694C0</Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id301880X21607" disabled="False" group="" position="17" action="Translate" comment="">
<NATRule id="id301880X21607" disabled="False" group="" position="19" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:30 2011 PST by vadim
! Generated Wed Jan 12 17:40:34 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -128,9 +128,9 @@ access-list inside_acl_in permit ip 10.3.14.0 255.255.255.0 any
!
! Rule 5 (global)
access-list outside_acl_in remark 5 (global)
access-list outside_acl_in deny ip any any
access-list outside_acl_in deny ip any any log 6 interval 300
access-list inside_acl_in remark 5 (global)
access-list inside_acl_in deny ip any any
access-list inside_acl_in deny ip any any log 6 interval 300
access-group inside_acl_in in interface inside


@ -1,7 +1,7 @@
#!/bin/sh
DIFFCMD="diff -C 5 -c -b -B -w -I \"! Generated\" -I 'Activating ' -I '! Firewall Builder fwb_pix v' -I 'Can not find file' -I '====' -I 'log '"
DIFFCMD="diff -C 5 -c -b -B -w -I \"! Generated\" -I 'Activating ' -I '! Firewall Builder fwb_pix v' -I 'Can not find file' -I '===='"
for f in $(ls *.fw.orig)
do
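Review bot: The rewritten DIFFCMD line keeps mixed quoting for its ignore patterns: `-I \"! Generated\"` uses escaped double quotes inside the double-quoted string while every other pattern is single-quoted, which makes the line harder to read and to extend than it needs to be. Consider writing it uniformly as `DIFFCMD="diff -C 5 -c -b -B -w -I '! Generated' -I 'Activating ' -I '! Firewall Builder fwb_pix v' -I 'Can not find file' -I '===='"`. Dropping `-I 'log '` so that log clauses are now compared looks intentional given the rest of the commit; a one-line comment above the assignment stating that log clauses must be compared, `# do not ignore 'log' lines: default log level output is part of the expected config`, would keep a later edit from reintroducing the filter. The hunk header announces seven lines but fewer are shown here, and the `for` loop body continues outside the hunk.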


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3430
!
! Generated Wed Jan 12 16:02:31 2011 PST by vadim
! Generated Wed Jan 12 17:40:35 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -116,9 +116,9 @@ access-list inside_acl_in permit tcp any host 10.3.14.30 eq 80
!
! Rule 4 (global)
access-list outside_acl_in remark 4 (global)
access-list outside_acl_in deny ip any any log 5 interval 120
access-list outside_acl_in deny ip any any log 5 interval 120
access-list inside_acl_in remark 4 (global)
access-list inside_acl_in deny ip any any log 5 interval 120
access-list inside_acl_in deny ip any any log 5 interval 120
access-group inside_acl_in in interface inside