diff --git a/doc/ChangeLog b/doc/ChangeLog index 4d16e8540..4666d136e 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,10 @@ 2011-02-20 vadim + * BaseCompiler.cpp (getErrorsForRule): fixes #2124 "some error + messages get multiplied when compiler splits rules". Under certain + circumstances error messages could appear multiple times in the + generated script. + * Compiler.cpp (_expand_interface): fixes #1920 "Setting host interface to unnumbered after it has been assigned IP address doesn't have desired effect". Compiler still used ip addresses diff --git a/src/cisco_lib/RoutingCompiler_iosacl_writers.cpp b/src/cisco_lib/RoutingCompiler_iosacl_writers.cpp index ed675a22c..7f8611477 100644 --- a/src/cisco_lib/RoutingCompiler_iosacl_writers.cpp +++ b/src/cisco_lib/RoutingCompiler_iosacl_writers.cpp @@ -82,12 +82,10 @@ bool RoutingCompiler_iosacl::PrintRule::processNext() compiler->output << "! " << endl; compiler->output << "! Rule " << rl << endl; compiler->output << "! " << endl; - compiler->output << "! \"Routing rule " << rl << "\"" << endl; - compiler->output << "! " << endl; } - string err = rule->getCompilerMessage(); - if (!err.empty()) compiler->output << "# " << err << endl; +// string err = rule->getCompilerMessage(); +// if (!err.empty()) compiler->output << "# " << err << endl; if( rule->getRuleType() != RoutingRule::MultiPath ) { @@ -100,6 +98,10 @@ bool RoutingCompiler_iosacl::PrintRule::processNext() } compiler->output << "! " << comm.substr(c1) << endl; compiler->output << "! " << endl; + + string err = compiler->getErrorsForRule(rule, "! "); + if (!err.empty()) compiler->output << err << endl; + current_rule_label = rl; } @@ -108,6 +110,9 @@ bool RoutingCompiler_iosacl::PrintRule::processNext() } else { + string err = compiler->getErrorsForRule(rule, "! "); + if (!err.empty()) compiler->output << err << endl; + compiler->abort(rule, "MultiPath routing not supported by platform"); } return true; 
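Review bot: The two `getCompilerMessage()` lines in the `@@ -82,12 +82,10 @@` hunk are left behind as `//` comments instead of being deleted, so the file keeps dead code that still shows the old `# ` prefix the new calls replace with `! `. Delete both lines outright, since version control already keeps the old form. The same commented-out pair remains in the RoutingCompiler_pix, NATCompiler_ipt, PolicyCompiler_ipt, RoutingCompiler_ipt, Compiler::printComment and RoutingCompiler_openbsd hunks. processNext() starts and ends outside this hunk.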
diff --git a/src/cisco_lib/RoutingCompiler_pix_writers.cpp b/src/cisco_lib/RoutingCompiler_pix_writers.cpp index 6ed0fb7db..0a9542994 100644 --- a/src/cisco_lib/RoutingCompiler_pix_writers.cpp +++ b/src/cisco_lib/RoutingCompiler_pix_writers.cpp @@ -78,8 +78,8 @@ bool RoutingCompiler_pix::PrintRule::processNext() compiler->output << "! " << endl; } - string err = rule->getCompilerMessage(); - if (!err.empty()) compiler->output << "# " << err << endl; +// string err = rule->getCompilerMessage(); +// if (!err.empty()) compiler->output << "# " << err << endl; if( rule->getRuleType() != RoutingRule::MultiPath ) { @@ -92,7 +92,11 @@ bool RoutingCompiler_pix::PrintRule::processNext() } compiler->output << "! " << comm.substr(c1) << endl; compiler->output << "! " << endl; - current_rule_label=rl; + + string err = compiler->getErrorsForRule(rule, "! "); + if (!err.empty()) compiler->output << err << endl; + + current_rule_label = rl; } string command_line = RoutingRuleToString(rule); @@ -100,6 +104,9 @@ bool RoutingCompiler_pix::PrintRule::processNext() } else { + string err = compiler->getErrorsForRule(rule, "! "); + if (!err.empty()) compiler->output << err << endl; + compiler->abort(rule, "MultiPath routing not supported by platform"); } return true; diff --git a/src/iptlib/NATCompiler_PrintRule.cpp b/src/iptlib/NATCompiler_PrintRule.cpp index 023315e45..dcaa8e6d3 100644 --- a/src/iptlib/NATCompiler_PrintRule.cpp +++ b/src/iptlib/NATCompiler_PrintRule.cpp @@ -181,12 +181,15 @@ string NATCompiler_ipt::PrintRule::_printRuleLabel(NATRule *rule) res << "# " << line.toStdString() << endl; } //res << "# " << endl; + + string err = compiler->getErrorsForRule(rule, "# "); + if (!err.empty()) res << err << endl; } current_rule_label=rl; } - string err = rule->getCompilerMessage(); - if (!err.empty()) res << "# " << err << endl; +// string err = rule->getCompilerMessage(); +// if (!err.empty()) res << "# " << err << endl; return res.str(); } 
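Review bot: In the NATCompiler_ipt `_printRuleLabel` hunk the new `getErrorsForRule` output sits inside the inner block that closes just before `current_rule_label=rl;`, whereas the removed code printed the message unconditionally at the end of the function. The condition of that block is outside the hunk; if it gates comment output, compiler errors would be dropped from the generated script whenever it is false, and someone reading the script would get no sign that the rule did not compile cleanly. Consider moving `string err = compiler->getErrorsForRule(rule, "# ");` and `if (!err.empty()) res << err << endl;` down one level, next to `current_rule_label=rl;`, so that only the label-change check controls them. The PolicyCompiler_ipt `_printRuleLabel` hunk has the same placement, one block deeper.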
diff --git a/src/iptlib/PolicyCompiler_PrintRule.cpp b/src/iptlib/PolicyCompiler_PrintRule.cpp index d35809f3c..82b474d23 100644 --- a/src/iptlib/PolicyCompiler_PrintRule.cpp +++ b/src/iptlib/PolicyCompiler_PrintRule.cpp @@ -199,13 +199,16 @@ string PolicyCompiler_ipt::PrintRule::_printRuleLabel(PolicyRule *rule) res << "# " << line.toStdString() << endl; } //res << "# " << endl; + + string err = compiler->getErrorsForRule(rule, "# "); + if (!err.empty()) res << err << endl; } } current_rule_label = rl; - string err = rule->getCompilerMessage(); - if (!err.empty()) res << "# " << err << endl; +// string err = rule->getCompilerMessage(); +// if (!err.empty()) res << "# " << err << endl; return res.str(); } diff --git a/src/iptlib/RoutingCompiler_ipt_writers.cpp b/src/iptlib/RoutingCompiler_ipt_writers.cpp index 2971f5736..fb7e5219a 100644 --- a/src/iptlib/RoutingCompiler_ipt_writers.cpp +++ b/src/iptlib/RoutingCompiler_ipt_writers.cpp @@ -190,11 +190,15 @@ bool RoutingCompiler_ipt::PrintRule::processNext() } compiler->output << "# " << comm.substr(c1) << endl; compiler->output << "# " << endl; + + string err = compiler->getErrorsForRule(rule, "# "); + if (!err.empty()) compiler->output << err << endl; + current_rule_label = rl; } - string err = rule->getCompilerMessage(); - if (!err.empty()) compiler->output << "# " << err << endl; +// string err = rule->getCompilerMessage(); +// if (!err.empty()) compiler->output << "# " << err << endl; string command_line = RoutingRuleToString(rule); compiler->output << command_line; diff --git a/src/libfwbuilder/src/fwcompiler/BaseCompiler.cpp b/src/libfwbuilder/src/fwcompiler/BaseCompiler.cpp index d4d2e9eb2..158b19b7f 100644 --- a/src/libfwbuilder/src/fwcompiler/BaseCompiler.cpp +++ b/src/libfwbuilder/src/fwcompiler/BaseCompiler.cpp 
@@ -70,8 +70,25 @@ string BaseCompiler::getErrors(const string &comment_sep) void BaseCompiler::clearErrors() { errors_buffer.str(""); + rule_errors.clear(); } +string BaseCompiler::getErrorsForRule(Rule *rule, const std::string &comment_sep) +{ + string rule_label = rule->getLabel(); + rule_errors[rule_label].sort(); + ostringstream ostr; + list::iterator it; + string prev; // used to remove duplicate messages + for (it=rule_errors[rule_label].begin(); it!=rule_errors[rule_label].end(); ++it) + { + if (*it != prev) ostr << comment_sep << *it << endl; + prev = *it; + } + return ostr.str(); +} + + /* * Error and warning format: * @@ -126,7 +143,11 @@ void BaseCompiler::message(const std::string &level, string str = setLevel(level, stdErrorMessage(fw, ruleset, rule, errstr)); printError(str); Rule *cast_rule = Rule::cast(rule); - if (cast_rule) cast_rule->setCompilerMessage(str); + if (cast_rule) + { + cast_rule->setCompilerMessage(str); + rule_errors[cast_rule->getLabel()].push_back(str); + } } void BaseCompiler::printError(const string &errstr) diff --git a/src/libfwbuilder/src/fwcompiler/BaseCompiler.h b/src/libfwbuilder/src/fwcompiler/BaseCompiler.h index a533a9067..32672ab8a 100644 --- a/src/libfwbuilder/src/fwcompiler/BaseCompiler.h +++ b/src/libfwbuilder/src/fwcompiler/BaseCompiler.h @@ -47,7 +47,12 @@ namespace fwcompiler { { std::string level_macro; + // all errors generated by the compiler std::stringstream errors_buffer; + // a dictionary mapping rule label to the list of errors associated + // with it. + std::map > rule_errors; + // in test mode we trat fatal errors as errors and continue after // printing error message bool test_mode; @@ -139,6 +144,9 @@ public: bool haveErrorsAndWarnings(); void clearErrors(); + std::string getErrorsForRule(libfwbuilder::Rule *rule, + const std::string &comment_sep); + /** * fills a list of strings with regular expressions that match * error messages 
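Review bot: In `getErrorsForRule`, `ostr << comment_sep << *it << endl` prefixes only the start of each stored message, so a message with an embedded newline would put its remaining lines into the generated firewall script outside the comment. Whether any message can carry a newline is not visible in this hunk, but the texts embed object and rule names, so prefixing every physical line is the safer form. Separately, `rule_errors[rule_label]` creates an empty entry for every rule that has no errors, which a `find()` avoids, and `rule` is dereferenced without the null check that `message()` applies to `cast_rule`. Note also that `sort()` puts messages in text order rather than emission order, which is why "13" precedes "3" in the regenerated test output. The fence assumes `rule_errors` maps a label to a list of strings, as the header comment describes.

```cpp
string BaseCompiler::getErrorsForRule(Rule *rule, const std::string &comment_sep)
{
    ostringstream ostr;
    if (rule == NULL) return ostr.str();

    // find() does not create an empty entry for rules that have no errors
    map<string, list<string> >::iterator entry = rule_errors.find(rule->getLabel());
    if (entry == rule_errors.end()) return ostr.str();

    entry->second.sort();
    string prev; // used to remove duplicate messages
    for (list<string>::iterator it = entry->second.begin();
         it != entry->second.end(); ++it)
    {
        if (*it == prev) continue;
        prev = *it;
        // prefix every physical line so that no part of a multi-line
        // message ends up outside the comment in the generated script
        istringstream msg_lines(*it);
        string line;
        while (getline(msg_lines, line)) ostr << comment_sep << line << endl;
    }
    return ostr.str();
}
```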
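Review bot: In the BaseCompiler.h `@@ -139,6 +144,9 @@` hunk, `getErrorsForRule` is declared without a doc comment although the declaration right after it has a `/** ... */` block. Its behaviour is not obvious from the name: the messages are looked up by rule label rather than by rule object, and they come back sorted and de-duplicated. Add a comment above the declaration such as `/** returns the messages recorded for the rule's label, sorted and de-duplicated, one per line, each prefixed with comment_sep */`. The class body continues outside the hunk.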
diff --git a/src/libfwbuilder/src/fwcompiler/Compiler.cpp b/src/libfwbuilder/src/fwcompiler/Compiler.cpp index cab4b080c..464b80bde 100644 --- a/src/libfwbuilder/src/fwcompiler/Compiler.cpp +++ b/src/libfwbuilder/src/fwcompiler/Compiler.cpp @@ -1569,10 +1569,14 @@ string Compiler::printComment(Rule *rule, string &prev_rule_label, if (!remainder.empty()) res << prefix << " " << remainder << endl; } + + string err = getErrorsForRule(rule, prefix + " "); + if (!err.empty()) res << err << endl; + prev_rule_label = rl; } - string err = rule->getCompilerMessage(); - if (!err.empty()) res << prefix << " " << err << endl; +// string err = rule->getCompilerMessage(); +// if (!err.empty()) res << prefix << " " << err << endl; return res.str(); } diff --git a/src/pflib/RoutingCompiler_openbsd_writers.cpp b/src/pflib/RoutingCompiler_openbsd_writers.cpp index 037f9215f..87d6979d7 100644 --- a/src/pflib/RoutingCompiler_openbsd_writers.cpp +++ b/src/pflib/RoutingCompiler_openbsd_writers.cpp @@ -189,11 +189,15 @@ bool RoutingCompiler_openbsd::PrintRule::processNext() } } if (comment_lines) compiler->output << "#" << endl; + + string err = compiler->getErrorsForRule(rule, "# "); + if (!err.empty()) compiler->output << err << endl; + current_rule_label = rl; } - string err = rule->getCompilerMessage(); - if (!err.empty()) compiler->output << "# " << err << endl; +// string err = rule->getCompilerMessage(); +// if (!err.empty()) compiler->output << "# " << err << endl; string command_line = RoutingRuleToString(rule); compiler->output << command_line; diff --git a/test/iosacl/auto-interface-test.fw.orig b/test/iosacl/auto-interface-test.fw.orig index ee05104e2..5e8f0f824 100755 --- a/test/iosacl/auto-interface-test.fw.orig +++ b/test/iosacl/auto-interface-test.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:19 2011 PST by vadim +! Generated Sun Feb 20 21:26:38 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! diff --git a/test/iosacl/c3620.fw.orig b/test/iosacl/c3620.fw.orig index cac92d5e1..311daeae6 100755 --- a/test/iosacl/c3620.fw.orig +++ b/test/iosacl/c3620.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:19 2011 PST by vadim +! Generated Sun Feb 20 21:26:38 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! @@ -38,7 +38,6 @@ ip access-list extended e1_0_in ! ! Rule -1 backup ssh access rule (automatic) remark -1 backup ssh access rule (automatic) - permit tcp host 10.3.14.41 host 0.0.0.0 eq 22 permit tcp host 10.3.14.41 host 10.3.14.201 eq 22 permit tcp host 10.3.14.41 host 192.168.171.2 eq 22 ! @@ -77,7 +76,6 @@ ip access-list extended e1_0_out ! ! Rule -2 backup ssh access rule (out) (automatic) remark -2 backup ssh access rule (out) (automatic) - permit tcp host 0.0.0.0 eq 22 host 10.3.14.41 permit tcp host 10.3.14.201 eq 22 host 10.3.14.41 permit tcp host 192.168.171.2 eq 22 host 10.3.14.41 ! @@ -98,7 +96,6 @@ ip access-list extended e1_1_in ! ! Rule -1 backup ssh access rule (automatic) remark -1 backup ssh access rule (automatic) - permit tcp host 10.3.14.41 host 0.0.0.0 eq 22 permit tcp host 10.3.14.41 host 10.3.14.201 eq 22 permit tcp host 10.3.14.41 host 192.168.171.2 eq 22 ! @@ -133,7 +130,6 @@ ip access-list extended e1_1_out ! ! Rule -2 backup ssh access rule (out) (automatic) remark -2 backup ssh access rule (out) (automatic) - permit tcp host 0.0.0.0 eq 22 host 10.3.14.41 permit tcp host 10.3.14.201 eq 22 host 10.3.14.41 permit tcp host 192.168.171.2 eq 22 host 10.3.14.41 exit 
@@ -142,7 +138,6 @@ ip access-list extended fe0_0_in ! ! Rule -1 backup ssh access rule (automatic) remark -1 backup ssh access rule (automatic) - permit tcp host 10.3.14.41 host 0.0.0.0 eq 22 permit tcp host 10.3.14.41 host 10.3.14.201 eq 22 permit tcp host 10.3.14.41 host 192.168.171.2 eq 22 ! @@ -173,7 +168,6 @@ ip access-list extended fe0_0_out ! ! Rule -2 backup ssh access rule (out) (automatic) remark -2 backup ssh access rule (out) (automatic) - permit tcp host 0.0.0.0 eq 22 host 10.3.14.41 permit tcp host 10.3.14.201 eq 22 host 10.3.14.41 permit tcp host 192.168.171.2 eq 22 host 10.3.14.41 ! @@ -225,32 +219,24 @@ exit ! ! Rule 0 (main) ! -! "Routing rule 0 (main)" -! ! ! ip route 10.10.10.0 255.255.255.0 10.3.14.254 1 ! ! Rule 1 (main) ! -! "Routing rule 1 (main)" -! ! ! ip route 10.10.11.0 255.255.255.0 FastEthernet0/0 1 ! ! Rule 2 (main) ! -! "Routing rule 2 (main)" -! ! ! ip route 10.10.12.0 255.255.255.0 FastEthernet0/0 1 ! ! Rule 3 (main) ! -! "Routing rule 3 (main)" -! ! ! ip route 0.0.0.0 0.0.0.0 Ethernet1/0 1 diff --git a/test/iosacl/ccie4u-r1.fw.orig b/test/iosacl/ccie4u-r1.fw.orig index 4f002d4f5..28c4d0236 100755 --- a/test/iosacl/ccie4u-r1.fw.orig +++ b/test/iosacl/ccie4u-r1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:19 2011 PST by vadim +! Generated Sun Feb 20 21:26:39 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! 
@@ -153,12 +153,25 @@ ipv6 access-list ipv6_fe0_0_in permit tcp fe80::/64 any eq 22 ! ! Rule r1-ipv6 1 (global) +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule r1-ipv6 2 (global) +! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 5 (global)' below it +! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 6 (global)' below it + permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule r1-ipv6 3 (global) +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log 
@@ -183,6 +196,11 @@ ipv6 access-list ipv6_fe0_0_in permit ipv6 fe80::/64 any log ! ! Rule r1-ipv6 9 (global) +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it + permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log @@ -216,9 +234,19 @@ ipv6 access-list ipv6_fe0_0_out permit tcp fe80::/64 any eq 22 ! ! Rule r1-ipv6 1 (global) +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule r1-ipv6 3 (global) +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log 
@@ -231,6 +259,11 @@ ipv6 access-list ipv6_fe0_0_out permit ipv6 fe80::/64 any log ! ! Rule r1-ipv6 9 (global) +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it + permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log 
@@ -261,12 +294,25 @@ exit ipv6 access-list ipv6_fe0_1_in ! ! Rule r1-ipv6 1 (global) +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule r1-ipv6 2 (global) +! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 5 (global)' below it +! ccie4u-r1:r1-ipv6:2: error: Rule 'r1-ipv6 2 (global)' shadows rule 'r1-ipv6 6 (global)' below it + permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule r1-ipv6 3 (global) +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log 
@@ -288,6 +334,11 @@ ipv6 access-list ipv6_fe0_1_in permit ipv6 any host fe80::21d:9ff:fe8b:8e94 log ! ! Rule r1-ipv6 9 (global) +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it + permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log @@ -321,9 +372,19 @@ ipv6 access-list ipv6_fe0_1_out permit tcp fe80::/64 any eq 22 ! ! Rule r1-ipv6 1 (global) +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 13 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 3 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 4 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 5 (global)' below it +! ccie4u-r1:r1-ipv6:1: error: Rule 'r1-ipv6 1 (global)' shadows rule 'r1-ipv6 6 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule r1-ipv6 3 (global) +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 13 (global)' below it +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 4 (global)' below it +! ccie4u-r1:r1-ipv6:3: error: Rule 'r1-ipv6 3 (global)' shadows rule 'r1-ipv6 5 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log 
@@ -336,6 +397,11 @@ ipv6 access-list ipv6_fe0_1_out permit ipv6 fe80::/64 any log ! ! Rule r1-ipv6 9 (global) +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 10 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 11 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 12 (global)' below it +! ccie4u-r1:r1-ipv6:9: error: Rule 'r1-ipv6 9 (global)' shadows rule 'r1-ipv6 13 (global)' below it + permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log diff --git a/test/iosacl/dynamips1-og.fw.orig b/test/iosacl/dynamips1-og.fw.orig index 1ffe384b3..77941a3ca 100755 --- a/test/iosacl/dynamips1-og.fw.orig +++ b/test/iosacl/dynamips1-og.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:19 2011 PST by vadim +! Generated Sun Feb 20 21:26:39 2011 PST by vadim ! ! Compiled for iosacl 12.4 ! diff --git a/test/iosacl/firewall-ipv6-1.fw.orig b/test/iosacl/firewall-ipv6-1.fw.orig index 6e10b5362..730412888 100755 --- a/test/iosacl/firewall-ipv6-1.fw.orig +++ b/test/iosacl/firewall-ipv6-1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:20 2011 PST by vadim +! Generated Sun Feb 20 21:26:39 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! 
@@ -92,12 +92,25 @@ ipv6 access-list ipv6_e0_0_in permit tcp fe80::/64 any eq 22 ! ! Rule fw-ipv6-1-ipv6 1 (global) +! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 3 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule fw-ipv6-1-ipv6 2 (global) +! firewall-ipv6-1:fw-ipv6-1-ipv6:2: error: Rule 'fw-ipv6-1-ipv6 2 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:2: error: Rule 'fw-ipv6-1-ipv6 2 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it + permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule fw-ipv6-1-ipv6 3 (global) +! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log 
@@ -122,6 +135,11 @@ ipv6 access-list ipv6_e0_0_in permit ipv6 fe80::/64 any log ! ! Rule fw-ipv6-1-ipv6 9 (global) +! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 10 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 11 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 12 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it + permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log 
@@ -155,9 +173,19 @@ ipv6 access-list ipv6_e0_0_out permit tcp fe80::/64 any eq 22 ! ! Rule fw-ipv6-1-ipv6 1 (global) +! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 3 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:1: error: Rule 'fw-ipv6-1-ipv6 1 (global)' shadows rule 'fw-ipv6-1-ipv6 6 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule fw-ipv6-1-ipv6 3 (global) +! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 4 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:3: error: Rule 'fw-ipv6-1-ipv6 3 (global)' shadows rule 'fw-ipv6-1-ipv6 5 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log 
@@ -170,6 +198,11 @@ ipv6 access-list ipv6_e0_0_out permit ipv6 fe80::/64 any log ! ! Rule fw-ipv6-1-ipv6 9 (global) +! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 10 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 11 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 12 (global)' below it +! firewall-ipv6-1:fw-ipv6-1-ipv6:9: error: Rule 'fw-ipv6-1-ipv6 9 (global)' shadows rule 'fw-ipv6-1-ipv6 13 (global)' below it + permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log diff --git a/test/iosacl/firewall-ipv6-2.fw.orig b/test/iosacl/firewall-ipv6-2.fw.orig index dd2911bdb..a0a78f568 100755 --- a/test/iosacl/firewall-ipv6-2.fw.orig +++ b/test/iosacl/firewall-ipv6-2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:20 2011 PST by vadim +! Generated Sun Feb 20 21:26:39 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! 
@@ -99,12 +99,25 @@ ipv6 access-list ipv6_e0_0_in permit tcp fe80::/64 any eq 22 ! ! Rule fw-ipv6-2-ipv6 1 (global) +! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 3 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule fw-ipv6-2-ipv6 2 (global) +! firewall-ipv6-2:fw-ipv6-2-ipv6:2: error: Rule 'fw-ipv6-2-ipv6 2 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:2: error: Rule 'fw-ipv6-2-ipv6 2 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it + permit tcp host 3ffe:1200:2001:1:8000::1 host fe80::21d:9ff:fe8b:8e94 eq 22 log ! ! Rule fw-ipv6-2-ipv6 3 (global) +! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log 
@@ -129,6 +142,11 @@ ipv6 access-list ipv6_e0_0_in permit ipv6 fe80::/64 any log ! ! Rule fw-ipv6-2-ipv6 9 (global) +! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 10 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 11 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 12 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it + permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log 
@@ -162,9 +180,19 @@ ipv6 access-list ipv6_e0_0_out permit tcp fe80::/64 any eq 22 ! ! Rule fw-ipv6-2-ipv6 1 (global) +! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 3 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:1: error: Rule 'fw-ipv6-2-ipv6 1 (global)' shadows rule 'fw-ipv6-2-ipv6 6 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 ! ! Rule fw-ipv6-2-ipv6 3 (global) +! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 4 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:3: error: Rule 'fw-ipv6-2-ipv6 3 (global)' shadows rule 'fw-ipv6-2-ipv6 5 (global)' below it + permit tcp host 2001:5c0:0:2::24 any eq 22 log permit tcp 3ffe:1200:2000::/36 any eq 22 log permit tcp host 3ffe:1200:2001:1:8000::1 any eq 22 log 
@@ -177,6 +205,11 @@ ipv6 access-list ipv6_e0_0_out permit ipv6 fe80::/64 any log ! ! Rule fw-ipv6-2-ipv6 9 (global) +! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 10 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 11 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 12 (global)' below it +! firewall-ipv6-2:fw-ipv6-2-ipv6:9: error: Rule 'fw-ipv6-2-ipv6 9 (global)' shadows rule 'fw-ipv6-2-ipv6 13 (global)' below it + permit ipv6 host 2001:5c0:0:2::24 any log permit ipv6 3ffe:1200:2000::/36 any log permit ipv6 host 3ffe:1200:2001:1:8000::1 any log diff --git a/test/iosacl/firewall-ipv6-3.fw.orig b/test/iosacl/firewall-ipv6-3.fw.orig index c5cbffd25..db3dfa505 100755 --- a/test/iosacl/firewall-ipv6-3.fw.orig +++ b/test/iosacl/firewall-ipv6-3.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:20 2011 PST by vadim +! Generated Sun Feb 20 21:26:40 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! diff --git a/test/iosacl/testios1-1.fw.orig b/test/iosacl/testios1-1.fw.orig index 234301dc0..065ea41d6 100755 --- a/test/iosacl/testios1-1.fw.orig +++ b/test/iosacl/testios1-1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:20 2011 PST by vadim +! Generated Sun Feb 20 21:26:40 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! @@ -326,8 +326,6 @@ exit ! ! Rule 0 (main) ! -! "Routing rule 0 (main)" -! ! ip route 0.0.0.0 0.0.0.0 ! ip route 0.0.0.0 0.0.0.0 ethernet0 1 diff --git a/test/iosacl/testios1.fw.orig b/test/iosacl/testios1.fw.orig index a0be22cbf..c0a48a473 100755 
--- a/test/iosacl/testios1.fw.orig +++ b/test/iosacl/testios1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:20 2011 PST by vadim +! Generated Sun Feb 20 21:26:40 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! diff --git a/test/iosacl/testios2.fw.orig b/test/iosacl/testios2.fw.orig index e98e36e00..82b12733c 100755 --- a/test/iosacl/testios2.fw.orig +++ b/test/iosacl/testios2.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:21 2011 PST by vadim +! Generated Sun Feb 20 21:26:40 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! @@ -369,15 +369,12 @@ exit ! ! Rule 0 (main) ! -! "Routing rule 0 (main)" -! -# testios2:Routing:0: error: Object "test-addr-1" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall +! testios2:Routing:0: error: Object "test-addr-1" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall + ! ! Rule 1 (main) ! -! "Routing rule 1 (main)" -! -# testios2:Routing:1: error: Can not use both gateway address and interface in IOS routing rule +! testios2:Routing:1: error: Can not use both gateway address and interface in IOS routing rule ! ! Epilog script: diff --git a/test/iosacl/testios20-v12.3.fw.orig b/test/iosacl/testios20-v12.3.fw.orig index 8fee79439..b1adec0ec 100755 --- a/test/iosacl/testios20-v12.3.fw.orig +++ b/test/iosacl/testios20-v12.3.fw.orig 
@@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:21 2011 PST by vadim +! Generated Sun Feb 20 21:26:41 2011 PST by vadim ! ! Compiled for iosacl 12.3 ! diff --git a/test/iosacl/testios20.fw.orig b/test/iosacl/testios20.fw.orig index 65cd57ffe..8227b9799 100755 --- a/test/iosacl/testios20.fw.orig +++ b/test/iosacl/testios20.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:21 2011 PST by vadim +! Generated Sun Feb 20 21:26:41 2011 PST by vadim ! ! Compiled for iosacl 12.4 ! diff --git a/test/iosacl/testios3.fw.orig b/test/iosacl/testios3.fw.orig index 745780eda..dcc3393e3 100755 --- a/test/iosacl/testios3.fw.orig +++ b/test/iosacl/testios3.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:21 2011 PST by vadim +! Generated Sun Feb 20 21:26:41 2011 PST by vadim ! ! Compiled for iosacl 12.1 ! @@ -413,10 +413,9 @@ ip access-list extended e0_out ! ! Rule 3 (ethernet0) ! testios3:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode + deny ip 10.10.10.0 0.0.0.255 192.0.2.0 0.0.0.255 log -! testios3:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode deny ip 10.10.11.0 0.0.0.255 192.0.2.0 0.0.0.255 log -! testios3:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode deny ip 10.10.12.0 0.0.0.255 192.0.2.0 0.0.0.255 log ! ! Rule 4 (global) 
diff --git a/test/iosacl/testios4.fw.orig b/test/iosacl/testios4.fw.orig index 0d089d433..079dbed9f 100755 --- a/test/iosacl/testios4.fw.orig +++ b/test/iosacl/testios4.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:21 2011 PST by vadim +! Generated Sun Feb 20 21:26:41 2011 PST by vadim ! ! Compiled for iosacl 12.4 ! @@ -208,6 +208,7 @@ ip access-list extended e0_out ! ! Rule 3 (ethernet0) ! testios4:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode + deny ip object-group id47180X84238.src.net.0 192.0.2.0 0.0.0.255 log ! ! Rule 4 (global) diff --git a/test/iosacl/testios5-1.fw.orig b/test/iosacl/testios5-1.fw.orig index c34d355d8..bc5dace1d 100755 --- a/test/iosacl/testios5-1.fw.orig +++ b/test/iosacl/testios5-1.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:22 2011 PST by vadim +! Generated Sun Feb 20 21:26:42 2011 PST by vadim ! ! Compiled for iosacl 12.4 ! diff --git a/test/iosacl/testios5.fw.orig b/test/iosacl/testios5.fw.orig index 4d402b692..3060b7821 100755 --- a/test/iosacl/testios5.fw.orig +++ b/test/iosacl/testios5.fw.orig @@ -1,9 +1,9 @@ ! ! This is automatically generated file. DO NOT MODIFY ! ! -! Firewall Builder fwb_iosacl v4.2.0.3457 +! Firewall Builder fwb_iosacl v4.2.0.3483 ! -! Generated Thu Feb 3 10:04:22 2011 PST by vadim +! Generated Sun Feb 20 21:26:42 2011 PST by vadim ! ! Compiled for iosacl 12.4 ! diff --git a/test/ipf/firewall-ipf.conf.orig b/test/ipf/firewall-ipf.conf.orig index c7593eec8..f86dee45c 100755 --- a/test/ipf/firewall-ipf.conf.orig +++ b/test/ipf/firewall-ipf.conf.orig 
@@ -39,8 +39,8 @@ pass in quick on eth1 from 33.33.33.0/24 to any # # Rule 4 (eth0) # firewall:Policy:4: warning: Changing rule direction due to self reference + pass in quick on eth0 proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53 keep state -# firewall:Policy:4: warning: Changing rule direction due to self reference pass in quick on eth0 proto udp from 192.168.1.0/24 to 222.222.222.222 port = 53 keep state # # Rule 5 (eth0) @@ -66,8 +66,8 @@ block out log level local0.warning quick from any to any # # Rule 8 (global) # firewall:Policy:8: warning: Changing rule direction due to self reference + block return-icmp-as-dest (3) in quick proto 50 from any to 192.168.1.1 -# firewall:Policy:8: warning: Changing rule direction due to self reference block return-icmp-as-dest (3) in quick proto 50 from any to 222.222.222.222 # # Rule 11 (global) @@ -269,6 +269,8 @@ pass out log level local0.warning quick from 222.222.222.222 to 192.168.1.1 pass out log level local0.warning quick from 222.222.222.222 to 222.222.222.222 # # Rule 19 (global) +# firewall:Policy:19: warning: Changing rule direction due to self reference + pass in quick proto icmp from 192.168.1.1 to 192.168.1.1 keep state pass in quick proto icmp from 192.168.1.1 to 222.222.222.222 keep state pass in quick proto icmp from 222.222.222.222 to 192.168.1.1 keep state 
@@ -301,69 +303,37 @@ pass out quick from 192.168.1.1 to 192.168.1.1 pass out quick from 192.168.1.1 to 222.222.222.222 pass out quick from 222.222.222.222 to 192.168.1.1 pass out quick from 222.222.222.222 to 222.222.222.222 -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto icmp from 192.168.1.1 to 33.33.33.33 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto icmp from 192.168.1.1 to 33.33.33.34 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto icmp from 222.222.222.222 to 33.33.33.33 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto icmp from 222.222.222.222 to 33.33.33.34 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto tcp from 192.168.1.1 to 33.33.33.33 flags S keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto tcp from 192.168.1.1 to 33.33.33.34 flags S keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto tcp from 222.222.222.222 to 33.33.33.33 flags S keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto tcp from 222.222.222.222 to 33.33.33.34 flags S keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto udp from 192.168.1.1 to 33.33.33.33 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto udp from 192.168.1.1 to 33.33.33.34 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto udp from 222.222.222.222 to 33.33.33.33 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick proto udp from 
222.222.222.222 to 33.33.33.34 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick from 192.168.1.1 to 33.33.33.33 -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick from 192.168.1.1 to 33.33.33.34 -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick from 222.222.222.222 to 33.33.33.33 -# firewall:Policy:19: warning: Changing rule direction due to self reference pass out quick from 222.222.222.222 to 33.33.33.34 -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto icmp from 33.33.33.33 to 192.168.1.1 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto icmp from 33.33.33.33 to 222.222.222.222 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto icmp from 33.33.33.34 to 192.168.1.1 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto icmp from 33.33.33.34 to 222.222.222.222 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto tcp from 33.33.33.33 to 192.168.1.1 flags S keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto tcp from 33.33.33.33 to 222.222.222.222 flags S keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto tcp from 33.33.33.34 to 192.168.1.1 flags S keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto tcp from 33.33.33.34 to 222.222.222.222 flags S keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto udp from 33.33.33.33 to 192.168.1.1 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick 
proto udp from 33.33.33.33 to 222.222.222.222 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto udp from 33.33.33.34 to 192.168.1.1 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick proto udp from 33.33.33.34 to 222.222.222.222 keep state -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick from 33.33.33.33 to 192.168.1.1 -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick from 33.33.33.33 to 222.222.222.222 -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick from 33.33.33.34 to 192.168.1.1 -# firewall:Policy:19: warning: Changing rule direction due to self reference pass in quick from 33.33.33.34 to 222.222.222.222 skip 3 in from 33.33.33.33 to any skip 2 in from 33.33.33.34 to any 
@@ -425,20 +395,14 @@ pass out quick from any to 192.168.1.1 # Rule 20 (global) # Automatically generated 'masquerading' rule # firewall:Policy:20: warning: Changing rule direction due to self reference + pass out quick proto icmp from 192.168.1.1 to any keep state -# firewall:Policy:20: warning: Changing rule direction due to self reference pass out quick proto icmp from 222.222.222.222 to any keep state -# firewall:Policy:20: warning: Changing rule direction due to self reference pass out quick proto tcp from 192.168.1.1 to any flags S keep state -# firewall:Policy:20: warning: Changing rule direction due to self reference pass out quick proto tcp from 222.222.222.222 to any flags S keep state -# firewall:Policy:20: warning: Changing rule direction due to self reference pass out quick proto udp from 192.168.1.1 to any keep state -# firewall:Policy:20: warning: Changing rule direction due to self reference pass out quick proto udp from 222.222.222.222 to any keep state -# firewall:Policy:20: warning: Changing rule direction due to self reference pass out quick from 192.168.1.1 to any -# firewall:Policy:20: warning: Changing rule direction due to self reference pass out quick from 222.222.222.222 to any pass in quick proto icmp from 192.168.1.0/24 to any keep state pass in quick proto tcp from 192.168.1.0/24 to any flags S keep state diff --git a/test/ipf/firewall.fw.orig b/test/ipf/firewall.fw.orig index a2ead733a..832daab99 100755 --- a/test/ipf/firewall.fw.orig +++ b/test/ipf/firewall.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:11 2011 PST by vadim +# Generated Sun Feb 20 21:28:57 2011 PST by vadim # # files: * firewall.fw ipf.fw # files: firewall-ipf.conf ipf.conf 
@@ -169,7 +169,7 @@ configure_interfaces() { update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 16:55:11 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:57 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/firewall1-ipf.conf.orig b/test/ipf/firewall1-ipf.conf.orig index 7a8e2f15f..826a4c672 100755 --- a/test/ipf/firewall1-ipf.conf.orig +++ b/test/ipf/firewall1-ipf.conf.orig 
@@ -99,38 +99,26 @@ block out log quick proto icmp from any to any icmp-type 3 # # Rule 9 (global) # firewall1:Policy:9: warning: Changing rule direction due to self reference + skip 11 in proto icmp from 192.168.1.10 to 22.22.22.22 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference skip 10 in proto icmp from 192.168.1.10 to 22.22.23.23 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference skip 9 in proto icmp from 192.168.1.10 to 192.168.1.1 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference skip 8 in proto icmp from 192.168.1.10 to 192.168.2.1 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference skip 7 in proto icmp from 192.168.1.20 to 22.22.22.22 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference skip 6 in proto icmp from 192.168.1.20 to 22.22.23.23 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference skip 5 in proto icmp from 192.168.1.20 to 192.168.1.1 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference skip 4 in proto icmp from 192.168.1.20 to 192.168.2.1 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference block in log quick proto icmp from any to 22.22.22.22 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference block in log quick proto icmp from any to 22.22.23.23 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference block in log quick proto icmp from any to 192.168.1.1 icmp-type 3 -# firewall1:Policy:9: warning: Changing rule direction due to self reference block in log quick proto icmp from any to 192.168.2.1 icmp-type 3 # # Rule 10 (global) # firewall1:Policy:10: warning: Changing rule direction due to self reference + skip 5 out from 22.22.22.22 to 192.168.1.0/24 -# 
firewall1:Policy:10: warning: Changing rule direction due to self reference skip 4 out from 22.22.23.23 to 192.168.1.0/24 -# firewall1:Policy:10: warning: Changing rule direction due to self reference skip 3 out from 192.168.1.1 to 192.168.1.0/24 -# firewall1:Policy:10: warning: Changing rule direction due to self reference skip 2 out from 192.168.2.1 to 192.168.1.0/24 skip 1 in from 192.168.2.0/24 to 192.168.1.0/24 skip 1 out from 192.168.2.0/24 to 192.168.1.0/24 @@ -153,12 +141,10 @@ block out log quick from 192.168.2.0/24 to any # # Rule 12 (global) # firewall1:Policy:12: warning: Changing rule direction due to self reference + skip 4 in from any to 22.22.22.22 -# firewall1:Policy:12: warning: Changing rule direction due to self reference skip 3 in from any to 22.22.23.23 -# firewall1:Policy:12: warning: Changing rule direction due to self reference skip 2 in from any to 192.168.1.1 -# firewall1:Policy:12: warning: Changing rule direction due to self reference skip 1 in from any to 192.168.2.1 block in quick from any to any block out quick from any to any diff --git a/test/ipf/firewall1.fw.orig b/test/ipf/firewall1.fw.orig index 5b97e28ab..7a4a91656 100755 --- a/test/ipf/firewall1.fw.orig +++ b/test/ipf/firewall1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:11 2011 PST by vadim +# Generated Sun Feb 20 21:28:57 2011 PST by vadim # # files: * firewall1.fw /etc/ipf.fw # files: firewall1-ipf.conf /etc/fw/ipf.conf @@ -83,7 +83,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:11 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:57 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/firewall10-ipf.conf.orig b/test/ipf/firewall10-ipf.conf.orig index 0008c55a5..184a1d08c 100755 --- a/test/ipf/firewall10-ipf.conf.orig +++ b/test/ipf/firewall10-ipf.conf.orig 
@@ -57,30 +57,19 @@ pass out quick proto tcp from any to any port = 119 flags S keep state # # Rule 2 (global) # firewall10:Policy:2: warning: Changing rule direction due to self reference + skip 1 in from 192.168.1.0/24 to any -# firewall10:Policy:2: warning: Changing rule direction due to self reference skip 11 in from any to any -# firewall10:Policy:2: warning: Changing rule direction due to self reference skip 3 in from any to 22.22.22.22 -# firewall10:Policy:2: warning: Changing rule direction due to self reference skip 2 in from any to 192.168.1.1 -# firewall10:Policy:2: warning: Changing rule direction due to self reference skip 1 in from any to 192.168.2.0 -# firewall10:Policy:2: warning: Changing rule direction due to self reference skip 7 in from any to any -# firewall10:Policy:2: warning: Changing rule direction due to self reference pass in quick proto icmp from any to any icmp-type 11 code 0 keep state -# firewall10:Policy:2: warning: Changing rule direction due to self reference pass in quick proto icmp from any to any icmp-type 11 code 1 keep state -# firewall10:Policy:2: warning: Changing rule direction due to self reference pass in quick proto icmp from any to any icmp-type 0 code 0 keep state -# firewall10:Policy:2: warning: Changing rule direction due to self reference pass in quick proto icmp from any to any icmp-type 3 keep state -# firewall10:Policy:2: warning: Changing rule direction due to self reference pass in quick proto tcp from 192.168.1.0/24 to 22.22.22.22 port = 22 flags S keep state -# firewall10:Policy:2: warning: Changing rule direction due to self reference pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 22 flags S keep state -# firewall10:Policy:2: warning: Changing rule direction due to self reference pass in quick proto tcp from 192.168.1.0/24 to 192.168.2.0 port = 22 flags S keep state # # Rule 3 (global) diff --git a/test/ipf/firewall10.fw.orig b/test/ipf/firewall10.fw.orig index c166ce1bf..a32b13eac 100755 
--- a/test/ipf/firewall10.fw.orig +++ b/test/ipf/firewall10.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:11 2011 PST by vadim +# Generated Sun Feb 20 21:28:57 2011 PST by vadim # # files: * firewall10.fw /etc/firewall10.fw # files: firewall10-ipf.conf /etc/firewall10-ipf.conf @@ -75,7 +75,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:11 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:57 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/firewall11-ipf.conf.orig b/test/ipf/firewall11-ipf.conf.orig index cc727ecd1..b137f78e6 100755 --- a/test/ipf/firewall11-ipf.conf.orig +++ b/test/ipf/firewall11-ipf.conf.orig @@ -9,12 +9,10 @@ pass in quick on ng0 from any to # # Rule 1 (global) # firewall11:Policy:1: warning: Changing rule direction due to self reference + pass in quick proto icmp from any to 10.0.0.1 keep state -# firewall11:Policy:1: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 10.0.0.1 keep state -# firewall11:Policy:1: warning: Changing rule direction due to self reference pass in quick proto udp from any to 10.0.0.1 keep state -# firewall11:Policy:1: warning: Changing rule direction due to self reference pass in quick from any to 10.0.0.1 # # Rule 2 (global) diff --git a/test/ipf/firewall11.fw.orig b/test/ipf/firewall11.fw.orig index a3f6fb454..a5017df6f 100755 --- a/test/ipf/firewall11.fw.orig +++ b/test/ipf/firewall11.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:11 2011 PST by vadim +# Generated Sun Feb 20 21:28:57 2011 PST by vadim # # files: * firewall11.fw /etc/firewall11.fw # files: firewall11-ipf.conf /etc/firewall11-ipf.conf 
@@ -162,7 +162,7 @@ configure_interfaces() { update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 16:55:11 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:57 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/firewall2-ipf.conf.orig b/test/ipf/firewall2-ipf.conf.orig index f4f7b39ec..8932e5668 100755 --- a/test/ipf/firewall2-ipf.conf.orig +++ b/test/ipf/firewall2-ipf.conf.orig @@ -88,10 +88,9 @@ pass out log quick proto tcp from any to 22.22.22.22 port = 21 keep state # # Rule 9 (global) # firewall2:Policy:9: warning: Changing rule direction due to self reference + pass in log quick proto tcp from any to 22.22.23.23 port = 21 keep state -# firewall2:Policy:9: warning: Changing rule direction due to self reference pass in log quick proto tcp from any to 192.168.1.1 port = 21 keep state -# firewall2:Policy:9: warning: Changing rule direction due to self reference pass in log quick proto tcp from any to 192.168.2.1 port = 21 keep state # # Rule 10 (global) diff --git a/test/ipf/firewall2-nat.conf.orig b/test/ipf/firewall2-nat.conf.orig index 352ec6fad..4cb8a470b 100755 --- a/test/ipf/firewall2-nat.conf.orig +++ b/test/ipf/firewall2-nat.conf.orig 
@@ -116,332 +116,170 @@ map eth2 from 192.168.1.0/24 to any -> 22.22.22.0/24 # # Rule 17 (NAT) # firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules + rdr eth1 from any to 22.22.22.22/32 port = 10000 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10000 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10000 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10000 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10001 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10001 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10001 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10001 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10002 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10002 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10002 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10002 -> 192.168.1.10 port 10000 tcp -# 
firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10003 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10003 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10003 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10003 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10004 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10004 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10004 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10004 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10005 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10005 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10005 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10005 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port 
= 10006 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10006 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10006 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10006 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10007 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10007 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10007 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10007 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10008 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10008 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10008 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10008 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10009 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules 
rdr eth3 from any to 22.22.23.23/32 port = 10009 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10009 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10009 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10010 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10010 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10010 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10010 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10011 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10011 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10011 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10011 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10012 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10012 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: 
Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10012 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10012 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10013 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10013 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10013 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10013 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10014 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10014 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10014 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10014 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10015 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10015 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10015 -> 192.168.1.10 
port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10015 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10016 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10016 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10016 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10016 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10017 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10017 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10017 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10017 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10018 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10018 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10018 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 
192.168.2.1/32 port = 10018 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10019 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10019 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10019 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10019 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10020 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10020 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10020 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10020 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10021 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10021 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10021 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10021 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range 
test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10022 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10022 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10022 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10022 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10023 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10023 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10023 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10023 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10024 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10024 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10024 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10024 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10025 -> 192.168.1.10 port 10000 tcp -# 
firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10025 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10025 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10025 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10026 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10026 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10026 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10026 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10027 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10027 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10027 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10027 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10028 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port 
= 10028 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10028 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10028 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10029 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10029 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10029 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10029 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10030 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10030 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10030 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10030 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10031 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10031 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules 
rdr eth0 from any to 192.168.1.1/32 port = 10031 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10031 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10032 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10032 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10032 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10032 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10033 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10033 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10033 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10033 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10034 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10034 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10034 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: 
Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10034 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10035 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10035 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10035 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10035 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10036 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10036 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10036 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10036 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10037 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10037 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10037 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10037 -> 192.168.1.10 
port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10038 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10038 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10038 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10038 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10039 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10039 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10039 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10039 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth1 from any to 22.22.22.22/32 port = 10040 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth3 from any to 22.22.23.23/32 port = 10040 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth0 from any to 192.168.1.1/32 port = 10040 -> 192.168.1.10 port 10000 tcp -# firewall2:NAT:17: warning: Expanding port range test-TCP creates 41 rules rdr eth2 from any to 192.168.2.1/32 port = 10040 -> 192.168.1.10 port 10000 tcp # # Rule 18 (NAT) 
diff --git a/test/ipf/firewall2.fw.orig b/test/ipf/firewall2.fw.orig index 22b7936c3..9eb8c3d56 100755 --- a/test/ipf/firewall2.fw.orig +++ b/test/ipf/firewall2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:12 2011 PST by vadim +# Generated Sun Feb 20 21:28:58 2011 PST by vadim # # files: * firewall2.fw /etc/fw/firewall2.fw # files: firewall2-ipf.conf /etc/fw/firewall2-ipf.conf @@ -79,7 +79,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:12 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:58 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/firewall34.fw.orig b/test/ipf/firewall34.fw.orig index 37f9253eb..6359e001e 100755 --- a/test/ipf/firewall34.fw.orig +++ b/test/ipf/firewall34.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:12 2011 PST by vadim +# Generated Sun Feb 20 21:28:58 2011 PST by vadim # # files: * firewall34.fw /etc/fw/firewall34.fw # files: firewall34-ipf.conf /etc/fw/firewall34-ipf.conf @@ -162,7 +162,7 @@ configure_interfaces() { update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 16:55:12 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:58 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/firewall35.fw.orig b/test/ipf/firewall35.fw.orig index d0c5f18b6..5b55ecf1f 100755 --- a/test/ipf/firewall35.fw.orig +++ b/test/ipf/firewall35.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:12 2011 PST by vadim +# Generated Sun Feb 20 21:28:59 2011 PST by vadim # # files: * firewall35.fw /etc/firewall35.fw # files: firewall35-ipf.conf /etc/firewall35-ipf.conf 
@@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:12 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:59 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/firewall4-ipf.conf.orig b/test/ipf/firewall4-ipf.conf.orig index afa788423..0f598c443 100755 --- a/test/ipf/firewall4-ipf.conf.orig +++ b/test/ipf/firewall4-ipf.conf.orig @@ -43,22 +43,15 @@ block out log quick proto icmp from any to any icmp-type 3 # # Rule 6 (global) # firewall4:Policy:6: warning: Changing rule direction due to self reference + skip 8 in proto icmp from 192.168.1.10 to 192.168.1.1 icmp-type 3 -# firewall4:Policy:6: warning: Changing rule direction due to self reference skip 7 in proto icmp from 192.168.1.10 to 192.168.2.1 icmp-type 3 -# firewall4:Policy:6: warning: Changing rule direction due to self reference skip 6 in proto icmp from 192.168.1.10 to 222.222.222.222 icmp-type 3 -# firewall4:Policy:6: warning: Changing rule direction due to self reference skip 5 in proto icmp from 192.168.1.20 to 192.168.1.1 icmp-type 3 -# firewall4:Policy:6: warning: Changing rule direction due to self reference skip 4 in proto icmp from 192.168.1.20 to 192.168.2.1 icmp-type 3 -# firewall4:Policy:6: warning: Changing rule direction due to self reference skip 3 in proto icmp from 192.168.1.20 to 222.222.222.222 icmp-type 3 -# firewall4:Policy:6: warning: Changing rule direction due to self reference block in log quick proto icmp from any to 192.168.1.1 icmp-type 3 -# firewall4:Policy:6: warning: Changing rule direction due to self reference block in log quick proto icmp from any to 192.168.2.1 icmp-type 3 -# firewall4:Policy:6: warning: Changing rule direction due to self reference block in log quick proto icmp from any to 222.222.222.222 icmp-type 3 # # Rule 8 (global) diff --git a/test/ipf/firewall4.fw.orig b/test/ipf/firewall4.fw.orig index ae342694c..5526df927 100755 --- a/test/ipf/firewall4.fw.orig 
+++ b/test/ipf/firewall4.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:13 2011 PST by vadim +# Generated Sun Feb 20 21:28:59 2011 PST by vadim # # files: * firewall4.fw /etc/fw/firewall4.fw # files: firewall4-ipf.conf /etc/fw/firewall4-ipf.conf @@ -80,7 +80,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:13 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:59 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/firewall5-ipf.conf.orig b/test/ipf/firewall5-ipf.conf.orig index 9c189980a..b2a546d9b 100755 --- a/test/ipf/firewall5-ipf.conf.orig +++ b/test/ipf/firewall5-ipf.conf.orig @@ -3,10 +3,9 @@ # # Rule 0 (global) # firewall5:Policy:0: warning: Changing rule direction due to self reference + pass in quick proto tcp from any to 33.33.33.33 port = 22 flags S keep state -# firewall5:Policy:0: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 33.33.33.34 port = 22 flags S keep state -# firewall5:Policy:0: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 192.168.1.1 port = 22 flags S keep state # # Rule 1 (global) diff --git a/test/ipf/firewall5.fw.orig b/test/ipf/firewall5.fw.orig index d29c5c31a..0bc0c814e 100755 --- a/test/ipf/firewall5.fw.orig +++ b/test/ipf/firewall5.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:13 2011 PST by vadim +# Generated Sun Feb 20 21:28:59 2011 PST by vadim # # files: * firewall5.fw /etc/firewall5.fw # files: firewall5-ipf.conf /etc/firewall5-ipf.conf @@ -92,7 +92,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:13 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:59 2011 by vadim" set_kernel_vars configure_interfaces 
diff --git a/test/ipf/firewall7.fw.orig b/test/ipf/firewall7.fw.orig index 84962fd9c..be18b1bf2 100755 --- a/test/ipf/firewall7.fw.orig +++ b/test/ipf/firewall7.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:13 2011 PST by vadim +# Generated Sun Feb 20 21:28:59 2011 PST by vadim # # files: * firewall7.fw /etc/fw/firewall7.fw # files: firewall7-ipf.conf /etc/fw/firewall7-ipf.conf @@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:13 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:59 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/firewall8-ipf.conf.orig b/test/ipf/firewall8-ipf.conf.orig index c75217482..04df6ae6d 100755 --- a/test/ipf/firewall8-ipf.conf.orig +++ b/test/ipf/firewall8-ipf.conf.orig @@ -3,10 +3,9 @@ # # Rule 0 (global) # firewall8:Policy:0: warning: Changing rule direction due to self reference + pass in quick proto tcp from any to 33.33.33.33 port = 22 flags S keep state -# firewall8:Policy:0: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 33.33.33.34 port = 22 flags S keep state -# firewall8:Policy:0: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 192.168.1.1 port = 22 flags S keep state # # Rule 1 (global) diff --git a/test/ipf/firewall8.fw.orig b/test/ipf/firewall8.fw.orig index 8b940fbdb..222fadbfd 100755 --- a/test/ipf/firewall8.fw.orig +++ b/test/ipf/firewall8.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:13 2011 PST by vadim +# Generated Sun Feb 20 21:28:59 2011 PST by vadim # # files: * firewall8.fw /etc/firewall8.fw # files: firewall8-ipf.conf /etc/firewall8-ipf.conf 
@@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:13 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:28:59 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/firewall9-ipf.conf.orig b/test/ipf/firewall9-ipf.conf.orig index 425048542..b9421d8fb 100755 --- a/test/ipf/firewall9-ipf.conf.orig +++ b/test/ipf/firewall9-ipf.conf.orig @@ -31,8 +31,8 @@ count out log from any to any # # Rule 5 (global) # firewall9:Policy:5: warning: Changing rule direction due to self reference + pass in quick proto tcp from any to 22.22.22.22 port = 22 flags S keep state -# firewall9:Policy:5: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 192.168.1.1 port = 22 flags S keep state # # Rule 6 (global) diff --git a/test/ipf/firewall9.fw.orig b/test/ipf/firewall9.fw.orig index b6b610bd1..5e2a943d6 100755 --- a/test/ipf/firewall9.fw.orig +++ b/test/ipf/firewall9.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:13 2011 PST by vadim +# Generated Sun Feb 20 21:29:00 2011 PST by vadim # # files: * firewall9.fw /etc/firewall9.fw # files: firewall9-ipf.conf /etc/firewall9-ipf.conf @@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:13 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:00 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipf/host-ipf.conf.orig b/test/ipf/host-ipf.conf.orig index 7f96b6fd2..95b478fc2 100755 --- a/test/ipf/host-ipf.conf.orig +++ b/test/ipf/host-ipf.conf.orig 
@@ -72,31 +72,26 @@ pass out log quick on lo from 127.0.0.1 to 127.0.0.1 # Rule 4 (global) # block fragments # host:Policy:4: warning: Changing rule direction due to self reference + block in log quick from any to 22.22.22.22 with short # # Rule 5 (global) # host:Policy:5: warning: Changing rule direction due to self reference + pass in quick proto icmp from any to 22.22.22.22 icmp-type 3 keep state -# host:Policy:5: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 22.22.22.22 port = 25 keep state -# host:Policy:5: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 22.22.22.22 port = 80 keep state -# host:Policy:5: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 22.22.22.22 port = 22 keep state -# host:Policy:5: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 22.22.22.22 port = 21 keep state -# host:Policy:5: warning: Changing rule direction due to self reference pass in quick proto tcp from any to 22.22.22.22 port = 23 keep state # # Rule 6 (global) # allow all outgoing connections # host:Policy:6: warning: Changing rule direction due to self reference + pass out quick proto icmp from 22.22.22.22 to any keep state -# host:Policy:6: warning: Changing rule direction due to self reference pass out quick proto tcp from 22.22.22.22 to any keep state -# host:Policy:6: warning: Changing rule direction due to self reference pass out quick proto udp from 22.22.22.22 to any keep state -# host:Policy:6: warning: Changing rule direction due to self reference pass out quick from 22.22.22.22 to any # # Rule 7 (global) diff --git a/test/ipf/host.fw.orig b/test/ipf/host.fw.orig index b27b91597..003447c40 100755 --- a/test/ipf/host.fw.orig +++ b/test/ipf/host.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipf v4.2.0.3483 # -# Generated Sun Feb 20 16:55:14 2011 PST by vadim +# Generated Sun Feb 20 21:29:00 2011 PST by vadim # # files: * host.fw /etc/fw/host.fw # files: host-ipf.conf /etc/fw/host-ipf.conf @@ -78,7 +78,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:14 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:00 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipfw/firewall.fw.orig b/test/ipfw/firewall.fw.orig index 5ded3bf47..92070f82e 100755 --- a/test/ipfw/firewall.fw.orig +++ b/test/ipfw/firewall.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:54 2011 PST by vadim +# Generated Sun Feb 20 21:29:36 2011 PST by vadim # # files: * firewall.fw ipfw.fw # @@ -81,7 +81,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:54 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:36 2011 by vadim" set_kernel_vars configure_interfaces @@ -118,6 +118,7 @@ prolog_commands # Rule 3 (eth0) # комментарий по-русски # firewall:Policy:3: warning: Changing rule direction due to self reference + "$IPFW" add 60 set 1 permit udp from 192.168.1.0/24 to me 53 in recv eth0 keep-state || exit 1 # # Rule 4 (eth0) @@ -141,6 +142,7 @@ prolog_commands # # Rule 9 (global) # firewall:Policy:9: warning: Changing rule direction due to self reference + "$IPFW" add 160 set 1 unreach port 50 from any to me in || exit 1 # # Rule 12 (global) @@ -180,6 +182,7 @@ prolog_commands # Rule 20 (global) # Automatically generated 'masquerading' rule # firewall:Policy:20: warning: Changing rule direction due to self reference + "$IPFW" add 350 set 1 permit all from me to any out keep-state || exit 1 "$IPFW" add 360 set 1 permit all from 192.168.1.0/24 to any keep-state || exit 1 # 
diff --git a/test/ipfw/firewall1.fw.orig b/test/ipfw/firewall1.fw.orig index 3142e55e8..9a59f1e6e 100755 --- a/test/ipfw/firewall1.fw.orig +++ b/test/ipfw/firewall1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:54 2011 PST by vadim +# Generated Sun Feb 20 21:29:36 2011 PST by vadim # # files: * firewall1.fw /etc/firewall1.fw # @@ -83,7 +83,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:54 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:36 2011 by vadim" set_kernel_vars configure_interfaces @@ -156,14 +156,14 @@ prolog_commands # # Rule 9 (global) # firewall1:Policy:9: warning: Changing rule direction due to self reference + "$IPFW" add 350 set 1 skipto 380 icmp from 192.168.1.10 to me icmptypes 3 in || exit 1 -# firewall1:Policy:9: warning: Changing rule direction due to self reference "$IPFW" add 360 set 1 skipto 380 icmp from 192.168.1.20 to me icmptypes 3 in || exit 1 -# firewall1:Policy:9: warning: Changing rule direction due to self reference "$IPFW" add 370 set 1 drop log icmp from any to me icmptypes 3 in || exit 1 # # Rule 10 (global) # firewall1:Policy:10: warning: Changing rule direction due to self reference + "$IPFW" add 380 set 1 skipto 410 all from me to 192.168.1.0/24 out || exit 1 "$IPFW" add 390 set 1 skipto 410 all from 192.168.2.0/24 to 192.168.1.0/24 || exit 1 "$IPFW" add 400 set 1 drop log all from any to 192.168.1.0/24 || exit 1 @@ -183,6 +183,7 @@ prolog_commands # # Rule 13 (global) # firewall1:Policy:13: warning: Changing rule direction due to self reference + "$IPFW" add 500 set 1 skipto 520 all from any to me in || exit 1 "$IPFW" add 510 set 1 drop all from any to any || exit 1 # diff --git a/test/ipfw/firewall2.fw.orig b/test/ipfw/firewall2.fw.orig index 7786ad352..c21937e97 100755 --- a/test/ipfw/firewall2.fw.orig +++ b/test/ipfw/firewall2.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:55 2011 PST by vadim +# Generated Sun Feb 20 21:29:37 2011 PST by vadim # # files: * firewall2.fw /etc/firewall2.fw # @@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:55 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim" set_kernel_vars configure_interfaces @@ -145,6 +145,7 @@ prolog_commands # # Rule 12 (global) # firewall2:Policy:12: warning: Changing rule direction due to self reference + "$IPFW" add 180 set 1 permit log tcp from any to me 21 in setup keep-state || exit 1 # # Rule 13 (global) diff --git a/test/ipfw/firewall33.fw.orig b/test/ipfw/firewall33.fw.orig index cca1f1116..3c4f278ad 100755 --- a/test/ipfw/firewall33.fw.orig +++ b/test/ipfw/firewall33.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:55 2011 PST by vadim +# Generated Sun Feb 20 21:29:37 2011 PST by vadim # # files: * firewall33.fw /etc/fw/firewall33.fw # @@ -163,7 +163,7 @@ configure_interfaces() { update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 16:55:55 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim" set_kernel_vars configure_interfaces @@ -193,6 +193,7 @@ prolog_commands # # Rule 2 (global) # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode + "$IPFW" add 80 set 1 permit all from 192.0.2.1 to any keep-state || exit 1 # # Rule 3 (global) 
@@ -213,6 +214,7 @@ prolog_commands # # Rule 6 (global) # firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode + "$IPFW" add 190 set 1 skipto 210 all from any to 192.0.2.1 || exit 1 "$IPFW" add 200 set 1 permit all from any to any keep-state || exit 1 # diff --git a/test/ipfw/firewall34.fw.orig b/test/ipfw/firewall34.fw.orig index aadad5277..5f32ceefa 100755 --- a/test/ipfw/firewall34.fw.orig +++ b/test/ipfw/firewall34.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:55 2011 PST by vadim +# Generated Sun Feb 20 21:29:37 2011 PST by vadim # # files: * firewall34.fw /etc/firewall34.fw # @@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:55 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipfw/firewall4.fw.orig b/test/ipfw/firewall4.fw.orig index 8a69a68e2..75899bb16 100755 --- a/test/ipfw/firewall4.fw.orig +++ b/test/ipfw/firewall4.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:55 2011 PST by vadim +# Generated Sun Feb 20 21:29:37 2011 PST by vadim # # files: * firewall4.fw /etc/firewall4.fw # @@ -80,7 +80,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:55 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim" set_kernel_vars configure_interfaces 
@@ -127,10 +127,9 @@ prolog_commands # # Rule 6 (global) # firewall4:Policy:6: warning: Changing rule direction due to self reference + "$IPFW" add 130 set 1 skipto 160 icmp from 192.168.1.10 to me icmptypes 3 in || exit 1 -# firewall4:Policy:6: warning: Changing rule direction due to self reference "$IPFW" add 140 set 1 skipto 160 icmp from 192.168.1.20 to me icmptypes 3 in || exit 1 -# firewall4:Policy:6: warning: Changing rule direction due to self reference "$IPFW" add 150 set 1 drop log icmp from any to me icmptypes 3 in || exit 1 # # Rule 8 (global) diff --git a/test/ipfw/firewall7.fw.orig b/test/ipfw/firewall7.fw.orig index ff5c8c904..e3274c3a6 100755 --- a/test/ipfw/firewall7.fw.orig +++ b/test/ipfw/firewall7.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:55 2011 PST by vadim +# Generated Sun Feb 20 21:29:37 2011 PST by vadim # # files: * firewall7.fw /etc/firewall7.fw # @@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:55 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/ipfw/firewall8.fw.orig b/test/ipfw/firewall8.fw.orig index 95b794ad8..337e14db2 100755 --- a/test/ipfw/firewall8.fw.orig +++ b/test/ipfw/firewall8.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:56 2011 PST by vadim +# Generated Sun Feb 20 21:29:37 2011 PST by vadim # # files: * firewall8.fw /etc/firewall8.fw # @@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:56 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:37 2011 by vadim" set_kernel_vars configure_interfaces 
@@ -95,6 +95,7 @@ prolog_commands # # Rule 0 (global) # firewall8:Policy:0: warning: Changing rule direction due to self reference + "$IPFW" add 10 set 1 permit tcp from any to me 22 in setup keep-state || exit 1 # # Rule 1 (global) diff --git a/test/ipfw/firewall9.fw.orig b/test/ipfw/firewall9.fw.orig index 271df8215..cb837a7c2 100755 --- a/test/ipfw/firewall9.fw.orig +++ b/test/ipfw/firewall9.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:56 2011 PST by vadim +# Generated Sun Feb 20 21:29:38 2011 PST by vadim # # files: * firewall9.fw /etc/firewall9.fw # @@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:56 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:38 2011 by vadim" set_kernel_vars configure_interfaces @@ -114,6 +114,7 @@ prolog_commands # # Rule 5 (global) # firewall9:Policy:5: warning: Changing rule direction due to self reference + "$IPFW" add 100 set 1 permit tcp from any to me 22 in setup keep-state || exit 1 # # Rule 6 (global) diff --git a/test/ipfw/host.fw.orig b/test/ipfw/host.fw.orig index 423bdc685..be423794f 100755 --- a/test/ipfw/host.fw.orig +++ b/test/ipfw/host.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:56 2011 PST by vadim +# Generated Sun Feb 20 21:29:38 2011 PST by vadim # # files: * host.fw /etc/host.fw # @@ -79,7 +79,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:56 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:38 2011 by vadim" set_kernel_vars configure_interfaces 
@@ -113,17 +113,19 @@ prolog_commands # Rule 4 (global) # block fragments # host:Policy:4: warning: Changing rule direction due to self reference + "$IPFW" add 50 set 1 drop log all from any to me frag in || exit 1 # # Rule 5 (global) # host:Policy:5: warning: Changing rule direction due to self reference + "$IPFW" add 60 set 1 permit icmp from any to me icmptypes 3 in keep-state || exit 1 -# host:Policy:5: warning: Changing rule direction due to self reference "$IPFW" add 70 set 1 permit tcp from any to me 25,80,22,21,23 in setup keep-state || exit 1 # # Rule 6 (global) # allow all outgoing connections # host:Policy:6: warning: Changing rule direction due to self reference + "$IPFW" add 80 set 1 permit all from me to any out keep-state || exit 1 # # Rule 7 (global) diff --git a/test/ipfw/mac.fw.orig b/test/ipfw/mac.fw.orig index d62145826..caccca6a2 100755 --- a/test/ipfw/mac.fw.orig +++ b/test/ipfw/mac.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipfw v4.2.0.3483 # -# Generated Sun Feb 20 16:55:56 2011 PST by vadim +# Generated Sun Feb 20 21:29:38 2011 PST by vadim # # files: * mac.fw /etc/mac.fw # @@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 16:55:56 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:29:38 2011 by vadim" set_kernel_vars configure_interfaces @@ -99,6 +99,7 @@ prolog_commands # # Rule 1 (global) # mac:Policy:1: warning: Changing rule direction due to self reference + "$IPFW" add 20 set 1 permit tcp from any to me established in keep-state || exit 1 # # Rule 2 (global) 
@@ -107,18 +108,16 @@ prolog_commands # # Rule 3 (global) # mac:Policy:3: warning: Changing rule direction due to self reference + "$IPFW" add 50 set 1 permit icmp from any to me icmptypes 11,11,0,3 in keep-state || exit 1 -# mac:Policy:3: warning: Changing rule direction due to self reference "$IPFW" add 60 set 1 permit tcp from any to me 22,25 in setup keep-state || exit 1 -# mac:Policy:3: warning: Changing rule direction due to self reference "$IPFW" add 70 set 1 permit udp from any to me in keep-state || exit 1 # # Rule 4 (global) # mac:Policy:4: warning: Changing rule direction due to self reference + "$IPFW" add 80 set 1 permit icmp from me to any icmptypes 11,11,0,3 out keep-state || exit 1 -# mac:Policy:4: warning: Changing rule direction due to self reference "$IPFW" add 90 set 1 permit tcp from me to any out setup keep-state || exit 1 -# mac:Policy:4: warning: Changing rule direction due to self reference "$IPFW" add 100 set 1 permit udp from me to any 53,68,67 out keep-state || exit 1 # # Rule 5 (global) diff --git a/test/ipt/cluster1_secuwall-1.fw.orig b/test/ipt/cluster1_secuwall-1.fw.orig index 875c71e05..26e9f3ad6 100755 --- a/test/ipt/cluster1_secuwall-1.fw.orig +++ b/test/ipt/cluster1_secuwall-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:49 2011 PST by vadim +# Generated Sun Feb 20 21:02:48 2011 PST by vadim # # files: * cluster1_secuwall-1.fw /etc/cluster1_secuwall-1.fw # @@ -588,7 +588,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:49 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:48 2011 by vadim" log "Database was cluster-tests.fwb" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall-base-rulesets.fw.orig b/test/ipt/firewall-base-rulesets.fw.orig index 6333d88e4..4332581fc 100755 --- a/test/ipt/firewall-base-rulesets.fw.orig +++ b/test/ipt/firewall-base-rulesets.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:07:08 2011 PST by vadim +# Generated Sun Feb 20 21:01:06 2011 PST by vadim # # files: * firewall-base-rulesets.fw /etc/fw/firewall-base-rulesets.fw # @@ -445,7 +445,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:07:08 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:01:06 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-1.fw.orig b/test/ipt/firewall-ipv6-1.fw.orig index 46e19b84b..0393815a2 100755 --- a/test/ipt/firewall-ipv6-1.fw.orig +++ b/test/ipt/firewall-ipv6-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:07:32 2011 PST by vadim +# Generated Sun Feb 20 21:01:29 2011 PST by vadim # # files: * firewall-ipv6-1.fw /etc/firewall-ipv6-1.fw # @@ -355,6 +355,8 @@ script_body() { # echo "Rule 4 (global)" # + # firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it + $IPTABLES -N Cid4834D3108571.0 $IPTABLES -A INPUT -p tcp -m tcp -d 1.1.1.1 --dport 22 -m state --state NEW -j Cid4834D3108571.0 $IPTABLES -N RULE_4 @@ -407,6 +409,9 @@ script_body() { # echo "Rule 13 (global)" # + # firewall-ipv6-1:Policy:13: error: Rule '13 (global)' shadows rule '15 (global)' below it + # firewall-ipv6-1:Policy:13: error: Rule '13 (global)' shadows rule '17 (global)' below it + $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT 
@@ -459,10 +464,10 @@ script_body() { echo "Rule 21 (global)" # # firewall-ipv6-1:Policy:21: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -N RULE_21 $IPTABLES -A OUTPUT -d 192.0.2.1 -j RULE_21 $IPTABLES -A OUTPUT -d 207.251.84.150 -j RULE_21 - # firewall-ipv6-1:Policy:21: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -A FORWARD -d 192.0.2.1 -j RULE_21 $IPTABLES -A FORWARD -d 207.251.84.150 -j RULE_21 $IPTABLES -A RULE_21 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 21 -- DENY " --ulog-qthreshold 1 @@ -506,6 +511,8 @@ script_body() { echo "Rule Policy_ipv6 0 (global)" # # for bug 2047082 + # firewall-ipv6-1:Policy_ipv6:0: error: Rule 'Policy_ipv6 0 (global)' shadows rule 'Policy_ipv6 14 (global)' below it + $IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT # # Rule Policy_ipv6 1 (global) @@ -522,9 +529,9 @@ script_body() { echo "Rule Policy_ipv6 2 (global)" # # firewall-ipv6-1:Policy_ipv6:2: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + $IP6TABLES -N Policy_ipv6_2 $IP6TABLES -A OUTPUT -d 2001:db8::1 -j Policy_ipv6_2 - # firewall-ipv6-1:Policy_ipv6:2: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode $IP6TABLES -A FORWARD -d 2001:db8::1 -j Policy_ipv6_2 $IP6TABLES -A Policy_ipv6_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY " $IP6TABLES -A Policy_ipv6_2 -j DROP 
@@ -561,9 +568,14 @@ script_body() { # echo "Rule Policy_ipv6 6 (global)" # + # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 10 (global)' below it + # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 11 (global)' below it + # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 12 (global)' below it + # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 7 (global)' below it + # firewall-ipv6-1:Policy_ipv6:6: error: Rule 'Policy_ipv6 6 (global)' shadows rule 'Policy_ipv6 9 (global)' below it # firewall-ipv6-1:Policy_ipv6:6: warning: Making rule stateless because it matches ICMPv6 + $IP6TABLES -A OUTPUT -p ipv6-icmp -d fe80::21d:9ff:fe8b:8e94 -j ACCEPT - # firewall-ipv6-1:Policy_ipv6:6: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 7 (global) 
@@ -571,34 +583,37 @@ script_body() { echo "Rule Policy_ipv6 7 (global)" # # firewall-ipv6-1:Policy_ipv6:7: warning: Making rule stateless because it matches ICMPv6 + $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 8 (global) # echo "Rule Policy_ipv6 8 (global)" # + # firewall-ipv6-1:Policy_ipv6:8: error: Rule 'Policy_ipv6 8 (global)' shadows rule 'Policy_ipv6 13 (global)' below it # firewall-ipv6-1:Policy_ipv6:8: warning: Making rule stateless because it matches ICMPv6 + $IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT - # firewall-ipv6-1:Policy_ipv6:8: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT - # firewall-ipv6-1:Policy_ipv6:8: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 9 (global) # echo "Rule Policy_ipv6 9 (global)" # - $IP6TABLES -A INPUT -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT # firewall-ipv6-1:Policy_ipv6:9: warning: Making rule stateless because it matches ICMPv6 + + $IP6TABLES -A INPUT -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 10 (global) # echo "Rule Policy_ipv6 10 (global)" # + # firewall-ipv6-1:Policy_ipv6:10: warning: Making rule stateless because it matches ICMPv6 + $IP6TABLES -A INPUT -p tcp -m tcp -m multiport --dports 139,135,42,445,88,389,636,3268,3269,53 -m state --state NEW -j ACCEPT $IP6TABLES -A INPUT -p udp -m udp -m multiport --dports 138,137,53,88 -m state --state NEW -j ACCEPT - # firewall-ipv6-1:Policy_ipv6:10: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule Policy_ipv6 11 (global) 
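Review bot: In the new expected output for Rule Policy_ipv6 9 and Rule Policy_ipv6 10, the warning `Making rule stateless because it matches ICMPv6` now sits in the rule header, directly above tcp/udp commands that still carry `-m state --state NEW`. The only stateless command in each rule is the trailing `$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT`, and the old fixture had the comment immediately above that line. Someone auditing the generated script can now read the warning as applying to the stateful TCP/UDP commands. Since the message is printed once per rule, its text should name the part it refers to, for example `warning: Making the ICMPv6 part of this rule stateless`. The message is produced in compiler code outside this hunk, so the exact place to change it is not visible here.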
@@ -687,7 +702,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:07:32 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:01:29 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-2.fw.orig b/test/ipt/firewall-ipv6-2.fw.orig index f241565af..5fb2de2bd 100755 --- a/test/ipt/firewall-ipv6-2.fw.orig +++ b/test/ipt/firewall-ipv6-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:07:34 2011 PST by vadim +# Generated Sun Feb 20 21:01:31 2011 PST by vadim # # files: * firewall-ipv6-2.fw /etc/firewall-ipv6-2.fw # @@ -383,6 +383,8 @@ script_body() { # echo "Rule 4 (global)" # + # firewall-ipv6-2:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it + $IPTABLES -N Cid56136X87590.0 $IPTABLES -A INPUT -p tcp -m tcp -d 1.1.1.1 --dport 22 -m state --state NEW -j Cid56136X87590.0 $IPTABLES -N RULE_4 @@ -407,6 +409,9 @@ script_body() { # echo "Rule 7 (global)" # + # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '27 (global)' below it + # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '28 (global)' below it + $IPTABLES -N In_RULE_7 $IPTABLES -A INPUT -m state --state NEW -j In_RULE_7 $IPTABLES -A In_RULE_7 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 7 -- ACCEPT " --ulog-qthreshold 1 @@ -416,6 +421,8 @@ script_body() { # echo "Rule 8 (global)" # + # firewall-ipv6-2:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it + $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 192.168.1.1 -m state --state NEW -j ACCEPT # 
@@ -449,6 +456,9 @@ script_body() { # echo "Rule 15 (global)" # + # firewall-ipv6-2:Policy:15: error: Rule '15 (global)' shadows rule '17 (global)' below it + # firewall-ipv6-2:Policy:15: error: Rule '15 (global)' shadows rule '19 (global)' below it + $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT @@ -474,6 +484,9 @@ script_body() { echo "Rule 20 (global)" # # INPUT, OUTPUT, FORWARD + # firewall-ipv6-2:Policy:20: error: Rule '20 (global)' shadows rule '22 (global)' below it + # firewall-ipv6-2:Policy:20: error: Rule '20 (global)' shadows rule '30 (global)' below it + $IPTABLES -A INPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT @@ -508,10 +521,10 @@ script_body() { echo "Rule 24 (global)" # # firewall-ipv6-2:Policy:24: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -N RULE_24 $IPTABLES -A OUTPUT -d 192.0.2.1 -j RULE_24 $IPTABLES -A OUTPUT -d 207.251.84.150 -j RULE_24 - # firewall-ipv6-2:Policy:24: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -A FORWARD -d 192.0.2.1 -j RULE_24 $IPTABLES -A FORWARD -d 207.251.84.150 -j RULE_24 $IPTABLES -A RULE_24 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 24 -- DENY " --ulog-qthreshold 1 
@@ -609,12 +622,22 @@ script_body() { # echo "Rule 1 (global)" # + # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it + # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it + # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it + # firewall-ipv6-2:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it + $IP6TABLES -A INPUT -p tcp -m tcp -s 2001:5c0:0:2::24 -d fe80::21d:9ff:fe8b:8e94 --dport 22 -m state --state NEW -j ACCEPT # # Rule 2 (global) # echo "Rule 2 (global)" # + # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it + # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it + # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it + # firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it + $IP6TABLES -N RULE_2 $IP6TABLES -A INPUT -p tcp -m tcp -s 3ffe:1200:2001:1:8000::1 --dport 22 -m state --state NEW -j RULE_2 $IP6TABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT " @@ -624,6 +647,8 @@ script_body() { # echo "Rule 3 (global)" # + # firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it + $IP6TABLES -N Cid56124X87590.0 $IP6TABLES -A INPUT -p tcp -m tcp -d fe80::21d:9ff:fe8b:8e94 --dport 22 -m state --state NEW -j Cid56124X87590.0 $IP6TABLES -N RULE_3 @@ -674,6 +699,9 @@ script_body() { # echo "Rule 7 (global)" # + # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '27 (global)' below it + # firewall-ipv6-2:Policy:7: error: Rule '7 (global)' shadows rule '28 (global)' below it + $IP6TABLES -N In_RULE_7 $IP6TABLES -A INPUT -m state --state NEW -j In_RULE_7 $IP6TABLES -A In_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT " 
@@ -683,6 +711,8 @@ script_body() { # echo "Rule 8 (global)" # + # firewall-ipv6-2:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it + $IP6TABLES -A OUTPUT -d e80::21d:9ff:fe8b:8e94 -m state --state NEW -j ACCEPT $IP6TABLES -A FORWARD -d e80::21d:9ff:fe8b:8e94 -m state --state NEW -j ACCEPT # @@ -697,6 +727,8 @@ script_body() { # echo "Rule 10 (global)" # + # firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '25 (global)' below it + $IP6TABLES -N RULE_10 $IP6TABLES -A INPUT -s fe80::/64 -m state --state NEW -j RULE_10 $IP6TABLES -A OUTPUT -s fe80::/64 -m state --state NEW -j RULE_10 @@ -708,6 +740,8 @@ script_body() { # echo "Rule 11 (global)" # + # firewall-ipv6-2:Policy:11: error: Rule '11 (global)' shadows rule '12 (global)' below it + $IP6TABLES -N RULE_11 $IP6TABLES -A INPUT -s 2001:5c0:0:2::24 -m state --state NEW -j RULE_11 $IP6TABLES -A INPUT -s 3ffe:1200:2000::/36 -m state --state NEW -j RULE_11 @@ -734,11 +768,13 @@ script_body() { # echo "Rule 16 (global)" # + # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '18 (global)' below it + # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '19 (global)' below it + # firewall-ipv6-2:Policy:16: error: Rule '16 (global)' shadows rule '29 (global)' below it # firewall-ipv6-2:Policy:16: warning: Making rule stateless because it matches ICMPv6 + $IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT - # firewall-ipv6-2:Policy:16: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT - # firewall-ipv6-2:Policy:16: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT # # Rule 18 (global) 
@@ -746,10 +782,9 @@ script_body() { echo "Rule 18 (global)" # # firewall-ipv6-2:Policy:18: warning: Making rule stateless because it matches ICMPv6 + $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT - # firewall-ipv6-2:Policy:18: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT - # firewall-ipv6-2:Policy:18: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT # # Rule 19 (global) @@ -757,10 +792,9 @@ script_body() { echo "Rule 19 (global)" # # firewall-ipv6-2:Policy:19: warning: Making rule stateless because it matches ICMPv6 + $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT - # firewall-ipv6-2:Policy:19: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT - # firewall-ipv6-2:Policy:19: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT # # Rule 22 (global) @@ -768,6 +802,8 @@ script_body() { echo "Rule 22 (global)" # # for bug 2047082 + # firewall-ipv6-2:Policy:22: error: Rule '22 (global)' shadows rule '30 (global)' below it + $IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT # # Rule 23 (global) 
@@ -784,9 +820,9 @@ script_body() { echo "Rule 24 (global)" # # firewall-ipv6-2:Policy:24: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + $IP6TABLES -N RULE_24 $IP6TABLES -A OUTPUT -d 2001:db8::1 -j RULE_24 - # firewall-ipv6-2:Policy:24: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode $IP6TABLES -A FORWARD -d 2001:db8::1 -j RULE_24 $IP6TABLES -A RULE_24 -j LOG --log-level info --log-prefix "RULE 24 -- DENY " $IP6TABLES -A RULE_24 -j DROP @@ -814,8 +850,8 @@ script_body() { echo "Rule 27 (global)" # # firewall-ipv6-2:Policy:27: warning: Making rule stateless because it matches ICMPv6 + $IP6TABLES -A OUTPUT -p ipv6-icmp -d fe80::21d:9ff:fe8b:8e94 -j ACCEPT - # firewall-ipv6-2:Policy:27: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule 28 (global) @@ -823,6 +859,7 @@ script_body() { echo "Rule 28 (global)" # # firewall-ipv6-2:Policy:28: warning: Making rule stateless because it matches ICMPv6 + $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # # Rule 29 (global) @@ -830,10 +867,9 @@ script_body() { echo "Rule 29 (global)" # # firewall-ipv6-2:Policy:29: warning: Making rule stateless because it matches ICMPv6 + $IP6TABLES -A OUTPUT -p ipv6-icmp -j ACCEPT - # firewall-ipv6-2:Policy:29: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT - # firewall-ipv6-2:Policy:29: warning: Making rule stateless because it matches ICMPv6 $IP6TABLES -A FORWARD -p ipv6-icmp -j ACCEPT # # Rule 30 (global) 
@@ -930,7 +966,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:07:34 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:01:31 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-3.fw.orig b/test/ipt/firewall-ipv6-3.fw.orig index 5cd7772ab..9c719b9fd 100755 --- a/test/ipt/firewall-ipv6-3.fw.orig +++ b/test/ipt/firewall-ipv6-3.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:07:57 2011 PST by vadim +# Generated Sun Feb 20 21:01:54 2011 PST by vadim # # files: * firewall-ipv6-3.fw /etc/firewall-ipv6-3.fw # @@ -352,6 +352,8 @@ script_body() { # echo "Rule fw-ipv6-3 2 (global)" # + # firewall-ipv6-3:fw-ipv6-3:2: error: Rule 'fw-ipv6-3 2 (global)' shadows rule 'fw-ipv6-3 3 (global)' below it + $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT @@ -369,6 +371,8 @@ script_body() { echo "Rule fw-ipv6-3 4 (global)" # # INPUT, OUTPUT, FORWARD + # firewall-ipv6-3:fw-ipv6-3:4: error: Rule 'fw-ipv6-3 4 (global)' shadows rule 'fw-ipv6-3 6 (global)' below it + $IPTABLES -A INPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT 
@@ -403,10 +407,10 @@ script_body() { echo "Rule fw-ipv6-3 8 (global)" # # firewall-ipv6-3:fw-ipv6-3:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -N fw-ipv6-3_8 $IPTABLES -A OUTPUT -d 192.0.2.1 -j fw-ipv6-3_8 $IPTABLES -A OUTPUT -d 207.251.84.150 -j fw-ipv6-3_8 - # firewall-ipv6-3:fw-ipv6-3:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -A FORWARD -d 192.0.2.1 -j fw-ipv6-3_8 $IPTABLES -A FORWARD -d 207.251.84.150 -j fw-ipv6-3_8 $IPTABLES -A fw-ipv6-3_8 -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 8 -- DENY " --ulog-qthreshold 1 @@ -515,9 +519,9 @@ script_body() { echo "Rule fw-ipv6-3 8 (global)" # # firewall-ipv6-3:fw-ipv6-3:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + $IP6TABLES -N fw-ipv6-3_8 $IP6TABLES -A OUTPUT -d 2001:db8::1 -j fw-ipv6-3_8 - # firewall-ipv6-3:fw-ipv6-3:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode $IP6TABLES -A FORWARD -d 2001:db8::1 -j fw-ipv6-3_8 $IP6TABLES -A fw-ipv6-3_8 -j LOG --log-level info --log-prefix "RULE 8 -- DENY " $IP6TABLES -A fw-ipv6-3_8 -j DROP @@ -592,7 +596,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:07:57 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:01:54 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files 
diff --git a/test/ipt/firewall-ipv6-4-1.fw.orig b/test/ipt/firewall-ipv6-4-1.fw.orig index 8e47c31e0..f1cf22b95 100755 --- a/test/ipt/firewall-ipv6-4-1.fw.orig +++ b/test/ipt/firewall-ipv6-4-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:23 2011 PST by vadim +# Generated Sun Feb 20 21:02:20 2011 PST by vadim # # files: * firewall-ipv6-4-1.fw /etc/firewall-ipv6-4-1.fw # @@ -342,6 +342,8 @@ script_body() { echo "-A OUTPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT " # # Rule 2 (global) + # firewall-ipv6-4-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it + echo "-A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT " # # Rule 3 (global) @@ -349,6 +351,8 @@ script_body() { # # Rule 4 (global) # INPUT, OUTPUT, FORWARD + # firewall-ipv6-4-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it + echo "-A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT " # # Rule 5 (global) 
@@ -366,10 +370,17 @@ script_body() { # # Rule 8 (global) # firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo ":RULE_8 - [0:0]" echo "-A FORWARD -d 192.0.2.1 -j RULE_8 " + # firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A FORWARD -d 207.251.84.150 -j RULE_8 " + # firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A RULE_8 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"RULE 8 -- DENY \" --ulog-qthreshold 1 " + # firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A RULE_8 -j DROP " # # Rule 9 (global) 
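Review bot: The new expected output for Rule 8 prints the same `DNSName object "6bone.net (ct)" ... can not resolve dns name` error four times, once under the rule label and again before each of the next three `echo` lines, where the old fixture had it once. The same repetition appears in the AF_INET6 Rule 8 hunk that follows and in the Rule 2 and Rule 4 hunks of test/ipt/firewall-ipv6-4.fw.orig, while the non-restore iptables fixtures in this commit go the other way and collapse to one message per rule. This suggests the iptables-restore writer emits the rule's errors per generated command instead of once per rule label, though that is inferred from the output alone because the writer code is not in this hunk. The expected block should be a single error comment directly under `# Rule 8 (global)`. Regenerate the fixture only after the writer is corrected, so the golden file does not lock the duplication in as passing behaviour.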
@@ -449,9 +460,14 @@ script_body() { # # Rule 8 (global) # firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo ":RULE_8 - [0:0]" echo "-A FORWARD -d 2001:db8::1 -j RULE_8 " + # firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A RULE_8 -j LOG --log-level info --log-prefix \"RULE 8 -- DENY \"" + # firewall-ipv6-4-1:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A RULE_8 -j DROP " # # Rule 11 (global) @@ -539,7 +555,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:23 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:20 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-4.fw.orig b/test/ipt/firewall-ipv6-4.fw.orig index 1ac208ce7..72379215b 100755 --- a/test/ipt/firewall-ipv6-4.fw.orig +++ b/test/ipt/firewall-ipv6-4.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:00 2011 PST by vadim +# Generated Sun Feb 20 21:01:57 2011 PST by vadim # # files: * firewall-ipv6-4.fw /etc/firewall-ipv6-4.fw # 
@@ -341,8 +341,14 @@ script_body() { echo "-A OUTPUT -p icmp -m icmp -s 1.1.1.1 --icmp-type 8/0 -m state --state NEW -j ACCEPT " # # Rule 2 (global) + # firewall-ipv6-4:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it + echo "-A OUTPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT " + # firewall-ipv6-4:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it + echo "-A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT " + # firewall-ipv6-4:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it + echo "-A FORWARD -p icmp -m icmp --icmp-type any -m state --state NEW -j ACCEPT " # # Rule 3 (global) @@ -352,8 +358,14 @@ script_body() { # # Rule 4 (global) # INPUT, OUTPUT, FORWARD + # firewall-ipv6-4:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it + echo "-A INPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT " + # firewall-ipv6-4:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it + echo "-A OUTPUT -s 1.1.1.0/24 -m state --state NEW -j ACCEPT " + # firewall-ipv6-4:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it + echo "-A FORWARD -s 1.1.1.0/24 -m state --state NEW -j ACCEPT " # # Rule 5 (global) 
@@ -375,13 +387,23 @@ script_body() { # # Rule 8 (global) # firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo ":RULE_8 - [0:0]" echo "-A OUTPUT -d 192.0.2.1 -j RULE_8 " + # firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A OUTPUT -d 207.251.84.150 -j RULE_8 " # firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A FORWARD -d 192.0.2.1 -j RULE_8 " + # firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A FORWARD -d 207.251.84.150 -j RULE_8 " + # firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A RULE_8 -j ULOG --ulog-nlgroup 1 --ulog-prefix \"RULE 8 -- DENY \" --ulog-qthreshold 1 " + # firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A RULE_8 -j DROP " # # Rule 9 (global) 
@@ -483,11 +505,17 @@ script_body() { # # Rule 8 (global) # firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo ":RULE_8 - [0:0]" echo "-A OUTPUT -d 2001:db8::1 -j RULE_8 " # firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A FORWARD -d 2001:db8::1 -j RULE_8 " + # firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A RULE_8 -j LOG --log-level info --log-prefix \"RULE 8 -- DENY \"" + # firewall-ipv6-4:Policy:8: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET6): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + echo "-A RULE_8 -j DROP " # # Rule 11 (global) @@ -577,7 +605,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:00 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:01:57 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-5.fw.orig b/test/ipt/firewall-ipv6-5.fw.orig index f6de9ea0d..a6e537a7a 100755 --- a/test/ipt/firewall-ipv6-5.fw.orig +++ b/test/ipt/firewall-ipv6-5.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:03 2011 PST by vadim +# Generated Sun Feb 20 21:02:01 2011 PST by vadim # # files: * firewall-ipv6-5.fw /etc/firewall-ipv6-5.fw # 
@@ -412,7 +412,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:03 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:01 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-6.fw.orig b/test/ipt/firewall-ipv6-6.fw.orig index f5a7a3af5..55a81d6a4 100755 --- a/test/ipt/firewall-ipv6-6.fw.orig +++ b/test/ipt/firewall-ipv6-6.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:07 2011 PST by vadim +# Generated Sun Feb 20 21:02:05 2011 PST by vadim # # files: * firewall-ipv6-6.fw /etc/firewall-ipv6-6.fw # @@ -399,7 +399,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:07 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:05 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-7.fw.orig b/test/ipt/firewall-ipv6-7.fw.orig index e61e676d3..57e561e0d 100755 --- a/test/ipt/firewall-ipv6-7.fw.orig +++ b/test/ipt/firewall-ipv6-7.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:11 2011 PST by vadim +# Generated Sun Feb 20 21:02:08 2011 PST by vadim # # files: * firewall-ipv6-7.fw /etc/firewall-ipv6-7.fw # @@ -443,7 +443,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:11 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:08 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-8.fw.orig b/test/ipt/firewall-ipv6-8.fw.orig index 852e21478..7d432e83b 100755 --- a/test/ipt/firewall-ipv6-8.fw.orig +++ b/test/ipt/firewall-ipv6-8.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:15 2011 PST by vadim +# Generated Sun Feb 20 21:02:13 2011 PST by vadim # # files: * firewall-ipv6-8.fw /etc/firewall-ipv6-8.fw # @@ -484,7 +484,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:15 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:13 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-ipt-reset-prolog-after-flush.fw.orig b/test/ipt/firewall-ipv6-ipt-reset-prolog-after-flush.fw.orig index 62a3971eb..936256ed0 100755 --- a/test/ipt/firewall-ipv6-ipt-reset-prolog-after-flush.fw.orig +++ b/test/ipt/firewall-ipv6-ipt-reset-prolog-after-flush.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:19 2011 PST by vadim +# Generated Sun Feb 20 21:02:16 2011 PST by vadim # # files: * firewall-ipv6-ipt-reset-prolog-after-flush.fw /etc/firewall-ipv6-ipt-reset-prolog-after-flush.fw # @@ -450,7 +450,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:19 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:16 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw.orig b/test/ipt/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw.orig index 587afeee6..a8015a61d 100755 --- a/test/ipt/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw.orig +++ b/test/ipt/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:23 2011 PST by vadim +# Generated Sun Feb 20 21:02:20 2011 PST by vadim # # files: * firewall-ipv6-ipt-reset-prolog-after-interfaces.fw /etc/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw # 
@@ -450,7 +450,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:23 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:20 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-ipt-reset-prolog-top.fw.orig b/test/ipt/firewall-ipv6-ipt-reset-prolog-top.fw.orig index d690e3199..c1933533d 100755 --- a/test/ipt/firewall-ipv6-ipt-reset-prolog-top.fw.orig +++ b/test/ipt/firewall-ipv6-ipt-reset-prolog-top.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:27 2011 PST by vadim +# Generated Sun Feb 20 21:02:25 2011 PST by vadim # # files: * firewall-ipv6-ipt-reset-prolog-top.fw /etc/firewall-ipv6-ipt-reset-prolog-top.fw # @@ -450,7 +450,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:27 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:25 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-prolog-after-flush.fw.orig b/test/ipt/firewall-ipv6-prolog-after-flush.fw.orig index 57878778e..3780adf6e 100755 --- a/test/ipt/firewall-ipv6-prolog-after-flush.fw.orig +++ b/test/ipt/firewall-ipv6-prolog-after-flush.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:27 2011 PST by vadim +# Generated Sun Feb 20 21:02:25 2011 PST by vadim # # files: * firewall-ipv6-prolog-after-flush.fw /etc/firewall-ipv6-prolog-after-flush.fw # @@ -420,7 +420,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:27 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:25 2011 by vadim" check_tools check_run_time_address_table_files 
diff --git a/test/ipt/firewall-ipv6-prolog-after-interfaces.fw.orig b/test/ipt/firewall-ipv6-prolog-after-interfaces.fw.orig index 8dad8936b..fce42ae93 100755 --- a/test/ipt/firewall-ipv6-prolog-after-interfaces.fw.orig +++ b/test/ipt/firewall-ipv6-prolog-after-interfaces.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:31 2011 PST by vadim +# Generated Sun Feb 20 21:02:29 2011 PST by vadim # # files: * firewall-ipv6-prolog-after-interfaces.fw /etc/firewall-ipv6-prolog-after-interfaces.fw # @@ -420,7 +420,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:31 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:29 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall-ipv6-prolog-top.fw.orig b/test/ipt/firewall-ipv6-prolog-top.fw.orig index 93e953d87..65d6a9b85 100755 --- a/test/ipt/firewall-ipv6-prolog-top.fw.orig +++ b/test/ipt/firewall-ipv6-prolog-top.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:32 2011 PST by vadim +# Generated Sun Feb 20 21:02:30 2011 PST by vadim # # files: * firewall-ipv6-prolog-top.fw /etc/firewall-ipv6-prolog-top.fw # @@ -420,7 +420,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:32 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:30 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall-server-1-s.fw.orig b/test/ipt/firewall-server-1-s.fw.orig index afeeb2f79..4568bbc80 100755 --- a/test/ipt/firewall-server-1-s.fw.orig +++ b/test/ipt/firewall-server-1-s.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:35 2011 PST by vadim +# Generated Sun Feb 20 21:02:33 2011 PST by vadim # # files: * firewall-server-1-s.fw /etc/fw/firewall-server-1-s.fw # 
@@ -393,7 +393,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:35 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:33 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall.fw.orig b/test/ipt/firewall.fw.orig index 125561b61..9752b6b8f 100755 --- a/test/ipt/firewall.fw.orig +++ b/test/ipt/firewall.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:17 2011 PST by vadim +# Generated Sun Feb 20 20:58:11 2011 PST by vadim # # files: * firewall.fw /etc/fw/firewall.fw # 
@@ -364,18 +364,13 @@ script_body() { echo "Rule 2 (NAT)" # # firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) + $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10/31 -j SNAT --to-source 222.222.222.10-222.222.222.100 - # firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.12/30 -j SNAT --to-source 222.222.222.10-222.222.222.100 - # firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.16/28 -j SNAT --to-source 222.222.222.10-222.222.222.100 - # firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.32/27 -j SNAT --to-source 222.222.222.10-222.222.222.100 - # firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.64/27 -j SNAT --to-source 222.222.222.10-222.222.222.100 - # firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.96/30 -j SNAT --to-source 222.222.222.10-222.222.222.100 - # firewall:NAT:2: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.100 -j SNAT --to-source 222.222.222.10-222.222.222.100 # # Rule 4 (NAT) @@ -431,6 +426,7 @@ script_body() { echo "Rule 11 (NAT)" # # firewall:NAT:11: warning: SNAT rule can not match MAC address. Object CA(host-with-mac-1:1) removed from the rule + $IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.10 --dport 25 -j SNAT --to-source 222.222.222.222 # # Rule 12 (NAT) 
@@ -920,11 +916,12 @@ script_body() { # echo "Rule 36 (global)" # + # firewall:Policy:36: warning: Empty MAC address in rule + $IPTABLES -N Cid3DB0B422.0 $IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3DB0B422.0 $IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT - # firewall:Policy:36: warning: Empty MAC address in rule $IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cid3DB0B422.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT # @@ -932,11 +929,12 @@ script_body() { # echo "Rule 37 (global)" # + # firewall:Policy:37: warning: Empty MAC address in rule + $IPTABLES -N Cid3DB0B628.0 $IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3DB0B628.0 $IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT - # firewall:Policy:37: warning: Empty MAC address in rule $IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cid3DB0B628.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT $IPTABLES -A Cid3DB0B628.0 -s 192.168.1.20 -j ACCEPT @@ -945,11 +943,12 @@ script_body() { # echo "Rule 38 (global)" # + # firewall:Policy:38: warning: Empty MAC address in rule + $IPTABLES -N Cid3DE474B7.0 $IPTABLES -A FORWARD -p tcp -m tcp --sport 53 -d 192.168.1.10 -m state --state NEW -j Cid3DE474B7.0 $IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT - # firewall:Policy:38: warning: Empty MAC address in rule $IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cid3DE474B7.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT # 
@@ -957,6 +956,8 @@ script_body() { # echo "Rule 39 (global)" # + # firewall:Policy:39: warning: Empty MAC address in rule + $IPTABLES -N Cpol-firewall2-2.0 $IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.1.10 --dport 10000:11000 -m state --state NEW -j Cpol-firewall2-2.0 $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 192.168.1.10 --dports 6667,3128,113,53,21,80,119,25,22,23,540,70,13,2105,443 -m state --state NEW -j Cpol-firewall2-2.0 @@ -964,7 +965,6 @@ script_body() { $IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 192.168.1.10 --dports 514,4321,465,1080,111,7100 -m state --state NEW -j Cpol-firewall2-2.0 $IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT - # firewall:Policy:39: warning: Empty MAC address in rule $IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cpol-firewall2-2.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT # 
@@ -972,18 +972,18 @@ script_body() { # echo "Rule 40 (global)" # + # firewall:Policy:40: warning: Empty MAC address in rule + $IPTABLES -N Cid445FAA6D31658.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid445FAA6D31658.0 $IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT - # firewall:Policy:40: warning: Empty MAC address in rule $IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cid445FAA6D31658.0 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT $IPTABLES -N Cid445FAA6D31658.1 $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j Cid445FAA6D31658.1 $IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:10:4b:de:e9:70 -j ACCEPT $IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:10:4b:de:e9:71 -j ACCEPT - # firewall:Policy:40: warning: Empty MAC address in rule $IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT $IPTABLES -A Cid445FAA6D31658.1 -m mac --mac-source 00:10:4b:de:e9:6f -s 192.168.1.10 -j ACCEPT # @@ -992,6 +992,7 @@ script_body() { echo "Rule 41 (global)" # # firewall:Policy:41: warning: Can not match MAC address of the firewall (chain OUTPUT) + $IPTABLES -A OUTPUT -s 192.168.1.1 -d 192.168.1.10 -m state --state NEW -j ACCEPT # # Rule 42 (global) @@ -1341,7 +1342,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:17 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:11 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall1.fw.orig b/test/ipt/firewall1.fw.orig index d6d011c39..7976481e3 100755 --- a/test/ipt/firewall1.fw.orig +++ b/test/ipt/firewall1.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:19 2011 PST by vadim +# Generated Sun Feb 20 20:58:14 2011 PST by vadim # # files: * firewall1.fw /etc/fw/firewall1.fw # @@ -1252,7 +1252,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:19 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:14 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall10.fw.orig b/test/ipt/firewall10.fw.orig index 05a77cb1b..edbf6c5eb 100755 --- a/test/ipt/firewall10.fw.orig +++ b/test/ipt/firewall10.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:20 2011 PST by vadim +# Generated Sun Feb 20 20:58:15 2011 PST by vadim # # files: * firewall10.fw /etc/fw/firewall10.fw # @@ -473,7 +473,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:20 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:15 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall11.fw.orig b/test/ipt/firewall11.fw.orig index a337efa6d..3cdb4070d 100755 --- a/test/ipt/firewall11.fw.orig +++ b/test/ipt/firewall11.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:22 2011 PST by vadim +# Generated Sun Feb 20 20:58:17 2011 PST by vadim # # files: * firewall11.fw /etc/fw/firewall11.fw # @@ -589,7 +589,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:22 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:17 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall12.fw.orig b/test/ipt/firewall12.fw.orig index 6100c1586..170eba86d 100755 --- a/test/ipt/firewall12.fw.orig +++ b/test/ipt/firewall12.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:23 2011 PST by vadim +# Generated Sun Feb 20 20:58:18 2011 PST by vadim # # files: * firewall12.fw /etc/fw/firewall12.fw # @@ -511,7 +511,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:23 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:18 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall13.fw.orig b/test/ipt/firewall13.fw.orig index d4509d240..0843dd53a 100755 --- a/test/ipt/firewall13.fw.orig +++ b/test/ipt/firewall13.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:25 2011 PST by vadim +# Generated Sun Feb 20 20:58:20 2011 PST by vadim # # files: * firewall13.fw /etc/fw/firewall13.fw # @@ -385,7 +385,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:25 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:20 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall14.fw.orig b/test/ipt/firewall14.fw.orig index caf6b505a..b150be627 100755 --- a/test/ipt/firewall14.fw.orig +++ b/test/ipt/firewall14.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:27 2011 PST by vadim +# Generated Sun Feb 20 20:58:21 2011 PST by vadim # # files: * firewall14.fw /etc/fw/firewall14.fw # @@ -404,7 +404,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:27 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:21 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall15.fw.orig b/test/ipt/firewall15.fw.orig index c44af3f77..0e3e7d646 100755 --- a/test/ipt/firewall15.fw.orig 
+++ b/test/ipt/firewall15.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:28 2011 PST by vadim +# Generated Sun Feb 20 20:58:23 2011 PST by vadim # # files: * firewall15.fw /etc/fw/firewall15.fw # @@ -388,7 +388,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:28 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:23 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall16.fw.orig b/test/ipt/firewall16.fw.orig index a34fdba7c..74e584e3d 100755 --- a/test/ipt/firewall16.fw.orig +++ b/test/ipt/firewall16.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:30 2011 PST by vadim +# Generated Sun Feb 20 20:58:24 2011 PST by vadim # # files: * firewall16.fw /etc/fw/firewall16.fw # @@ -492,7 +492,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:30 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:24 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall17.fw.orig b/test/ipt/firewall17.fw.orig index 9927dff96..2ed8e37c2 100755 --- a/test/ipt/firewall17.fw.orig +++ b/test/ipt/firewall17.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:31 2011 PST by vadim +# Generated Sun Feb 20 20:58:26 2011 PST by vadim # # files: * firewall17.fw /etc/fw/firewall17.fw # @@ -471,7 +471,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:31 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:26 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall18.fw.orig b/test/ipt/firewall18.fw.orig index 025ca8462..e0ad00a4d 100755 
--- a/test/ipt/firewall18.fw.orig +++ b/test/ipt/firewall18.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:33 2011 PST by vadim +# Generated Sun Feb 20 20:58:27 2011 PST by vadim # # files: * firewall18.fw /etc/fw/firewall18.fw # @@ -504,7 +504,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:33 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:27 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall19.fw.orig b/test/ipt/firewall19.fw.orig index 357e8079c..df85094f3 100755 --- a/test/ipt/firewall19.fw.orig +++ b/test/ipt/firewall19.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:35 2011 PST by vadim +# Generated Sun Feb 20 20:58:29 2011 PST by vadim # # files: * firewall19.fw /etc/fw/firewall19.fw # @@ -429,10 +429,9 @@ script_body() { echo "Rule 10 (global)" # # firewall19:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. + $IPTABLES -A INPUT -s 192.168.1.0/24 -p tcp ! --syn -dport 5190 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited - # firewall19:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A OUTPUT -s 192.168.1.0/24 -p tcp ! --syn -dport 5190 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited - # firewall19:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A FORWARD -s 192.168.1.0/24 -p tcp ! --syn -dport 5190 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited # # Rule 11 (global) 
@@ -509,7 +508,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:35 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:29 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall2-1.fw.orig b/test/ipt/firewall2-1.fw.orig index 1e9e96e89..2c18b53b5 100755 --- a/test/ipt/firewall2-1.fw.orig +++ b/test/ipt/firewall2-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:45 2011 PST by vadim +# Generated Sun Feb 20 20:58:39 2011 PST by vadim # # files: * firewall2-1.fw /etc/fw/firewall2-1.fw # @@ -573,6 +573,7 @@ script_body() { echo "Rule 20 (NAT)" # # firewall2-1:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range) + $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110 # # Rule 21 (NAT) @@ -816,6 +817,8 @@ script_body() { echo "Rule 0 (eth1)" # # Anti-spoofing rule + # firewall2-1:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it + $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_0 @@ -889,6 +892,9 @@ script_body() { # testing choice of chains in case when several # interfaces are used and rule matches 'any' or # broadcast + # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it + # firewall2-1:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it + $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -d 255.255.255.255 --destination-port 68,67 -m state --state NEW -j ACCEPT 
@@ -951,16 +957,18 @@ script_body() { # echo "Rule 10 (global)" # + # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it + # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it + # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it + # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it + # firewall2-1:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it # firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. + $IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10 - # firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10 - # firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10 - # firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1 - # firewall2-1:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable # # Rule 11 (global) @@ -1300,6 +1308,8 @@ script_body() { # echo "Rule 25 (global)" # + # firewall2-1:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it + $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT 
@@ -1420,7 +1430,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:45 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:39 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall2-2.fw.orig b/test/ipt/firewall2-2.fw.orig index 63d38ff0e..d766beec4 100755 --- a/test/ipt/firewall2-2.fw.orig +++ b/test/ipt/firewall2-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:49 2011 PST by vadim +# Generated Sun Feb 20 20:58:44 2011 PST by vadim # # files: * firewall2-2.fw /etc/fw/firewall2-2.fw # @@ -572,6 +572,7 @@ script_body() { echo "Rule 20 (NAT)" # # firewall2-2:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range) + $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110 # # Rule 21 (NAT) @@ -815,6 +816,8 @@ script_body() { echo "Rule 0 (eth1)" # # Anti-spoofing rule + # firewall2-2:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it + $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_0 @@ -888,6 +891,9 @@ script_body() { # testing choice of chains in case when several # interfaces are used and rule matches 'any' or # broadcast + # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it + # firewall2-2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it + $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT 
@@ -950,16 +956,18 @@ script_body() { # echo "Rule 10 (global)" # + # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it + # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it + # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it + # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it + # firewall2-2:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it # firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. + $IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10 - # firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10 - # firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10 - # firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1 - # firewall2-2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable # # Rule 11 (global) @@ -1129,6 +1137,8 @@ script_body() { # echo "Rule 25 (global)" # + # firewall2-2:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it + $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT 
@@ -1249,7 +1259,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:49 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:44 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall2-3.fw.orig b/test/ipt/firewall2-3.fw.orig index 0671bd76c..05ffff688 100755 --- a/test/ipt/firewall2-3.fw.orig +++ b/test/ipt/firewall2-3.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:53 2011 PST by vadim +# Generated Sun Feb 20 20:58:47 2011 PST by vadim # # files: * firewall2-3.fw /etc/fw/firewall2-3.fw # @@ -557,6 +557,7 @@ script_body() { echo "Rule 20 (NAT)" # # firewall2-3:NAT:20: warning: Adding of virtual address for address range is not implemented (object ext_range) + $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110 # # Rule 21 (NAT) @@ -936,15 +937,12 @@ script_body() { echo "Rule 10 (global)" # # firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. + $IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10 - # firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10 - # firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10 - # firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1 - # firewall2-3:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable # # Rule 11 (global) 
@@ -1120,7 +1118,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:53 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:47 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall2-4.fw.orig b/test/ipt/firewall2-4.fw.orig index 4703e6c7c..5096ee596 100755 --- a/test/ipt/firewall2-4.fw.orig +++ b/test/ipt/firewall2-4.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:57 2011 PST by vadim +# Generated Sun Feb 20 20:58:52 2011 PST by vadim # # files: * firewall2-4.fw /etc/fw/firewall2-4.fw # @@ -331,8 +331,8 @@ script_body() { echo "Rule 5 (NAT)" # # firewall2-4:NAT:5: error: Non-contiguous address range in Translated Destination in load balancing NAT rule + $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10-192.168.1.20 - # firewall2-4:NAT:5: error: Non-contiguous address range in Translated Destination in load balancing NAT rule $IPTABLES -t nat -A OUTPUT -p tcp -m tcp -d 22.22.22.22 --dport 80 -j DNAT --to-destination 192.168.1.10-192.168.1.20 # # Rule 6 (NAT) @@ -424,7 +424,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:57 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:52 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall2-5.fw.orig b/test/ipt/firewall2-5.fw.orig index 45ebb1718..6891c0000 100755 --- a/test/ipt/firewall2-5.fw.orig +++ b/test/ipt/firewall2-5.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:00 2011 PST by vadim +# Generated Sun Feb 20 20:58:55 2011 PST by vadim # # files: * firewall2-5.fw /etc/fw/firewall2-5.fw # 
@@ -351,6 +351,7 @@ script_body() { # # should be -o eth1 # firewall2-5:NAT:4: warning: Adding of virtual address for address range is not implemented (object r-222.222.222.0) + $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 222.222.222.10-222.222.222.100 # # Rule 5 (NAT) @@ -366,6 +367,7 @@ script_body() { # # partially matches eth3 # firewall2-5:NAT:7: warning: Adding of virtual address for address range is not implemented (object range 33 30-33) + $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 33.33.33.30-33.33.33.33 # # Rule 8 (NAT) @@ -453,7 +455,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:00 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:55 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall2-6.fw.orig b/test/ipt/firewall2-6.fw.orig index 071f2eaed..8acd7c04e 100755 --- a/test/ipt/firewall2-6.fw.orig +++ b/test/ipt/firewall2-6.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:04 2011 PST by vadim +# Generated Sun Feb 20 20:58:59 2011 PST by vadim # # files: * firewall2-6.fw /etc/fw/firewall2-6.fw # @@ -566,7 +566,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:04 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:59 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall2-7.fw.orig b/test/ipt/firewall2-7.fw.orig index f4a2e4595..ac02f0d73 100755 --- a/test/ipt/firewall2-7.fw.orig +++ b/test/ipt/firewall2-7.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:07 2011 PST by vadim +# Generated Sun Feb 20 20:59:02 2011 PST by vadim # # files: * firewall2-7.fw /etc/fw/firewall2-7.fw # 
@@ -424,7 +424,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:07 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:02 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall2.fw.orig b/test/ipt/firewall2.fw.orig index 339e5f62e..260c40106 100755 --- a/test/ipt/firewall2.fw.orig +++ b/test/ipt/firewall2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:37 2011 PST by vadim +# Generated Sun Feb 20 20:58:32 2011 PST by vadim # # files: * firewall2.fw /etc/fw/firewall2.fw # @@ -595,6 +595,7 @@ script_body() { echo "Rule 22 (NAT)" # # firewall2:NAT:22: warning: Adding of virtual address for address range is not implemented (object ext_range) + $IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.100-22.22.22.110 # # Rule 23 (NAT) @@ -863,6 +864,9 @@ script_body() { echo "Rule 0 (eth1)" # # Anti-spoofing rule + # firewall2:Policy:0: error: Rule '0 (eth1)' shadows rule '2 (fw2i1,3)' below it + # firewall2:Policy:0: error: Rule '0 (eth1)' shadows rule '3 (eth1,eth3)' below it + $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_0 $IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_0 @@ -909,6 +913,8 @@ script_body() { # # testing group in "interface" # this rule should be identical to rule 3 + # firewall2:Policy:2: error: Rule '2 (fw2i1,3)' shadows rule '3 (eth1,eth3)' below it + $IPTABLES -N In_RULE_2 $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -s 192.168.1.0/24 --dports 68,67 -j In_RULE_2 
@@ -936,6 +942,9 @@ script_body() { # testing choice of chains in case when several # interfaces are used and rule matches 'any' or # broadcast + # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '5 (eth1,eth3)' below it + # firewall2:Policy:4: error: Rule '4 (eth1,eth3)' shadows rule '6 (eth1,eth3)' below it + $IPTABLES -A INPUT -i eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth3 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o eth1 -p udp -m udp -m multiport -d 255.255.255.255 --dports 68,67 -m state --state NEW -j ACCEPT 
@@ -998,16 +1007,18 @@ script_body() { # echo "Rule 10 (global)" # + # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it + # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '12 (global)' below it + # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '13 (global)' below it + # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '14 (global)' below it + # firewall2:Policy:10: error: Rule '10 (global)' shadows rule '20 (global)' below it # firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. + $IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -p udp -m udp --dport 161 -j RULE_10 - # firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A INPUT -p udp -m udp --dport 161 -j RULE_10 - # firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A FORWARD -p udp -m udp --dport 161 -j RULE_10 - # firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_10 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 10 - REJECT **" --ulog-qthreshold 1 - # firewall2:Policy:10: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_10 -j REJECT --reject-with icmp-net-unreachable # # Rule 11 (global) @@ -1347,6 +1358,8 @@ script_body() { # echo "Rule 25 (global)" # + # firewall2:Policy:25: error: Rule '25 (global)' shadows rule '26 (global)' below it + $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -s 192.168.2.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT 
@@ -1407,11 +1420,10 @@ script_body() { # # 'catch all' rule # firewall2:Policy:29: error: Object 'net-err' has address or netmask 0.0.0.0, which is equivalent to 'any'. This is likely an error. + $IPTABLES -N RULE_29 $IPTABLES -A INPUT -s 1.2.3.0/0 -j RULE_29 - # firewall2:Policy:29: error: Object 'net-err' has address or netmask 0.0.0.0, which is equivalent to 'any'. This is likely an error. $IPTABLES -A OUTPUT -s 1.2.3.0/0 -j RULE_29 - # firewall2:Policy:29: error: Object 'net-err' has address or netmask 0.0.0.0, which is equivalent to 'any'. This is likely an error. $IPTABLES -A FORWARD -s 1.2.3.0/0 -j RULE_29 $IPTABLES -A RULE_29 -m limit --limit 5/second -j ULOG --ulog-nlgroup 1 --ulog-prefix "RULE 29 - DENY **" --ulog-qthreshold 1 $IPTABLES -A RULE_29 -j DROP @@ -1470,7 +1482,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:37 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:32 2011 by vadim" check_tools check_run_time_address_table_files diff --git a/test/ipt/firewall20-ipv6.fw.orig b/test/ipt/firewall20-ipv6.fw.orig index 820bfcc2d..3fb1d4082 100755 --- a/test/ipt/firewall20-ipv6.fw.orig +++ b/test/ipt/firewall20-ipv6.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:40 2011 PST by vadim +# Generated Sun Feb 20 20:58:35 2011 PST by vadim # # files: * firewall20-ipv6.fw /etc/fw/firewall20-ipv6.fw # @@ -456,7 +456,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:40 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:35 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall20.fw.orig b/test/ipt/firewall20.fw.orig index 7e2d316ed..a44daec83 100755 --- a/test/ipt/firewall20.fw.orig +++ b/test/ipt/firewall20.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:38 2011 PST by vadim +# Generated Sun Feb 20 20:58:32 2011 PST by vadim # # files: * firewall20.fw /etc/fw/firewall20.fw # @@ -674,7 +674,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:38 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:32 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall21-1.fw.orig b/test/ipt/firewall21-1.fw.orig index c7b53b7b4..754a72b0c 100755 --- a/test/ipt/firewall21-1.fw.orig +++ b/test/ipt/firewall21-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:44 2011 PST by vadim +# Generated Sun Feb 20 20:58:39 2011 PST by vadim # # files: * firewall21-1.fw /etc/fw/firewall21-1.fw # @@ -470,7 +470,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:44 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:39 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall21.fw.orig b/test/ipt/firewall21.fw.orig index 732914d63..e6061cedf 100755 --- a/test/ipt/firewall21.fw.orig +++ b/test/ipt/firewall21.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:41 2011 PST by vadim +# Generated Sun Feb 20 20:58:36 2011 PST by vadim # # files: * firewall21.fw /etc/fw/firewall21.fw # @@ -469,7 +469,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:41 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:36 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall22.fw.orig b/test/ipt/firewall22.fw.orig index 184fef39b..63e5ee008 100755 --- a/test/ipt/firewall22.fw.orig 
+++ b/test/ipt/firewall22.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:47 2011 PST by vadim +# Generated Sun Feb 20 20:58:42 2011 PST by vadim # # files: * firewall22.fw /etc/fw/firewall22.fw # @@ -390,7 +390,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:47 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:42 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall23-1.fw.orig b/test/ipt/firewall23-1.fw.orig index 41d217a7d..e08c3bb59 100755 --- a/test/ipt/firewall23-1.fw.orig +++ b/test/ipt/firewall23-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:54 2011 PST by vadim +# Generated Sun Feb 20 20:58:48 2011 PST by vadim # # files: * firewall23-1.fw /etc/fw/firewall23-1.fw # @@ -564,7 +564,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:54 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:48 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall23.fw.orig b/test/ipt/firewall23.fw.orig index d7dfae95e..b79363310 100755 --- a/test/ipt/firewall23.fw.orig +++ b/test/ipt/firewall23.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:51 2011 PST by vadim +# Generated Sun Feb 20 20:58:45 2011 PST by vadim # # files: * firewall23.fw /etc/fw/firewall23.fw # @@ -476,7 +476,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:51 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:45 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall24.fw.orig b/test/ipt/firewall24.fw.orig index 126939552..47a26991e 100755 
--- a/test/ipt/firewall24.fw.orig +++ b/test/ipt/firewall24.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:04:56 2011 PST by vadim +# Generated Sun Feb 20 20:58:50 2011 PST by vadim # # files: * firewall24.fw /etc/fw/firewall24.fw # @@ -493,7 +493,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:04:56 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:50 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall25.fw.orig b/test/ipt/firewall25.fw.orig index ea8e66045..7f8e86877 100755 --- a/test/ipt/firewall25.fw.orig +++ b/test/ipt/firewall25.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:00 2011 PST by vadim +# Generated Sun Feb 20 20:58:55 2011 PST by vadim # # files: * firewall25.fw /etc/fw/firewall25.fw # @@ -551,8 +551,12 @@ script_body() { # Rule policy_2_mangle 1 (global) # SF bug report 3034628 # "iptables does not allow target REJECT in mangle table" + # firewall25:policy_2_mangle:1: error: Action Reject is not allowed in mangle table + echo ":policy_2_mangle_1 - [0:0]" echo "-A policy_2_mangle -p tcp -m tcp --dport 70 -j policy_2_mangle_1 " + # firewall25:policy_2_mangle:1: error: Action Reject is not allowed in mangle table + echo "-A policy_2_mangle_1 -j LOG " # # Rule policy_2_mangle 2 (global) @@ -687,7 +691,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:00 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:55 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall26.fw.orig b/test/ipt/firewall26.fw.orig index 3aa4a57f8..57173632d 100755 --- a/test/ipt/firewall26.fw.orig +++ b/test/ipt/firewall26.fw.orig 
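Review bot: The new expected output for `Rule policy_2_mangle 1 (global)` in test/ipt/firewall25.fw.orig still carries the same diagnostic twice. `# firewall25:policy_2_mangle:1: error: Action Reject is not allowed in mangle table` is added before `echo ":policy_2_mangle_1 - [0:0]"` and again before `echo "-A policy_2_mangle_1 -j LOG "`. That is the duplication the ChangeLog entry for #2124 says is fixed, and the other fixtures in this commit (for example `Rule 10 (global)` in firewall2.fw.orig) do collapse to a single message per rule. Presumably the writer for this echo-style output resets its rule label or queries the errors again after the compiler splits the rule; that should be confirmed before this file is accepted as the golden copy. Once the cause is addressed, the second `+ # firewall25:policy_2_mangle:1: error: ...` line and the blank line after it should drop out of the fixture, so the regression test pins one message per rule rather than the duplicate.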
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:03 2011 PST by vadim +# Generated Sun Feb 20 20:58:58 2011 PST by vadim # # files: * firewall26.fw /etc/fw/firewall26.fw # @@ -562,7 +562,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:03 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:58:58 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall27.fw.orig b/test/ipt/firewall27.fw.orig index b5b5e3cd4..c20f0b640 100755 --- a/test/ipt/firewall27.fw.orig +++ b/test/ipt/firewall27.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:06 2011 PST by vadim +# Generated Sun Feb 20 20:59:02 2011 PST by vadim # # files: * firewall27.fw /etc/fw/firewall27.fw # @@ -546,7 +546,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:06 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:02 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall28.fw.orig b/test/ipt/firewall28.fw.orig index e76ce2010..8f585d016 100755 --- a/test/ipt/firewall28.fw.orig +++ b/test/ipt/firewall28.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:09 2011 PST by vadim +# Generated Sun Feb 20 20:59:05 2011 PST by vadim # # files: * firewall28.fw /etc/fw/firewall28.fw # @@ -319,6 +319,8 @@ script_body() { # # this rule should shadow rule #1 because # it uses IPService object with protocol 0 + # firewall28:Policy:0: error: Rule '0 (global)' shadows rule '1 (global)' below it + $IPTABLES -A OUTPUT -p all -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p all -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p all -m state --state NEW -j ACCEPT 
@@ -407,7 +409,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:09 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:05 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall29.fw.orig b/test/ipt/firewall29.fw.orig index 253c6113a..b0b8a6204 100755 --- a/test/ipt/firewall29.fw.orig +++ b/test/ipt/firewall29.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:10 2011 PST by vadim +# Generated Sun Feb 20 20:59:05 2011 PST by vadim # # files: * firewall29.fw /etc/fw/firewall29.fw # @@ -440,7 +440,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:10 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:05 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall3.fw.orig b/test/ipt/firewall3.fw.orig index 803e83d9d..20d357751 100755 --- a/test/ipt/firewall3.fw.orig +++ b/test/ipt/firewall3.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:13 2011 PST by vadim +# Generated Sun Feb 20 20:59:08 2011 PST by vadim # # files: * firewall3.fw /etc/fw/firewall3.fw # @@ -578,7 +578,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:13 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:08 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall30.fw.orig b/test/ipt/firewall30.fw.orig index ac15e81e9..886031e01 100755 --- a/test/ipt/firewall30.fw.orig +++ b/test/ipt/firewall30.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:13 2011 PST by vadim +# Generated Sun Feb 20 20:59:09 2011 PST by vadim # # files: * firewall30.fw /etc/fw/firewall30.fw # 
@@ -375,7 +375,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:13 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:09 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall31.fw.orig b/test/ipt/firewall31.fw.orig index 817ea5892..6e0f338b7 100755 --- a/test/ipt/firewall31.fw.orig +++ b/test/ipt/firewall31.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:16 2011 PST by vadim +# Generated Sun Feb 20 20:59:11 2011 PST by vadim # # files: * firewall31.fw /etc/fw/firewall31.fw # @@ -445,7 +445,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:16 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:11 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall32.fw.orig b/test/ipt/firewall32.fw.orig index e3aedeaa5..490011eb5 100755 --- a/test/ipt/firewall32.fw.orig +++ b/test/ipt/firewall32.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:17 2011 PST by vadim +# Generated Sun Feb 20 20:59:12 2011 PST by vadim # # files: * firewall32.fw /etc/fw/firewall32.fw # @@ -416,7 +416,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:17 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:12 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall33-1.fw.orig b/test/ipt/firewall33-1.fw.orig index c84aa1b7c..04c40169d 100755 --- a/test/ipt/firewall33-1.fw.orig +++ b/test/ipt/firewall33-1.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:31 2011 PST by vadim +# Generated Sun Feb 20 20:59:27 2011 PST by vadim # # files: * firewall33-1.fw /etc/fw/firewall33-1.fw # @@ -337,6 +337,7 @@ script_body() { echo "Rule 2 (global)" # # firewall33-1:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -A Policy -s 192.0.2.1 -m state --state NEW -j ACCEPT # # Rule 3 (global) @@ -372,9 +373,10 @@ script_body() { # echo "Rule 6 (global)" # + # firewall33-1:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -N Cid43867C3018346.0 $IPTABLES -A Policy -m state --state NEW -j Cid43867C3018346.0 - # firewall33-1:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -A Cid43867C3018346.0 -d 192.0.2.1 -j RETURN $IPTABLES -A Cid43867C3018346.0 -j ACCEPT # @@ -445,6 +447,7 @@ script_body() { echo "Rule 12 (global)" # # firewall33-1:Policy:12: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -A Policy -d 192.0.2.1 -m state --state NEW -j ACCEPT $IPTABLES -A Policy -d 207.251.84.150 -m state --state NEW -j ACCEPT # 
@@ -522,7 +525,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:31 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:27 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall33.fw.orig b/test/ipt/firewall33.fw.orig index 1fc0d22ba..d9f70df41 100755 --- a/test/ipt/firewall33.fw.orig +++ b/test/ipt/firewall33.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:31 2011 PST by vadim +# Generated Sun Feb 20 20:59:26 2011 PST by vadim # # files: * firewall33.fw /etc/fw/firewall33.fw # @@ -373,8 +373,8 @@ script_body() { echo "Rule 2 (global)" # # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -A INPUT -s 192.0.2.1 -m state --state NEW -j ACCEPT - # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -A FORWARD -s 192.0.2.1 -m state --state NEW -j ACCEPT # # Rule 3 (global) 
@@ -415,11 +415,12 @@ script_body() { # echo "Rule 6 (global)" # + # firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -N Cid43867C3018346.0 $IPTABLES -A OUTPUT -m state --state NEW -j Cid43867C3018346.0 $IPTABLES -A INPUT -m state --state NEW -j Cid43867C3018346.0 $IPTABLES -A FORWARD -m state --state NEW -j Cid43867C3018346.0 - # firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -A Cid43867C3018346.0 -d 192.0.2.1 -j RETURN $IPTABLES -A Cid43867C3018346.0 -j ACCEPT # @@ -500,9 +501,9 @@ script_body() { echo "Rule 12 (global)" # # firewall33:Policy:12: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -A OUTPUT -d 192.0.2.1 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -d 207.251.84.150 -m state --state NEW -j ACCEPT - # firewall33:Policy:12: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -A FORWARD -d 192.0.2.1 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -d 207.251.84.150 -m state --state NEW -j ACCEPT # @@ -571,7 +572,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:31 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:26 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files 
diff --git a/test/ipt/firewall34.fw.orig b/test/ipt/firewall34.fw.orig index cfa112fdf..eeb086ccd 100755 --- a/test/ipt/firewall34.fw.orig +++ b/test/ipt/firewall34.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:35 2011 PST by vadim +# Generated Sun Feb 20 20:59:30 2011 PST by vadim # # files: * firewall34.fw /etc/fw/firewall34.fw # @@ -648,7 +648,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:35 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:30 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall35.fw.orig b/test/ipt/firewall35.fw.orig index e0a46b992..6d2ab7408 100755 --- a/test/ipt/firewall35.fw.orig +++ b/test/ipt/firewall35.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:35 2011 PST by vadim +# Generated Sun Feb 20 20:59:30 2011 PST by vadim # # files: * firewall35.fw /etc/fw/firewall35.fw # @@ -540,7 +540,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:35 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:30 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall36-1.fw.orig b/test/ipt/firewall36-1.fw.orig index f3996f208..d8c3d0fc6 100755 --- a/test/ipt/firewall36-1.fw.orig +++ b/test/ipt/firewall36-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:39 2011 PST by vadim +# Generated Sun Feb 20 20:59:34 2011 PST by vadim # # files: * firewall36-1.fw /etc/firewall36-1.fw # 
@@ -433,7 +433,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:39 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:34 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall36-2.fw.orig b/test/ipt/firewall36-2.fw.orig index 16cf33893..e4b3014d4 100755 --- a/test/ipt/firewall36-2.fw.orig +++ b/test/ipt/firewall36-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:41 2011 PST by vadim +# Generated Sun Feb 20 20:59:36 2011 PST by vadim # # files: * firewall36-2.fw /etc/firewall36-2.fw # @@ -433,7 +433,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:41 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:36 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall36.fw.orig b/test/ipt/firewall36.fw.orig index 13e0dbd24..32ef286c6 100755 --- a/test/ipt/firewall36.fw.orig +++ b/test/ipt/firewall36.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:38 2011 PST by vadim +# Generated Sun Feb 20 20:59:33 2011 PST by vadim # # files: * firewall36.fw /etc/firewall36.fw # @@ -535,7 +535,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:38 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:33 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall37-1.fw.orig b/test/ipt/firewall37-1.fw.orig index ff2cbfa09..5ea961450 100755 --- a/test/ipt/firewall37-1.fw.orig +++ b/test/ipt/firewall37-1.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:45 2011 PST by vadim +# Generated Sun Feb 20 20:59:40 2011 PST by vadim # # files: * firewall37-1.fw /etc/fw/firewall37-1.fw # @@ -769,7 +769,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:45 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:40 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall37.fw.orig b/test/ipt/firewall37.fw.orig index fa8fce0d6..fb01f0e31 100755 --- a/test/ipt/firewall37.fw.orig +++ b/test/ipt/firewall37.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:54 2011 PST by vadim +# Generated Sun Feb 20 20:59:49 2011 PST by vadim # # files: * firewall37.fw /etc/fw/firewall37.fw # @@ -851,8 +851,8 @@ script_body() { echo "Rule mangle_rules 4 (global)" # # firewall37:mangle_rules:4: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -t mangle -A INPUT -s 192.0.2.1 -m mark --mark 1 -m state --state NEW -j ACCEPT - # firewall37:mangle_rules:4: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -t mangle -A PREROUTING -s 192.0.2.1 -m mark --mark 1 -m state --state NEW -j ACCEPT # # Rule mangle_rules 5 (global) 
@@ -914,9 +914,10 @@ script_body() { # echo "Rule mangle_rules 13 (global)" # + # firewall37:mangle_rules:13: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -N Cid480281X13558.0 -t mangle $IPTABLES -t mangle -A PREROUTING -i + -m mark --mark 1 -m state --state NEW -j Cid480281X13558.0 - # firewall37:mangle_rules:13: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode $IPTABLES -t mangle -A Cid480281X13558.0 -s 192.0.2.1 -j RETURN $IPTABLES -t mangle -A Cid480281X13558.0 -j ACCEPT # @@ -1049,7 +1050,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:54 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:49 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall38.fw.orig b/test/ipt/firewall38.fw.orig index 2e42083dd..9a48dceb4 100755 --- a/test/ipt/firewall38.fw.orig +++ b/test/ipt/firewall38.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:47 2011 PST by vadim +# Generated Sun Feb 20 20:59:43 2011 PST by vadim # # files: * firewall38.fw /etc/fw/firewall38.fw # @@ -498,7 +498,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:47 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:43 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall39.fw.orig b/test/ipt/firewall39.fw.orig index 2e499c54f..7e2ba1f50 100755 --- a/test/ipt/firewall39.fw.orig +++ b/test/ipt/firewall39.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:55 2011 PST by vadim +# Generated Sun Feb 20 20:59:50 2011 PST by vadim # # files: * firewall39.fw /etc/fw/firewall39.fw # @@ -631,7 +631,6 @@ script_body() { # echo "Rule rule6_branch 0 (global)" # - # firewall39:rule6_branch:0: warning: Rule branches to rule set Policy which branches back to it, creating a loop $IPTABLES -N rule6_branch $IPTABLES -N Policy $IPTABLES -A rule6_branch -j Policy @@ -809,11 +808,8 @@ script_body() { echo "Rule 14 (global)" # # testing loop in branching rules - # firewall39:Policy:14: warning: Rule branches to rule set rule6_branch which branches back to it, creating a loop $IPTABLES -A INPUT -s 192.168.1.0/24 -j rule6_branch - # firewall39:Policy:14: warning: Rule branches to rule set rule6_branch which branches back to it, creating a loop $IPTABLES -A OUTPUT -s 192.168.1.0/24 -j rule6_branch - # firewall39:Policy:14: warning: Rule branches to rule set rule6_branch which branches back to it, creating a loop $IPTABLES -A FORWARD -s 192.168.1.0/24 -j rule6_branch # # Rule 15 (global) @@ -899,7 +895,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:55 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:50 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall4.fw.orig b/test/ipt/firewall4.fw.orig index 72573c495..b69947bb2 100755 --- a/test/ipt/firewall4.fw.orig +++ b/test/ipt/firewall4.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:57 2011 PST by vadim +# Generated Sun Feb 20 20:59:52 2011 PST by vadim # # files: * firewall4.fw /etc/fw/firewall4.fw # 
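Review bot: The regenerated firewall39.fw.orig drops the branching-loop warnings completely instead of reducing them to one copy. Hunk `@@ -631,7 +631,6 @@` removes the `rule6_branch:0` warning and hunk `@@ -809,11 +808,8 @@` removes all three `Policy:14` copies, and neither hunk adds a replacement line. Other fixtures in this commit (firewall33, firewall70) keep a single copy of each message above the rule's commands, so this looks like the new `getErrorsForRule` lookup not matching the rule object that carries this warning; that is inferred, because the compiler code is outside these hunks. A jump loop between `Policy` and `rule6_branch` is something a person auditing the generated script should still be told about. I would expect the fixture to keep one line such as `# firewall39:Policy:14: warning: Rule branches to rule set rule6_branch which branches back to it, creating a loop` after `# testing loop in branching rules`, and likewise one for `rule6_branch:0`; otherwise the ChangeLog entry should say that these warnings are intentionally no longer written to the script.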
@@ -710,7 +710,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:57 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:52 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall40-1.fw.orig b/test/ipt/firewall40-1.fw.orig index 3ecbf931a..a66967b4f 100755 --- a/test/ipt/firewall40-1.fw.orig +++ b/test/ipt/firewall40-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:01 2011 PST by vadim +# Generated Sun Feb 20 20:59:56 2011 PST by vadim # # files: * firewall40-1.fw /etc/firewall40-1.fw # @@ -450,7 +450,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:01 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:56 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall40-2.fw.orig b/test/ipt/firewall40-2.fw.orig index b2186d61c..555c596d2 100755 --- a/test/ipt/firewall40-2.fw.orig +++ b/test/ipt/firewall40-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:01 2011 PST by vadim +# Generated Sun Feb 20 20:59:57 2011 PST by vadim # # files: * firewall40-2.fw /etc/firewall40-2.fw # @@ -437,7 +437,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:01 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:57 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall40.fw.orig b/test/ipt/firewall40.fw.orig index ad5b612d1..b7a140ac3 100755 --- a/test/ipt/firewall40.fw.orig +++ b/test/ipt/firewall40.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:05:58 2011 PST by vadim +# Generated Sun Feb 20 20:59:53 2011 PST by vadim # # files: * firewall40.fw /etc/firewall40.fw # @@ -439,7 +439,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:05:58 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 20:59:53 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall41-1.fw.orig b/test/ipt/firewall41-1.fw.orig index 9d6916e51..eb920015c 100755 --- a/test/ipt/firewall41-1.fw.orig +++ b/test/ipt/firewall41-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:04 2011 PST by vadim +# Generated Sun Feb 20 21:00:00 2011 PST by vadim # # files: * firewall41-1.fw /etc/firewall41-1.fw # @@ -575,7 +575,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:04 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:00 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall41.fw.orig b/test/ipt/firewall41.fw.orig index de52717f5..a149218fd 100755 --- a/test/ipt/firewall41.fw.orig +++ b/test/ipt/firewall41.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:09 2011 PST by vadim +# Generated Sun Feb 20 21:00:04 2011 PST by vadim # # files: * firewall41.fw /etc/firewall41.fw # 
@@ -387,6 +387,8 @@ script_body() { # # there should be warning saying the table could not be found # firewall41:Policy:5: error: File not found for Address Table: missing table (this_table_does_not_exist.tbl) Using dummy address in test mode + # firewall41:Policy:5: error: Rule '5 (global)' shadows rule '6 (global)' below it + $IPTABLES -N RULE_5 $IPTABLES -A OUTPUT -d 192.0.2.0/24 -j RULE_5 $IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY " @@ -397,6 +399,7 @@ script_body() { echo "Rule 6 (global)" # # firewall41:Policy:6: error: DNSName object "does not resolve" (compile time) can not resolve dns name "does_not_resolve.local" (AF_INET): Host or network 'does_not_resolve.local' not found; last error: Unknown error Using dummy address in test mode + $IPTABLES -N RULE_6 $IPTABLES -A OUTPUT -d 192.0.2.1 -j RULE_6 $IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY " @@ -456,7 +459,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:09 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:04 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall42.fw.orig b/test/ipt/firewall42.fw.orig index 91889d796..658865a11 100755 --- a/test/ipt/firewall42.fw.orig +++ b/test/ipt/firewall42.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:10 2011 PST by vadim +# Generated Sun Feb 20 21:00:06 2011 PST by vadim # # files: * firewall42.fw /etc/fw/firewall42.fw # @@ -382,7 +382,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:10 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:06 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall5.fw.orig b/test/ipt/firewall5.fw.orig index 73589983d..ede42fe60 100755 
--- a/test/ipt/firewall5.fw.orig +++ b/test/ipt/firewall5.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:12 2011 PST by vadim +# Generated Sun Feb 20 21:00:07 2011 PST by vadim # # files: * firewall5.fw /etc/fw/firewall5.fw # @@ -622,7 +622,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:12 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:07 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall50.fw.orig b/test/ipt/firewall50.fw.orig index 9ba0530b4..b5ef78803 100755 --- a/test/ipt/firewall50.fw.orig +++ b/test/ipt/firewall50.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:14 2011 PST by vadim +# Generated Sun Feb 20 21:00:10 2011 PST by vadim # # files: * firewall50.fw /etc/fw/firewall50.fw # @@ -407,7 +407,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:14 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:10 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall51.fw.orig b/test/ipt/firewall51.fw.orig index d049bcda8..3a41efaf8 100755 --- a/test/ipt/firewall51.fw.orig +++ b/test/ipt/firewall51.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:18 2011 PST by vadim +# Generated Sun Feb 20 21:00:14 2011 PST by vadim # # files: * firewall51.fw /etc/fw/firewall51.fw # @@ -491,7 +491,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:18 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:14 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall6.fw.orig b/test/ipt/firewall6.fw.orig index eb1c3bfc3..9f9fb58f3 100755 
--- a/test/ipt/firewall6.fw.orig +++ b/test/ipt/firewall6.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:17 2011 PST by vadim +# Generated Sun Feb 20 21:00:13 2011 PST by vadim # # files: * firewall6.fw /etc/fw/firewall6.fw # @@ -513,7 +513,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:17 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:13 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall60.fw.orig b/test/ipt/firewall60.fw.orig index 751d84c18..4bef47c11 100755 --- a/test/ipt/firewall60.fw.orig +++ b/test/ipt/firewall60.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:20 2011 PST by vadim +# Generated Sun Feb 20 21:00:17 2011 PST by vadim # # files: * firewall60.fw /etc/firewall60.fw # @@ -419,7 +419,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:20 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:17 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall61-1.2.5.fw.orig b/test/ipt/firewall61-1.2.5.fw.orig index f179068bf..1617b3366 100755 --- a/test/ipt/firewall61-1.2.5.fw.orig +++ b/test/ipt/firewall61-1.2.5.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:22 2011 PST by vadim +# Generated Sun Feb 20 21:00:18 2011 PST by vadim # # files: * firewall61-1.2.5.fw /etc/firewall61-1.2.5.fw # @@ -499,7 +499,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:22 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:18 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files 
diff --git a/test/ipt/firewall61-1.2.6.fw.orig b/test/ipt/firewall61-1.2.6.fw.orig index e888abb59..5f2cba547 100755 --- a/test/ipt/firewall61-1.2.6.fw.orig +++ b/test/ipt/firewall61-1.2.6.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:25 2011 PST by vadim +# Generated Sun Feb 20 21:00:21 2011 PST by vadim # # files: * firewall61-1.2.6.fw /etc/firewall61-1.2.6.fw # @@ -505,7 +505,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:25 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:21 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall61-1.3.x.fw.orig b/test/ipt/firewall61-1.3.x.fw.orig index ff92645e3..996d2030e 100755 --- a/test/ipt/firewall61-1.3.x.fw.orig +++ b/test/ipt/firewall61-1.3.x.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:26 2011 PST by vadim +# Generated Sun Feb 20 21:00:22 2011 PST by vadim # # files: * firewall61-1.3.x.fw /etc/firewall61-1.3.x.fw # @@ -492,7 +492,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:26 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:22 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall61-1.4.fw.orig b/test/ipt/firewall61-1.4.fw.orig index 825f771ef..31969ffc3 100755 --- a/test/ipt/firewall61-1.4.fw.orig +++ b/test/ipt/firewall61-1.4.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:29 2011 PST by vadim +# Generated Sun Feb 20 21:00:26 2011 PST by vadim # # files: * firewall61-1.4.fw /etc/firewall61-1.4.fw # 
@@ -493,7 +493,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:29 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:26 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall62.fw.orig b/test/ipt/firewall62.fw.orig index c40c66ae6..753fa63d3 100755 --- a/test/ipt/firewall62.fw.orig +++ b/test/ipt/firewall62.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:29 2011 PST by vadim +# Generated Sun Feb 20 21:00:25 2011 PST by vadim # # files: * firewall62.fw /etc/firewall62.fw # @@ -340,6 +340,8 @@ script_body() { # echo "Rule 0 (global)" # + # firewall62:Policy:0: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 1 (global) @@ -353,6 +355,8 @@ script_body() { # echo "Rule 2 (global)" # + # firewall62:Policy:2: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -N Cid484A599620246.0 $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid484A599620246.0 $IPTABLES -A Cid484A599620246.0 -s 192.168.1.1 -j ACCEPT 
@@ -371,18 +375,24 @@ script_body() { # echo "Rule 4 (global)" # + # firewall62:Policy:4: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -A OUTPUT -s 192.168.1.1 -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 5 (global) # echo "Rule 5 (global)" # + # firewall62:Policy:5: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 6 (global) # echo "Rule 6 (global)" # + # firewall62:Policy:6: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -N Cid4848F1BB20246.0 $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j Cid4848F1BB20246.0 $IPTABLES -A Cid4848F1BB20246.0 -d 192.168.1.1 -j ACCEPT @@ -392,12 +402,16 @@ script_body() { # echo "Rule 8 (global)" # + # firewall62:Policy:8: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -A OUTPUT -s ! 192.168.1.0/24 -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # + # firewall62:Policy:9: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 10 (global) @@ -405,6 +419,8 @@ script_body() { echo "Rule 10 (global)" # # bug 2186568 + # firewall62:Policy:10: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT # 
@@ -413,6 +429,8 @@ script_body() { echo "Rule 11 (global)" # # bug 2186568 + # firewall62:Policy:11: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -N Cid55369X1137.0 $IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j Cid55369X1137.0 $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j Cid55369X1137.0 @@ -424,6 +442,8 @@ script_body() { echo "Rule 12 (global)" # # bug 2186568 + # firewall62:Policy:12: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -A OUTPUT -m owner ! --uid-owner 2000 -m state --state NEW -j ACCEPT # # Rule 13 (global) @@ -431,6 +451,8 @@ script_body() { echo "Rule 13 (global)" # # bug 2186568 + # firewall62:Policy:13: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -N Cid72626X1137.0 $IPTABLES -A OUTPUT -m owner ! --uid-owner 2000 -m state --state NEW -j Cid72626X1137.0 $IPTABLES -A Cid72626X1137.0 -d 192.168.1.1 -j ACCEPT @@ -467,6 +489,8 @@ script_body() { echo "Rule 16 (global)" # # bug 2186568 + # firewall62:Policy:16: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j ACCEPT # @@ -475,6 +499,8 @@ script_body() { echo "Rule 17 (global)" # # bug 2186568 + # firewall62:Policy:17: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -N Cid89930X1137.0 $IPTABLES -A OUTPUT -m owner --uid-owner 2000 -m state --state NEW -j Cid89930X1137.0 $IPTABLES -A OUTPUT -m owner --uid-owner 500 -m state --state NEW -j Cid89930X1137.0 
@@ -543,7 +569,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:29 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:25 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall63.fw.orig b/test/ipt/firewall63.fw.orig index be1226b85..69002f6c6 100755 --- a/test/ipt/firewall63.fw.orig +++ b/test/ipt/firewall63.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:32 2011 PST by vadim +# Generated Sun Feb 20 21:00:29 2011 PST by vadim # # files: * firewall63.fw /etc/firewall63.fw # @@ -389,7 +389,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:32 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:29 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall7.fw.orig b/test/ipt/firewall7.fw.orig index 146c9ee89..386dc330b 100755 --- a/test/ipt/firewall7.fw.orig +++ b/test/ipt/firewall7.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:33 2011 PST by vadim +# Generated Sun Feb 20 21:00:29 2011 PST by vadim # # files: * firewall7.fw /etc/fw/firewall7.fw # @@ -473,7 +473,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:33 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:29 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall70.fw.orig b/test/ipt/firewall70.fw.orig index 39332c44e..ecef7c439 100755 --- a/test/ipt/firewall70.fw.orig +++ b/test/ipt/firewall70.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:37 2011 PST by vadim +# Generated Sun Feb 20 21:00:33 2011 PST by vadim # # files: * firewall70.fw iptables.sh # 
@@ -332,12 +332,12 @@ script_body() { echo "Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global)" # # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) + # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) + $IPTABLES -N very_long_ruleset_name_should_be_gt_30_chars $IPTABLES -N very_long_ruleset_name_should_be_gt_30_chars_0 $IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars -j very_long_ruleset_name_should_be_gt_30_chars_0 - # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) $IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " - # firewall70:very_long_ruleset_name_should_be_gt_30_chars:0: error: Chain name 'very_long_ruleset_name_should_be_gt_30_chars_0' is longer than 30 characters. Rule very_long_ruleset_name_should_be_gt_30_chars 0 (global) $IPTABLES -A very_long_ruleset_name_should_be_gt_30_chars_0 -j DROP # ================ Table 'filter', rule set not_quite_long_ruleset_name # @@ -345,6 +345,8 @@ script_body() { # echo "Rule not_quite_long_ruleset_name 0 (global)" # + # firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global) + $IPTABLES -N not_quite_long_ruleset_name $IPTABLES -N Cid208737X59595.0 $IPTABLES -A not_quite_long_ruleset_name -s 22.22.22.0/24 -j Cid208737X59595.0 
@@ -353,9 +355,7 @@ script_body() { $IPTABLES -A Cid208737X59595.0 -d 192.168.1.1 -j RETURN $IPTABLES -N not_quite_long_ruleset_name_0_3 $IPTABLES -A Cid208737X59595.0 -j not_quite_long_ruleset_name_0_3 - # firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global) $IPTABLES -A not_quite_long_ruleset_name_0_3 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " - # firewall70:not_quite_long_ruleset_name:0: error: Chain name 'not_quite_long_ruleset_name_0_3' is longer than 30 characters. Rule not_quite_long_ruleset_name 0 (global) $IPTABLES -A not_quite_long_ruleset_name_0_3 -j DROP } @@ -412,7 +412,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:37 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:33 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall71.fw.orig b/test/ipt/firewall71.fw.orig index b1f1178b9..06f3374b0 100755 --- a/test/ipt/firewall71.fw.orig +++ b/test/ipt/firewall71.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:37 2011 PST by vadim +# Generated Sun Feb 20 21:00:34 2011 PST by vadim # # files: * firewall71.fw /etc/fw/firewall71.fw # @@ -428,7 +428,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:37 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:34 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall72-1.3.x.fw.orig b/test/ipt/firewall72-1.3.x.fw.orig index 328e05b70..7c98655c3 100755 --- a/test/ipt/firewall72-1.3.x.fw.orig +++ b/test/ipt/firewall72-1.3.x.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:40 2011 PST by vadim +# Generated Sun Feb 20 21:00:37 2011 PST by vadim # # files: * firewall72-1.3.x.fw /etc/fw/firewall72-1.3.x.fw # @@ -457,6 +457,9 @@ script_body() { echo "Rule 10 (eth1)" # # Should use ! -i eth1 eventually + # firewall72-1.3.x:Policy:10: error: Rule '10 (eth1)' shadows rule '13 (eth1)' below it + # firewall72-1.3.x:Policy:10: error: Rule '10 (eth1)' shadows rule '14 (eth1)' below it + $IPTABLES -A FORWARD -i ! eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP # # Rule 11 (eth1) @@ -499,6 +502,8 @@ script_body() { # echo "Rule 15 (global)" # + # firewall72-1.3.x:Policy:15: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -A OUTPUT -d 172.16.1.1 -m owner ! --uid-owner 500 -j DROP } @@ -555,7 +560,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:40 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:37 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall72-1.4.3.fw.orig b/test/ipt/firewall72-1.4.3.fw.orig index 7abd397eb..f9543a5cd 100755 --- a/test/ipt/firewall72-1.4.3.fw.orig +++ b/test/ipt/firewall72-1.4.3.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:41 2011 PST by vadim +# Generated Sun Feb 20 21:00:37 2011 PST by vadim # # files: * firewall72-1.4.3.fw /etc/fw/firewall72-1.4.3.fw # @@ -457,6 +457,9 @@ script_body() { echo "Rule 10 (eth1)" # # Should use ! -i eth1 eventually + # firewall72-1.4.3:Policy:10: error: Rule '10 (eth1)' shadows rule '13 (eth1)' below it + # firewall72-1.4.3:Policy:10: error: Rule '10 (eth1)' shadows rule '14 (eth1)' below it + $IPTABLES -A FORWARD ! -i eth1 -p tcp -m tcp -d 192.168.1.0/24 --tcp-flags ALL NONE -j DROP # # Rule 11 (eth1) 
@@ -499,6 +502,8 @@ script_body() { # echo "Rule 15 (global)" # + # firewall72-1.4.3:Policy:15: warning: Iptables does not support module 'owner' in a chain other than OUTPUT + $IPTABLES -A OUTPUT -d 172.16.1.1 -m owner ! --uid-owner 500 -j DROP } @@ -555,7 +560,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:41 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:37 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall73.fw.orig b/test/ipt/firewall73.fw.orig index 86ce610ba..6a688f9e6 100755 --- a/test/ipt/firewall73.fw.orig +++ b/test/ipt/firewall73.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:43 2011 PST by vadim +# Generated Sun Feb 20 21:00:40 2011 PST by vadim # # files: * firewall73.fw /etc/fw/firewall73.fw # @@ -523,7 +523,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:43 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:40 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall74.fw.orig b/test/ipt/firewall74.fw.orig index 39628ec6f..0d81918be 100755 --- a/test/ipt/firewall74.fw.orig +++ b/test/ipt/firewall74.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:44 2011 PST by vadim +# Generated Sun Feb 20 21:00:41 2011 PST by vadim # # files: * firewall74.fw /etc/fw/firewall74.fw # @@ -375,7 +375,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:44 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:41 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall8.fw.orig b/test/ipt/firewall8.fw.orig index 5ef436c7a..ca103bd05 100755 
--- a/test/ipt/firewall8.fw.orig +++ b/test/ipt/firewall8.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:47 2011 PST by vadim +# Generated Sun Feb 20 21:00:44 2011 PST by vadim # # files: * firewall8.fw /etc/fw/firewall8.fw # @@ -358,7 +358,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:47 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:44 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall80.fw.orig b/test/ipt/firewall80.fw.orig index 6f8428201..9606d2df6 100755 --- a/test/ipt/firewall80.fw.orig +++ b/test/ipt/firewall80.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:48 2011 PST by vadim +# Generated Sun Feb 20 21:00:44 2011 PST by vadim # # files: * firewall80.fw /etc/fw/firewall80.fw # @@ -317,8 +317,8 @@ script_body() { # # Branch rule with actual translation. Translation is ignored and warning should be issued # firewall80:NAT:0: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' + $IPTABLES -t nat -A POSTROUTING -d 192.0.2.1 -j NAT_1_POSTROUTING - # firewall80:NAT:0: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' $IPTABLES -t nat -A PREROUTING -d 192.0.2.1 -j NAT_1_PREROUTING # # Rule 1 (NAT) @@ -399,7 +399,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:48 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:44 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall81.fw.orig b/test/ipt/firewall81.fw.orig index 4f52470a3..664ff7bff 100755 --- a/test/ipt/firewall81.fw.orig +++ b/test/ipt/firewall81.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:51 2011 PST by vadim +# Generated Sun Feb 20 21:00:48 2011 PST by vadim # # files: * firewall81.fw /etc/fw/firewall81.fw # @@ -302,9 +302,10 @@ script_body() { # Branch rule with actual translation. # Translation is ignored and warning should be issued # firewall81:NAT_2:0: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. Will split the rule and place it in both PREROUTNING and POSTROUTING + # firewall81:NAT_2:0: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' + $IPTABLES -t nat -N NAT_1 $IPTABLES -t nat -A POSTROUTING -d 192.0.2.1 -j NAT_1 - # firewall81:NAT_2:0: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. Will split the rule and place it in both PREROUTNING and POSTROUTING $IPTABLES -t nat -A PREROUTING -d 192.0.2.1 -j NAT_1 # # Rule NAT_2 1 (NAT) @@ -313,8 +314,8 @@ script_body() { # # DNAT Rule # firewall81:NAT_2:1: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. Will split the rule and place it in both PREROUTNING and POSTROUTING + $IPTABLES -t nat -A POSTROUTING -j NAT_1 - # firewall81:NAT_2:1: warning: NAT branching rule does not have information about targets used in the branch ruleset to choose proper chain in the nat table. Will split the rule and place it in both PREROUTNING and POSTROUTING $IPTABLES -t nat -A PREROUTING -j NAT_1 # ================ Table 'nat', rule set NAT_1 @@ -419,7 +420,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:51 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:48 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files 
diff --git a/test/ipt/firewall82.fw.orig b/test/ipt/firewall82.fw.orig index ec22ff533..0f8425520 100755 --- a/test/ipt/firewall82.fw.orig +++ b/test/ipt/firewall82.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:52 2011 PST by vadim +# Generated Sun Feb 20 21:00:49 2011 PST by vadim # # files: * firewall82.fw /etc/firewall82.fw # @@ -353,11 +353,8 @@ script_body() { # echo "Rule 0 (global)" # - # firewall82:Policy:0: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop $IPTABLES -A OUTPUT -j Policy_A - # firewall82:Policy:0: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop $IPTABLES -A INPUT -j Policy_A - # firewall82:Policy:0: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop $IPTABLES -A FORWARD -j Policy_A } @@ -414,7 +411,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:52 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:49 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall82_A.fw.orig b/test/ipt/firewall82_A.fw.orig index 28f706a72..5ea87c033 100755 --- a/test/ipt/firewall82_A.fw.orig +++ b/test/ipt/firewall82_A.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:55 2011 PST by vadim +# Generated Sun Feb 20 21:00:52 2011 PST by vadim # # files: * firewall82_A.fw /etc/fw/firewall82_A.fw # 
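Review bot: In the `@@ -353,11 +353,8 @@` hunk for test/ipt/firewall82.fw.orig the loop warning for rule `Policy:0` is removed from all three `$IPTABLES -A ... -j Policy_A` lines and no copy is added back, so the expected script no longer records that `Policy` and `Policy_A` branch into each other. The other fixtures in this commit keep one copy of each message under the rule label, and the same total loss appears in test/ipt/firewall82_A.fw.orig for rules `Policy_A:1` and `Policy_A:2`. Unless the warning is now printed somewhere outside the visible context, the expected output should keep a single line such as `# firewall82:Policy:0: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop` after the `echo "Rule 0 (global)"` block. It is worth checking whether `getErrorsForRule` fails to find the messages for these branching rules before this golden file pins their absence.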
@@ -334,22 +334,16 @@ script_body() { echo "Rule Policy_A 1 (global)" # # recursive branching - # firewall82_A:Policy_A:1: warning: Rule branches to rule set Policy which branches back to it, creating a loop $IPTABLES -A OUTPUT -j Policy - # firewall82_A:Policy_A:1: warning: Rule branches to rule set Policy which branches back to it, creating a loop $IPTABLES -A INPUT -j Policy - # firewall82_A:Policy_A:1: warning: Rule branches to rule set Policy which branches back to it, creating a loop $IPTABLES -A FORWARD -j Policy # # Rule Policy_A 2 (global) # echo "Rule Policy_A 2 (global)" # - # firewall82_A:Policy_A:2: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop $IPTABLES -A OUTPUT -j Policy_A - # firewall82_A:Policy_A:2: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop $IPTABLES -A INPUT -j Policy_A - # firewall82_A:Policy_A:2: warning: Rule branches to rule set Policy_A which branches back to it, creating a loop $IPTABLES -A FORWARD -j Policy_A } @@ -406,7 +400,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:55 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:52 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall82_B.fw.orig b/test/ipt/firewall82_B.fw.orig index 5cfca2216..898fa053f 100755 --- a/test/ipt/firewall82_B.fw.orig +++ b/test/ipt/firewall82_B.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:55 2011 PST by vadim +# Generated Sun Feb 20 21:00:52 2011 PST by vadim # # files: * firewall82_B.fw /etc/fw/firewall82_B.fw # @@ -363,7 +363,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:55 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:52 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files 
diff --git a/test/ipt/firewall9.fw.orig b/test/ipt/firewall9.fw.orig index 38c5be7ae..ac13bf346 100755 --- a/test/ipt/firewall9.fw.orig +++ b/test/ipt/firewall9.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:58 2011 PST by vadim +# Generated Sun Feb 20 21:00:56 2011 PST by vadim # # files: * firewall9.fw /etc/fw/firewall9.fw # @@ -317,18 +317,14 @@ script_body() { echo "Rule 1 (global)" # # firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. + $IPTABLES -N Cid3D4DF36C.0 $IPTABLES -A OUTPUT -p udp -m udp --dport 53 -j Cid3D4DF36C.0 - # firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -N RULE_1 $IPTABLES -A Cid3D4DF36C.0 -d 22.22.22.22 -j RULE_1 - # firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A Cid3D4DF36C.0 -d 192.168.1.1 -j RULE_1 - # firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A INPUT -p udp -m udp --dport 53 -j RULE_1 - # firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_1 -j LOG --log-level debug --log-prefix "RULE 1 -- REJECT global" - # firewall9:Policy:1: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_1 -j REJECT --reject-with icmp-net-unreachable # # Rule 2 (global) 
@@ -336,22 +332,16 @@ script_body() { echo "Rule 2 (global)" # # firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. + $IPTABLES -N Cid3D4DF376.0 $IPTABLES -A OUTPUT -p icmp -j Cid3D4DF376.0 - # firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A OUTPUT -p 50 -j Cid3D4DF376.0 - # firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -N RULE_2 $IPTABLES -A Cid3D4DF376.0 -d 22.22.22.22 -j RULE_2 - # firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A Cid3D4DF376.0 -d 192.168.1.1 -j RULE_2 - # firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A INPUT -p icmp -j RULE_2 - # firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A INPUT -p 50 -j RULE_2 - # firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_2 -j LOG --log-level debug --log-prefix "RULE 2 -- REJECT global" - # firewall9:Policy:2: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A RULE_2 -j REJECT --reject-with icmp-net-unreachable # # Rule 3 (global) 
@@ -421,11 +411,10 @@ script_body() { echo "Rule 6 (global)" # # firewall9:Policy:6: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. + $IPTABLES -N Cid3D4DF39E.0 $IPTABLES -A OUTPUT -d 22.22.22.22 -j Cid3D4DF39E.0 - # firewall9:Policy:6: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A OUTPUT -d 192.168.1.1 -j Cid3D4DF39E.0 - # firewall9:Policy:6: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A INPUT -j Cid3D4DF39E.0 $IPTABLES -A Cid3D4DF39E.0 -p tcp -m tcp --dport 10000:11000 -j RETURN $IPTABLES -A Cid3D4DF39E.0 -p tcp -m tcp --dport 113 -j RETURN @@ -437,11 +426,10 @@ script_body() { echo "Rule 7 (global)" # # firewall9:Policy:7: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. + $IPTABLES -N Cid3D4DF3A8.0 $IPTABLES -A OUTPUT -d 22.22.22.22 -j Cid3D4DF3A8.0 - # firewall9:Policy:7: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A OUTPUT -d 192.168.1.1 -j Cid3D4DF3A8.0 - # firewall9:Policy:7: warning: Rule action 'Reject' with TCP RST can be used only with TCP services. $IPTABLES -A INPUT -j Cid3D4DF3A8.0 $IPTABLES -A Cid3D4DF3A8.0 -p tcp -m tcp --dport 10000:11000 -j RETURN $IPTABLES -A Cid3D4DF3A8.0 -p tcp -m tcp --dport 113 -j RETURN @@ -633,7 +621,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:58 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:56 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall90.fw.orig b/test/ipt/firewall90.fw.orig index 53b3875ef..f2c4b3abe 100755 --- a/test/ipt/firewall90.fw.orig +++ b/test/ipt/firewall90.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:58 2011 PST by vadim +# Generated Sun Feb 20 21:00:56 2011 PST by vadim # # files: * firewall90.fw /etc/fw/firewall90.fw # @@ -383,7 +383,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:06:58 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:56 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall91.fw.orig b/test/ipt/firewall91.fw.orig index 13a0599a1..fc5da8cea 100755 --- a/test/ipt/firewall91.fw.orig +++ b/test/ipt/firewall91.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:07:02 2011 PST by vadim +# Generated Sun Feb 20 21:00:59 2011 PST by vadim # # files: * firewall91.fw /etc/fw/firewall91.fw # @@ -383,7 +383,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:07:02 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:59 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall92.fw.orig b/test/ipt/firewall92.fw.orig index f7b5fe866..32fe58bbe 100755 --- a/test/ipt/firewall92.fw.orig +++ b/test/ipt/firewall92.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:07:03 2011 PST by vadim +# Generated Sun Feb 20 21:01:00 2011 PST by vadim # # files: * firewall92.fw /etc/fw/firewall92.fw # @@ -419,7 +419,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:07:03 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:01:00 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/firewall93.fw.orig b/test/ipt/firewall93.fw.orig index 25991a13f..e6c773325 100755 --- a/test/ipt/firewall93.fw.orig 
+++ b/test/ipt/firewall93.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:07:06 2011 PST by vadim +# Generated Sun Feb 20 21:01:03 2011 PST by vadim # # files: * firewall93.fw /etc/fw/firewall93.fw # @@ -458,7 +458,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:07:06 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:01:03 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/fw-A.fw.orig b/test/ipt/fw-A.fw.orig index dad08f444..df93d7423 100755 --- a/test/ipt/fw-A.fw.orig +++ b/test/ipt/fw-A.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:38 2011 PST by vadim +# Generated Sun Feb 20 21:02:37 2011 PST by vadim # # files: * fw-A.fw /sw/FWbuilder/fw-A.fw # @@ -611,6 +611,8 @@ script_body() { # # # fw-A:Routing:0: error: Object "gw_200" used as gateway in the routing rule 0 (main) is not in the same local network as interface eth3 + fw-A:Routing:0: error: Object "gw_200" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall + $IP route add default via 200.200.200.200 dev eth3 \ || route_command_error "0 (main)" @@ -722,7 +724,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:38 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:37 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/fw1.fw.orig b/test/ipt/fw1.fw.orig index 70fc7001e..b6cabc7fe 100755 --- a/test/ipt/fw1.fw.orig +++ b/test/ipt/fw1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:35 2011 PST by vadim +# Generated Sun Feb 20 21:02:33 2011 PST by vadim # # files: * fw1.fw /etc/fw1.fw # 
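Review bot: The line added in the `@@ -611,6 +611,8 @@` hunk for test/ipt/fw-A.fw.orig, the second `fw-A:Routing:0: error: Object "gw_200" ...` message, has no leading `# `, unlike the first message above it and every other message this commit adds to the fixtures. As recorded, the generated script would pass that text to the shell as a command just before `$IP route add default via 200.200.200.200 dev eth3` instead of carrying it as a comment. It looks as though only the first of several messages for a rule receives the prefix on the routing path, though the writer code is not visible here. The expected line should read `# fw-A:Routing:0: error: Object "gw_200" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall`, and the fixture should be regenerated after the writer prefixes every message line rather than pinning the unprefixed form.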
@@ -405,6 +405,12 @@ script_body() { # echo "Rule 1 (global)" # + # fw1:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it + # fw1:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it + # fw1:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it + # fw1:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it + # fw1:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it + $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m state --state NEW -j ACCEPT @@ -519,7 +525,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:35 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:33 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/fwbuilder.fw.orig b/test/ipt/fwbuilder.fw.orig index 86fa44b27..25d79d29f 100755 --- a/test/ipt/fwbuilder.fw.orig +++ b/test/ipt/fwbuilder.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:06:07 2011 PST by vadim +# Generated Sun Feb 20 21:00:03 2011 PST by vadim # # files: * fwbuilder.fw /etc/init.d/fwbuilder.fw # @@ -483,7 +483,7 @@ status_action() { } start() { - log "Activating firewall script generated Sun Feb 20 20:06:07 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:00:03 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/heartbeat_cluster_1_d_linux-1-d.fw.orig b/test/ipt/heartbeat_cluster_1_d_linux-1-d.fw.orig index 831927b7d..f24f0078b 100755 --- a/test/ipt/heartbeat_cluster_1_d_linux-1-d.fw.orig +++ b/test/ipt/heartbeat_cluster_1_d_linux-1-d.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:51 2011 PST by vadim +# Generated Sun Feb 20 21:02:49 2011 PST by vadim # # files: * heartbeat_cluster_1_d_linux-1-d.fw firewall.sh # @@ -489,6 +489,8 @@ script_body() { # echo "Rule 7 (global)" # + # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-2-d' because its address in unknown. + for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT @@ -720,7 +722,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:51 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:49 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig b/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig index 428767172..db32eab3b 100755 --- a/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig +++ b/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:51 2011 PST by vadim +# Generated Sun Feb 20 21:02:50 2011 PST by vadim # # files: * heartbeat_cluster_1_d_linux-2-d.fw firewall.sh # @@ -356,6 +356,7 @@ script_body() { echo "Rule 4 (NAT)" # # heartbeat_cluster_1_d:NAT:4: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown. + $IPTABLES -t nat -A PREROUTING -d -j DNAT --to-destination 192.168.1.100 
@@ -492,6 +493,8 @@ script_body() { # echo "Rule 7 (global)" # + # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown. + for i_eth0 in $i_eth0_list do test -n "$i_eth0" && $IPTABLES -A OUTPUT -p tcp -m tcp -s $i_eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT @@ -723,7 +726,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:51 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:50 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/heartbeat_cluster_1_linux-1.fw.orig b/test/ipt/heartbeat_cluster_1_linux-1.fw.orig index 77f53ae50..d10fc98ac 100755 --- a/test/ipt/heartbeat_cluster_1_linux-1.fw.orig +++ b/test/ipt/heartbeat_cluster_1_linux-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:50 2011 PST by vadim +# Generated Sun Feb 20 21:02:48 2011 PST by vadim # # files: * heartbeat_cluster_1_linux-1.fw /etc/heartbeat_cluster_1_linux-1.fw # @@ -843,7 +843,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:50 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:48 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/heartbeat_cluster_1_linux-2.fw.orig b/test/ipt/heartbeat_cluster_1_linux-2.fw.orig index 149f86a0e..4898f6189 100755 --- a/test/ipt/heartbeat_cluster_1_linux-2.fw.orig +++ b/test/ipt/heartbeat_cluster_1_linux-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:50 2011 PST by vadim +# Generated Sun Feb 20 21:02:49 2011 PST by vadim # # files: * heartbeat_cluster_1_linux-2.fw /etc/heartbeat_cluster_1_linux-2.fw # 
@@ -741,7 +741,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:50 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:49 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/heartbeat_cluster_2_linux-1.fw.orig b/test/ipt/heartbeat_cluster_2_linux-1.fw.orig index 540176938..c50deeed4 100755 --- a/test/ipt/heartbeat_cluster_2_linux-1.fw.orig +++ b/test/ipt/heartbeat_cluster_2_linux-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:52 2011 PST by vadim +# Generated Sun Feb 20 21:02:50 2011 PST by vadim # # files: * heartbeat_cluster_2_linux-1.fw /etc/heartbeat_cluster_2_linux-1.fw # @@ -707,7 +707,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:52 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:50 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/heartbeat_cluster_2_linux-2.fw.orig b/test/ipt/heartbeat_cluster_2_linux-2.fw.orig index 781f0cf8c..1d1789fc9 100755 --- a/test/ipt/heartbeat_cluster_2_linux-2.fw.orig +++ b/test/ipt/heartbeat_cluster_2_linux-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:52 2011 PST by vadim +# Generated Sun Feb 20 21:02:51 2011 PST by vadim # # files: * heartbeat_cluster_2_linux-2.fw /etc/heartbeat_cluster_2_linux-2.fw # @@ -620,7 +620,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:52 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:51 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/host.fw.orig b/test/ipt/host.fw.orig index 8c021eb13..187da637a 100755 --- a/test/ipt/host.fw.orig +++ b/test/ipt/host.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:38 2011 PST by vadim +# Generated Sun Feb 20 21:02:37 2011 PST by vadim # # files: * host.fw /etc/fw/host.fw # @@ -422,7 +422,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:38 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:37 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/openais_cluster_1_linux-1.fw.orig b/test/ipt/openais_cluster_1_linux-1.fw.orig index e35ca9ed6..27358a0ed 100755 --- a/test/ipt/openais_cluster_1_linux-1.fw.orig +++ b/test/ipt/openais_cluster_1_linux-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:53 2011 PST by vadim +# Generated Sun Feb 20 21:02:51 2011 PST by vadim # # files: * openais_cluster_1_linux-1.fw /etc/openais_cluster_1_linux-1.fw # @@ -707,7 +707,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:53 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:51 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/openais_cluster_1_linux-2.fw.orig b/test/ipt/openais_cluster_1_linux-2.fw.orig index 11646daf6..886713752 100755 --- a/test/ipt/openais_cluster_1_linux-2.fw.orig +++ b/test/ipt/openais_cluster_1_linux-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:53 2011 PST by vadim +# Generated Sun Feb 20 21:02:52 2011 PST by vadim # # files: * openais_cluster_1_linux-2.fw /etc/openais_cluster_1_linux-2.fw # @@ -611,7 +611,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:53 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:52 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files 
diff --git a/test/ipt/rc.firewall.local b/test/ipt/rc.firewall.local index 711ff2144..d9fd4c40a 100755 --- a/test/ipt/rc.firewall.local +++ b/test/ipt/rc.firewall.local @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:42 2011 PST by vadim +# Generated Sun Feb 20 21:02:40 2011 PST by vadim # # files: * rc.firewall.local /etc/rc.d//rc.firewall.local # diff --git a/test/ipt/rh90.fw.orig b/test/ipt/rh90.fw.orig index 3ec6acef6..5c3130af9 100755 --- a/test/ipt/rh90.fw.orig +++ b/test/ipt/rh90.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:42 2011 PST by vadim +# Generated Sun Feb 20 21:02:40 2011 PST by vadim # # files: * rh90.fw /etc/rh90.fw # @@ -421,7 +421,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:42 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:40 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/secuwall_cluster_1_secuwall-1.fw.orig b/test/ipt/secuwall_cluster_1_secuwall-1.fw.orig index 5ffd41794..37999d96b 100755 --- a/test/ipt/secuwall_cluster_1_secuwall-1.fw.orig +++ b/test/ipt/secuwall_cluster_1_secuwall-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:53 2011 PST by vadim +# Generated Sun Feb 20 21:02:51 2011 PST by vadim # # files: * secuwall_cluster_1_secuwall-1.fw /etc/secuwall_cluster_1_secuwall-1.fw # @@ -405,7 +405,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:53 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:51 2011 by vadim" log "Database was cluster-tests.fwb" check_tools check_run_time_address_table_files diff --git a/test/ipt/server-cluster-1_server-1.fw.orig b/test/ipt/server-cluster-1_server-1.fw.orig index 78d0da443..a9706691e 100755 
--- a/test/ipt/server-cluster-1_server-1.fw.orig +++ b/test/ipt/server-cluster-1_server-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:53 2011 PST by vadim +# Generated Sun Feb 20 21:02:52 2011 PST by vadim # # files: * server-cluster-1_server-1.fw /etc/fw/server-cluster-1_server-1.fw # @@ -341,6 +341,8 @@ script_body() { echo "Rule 0 (global)" # # test for ticket #1338 + # server-cluster-1:Policy:0: error: Rule '0 (global)' shadows rule '1 (global)' below it + $IPTABLES -A INPUT -s 192.168.1.1 -j DROP $IPTABLES -A INPUT -s 192.168.1.100 -j DROP } @@ -398,7 +400,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:53 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:52 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/server-cluster-1_server-2.fw.orig b/test/ipt/server-cluster-1_server-2.fw.orig index 13c1122b0..13869b1df 100755 --- a/test/ipt/server-cluster-1_server-2.fw.orig +++ b/test/ipt/server-cluster-1_server-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:54 2011 PST by vadim +# Generated Sun Feb 20 21:02:52 2011 PST by vadim # # files: * server-cluster-1_server-2.fw /etc/fw/server-cluster-1_server-2.fw # @@ -397,7 +397,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:54 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:52 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/test-shadowing-1.fw.orig b/test/ipt/test-shadowing-1.fw.orig index 843ea98fe..b4d710b8d 100755 --- a/test/ipt/test-shadowing-1.fw.orig +++ b/test/ipt/test-shadowing-1.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:46 2011 PST by vadim +# Generated Sun Feb 20 21:02:44 2011 PST by vadim # # files: * test-shadowing-1.fw /etc/test-shadowing-1.fw # @@ -324,6 +324,8 @@ script_body() { echo "Rule 0 (eth0)" # # shades rule below + # test-shadowing-1:Policy:0: error: Rule '0 (eth0)' shadows rule '1 (eth0)' below it + $IPTABLES -A OUTPUT -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # @@ -342,6 +344,8 @@ script_body() { # # firewall is part # of any for this rule + # test-shadowing-1:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it + $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT @@ -361,6 +365,8 @@ script_body() { # echo "Rule 4 (global)" # + # test-shadowing-1:Policy:4: error: Rule '4 (global)' shadows rule '5 (global)' below it + $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT @@ -377,6 +383,8 @@ script_body() { # echo "Rule 6 (global)" # + # test-shadowing-1:Policy:6: error: Rule '6 (global)' shadows rule '7 (global)' below it + $IPTABLES -A INPUT -p udp -m udp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p udp -m udp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p udp -m udp -s 192.168.1.0/24 -m state --state NEW -j ACCEPT 
@@ -395,6 +403,8 @@ script_body() { # # this rule should shadow rule below it because # it uses IPService object with protocol 0 + # test-shadowing-1:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it + $IPTABLES -A INPUT -p all -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p all -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p all -s 192.168.1.0/24 -m state --state NEW -j ACCEPT @@ -461,7 +471,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:46 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:44 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/test-shadowing-2.fw.orig b/test/ipt/test-shadowing-2.fw.orig index 8ca858464..dc56ad16e 100755 --- a/test/ipt/test-shadowing-2.fw.orig +++ b/test/ipt/test-shadowing-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:49 2011 PST by vadim +# Generated Sun Feb 20 21:02:47 2011 PST by vadim # # files: * test-shadowing-2.fw /etc/test-shadowing-2.fw # @@ -322,6 +322,8 @@ script_body() { echo "Rule 0 (eth0)" # # shades rule below + # test-shadowing-2:Policy:0: error: Rule '0 (eth0)' shadows rule '1 (eth0)' below it + $IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 1 (eth0) @@ -336,6 +338,8 @@ script_body() { # # firewall is part # of any for this rule + # test-shadowing-2:Policy:2: error: Rule '2 (global)' shadows rule '3 (global)' below it + $IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT 
@@ -352,6 +356,8 @@ script_body() { # # this rule should shadow rule below it because # it uses IPService object with protocol 0 + # test-shadowing-2:Policy:4: error: Rule '4 (global)' shadows rule '5 (global)' below it + $IPTABLES -A FORWARD -p all -m state --state NEW -j ACCEPT # # Rule 5 (global) @@ -423,7 +429,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:49 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:47 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/test-shadowing-3.fw.orig b/test/ipt/test-shadowing-3.fw.orig index c38e50f24..0432dbbbf 100755 --- a/test/ipt/test-shadowing-3.fw.orig +++ b/test/ipt/test-shadowing-3.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:52 2011 PST by vadim +# Generated Sun Feb 20 21:02:51 2011 PST by vadim # # files: * test-shadowing-3.fw /etc/test-shadowing-3.fw # @@ -350,6 +350,8 @@ script_body() { echo "Rule Policy_3 0 (eth0)" # # 50/sec + # test-shadowing-3:Policy_3:0: error: Rule 'Policy_3 0 (eth0)' shadows rule 'Policy_3 1 (eth0)' below it + $IPTABLES -N Policy_3 $IPTABLES -A Policy_3 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 50/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT # @@ -396,6 +398,8 @@ script_body() { echo "Rule Policy_5 0 (eth0)" # # 50/sec + # test-shadowing-3:Policy_5:0: error: Rule 'Policy_5 0 (eth0)' shadows rule 'Policy_5 1 (eth0)' below it + $IPTABLES -N Policy_5 $IPTABLES -A Policy_5 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 50/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT # 
@@ -474,7 +478,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:52 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:51 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/test_fw.fw.orig b/test/ipt/test_fw.fw.orig index e54f35815..dea2c135d 100755 --- a/test/ipt/test_fw.fw.orig +++ b/test/ipt/test_fw.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:47 2011 PST by vadim +# Generated Sun Feb 20 21:02:45 2011 PST by vadim # # files: * test_fw.fw /etc/test_fw.fw # @@ -570,7 +570,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:47 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:45 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/vrrp_cluster_1_linux-1.fw.orig b/test/ipt/vrrp_cluster_1_linux-1.fw.orig index 20062a71b..96b30a922 100755 --- a/test/ipt/vrrp_cluster_1_linux-1.fw.orig +++ b/test/ipt/vrrp_cluster_1_linux-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:54 2011 PST by vadim +# Generated Sun Feb 20 21:02:52 2011 PST by vadim # # files: * vrrp_cluster_1_linux-1.fw /etc/vrrp_cluster_1_linux-1.fw # @@ -710,7 +710,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:54 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:52 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/vrrp_cluster_1_linux-2.fw.orig b/test/ipt/vrrp_cluster_1_linux-2.fw.orig index a2e281377..279abb0eb 100755 --- a/test/ipt/vrrp_cluster_1_linux-2.fw.orig +++ b/test/ipt/vrrp_cluster_1_linux-2.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:54 2011 PST by vadim +# Generated Sun Feb 20 21:02:52 2011 PST by vadim # # files: * vrrp_cluster_1_linux-2.fw /etc/vrrp_cluster_1_linux-2.fw # @@ -615,7 +615,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:54 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:52 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/vrrp_cluster_2_linux-1.fw.orig b/test/ipt/vrrp_cluster_2_linux-1.fw.orig index c17ca73a8..6752d0938 100755 --- a/test/ipt/vrrp_cluster_2_linux-1.fw.orig +++ b/test/ipt/vrrp_cluster_2_linux-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:54 2011 PST by vadim +# Generated Sun Feb 20 21:02:53 2011 PST by vadim # # files: * vrrp_cluster_2_linux-1.fw /etc/vrrp_cluster_2_linux-1.fw # @@ -642,7 +642,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:54 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:53 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/ipt/vrrp_cluster_2_linux-2.fw.orig b/test/ipt/vrrp_cluster_2_linux-2.fw.orig index 6e3f5de4d..d3e61b15a 100755 --- a/test/ipt/vrrp_cluster_2_linux-2.fw.orig +++ b/test/ipt/vrrp_cluster_2_linux-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:55 2011 PST by vadim +# Generated Sun Feb 20 21:02:53 2011 PST by vadim # # files: * vrrp_cluster_2_linux-2.fw /etc/vrrp_cluster_2_linux-2.fw # @@ -547,7 +547,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:55 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:53 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files 
diff --git a/test/ipt/vrrp_cluster_2_linux-3.fw.orig b/test/ipt/vrrp_cluster_2_linux-3.fw.orig index 7e4ffd5f5..01453f41b 100755 --- a/test/ipt/vrrp_cluster_2_linux-3.fw.orig +++ b/test/ipt/vrrp_cluster_2_linux-3.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_ipt v4.2.0.3483 # -# Generated Sun Feb 20 20:08:55 2011 PST by vadim +# Generated Sun Feb 20 21:02:53 2011 PST by vadim # # files: * vrrp_cluster_2_linux-3.fw /etc/vrrp_cluster_2_linux-3.fw # @@ -523,7 +523,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Sun Feb 20 20:08:55 2011 by vadim" + log "Activating firewall script generated Sun Feb 20 21:02:53 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files diff --git a/test/pf/firewall-base-rulesets.fw.orig b/test/pf/firewall-base-rulesets.fw.orig index 18d3a94d7..c64549bf8 100755 --- a/test/pf/firewall-base-rulesets.fw.orig +++ b/test/pf/firewall-base-rulesets.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:18 2011 PST by vadim +# Generated Sun Feb 20 21:16:40 2011 PST by vadim # # files: * firewall-base-rulesets.fw /etc/fw/firewall-base-rulesets.fw # files: firewall-base-rulesets.conf /etc/fw/firewall-base-rulesets.conf @@ -163,7 +163,7 @@ configure_interfaces() { update_addresses_of_interface "en2 192.168.100.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:18 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:40 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall-ipv6-1.conf.orig b/test/pf/firewall-ipv6-1.conf.orig index 256238a00..5fe45b730 100644 --- a/test/pf/firewall-ipv6-1.conf.orig +++ b/test/pf/firewall-ipv6-1.conf.orig 
@@ -32,13 +32,25 @@ pass quick on lo inet6 from any to any keep state label "RULE 0 -- ACCEPT " pass quick inet6 proto tcp from fe80::/64 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 1 -- ACCEPT " # # Rule 2 (global) +# firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it +# firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it +# firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it +# firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it + pass quick inet6 proto tcp from 2001:5c0:0:2::24 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 2 -- ACCEPT " # # Rule 3 (global) +# firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it +# firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it +# firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it +# firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it # firewall-ipv6-1:Policy:3: warning: Changing rule direction due to self reference + pass in log quick inet6 proto tcp from 3ffe:1200:2001:1:8000::1 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 3 -- ACCEPT " # # Rule 4 (global) +# firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it + pass log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 4 -- ACCEPT " # # Rule 5 (global) 
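Review bot: Rules 2, 3 and 4 are now pinned with `error:` diagnostics that exist only as `#` comments, while the `pass quick` lines they describe are still emitted right below them, so nothing in the file itself prevents it from being loaded despite the reported shadowing. Presumably this fixture comes from a compile mode that continues past errors; the hunk does not show that, and it deserves a line in the test documentation, for example `expected .orig files are built with errors reported inline instead of aborting the compile`. The same pattern is pinned in the firewall-ipv6-2.conf.orig and firewall.conf.orig hunks further down.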
@@ -46,10 +58,12 @@ pass log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 po # # Rule 6 (global) # firewall-ipv6-1:Policy:6: warning: Changing rule direction due to self reference + pass in log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 6 -- ACCEPT " # # Rule 7 (global) # firewall-ipv6-1:Policy:7: warning: Changing rule direction due to self reference + pass in log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 7 -- ACCEPT " # # Rule 8 (global) @@ -59,6 +73,8 @@ pass in log quick inet6 from any to fe80::21d:9ff:fe8b:8e94 keep state lab pass log quick inet6 from fe80::/64 to any keep state label "RULE 9 -- ACCEPT " # # Rule 10 (global) +# firewall-ipv6-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it + pass log quick inet6 from to any keep state label "RULE 10 -- ACCEPT " # # Rule 11 (global) diff --git a/test/pf/firewall-ipv6-1.fw.orig b/test/pf/firewall-ipv6-1.fw.orig index aba371477..01475e08e 100755 --- a/test/pf/firewall-ipv6-1.fw.orig +++ b/test/pf/firewall-ipv6-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:18 2011 PST by vadim +# Generated Sun Feb 20 21:16:40 2011 PST by vadim # # files: * firewall-ipv6-1.fw pf-ipv6.fw # files: firewall-ipv6-1.conf /etc/fw/pf-ipv6.conf @@ -175,7 +175,7 @@ configure_interfaces() { update_addresses_of_interface "lo ::1/128 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 20:10:18 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:40 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall-ipv6-2.conf.orig b/test/pf/firewall-ipv6-2.conf.orig index 6ae5d445a..ea447ea05 100644 --- a/test/pf/firewall-ipv6-2.conf.orig +++ b/test/pf/firewall-ipv6-2.conf.orig 
@@ -21,10 +21,13 @@ pass quick on lo inet from any to any keep state label "RULE 0 -- ACCEPT " pass log quick inet proto tcp from to 1.1.1.1 port 22 keep state label "RULE 4 -- ACCEPT " # # Rule 5 (global) +# firewall-ipv6-2:Policy:5: error: Rule '5 (global)' shadows rule '7 (global)' below it + pass log quick inet proto tcp from to 1.1.1.1 port 22 keep state label "RULE 5 -- ACCEPT " # # Rule 7 (global) # firewall-ipv6-2:Policy:7: warning: Changing rule direction due to self reference + pass in log quick inet proto tcp from to 1.1.1.1 port 22 keep state label "RULE 7 -- ACCEPT " # # Rule 8 (global) 
@@ -66,13 +69,25 @@ pass quick on lo inet6 from any to any keep state label "RULE 0 -- ACCEPT " pass quick inet6 proto tcp from fe80::/64 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 1 -- ACCEPT " # # Rule 2 (global) +# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it +# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it +# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it +# firewall-ipv6-2:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it + pass quick inet6 proto tcp from 2001:5c0:0:2::24 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 2 -- ACCEPT " # # Rule 3 (global) +# firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it +# firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it +# firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it +# firewall-ipv6-2:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it # firewall-ipv6-2:Policy:3: warning: Changing rule direction due to self reference + pass in log quick inet6 proto tcp from 3ffe:1200:2001:1:8000::1 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 3 -- ACCEPT " # # Rule 4 (global) +# firewall-ipv6-2:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it + pass log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 4 -- ACCEPT " # # Rule 5 (global) 
@@ -80,10 +95,12 @@ pass log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 p # # Rule 6 (global) # firewall-ipv6-2:Policy:6: warning: Changing rule direction due to self reference + pass in log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 6 -- ACCEPT " # # Rule 7 (global) # firewall-ipv6-2:Policy:7: warning: Changing rule direction due to self reference + pass in log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 7 -- ACCEPT " # # Rule 8 (global) @@ -93,6 +110,8 @@ pass in log quick inet6 from any to fe80::21d:9ff:fe8b:8e94 keep state lab pass log quick inet6 from fe80::/64 to any keep state label "RULE 9 -- ACCEPT " # # Rule 10 (global) +# firewall-ipv6-2:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it + pass log quick inet6 from to any keep state label "RULE 10 -- ACCEPT " # # Rule 11 (global) diff --git a/test/pf/firewall-ipv6-2.fw.orig b/test/pf/firewall-ipv6-2.fw.orig index 4a1930bb2..67643d0e1 100755 --- a/test/pf/firewall-ipv6-2.fw.orig +++ b/test/pf/firewall-ipv6-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:19 2011 PST by vadim +# Generated Sun Feb 20 21:16:42 2011 PST by vadim # # files: * firewall-ipv6-2.fw pf.fw # files: firewall-ipv6-2.conf pf.conf @@ -179,7 +179,7 @@ configure_interfaces() { update_addresses_of_interface "lo ::1/128 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 20:10:19 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:42 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall-ipv6-3.fw.orig b/test/pf/firewall-ipv6-3.fw.orig index b4116acde..a6972744d 100755 --- a/test/pf/firewall-ipv6-3.fw.orig +++ b/test/pf/firewall-ipv6-3.fw.orig 
@@ -3,7 +3,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:19 2011 PST by vadim +# Generated Sun Feb 20 21:16:42 2011 PST by vadim # # files: * firewall-ipv6-3.fw /etc/firewall-ipv6-3.fw # files: firewall-ipv6-3.conf /etc/firewall-ipv6-3.conf diff --git a/test/pf/firewall.conf.orig b/test/pf/firewall.conf.orig index 6fa85d9a2..7558d7183 100644 --- a/test/pf/firewall.conf.orig +++ b/test/pf/firewall.conf.orig @@ -67,6 +67,7 @@ block in log quick on eth1 inet from 192.168.1.0/24 to any label "RULE 2 - # Rule 3 (eth0) # комментарий по-русски, Проверяем конвертацию в Utf-8 # firewall:Policy:3: warning: Changing rule direction due to self reference + pass in quick on eth0 inet proto udp from 192.168.1.0/24 to port 53 keep state label "RULE 3 - ACCEPT" # # Rule 4 (eth0) @@ -105,7 +106,9 @@ pass quick inet from any to 192.168.1.10 keep state label "RULE 16 - ACCEPT" # # Rule 18 (global) # Automatically generated 'masquerading' rule +# firewall:Policy:18: error: Rule '18 (global)' shadows rule '21 (global)' below it # firewall:Policy:18: warning: Changing rule direction due to self reference + pass out quick inet from to any keep state label "RULE 18 - ACCEPT" pass quick inet from 192.168.1.0/24 to any keep state label "RULE 18 - ACCEPT" # @@ -117,6 +120,9 @@ pass quick inet proto {tcp udp icmp gre} from any to any keep state label # Rule 20 (global) # bug #2791950 "no way to generate "pass out" rule with no interface" # Interface field should be "any", direction "outbound" +# firewall:Policy:20: error: Rule '20 (global)' shadows rule '22 (global)' below it +# firewall:Policy:20: error: Rule '20 (global)' shadows rule '23 (global)' below it + pass out quick inet from any to any keep state label "RULE 20 - ACCEPT" # # Rule 21 (global) diff --git a/test/pf/firewall.fw.orig b/test/pf/firewall.fw.orig index 2d36f9164..54c1bfc41 100755 --- a/test/pf/firewall.fw.orig +++ b/test/pf/firewall.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:41 2011 PST by vadim +# Generated Sun Feb 20 21:16:04 2011 PST by vadim # # files: * firewall.fw /etc/pf.fw # files: firewall.conf /etc/pf.conf @@ -167,7 +167,7 @@ configure_interfaces() { update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 20:09:41 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:04 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall1.conf.orig b/test/pf/firewall1.conf.orig index d026b86fb..b15d4e962 100644 --- a/test/pf/firewall1.conf.orig +++ b/test/pf/firewall1.conf.orig @@ -142,6 +142,7 @@ block log quick inet proto icmp from ! to any icmp-type 3 # Rule 10 (global) # this rule is shaded by rule above. # firewall1:Policy:10: warning: Changing rule direction due to self reference + block in log quick inet proto icmp from ! to icmp-type 3 # # Rule 11 (global) @@ -165,6 +166,7 @@ pass quick inet from 192.168.1.0/24 to any keep state # # Rule 18 (global) # firewall1:Policy:18: warning: Changing rule direction due to self reference + pass in quick inet proto tcp from any to port 3128 keep state # # Rule 19 (eth0) diff --git a/test/pf/firewall1.fw.orig b/test/pf/firewall1.fw.orig index 1213d55d3..ceb913634 100755 --- a/test/pf/firewall1.fw.orig +++ b/test/pf/firewall1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:41 2011 PST by vadim +# Generated Sun Feb 20 21:16:05 2011 PST by vadim # # files: * firewall1.fw /etc/fw/firewall1.fw # files: firewall1.conf /etc/fw/firewall1.conf @@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:41 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:05 2011 by vadim" set_kernel_vars configure_interfaces 
diff --git a/test/pf/firewall10-1.fw.orig b/test/pf/firewall10-1.fw.orig index ca29e9f40..b0d956364 100755 --- a/test/pf/firewall10-1.fw.orig +++ b/test/pf/firewall10-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:43 2011 PST by vadim +# Generated Sun Feb 20 21:16:06 2011 PST by vadim # # files: * firewall10-1.fw /etc/fw/firewall10-1.fw # files: firewall10-1.conf /etc/fw/firewall10-1.conf @@ -74,7 +74,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:43 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:06 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall10-2.fw.orig b/test/pf/firewall10-2.fw.orig index 7785bde07..ab5032314 100755 --- a/test/pf/firewall10-2.fw.orig +++ b/test/pf/firewall10-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:44 2011 PST by vadim +# Generated Sun Feb 20 21:16:07 2011 PST by vadim # # files: * firewall10-2.fw /etc/fw/firewall10-2.fw # files: firewall10-2.conf /etc/fw/firewall10-2.conf @@ -74,7 +74,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:44 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:07 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall10-3.fw.orig b/test/pf/firewall10-3.fw.orig index 39d1d7dce..aca663546 100755 --- a/test/pf/firewall10-3.fw.orig +++ b/test/pf/firewall10-3.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:46 2011 PST by vadim +# Generated Sun Feb 20 21:16:09 2011 PST by vadim # # files: * firewall10-3.fw /etc/fw/firewall10-3.fw # files: firewall10-3.conf /etc/fw/firewall10-3.conf 
@@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:46 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:09 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall10-4.fw.orig b/test/pf/firewall10-4.fw.orig index 8e97d890a..a9a8b7cf6 100755 --- a/test/pf/firewall10-4.fw.orig +++ b/test/pf/firewall10-4.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:48 2011 PST by vadim +# Generated Sun Feb 20 21:16:11 2011 PST by vadim # # files: * firewall10-4.fw /etc/fw/firewall10-4.fw # files: firewall10-4.conf /etc/fw/firewall10-4.conf @@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:48 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:11 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall10-5.fw.orig b/test/pf/firewall10-5.fw.orig index 2d61edc87..a4f1f5c83 100755 --- a/test/pf/firewall10-5.fw.orig +++ b/test/pf/firewall10-5.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:50 2011 PST by vadim +# Generated Sun Feb 20 21:16:13 2011 PST by vadim # # files: * firewall10-5.fw /etc/fw/firewall10-5.fw # files: firewall10-5.conf /etc/fw/firewall10-5.conf @@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:50 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:13 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall10-6.fw.orig b/test/pf/firewall10-6.fw.orig index 5d26287cd..4c12edc2e 100755 --- a/test/pf/firewall10-6.fw.orig +++ b/test/pf/firewall10-6.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:51 2011 PST by vadim +# Generated Sun Feb 20 21:16:14 2011 PST by vadim # # files: * firewall10-6.fw /etc/fw/firewall10-6.fw # files: firewall10-6.conf /etc/fw/firewall10-6.conf @@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:51 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:14 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall100.fw.orig b/test/pf/firewall100.fw.orig index 2c0cebf34..df3029390 100755 --- a/test/pf/firewall100.fw.orig +++ b/test/pf/firewall100.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:42 2011 PST by vadim +# Generated Sun Feb 20 21:16:05 2011 PST by vadim # # files: * firewall100.fw /etc/fw/pf.fw # files: firewall100.conf /etc/fw/path\ with\ space/pf.conf @@ -161,7 +161,7 @@ configure_interfaces() { update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:09:42 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:05 2011 by vadim" set_kernel_vars configure_interfaces @@ -234,7 +234,9 @@ echo "Routing rule 1 (main)" # # empty rule # +# firewall100:Routing:1: error: Gateway and interface are both empty in the rule # firewall100:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for openbsd + route add default || route_command_error "1 (main)" # 
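Review bot: Under routing rule 1 of firewall100.fw.orig (hunk -234,7) the expected script keeps `route add default || route_command_error "1 (main)"`, a default route with no gateway, directly below the newly printed error that gateway and interface are both empty. The error line was absent from the old fixture, so this hunk pins a message that used to be lost as well as the de-duplication. If generating the command for such a rule is intended only for this test setup, the rule's comment in the test data could say so, e.g. `empty rule: error expected, command still generated`. The firewall101.fw.orig hunk at -237,7 pins the same output.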
@@ -256,6 +258,8 @@ route add 22.22.22.0/24 10.1.1.1 || route_command_error "3 (main)" # echo "Routing rule 4 (main)" # +# firewall100:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning + route add 33.33.33.0/24 10.1.1.1 || route_command_error "4 (main)" diff --git a/test/pf/firewall101.fw.orig b/test/pf/firewall101.fw.orig index 5556ec55a..a28e4db1d 100755 --- a/test/pf/firewall101.fw.orig +++ b/test/pf/firewall101.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:43 2011 PST by vadim +# Generated Sun Feb 20 21:16:06 2011 PST by vadim # # files: * firewall101.fw /etc/fw/pf.fw # files: firewall101.conf /etc/fw/path\ with\ space/pf.conf @@ -164,7 +164,7 @@ configure_interfaces() { update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:09:43 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:06 2011 by vadim" set_kernel_vars configure_interfaces @@ -237,7 +237,9 @@ echo "Routing rule 1 (main)" # # empty rule # +# firewall101:Routing:1: error: Gateway and interface are both empty in the rule # firewall101:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for freebsd + route add default || route_command_error "1 (main)" # @@ -259,6 +261,8 @@ route add 22.22.22.0/24 10.1.1.1 || route_command_error "3 (main)" # echo "Routing rule 4 (main)" # +# firewall101:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning + route add 33.33.33.0/24 10.1.1.1 || route_command_error "4 (main)" diff --git a/test/pf/firewall102.fw.orig b/test/pf/firewall102.fw.orig index f27faf0cc..c43ade68f 100755 
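Review bot: The warning newly pinned under routing rule 4 (firewall100.fw.orig, hunk -256,6) says the commands from rules 3 and 4 are identical and the second is skipped, yet `route add 33.33.33.0/24 10.1.1.1` is still emitted and differs from the `route add 22.22.22.0/24 10.1.1.1` shown for rule 3 in the hunk header. Possibly rule 4 expands to several destinations and only a duplicate one was dropped; the hunk does not show that. If so, the message would be easier to act on if it named what was dropped, e.g. `... are identical (<skipped command>), skipping the second`. The firewall101.fw.orig hunk at -259,6 pins the same text.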
--- a/test/pf/firewall102.fw.orig +++ b/test/pf/firewall102.fw.orig @@ -3,7 +3,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:44 2011 PST by vadim +# Generated Sun Feb 20 21:16:07 2011 PST by vadim # # files: * firewall102.fw /etc/fw/pf.fw # files: firewall102.conf /etc/fw/path\ with\ space/pf.conf diff --git a/test/pf/firewall103-1.fw.orig b/test/pf/firewall103-1.fw.orig index 7665534f9..b24c93a6c 100755 --- a/test/pf/firewall103-1.fw.orig +++ b/test/pf/firewall103-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:46 2011 PST by vadim +# Generated Sun Feb 20 21:16:09 2011 PST by vadim # # files: * firewall103-1.fw /etc/fw/pf.fw # files: firewall103-1.conf /etc/fw/path\ with\ space/pf.conf @@ -388,7 +388,7 @@ configure_interfaces() { update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:09:46 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:09 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall103-2.fw.orig b/test/pf/firewall103-2.fw.orig index 4473a9ddc..38c314510 100755 --- a/test/pf/firewall103-2.fw.orig +++ b/test/pf/firewall103-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:47 2011 PST by vadim +# Generated Sun Feb 20 21:16:10 2011 PST by vadim # # files: * firewall103-2.fw /etc/fw/pf.fw # files: firewall103-2.conf /etc/fw/path\ with\ space/pf.conf @@ -388,7 +388,7 @@ configure_interfaces() { update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:09:47 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:10 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall103.fw.orig b/test/pf/firewall103.fw.orig index 804e68775..36c0e61d6 100755 --- a/test/pf/firewall103.fw.orig 
+++ b/test/pf/firewall103.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:45 2011 PST by vadim +# Generated Sun Feb 20 21:16:08 2011 PST by vadim # # files: * firewall103.fw /etc/fw/pf.fw # files: firewall103.conf /etc/fw/path\ with\ space/pf.conf @@ -391,7 +391,7 @@ configure_interfaces() { update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:09:45 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:08 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall104-1.fw.orig b/test/pf/firewall104-1.fw.orig index 2c17b1ace..8ea764330 100755 --- a/test/pf/firewall104-1.fw.orig +++ b/test/pf/firewall104-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:49 2011 PST by vadim +# Generated Sun Feb 20 21:16:11 2011 PST by vadim # # files: * firewall104-1.fw /etc/fw/pf.fw # files: firewall104-1.conf /etc/fw/path\ with\ space/pf.conf @@ -387,7 +387,7 @@ configure_interfaces() { $IFCONFIG bridge0 -stp em3 } -log "Activating firewall script generated Sun Feb 20 20:09:49 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:11 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall104.fw.orig b/test/pf/firewall104.fw.orig index 3d7749b67..00640a13b 100755 --- a/test/pf/firewall104.fw.orig +++ b/test/pf/firewall104.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:47 2011 PST by vadim +# Generated Sun Feb 20 21:16:10 2011 PST by vadim # # files: * firewall104.fw /etc/fw/pf.fw # files: firewall104.conf /etc/fw/path\ with\ space/pf.conf 
@@ -390,7 +390,7 @@ configure_interfaces() { $IFCONFIG bridge0 stp em3 } -log "Activating firewall script generated Sun Feb 20 20:09:47 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:10 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall105.fw.orig b/test/pf/firewall105.fw.orig index 115ec3693..f689efa4b 100755 --- a/test/pf/firewall105.fw.orig +++ b/test/pf/firewall105.fw.orig @@ -3,7 +3,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:49 2011 PST by vadim +# Generated Sun Feb 20 21:16:12 2011 PST by vadim # # files: * firewall105.fw /etc/fw/pf.fw # files: firewall105.conf /etc/fw/path\ with\ space/pf.conf diff --git a/test/pf/firewall106.fw.orig b/test/pf/firewall106.fw.orig index fcebb3766..5abec0d03 100755 --- a/test/pf/firewall106.fw.orig +++ b/test/pf/firewall106.fw.orig @@ -3,7 +3,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:50 2011 PST by vadim +# Generated Sun Feb 20 21:16:13 2011 PST by vadim # # files: * firewall106.fw /etc/fw/pf.fw # files: firewall106.conf /etc/fw/path\ with\ space/pf.conf diff --git a/test/pf/firewall107.fw.orig b/test/pf/firewall107.fw.orig index 4b8d7aa66..21c05475b 100755 --- a/test/pf/firewall107.fw.orig +++ b/test/pf/firewall107.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:51 2011 PST by vadim +# Generated Sun Feb 20 21:16:14 2011 PST by vadim # # files: * firewall107.fw /etc/fw/pf.fw # files: firewall107.conf /etc/fw/path\ with\ space/pf.conf @@ -389,7 +389,7 @@ configure_interfaces() { update_addresses_of_interface "vlan102 192.168.102.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:09:51 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:14 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall108.fw.orig b/test/pf/firewall108.fw.orig index 98d723112..2a58fc055 100755 
--- a/test/pf/firewall108.fw.orig +++ b/test/pf/firewall108.fw.orig @@ -3,7 +3,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:52 2011 PST by vadim +# Generated Sun Feb 20 21:16:15 2011 PST by vadim # # files: * firewall108.fw /etc/fw/pf.fw # files: firewall108.conf /etc/fw/path\ with\ space/pf.conf diff --git a/test/pf/firewall109-1.fw.orig b/test/pf/firewall109-1.fw.orig index 30369b085..21ef1a106 100755 --- a/test/pf/firewall109-1.fw.orig +++ b/test/pf/firewall109-1.fw.orig @@ -3,7 +3,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:53 2011 PST by vadim +# Generated Sun Feb 20 21:16:16 2011 PST by vadim # # files: * firewall109-1.fw /etc/fw/pf.fw # files: firewall109-1.conf /etc/fw/path\ with\ space/pf.conf diff --git a/test/pf/firewall109-2.fw.orig b/test/pf/firewall109-2.fw.orig index 0a4437e6e..03e92483b 100755 --- a/test/pf/firewall109-2.fw.orig +++ b/test/pf/firewall109-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:54 2011 PST by vadim +# Generated Sun Feb 20 21:16:17 2011 PST by vadim # # files: * firewall109-2.fw /etc/fw/pf.fw # files: firewall109-2.conf /etc/fw/path\ with\ space/pf.conf @@ -394,7 +394,7 @@ configure_interfaces() { update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:09:54 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:17 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall109-3.fw.orig b/test/pf/firewall109-3.fw.orig index e73094ed0..321f6878c 100755 --- a/test/pf/firewall109-3.fw.orig +++ b/test/pf/firewall109-3.fw.orig @@ -3,7 +3,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:55 2011 PST by vadim +# Generated Sun Feb 20 21:16:17 2011 PST by vadim # # files: * firewall109-3.fw /etc/fw/pf.fw # files: firewall109-3.conf /etc/fw/path\ with\ space/pf.conf 
diff --git a/test/pf/firewall109.fw.orig b/test/pf/firewall109.fw.orig index b0c4bf90e..ba1256268 100755 --- a/test/pf/firewall109.fw.orig +++ b/test/pf/firewall109.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:53 2011 PST by vadim +# Generated Sun Feb 20 21:16:16 2011 PST by vadim # # files: * firewall109.fw /etc/fw/pf.fw # files: firewall109.conf /etc/fw/path\ with\ space/pf.conf @@ -395,7 +395,7 @@ configure_interfaces() { update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:09:53 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:16 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall11.conf.orig b/test/pf/firewall11.conf.orig index e7800d61a..e26e2d41f 100644 --- a/test/pf/firewall11.conf.orig +++ b/test/pf/firewall11.conf.orig @@ -13,10 +13,12 @@ table { 192.168.1.0/24 , 192.168.2.0/24 } # # Rule 0 (global) # firewall11:Policy:0: warning: Changing rule direction due to self reference + pass in quick inet proto tcp from to port 22 flags S/SA keep state # # Rule 1 (global) # firewall11:Policy:1: warning: Changing rule direction due to self reference + block in quick inet from any to # # Rule 2 (global) diff --git a/test/pf/firewall11.fw.orig b/test/pf/firewall11.fw.orig index 3d002199b..7201247cd 100755 --- a/test/pf/firewall11.fw.orig +++ b/test/pf/firewall11.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:55 2011 PST by vadim +# Generated Sun Feb 20 21:16:18 2011 PST by vadim # # files: * firewall11.fw /etc/firewall11.fw # files: firewall11.conf /etc/firewall11.conf @@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:55 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:18 2011 by vadim" set_kernel_vars configure_interfaces 
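Review bot: In the firewall11.conf.orig hunk the regenerated expectation puts an empty line between each `# firewall11:Policy:N: warning: …` comment and the `pass`/`block` line it describes, so the diagnostic no longer sits directly on its rule. Someone auditing the generated pf.conf matches warnings to rules by adjacency, and the gap is harder to read where one rule expands to several lines. If the blank line is not intended (it may come from the writer appending a newline to a message block that already ends in one), the expected output should keep `# firewall11:Policy:0: warning: Changing rule direction due to self reference` immediately above `pass in quick …`. The same pattern is pinned by the other .conf.orig hunks of this commit that are visible here (firewall13, firewall2, firewall21, firewall22, firewall3, firewall33, firewall4, firewall41, firewall6, firewall62, firewall70).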
diff --git a/test/pf/firewall110.conf.orig b/test/pf/firewall110.conf.orig index 0551ed8be..e1467fdc4 100644 --- a/test/pf/firewall110.conf.orig +++ b/test/pf/firewall110.conf.orig @@ -13,6 +13,8 @@ scrub in all fragment reassemble pass inet from any to any tag tag2 # # Rule 1 (global) +# firewall110:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it + pass quick inet from any to any keep state queue ssh_q # # Rule 2 (global) diff --git a/test/pf/firewall110.fw.orig b/test/pf/firewall110.fw.orig index 622b84e87..a68306bfd 100755 --- a/test/pf/firewall110.fw.orig +++ b/test/pf/firewall110.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:56 2011 PST by vadim +# Generated Sun Feb 20 21:16:19 2011 PST by vadim # # files: * firewall110.fw /etc/fw/firewall110.fw # files: firewall110.conf /etc/fw/firewall110.conf @@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:56 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:19 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall12.fw.orig b/test/pf/firewall12.fw.orig index d8674888b..9e498722d 100755 --- a/test/pf/firewall12.fw.orig +++ b/test/pf/firewall12.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:56 2011 PST by vadim +# Generated Sun Feb 20 21:16:19 2011 PST by vadim # # files: * firewall12.fw /etc/fw/firewall12.fw # files: firewall12.conf /etc/fw/firewall12.conf @@ -159,7 +159,7 @@ configure_interfaces() { update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 20:09:56 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:19 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall13.conf.orig b/test/pf/firewall13.conf.orig index e294f3539..348f7de63 100644 --- a/test/pf/firewall13.conf.orig 
+++ b/test/pf/firewall13.conf.orig @@ -12,6 +12,7 @@ # # Rule 1 (NAT) # firewall13:NAT:1: warning: Empty group or address table object 'egroup' + rdr proto tcp from 200.200.200.200 to 22.22.22.23 port 6667 -> 192.168.1.10 port 6667 # Policy compiler errors and warnings: @@ -22,6 +23,7 @@ rdr proto tcp from 200.200.200.200 to 22.22.22.23 port 6667 -> 192.168.1.10 port # # Rule 0 (global) # firewall13:Policy:0: warning: Empty group or address table object 'egroup2' + pass quick inet from 200.200.200.200 to 192.168.1.10 keep state # # Rule 2 (global) diff --git a/test/pf/firewall13.fw.orig b/test/pf/firewall13.fw.orig index b536a7e34..a362afdb5 100755 --- a/test/pf/firewall13.fw.orig +++ b/test/pf/firewall13.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:57 2011 PST by vadim +# Generated Sun Feb 20 21:16:20 2011 PST by vadim # # files: * firewall13.fw /etc/fw/firewall13.fw # files: firewall13.conf /etc/fw/firewall13.conf @@ -88,7 +88,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:57 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:20 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall14-1.fw.orig b/test/pf/firewall14-1.fw.orig index 4a653fb68..7d7e23e83 100755 --- a/test/pf/firewall14-1.fw.orig +++ b/test/pf/firewall14-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:58 2011 PST by vadim +# Generated Sun Feb 20 21:16:21 2011 PST by vadim # # files: * firewall14-1.fw /etc/firewall14-1.fw # files: firewall14-1.conf /etc/firewall14-1.conf @@ -242,7 +242,7 @@ configure_interfaces() { update_addresses_of_interface "vlan103 10.100.103.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:09:58 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:21 2011 by vadim" set_kernel_vars configure_interfaces 
diff --git a/test/pf/firewall14.fw.orig b/test/pf/firewall14.fw.orig index b0885cb92..1b67ee12b 100755 --- a/test/pf/firewall14.fw.orig +++ b/test/pf/firewall14.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:57 2011 PST by vadim +# Generated Sun Feb 20 21:16:20 2011 PST by vadim # # files: * firewall14.fw /etc/firewall14.fw # files: firewall14.conf /etc/firewall14.conf @@ -242,7 +242,7 @@ configure_interfaces() { update_addresses_of_interface "vlan103 10.100.103.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:09:57 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:20 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall2-1.conf.orig b/test/pf/firewall2-1.conf.orig index 5b9950b51..9dcca5ef2 100644 --- a/test/pf/firewall2-1.conf.orig +++ b/test/pf/firewall2-1.conf.orig @@ -61,6 +61,7 @@ nat proto {tcp udp icmp} from 192.168.1.0/24 to any -> 22.22.22.0/28 # # Rule 17 (NAT) # firewall2-1:NAT:17: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' + nat-anchor "NAT" proto tcp from 192.168.1.0/24 to any port 1080 rdr-anchor "NAT" proto tcp from 192.168.1.0/24 to any port 1080 diff --git a/test/pf/firewall2-1.fw.orig b/test/pf/firewall2-1.fw.orig index b8ec1b8ed..ad2400249 100755 --- a/test/pf/firewall2-1.fw.orig +++ b/test/pf/firewall2-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:00 2011 PST by vadim +# Generated Sun Feb 20 21:16:23 2011 PST by vadim # # files: * firewall2-1.fw /etc/fw/firewall2-1.fw # files: firewall2-1.conf /etc/fw/firewall2-1.conf @@ -88,7 +88,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:00 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:23 2011 by vadim" set_kernel_vars configure_interfaces 
diff --git a/test/pf/firewall2-6.fw.orig b/test/pf/firewall2-6.fw.orig index d554bf506..00394f656 100755 --- a/test/pf/firewall2-6.fw.orig +++ b/test/pf/firewall2-6.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:02 2011 PST by vadim +# Generated Sun Feb 20 21:16:24 2011 PST by vadim # # files: * firewall2-6.fw /etc/firewall2-6.fw # files: firewall2-6.conf /etc/firewall2-6.conf @@ -164,7 +164,7 @@ configure_interfaces() { update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 20:10:02 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:24 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall2.conf.orig b/test/pf/firewall2.conf.orig index c1662c5af..5fd064f72 100644 --- a/test/pf/firewall2.conf.orig +++ b/test/pf/firewall2.conf.orig @@ -203,6 +203,7 @@ pass quick inet from 192.168.1.0/24 to any keep state label "RULE 10 - ACCEP # # Rule 12 (global) # firewall2:Policy:12: warning: Changing rule direction due to self reference + pass in quick inet proto tcp from any to port { 21, 80, 25 } keep state label "RULE 12 - ACCEPT **" pass quick inet proto tcp from any to 192.168.1.10 port { 21, 80, 25 } keep state label "RULE 12 - ACCEPT **" # diff --git a/test/pf/firewall2.fw.orig b/test/pf/firewall2.fw.orig index 74a0e260a..152a73448 100755 --- a/test/pf/firewall2.fw.orig +++ b/test/pf/firewall2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:59 2011 PST by vadim +# Generated Sun Feb 20 21:16:22 2011 PST by vadim # # files: * firewall2.fw /etc/fw/firewall2.fw # files: firewall2.conf /etc/fw/firewall2.conf @@ -73,7 +73,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:59 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:22 2011 by vadim" set_kernel_vars configure_interfaces 
diff --git a/test/pf/firewall20.fw.orig b/test/pf/firewall20.fw.orig index 25ce72497..6e22675be 100755 --- a/test/pf/firewall20.fw.orig +++ b/test/pf/firewall20.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:09:59 2011 PST by vadim +# Generated Sun Feb 20 21:16:22 2011 PST by vadim # # files: * firewall20.fw /etc/fw/firewall20.fw # files: firewall20.conf /etc/fw/firewall20.conf @@ -73,7 +73,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:09:59 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:22 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall21.conf.orig b/test/pf/firewall21.conf.orig index d58106e51..4aadeb27c 100644 --- a/test/pf/firewall21.conf.orig +++ b/test/pf/firewall21.conf.orig @@ -17,6 +17,7 @@ rdr-anchor "NAT_1" proto {tcp udp icmp} from 192.168.1.0/24 to any # # Rule 3 (NAT) # firewall21:NAT:3: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' + nat-anchor "NAT_1" proto {tcp udp icmp} from 192.168.1.0/24 to any rdr-anchor "NAT_1" proto {tcp udp icmp} from 192.168.1.0/24 to any diff --git a/test/pf/firewall21.fw.orig b/test/pf/firewall21.fw.orig index bb7eba335..cf741c078 100755 --- a/test/pf/firewall21.fw.orig +++ b/test/pf/firewall21.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:00 2011 PST by vadim +# Generated Sun Feb 20 21:16:23 2011 PST by vadim # # files: * firewall21.fw /etc/fw/firewall21.fw # files: firewall21.conf /etc/fw/firewall21.conf @@ -81,7 +81,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:00 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:23 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall22.conf.orig b/test/pf/firewall22.conf.orig index 074d91738..1501b5f07 100644 --- a/test/pf/firewall22.conf.orig 
+++ b/test/pf/firewall22.conf.orig @@ -19,6 +19,7 @@ rdr-anchor "NAT_1" proto {tcp udp icmp} from 192.168.1.0/24 to any # # Rule 2 (NAT) # firewall22:NAT:2: warning: Translated Src, Dst and Srv are ignored in the NAT rule with action 'Branch' + nat-anchor "NAT_1" proto {tcp udp icmp} from 192.168.1.0/24 to any rdr-anchor "NAT_1" proto {tcp udp icmp} from 192.168.1.0/24 to any diff --git a/test/pf/firewall22.fw.orig b/test/pf/firewall22.fw.orig index 3082e4552..c701a9919 100755 --- a/test/pf/firewall22.fw.orig +++ b/test/pf/firewall22.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:01 2011 PST by vadim +# Generated Sun Feb 20 21:16:24 2011 PST by vadim # # files: * firewall22.fw /etc/fw/firewall22.fw # files: firewall22.conf /etc/fw/firewall22.conf @@ -80,7 +80,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:01 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:24 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall3.conf.orig b/test/pf/firewall3.conf.orig index 67c4d1741..f68efdd8d 100644 --- a/test/pf/firewall3.conf.orig +++ b/test/pf/firewall3.conf.orig @@ -44,6 +44,7 @@ rdr proto {tcp udp icmp} from any to 22.22.22.21 -> { 192.168.1.10 , 192.168.1.2 # All other attempts to connect to # the firewall are denied and logged # firewall3:Policy:0: warning: Changing rule direction due to self reference + block in log quick inet from any to label "RULE 0 -- DROP " # # Rule 1 (global) diff --git a/test/pf/firewall3.fw.orig b/test/pf/firewall3.fw.orig index 260eaca54..88f497fdc 100755 --- a/test/pf/firewall3.fw.orig +++ b/test/pf/firewall3.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:03 2011 PST by vadim +# Generated Sun Feb 20 21:16:25 2011 PST by vadim # # files: * firewall3.fw /etc/firewall3.fw # files: firewall3.conf /etc/firewall3.conf 
@@ -159,7 +159,7 @@ configure_interfaces() { update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 20:10:03 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:25 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall33.conf.orig b/test/pf/firewall33.conf.orig index 2e6d8dfb9..4ca33ac63 100644 --- a/test/pf/firewall33.conf.orig +++ b/test/pf/firewall33.conf.orig @@ -33,6 +33,7 @@ pass quick inet from www.cnn.com to any keep state label "RULE 1 -- ACCEPT o # # Rule 2 (global) # firewall33:Policy:2: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode + pass quick inet from 192.0.2.1 to any keep state label "RULE 2 -- ACCEPT on global " # # Rule 3 (global) @@ -46,6 +47,7 @@ block quick inet from any to ! www.cnn.com label "RULE 5 -- DROP on global " # # Rule 6 (global) # firewall33:Policy:6: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode + pass quick inet from any to ! 192.0.2.1 keep state label "RULE 6 -- ACCEPT on global " # # Rule 7 (global) diff --git a/test/pf/firewall33.fw.orig b/test/pf/firewall33.fw.orig index ed96210b7..9502a50bd 100755 --- a/test/pf/firewall33.fw.orig +++ b/test/pf/firewall33.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:03 2011 PST by vadim +# Generated Sun Feb 20 21:16:26 2011 PST by vadim # # files: * firewall33.fw /etc/fw/firewall33.fw # files: firewall33.conf /etc/fw/firewall33.conf 
@@ -162,7 +162,7 @@ configure_interfaces() { update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 20:10:03 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:26 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall34.fw.orig b/test/pf/firewall34.fw.orig index 738ede56d..27553c208 100755 --- a/test/pf/firewall34.fw.orig +++ b/test/pf/firewall34.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:04 2011 PST by vadim +# Generated Sun Feb 20 21:16:27 2011 PST by vadim # # files: * firewall34.fw /etc/fw/firewall34.fw # files: firewall34.conf /etc/fw/firewall34.conf @@ -158,7 +158,7 @@ configure_interfaces() { update_addresses_of_interface "lo 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 20:10:04 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:27 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall38.fw.orig b/test/pf/firewall38.fw.orig index 3abfd94ab..881711a78 100755 --- a/test/pf/firewall38.fw.orig +++ b/test/pf/firewall38.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:04 2011 PST by vadim +# Generated Sun Feb 20 21:16:27 2011 PST by vadim # # files: * firewall38.fw /etc/fw/firewall38.fw # files: firewall38.conf /etc/fw/firewall38.conf @@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:04 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:27 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall39-rule2_branch.conf.orig b/test/pf/firewall39-rule2_branch.conf.orig index 7e3416319..ee5f7ddd4 100644 --- a/test/pf/firewall39-rule2_branch.conf.orig +++ b/test/pf/firewall39-rule2_branch.conf.orig 
@@ -7,6 +7,7 @@ table { 192.168.1.1 , 192.168.2.1 } # # Rule rule2_branch 0 (global) # firewall39:rule2_branch:0: warning: Changing rule direction due to self reference + pass in quick inet from any to keep state # # Rule rule2_branch 1 (global) diff --git a/test/pf/firewall39.fw.orig b/test/pf/firewall39.fw.orig index bf5d6cc53..04d417ba4 100755 --- a/test/pf/firewall39.fw.orig +++ b/test/pf/firewall39.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:06 2011 PST by vadim +# Generated Sun Feb 20 21:16:28 2011 PST by vadim # # files: * firewall39.fw pf.fw # files: firewall39.conf pf.conf @@ -79,7 +79,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:06 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:28 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall4.conf.orig b/test/pf/firewall4.conf.orig index f08fe2606..a041e4170 100644 --- a/test/pf/firewall4.conf.orig +++ b/test/pf/firewall4.conf.orig @@ -72,6 +72,7 @@ pass log quick inet proto icmp from any to 192.168.1.1 icmp-type 8 code 0 k # # Rule 6 (global) # firewall4:Policy:6: warning: Changing rule direction due to self reference + block in log quick inet proto icmp from ! to icmp-type 3 # # Rule 7 (global) diff --git a/test/pf/firewall4.fw.orig b/test/pf/firewall4.fw.orig index 8d86ae824..75067327c 100755 --- a/test/pf/firewall4.fw.orig +++ b/test/pf/firewall4.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:06 2011 PST by vadim +# Generated Sun Feb 20 21:16:28 2011 PST by vadim # # files: * firewall4.fw pf.fw # files: firewall4.conf /etc/fw/pf.conf @@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:06 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:28 2011 by vadim" set_kernel_vars configure_interfaces 
diff --git a/test/pf/firewall40-1.fw.orig b/test/pf/firewall40-1.fw.orig index dcb94bc15..fa3217344 100755 --- a/test/pf/firewall40-1.fw.orig +++ b/test/pf/firewall40-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:08 2011 PST by vadim +# Generated Sun Feb 20 21:16:30 2011 PST by vadim # # files: * firewall40-1.fw /etc/firewall40-1.fw # files: firewall40-1.conf /etc/firewall40-1.conf @@ -176,7 +176,7 @@ configure_interfaces() { update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 20:10:08 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:30 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall40.fw.orig b/test/pf/firewall40.fw.orig index 059bb344b..cebf3b80d 100755 --- a/test/pf/firewall40.fw.orig +++ b/test/pf/firewall40.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:07 2011 PST by vadim +# Generated Sun Feb 20 21:16:29 2011 PST by vadim # # files: * firewall40.fw /etc/firewall40.fw # files: firewall40.conf /etc/firewall40.conf @@ -160,7 +160,7 @@ configure_interfaces() { update_addresses_of_interface "lo0 127.0.0.1/0xff000000" "" } -log "Activating firewall script generated Sun Feb 20 20:10:07 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:29 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall41.conf.orig b/test/pf/firewall41.conf.orig index 0ee625c5e..c8bca35c1 100644 --- a/test/pf/firewall41.conf.orig +++ b/test/pf/firewall41.conf.orig @@ -25,6 +25,7 @@ pass out log quick inet from to keep state label "RUL # # Rule 3 (global) # firewall41:Policy:3: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode + pass out log quick inet from to 192.0.2.0/24 keep state label "RULE 3 -- ACCEPT " # # Rule 4 (global) 
diff --git a/test/pf/firewall41.fw.orig b/test/pf/firewall41.fw.orig index b832dcf17..7e6d15b2a 100755 --- a/test/pf/firewall41.fw.orig +++ b/test/pf/firewall41.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:08 2011 PST by vadim +# Generated Sun Feb 20 21:16:31 2011 PST by vadim # # files: * firewall41.fw /etc/firewall41.fw # files: firewall41.conf /etc/firewall41.conf @@ -163,7 +163,7 @@ configure_interfaces() { update_addresses_of_interface "eth1 2.2.2.2/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:08 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:31 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall5.fw.orig b/test/pf/firewall5.fw.orig index 466e3c4de..6a0dcd4d8 100755 --- a/test/pf/firewall5.fw.orig +++ b/test/pf/firewall5.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:09 2011 PST by vadim +# Generated Sun Feb 20 21:16:31 2011 PST by vadim # # files: * firewall5.fw /etc/fw/firewall5.fw # files: firewall5.conf /etc/fw/firewall5.conf @@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:09 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:31 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall51.fw.orig b/test/pf/firewall51.fw.orig index 7f4a36bfb..07dfc26a4 100755 --- a/test/pf/firewall51.fw.orig +++ b/test/pf/firewall51.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:10 2011 PST by vadim +# Generated Sun Feb 20 21:16:32 2011 PST by vadim # # files: * firewall51.fw /etc/fw/firewall51.fw # files: firewall51.conf /etc/fw/firewall51.conf 
@@ -80,7 +80,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:10 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:32 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall6.conf.orig b/test/pf/firewall6.conf.orig index 67e33970a..1ae8eb5d7 100644 --- a/test/pf/firewall6.conf.orig +++ b/test/pf/firewall6.conf.orig @@ -13,6 +13,7 @@ block in log quick on eth1 inet from any to ! # # Rule 1 (global) # firewall6:Policy:1: warning: Changing rule direction due to self reference + block in quick inet from any to ! # # Rule fallback rule diff --git a/test/pf/firewall6.fw.orig b/test/pf/firewall6.fw.orig index c6090a31f..e4df3356c 100755 --- a/test/pf/firewall6.fw.orig +++ b/test/pf/firewall6.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:10 2011 PST by vadim +# Generated Sun Feb 20 21:16:32 2011 PST by vadim # # files: * firewall6.fw /etc/fw/firewall6.fw # files: firewall6.conf /etc/fw/firewall6.conf @@ -73,7 +73,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:10 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:32 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall62.conf.orig b/test/pf/firewall62.conf.orig index 171b0f049..a3a55261c 100644 --- a/test/pf/firewall62.conf.orig +++ b/test/pf/firewall62.conf.orig 
@@ -37,21 +37,31 @@ table { 192.168.1.1 , 222.222.222.222 } pass in quick on en0 inet from any to any user proxy label "RULE 0 -- ACCEPT " # # Rule 1 (global) +# firewall62:Policy:1: error: Rule '1 (global)' shadows rule '2 (global)' below it +# firewall62:Policy:1: error: Rule '1 (global)' shadows rule '3 (global)' below it +# firewall62:Policy:1: error: Rule '1 (global)' shadows rule '4 (global)' below it +# firewall62:Policy:1: error: Rule '1 (global)' shadows rule '5 (global)' below it +# firewall62:Policy:1: error: Rule '1 (global)' shadows rule '6 (global)' below it # firewall62:Policy:1: warning: Changing rule direction due to self reference + pass out quick inet from to any user { 2000, 500 } label "RULE 1 -- ACCEPT " # # Rule 2 (global) # firewall62:Policy:2: warning: Changing rule direction due to self reference + pass out quick inet from to any user 2000 label "RULE 2 -- ACCEPT " # # Rule 3 (global) +# firewall62:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it +# firewall62:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it + pass out quick inet proto tcp from to any port 80 flags any label "RULE 3 -- ACCEPT " pass out quick inet from to any user 2000 label "RULE 3 -- ACCEPT " # # Rule 4 (global) # firewall62:Policy:4: warning: Changing rule direction due to self reference + pass out quick inet proto tcp from to any port 80 flags any label "RULE 4 -- ACCEPT " -# firewall62:Policy:4: warning: Changing rule direction due to self reference pass out quick inet from to any user 2000 label "RULE 4 -- ACCEPT " # # Rule 5 (global) 
@@ -65,11 +75,15 @@ pass quick inet from 192.168.1.1 to any user 2000 label "RULE 6 -- ACCEPT " pass quick inet from 192.168.1.0/24 to any user 2000 label "RULE 7 -- ACCEPT " # # Rule 8 (global) +# firewall62:Policy:8: error: Rule '8 (global)' shadows rule '10 (global)' below it +# firewall62:Policy:8: error: Rule '8 (global)' shadows rule '9 (global)' below it # firewall62:Policy:8: warning: Changing rule direction due to self reference + pass in quick inet from any to user 2000 label "RULE 8 -- ACCEPT " # # Rule 9 (global) # firewall62:Policy:9: warning: Changing rule direction due to self reference + pass in quick inet from any to user { 2000, 500 } label "RULE 9 -- ACCEPT " # # Rule 10 (global) @@ -80,6 +94,7 @@ pass quick inet from ! 192.168.1.0/24 to any user 2000 label "RULE 11 -- AC # # Rule 12 (global) # firewall62:Policy:12: warning: Changing rule direction due to self reference + pass in quick inet from any to ! user 2000 label "RULE 12 -- ACCEPT " # # Rule 13 (global) diff --git a/test/pf/firewall62.fw.orig b/test/pf/firewall62.fw.orig index f5c616e25..38cb784a4 100755 --- a/test/pf/firewall62.fw.orig +++ b/test/pf/firewall62.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:11 2011 PST by vadim +# Generated Sun Feb 20 21:16:33 2011 PST by vadim # # files: * firewall62.fw /etc/firewall62.fw # files: firewall62.conf /etc/firewall62.conf @@ -185,7 +185,7 @@ configure_interfaces() { update_addresses_of_interface "en1 222.222.222.222/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:11 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:33 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall63.fw.orig b/test/pf/firewall63.fw.orig index 37abc92a6..39296059e 100755 --- a/test/pf/firewall63.fw.orig +++ b/test/pf/firewall63.fw.orig 
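Review bot: In the Rule 8 block of firewall62.conf.orig the new expectation lists `shadows rule '10 (global)'` before `shadows rule '9 (global)'`, and every `error:` line before the `warning:` line, which looks like the collected messages are ordered as strings rather than by rule position. The golden file now pins that order, so a later switch to numeric or discovery order will show up as a test failure here. If string order is deliberate, a comment where the messages are collected would help, e.g. `// messages are emitted in lexical order, so '10' sorts before '9'`; otherwise emitting them in rule order would read better in the generated pf.conf. The collecting code is not part of this hunk, so the cause is an inference from the output.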
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:11 2011 PST by vadim +# Generated Sun Feb 20 21:16:34 2011 PST by vadim # # files: * firewall63.fw /etc/fw/firewall63.fw # files: firewall63.conf /etc/fw/firewall63.conf @@ -77,7 +77,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:11 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:34 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall7.fw.orig b/test/pf/firewall7.fw.orig index e161eb003..5dd478784 100755 --- a/test/pf/firewall7.fw.orig +++ b/test/pf/firewall7.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:12 2011 PST by vadim +# Generated Sun Feb 20 21:16:35 2011 PST by vadim # # files: * firewall7.fw /etc/fw/firewall7.fw # files: firewall7.conf /etc/fw/firewall7.conf @@ -73,7 +73,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:12 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:35 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall70.conf.orig b/test/pf/firewall70.conf.orig index b31e1e0b0..757f15fd0 100644 --- a/test/pf/firewall70.conf.orig +++ b/test/pf/firewall70.conf.orig 
@@ -15,26 +15,32 @@ table { 22.22.22.22 , 192.0.2.1 , 192.168.1.1 } # # Rule 0 (global) # firewall70:Policy:0: warning: Changing rule direction due to self reference + pass in quick inet proto tcp from any to port 22 flags S/SA keep state # # Rule 1 (en0) # firewall70:Policy:1: warning: Changing rule direction due to self reference + pass in quick on en0 inet proto tcp from any to port 22 flags S/SA keep state # # Rule 2 (en0,en1) # firewall70:Policy:2: warning: Changing rule direction due to self reference + pass in quick on { en0 en1 } inet proto tcp from any to port 22 flags S/SA keep state # # Rule 3 (en2,en0,en1,en3) # firewall70:Policy:3: warning: Changing rule direction due to self reference + pass in quick on { en2 en0 en1 en3 } inet proto tcp from any to port 22 flags S/SA keep state # # Rule 4 (en0) # firewall70:Policy:4: warning: Changing rule direction due to self reference + pass in quick on { en1 en2 } inet proto tcp from any to port 22 flags S/SA keep state # # Rule 5 (en0,en1) # firewall70:Policy:5: warning: Changing rule direction due to self reference + pass in quick on en2 inet proto tcp from any to port 22 flags S/SA keep state # # Rule fallback rule diff --git a/test/pf/firewall70.fw.orig b/test/pf/firewall70.fw.orig index e133f390a..e6e3006d1 100755 --- a/test/pf/firewall70.fw.orig +++ b/test/pf/firewall70.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:13 2011 PST by vadim +# Generated Sun Feb 20 21:16:35 2011 PST by vadim # # files: * firewall70.fw /etc/fw/firewall70.fw # files: firewall70.conf /etc/fw/firewall70.conf @@ -82,7 +82,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:13 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:35 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall8.fw.orig b/test/pf/firewall8.fw.orig index 2e40ba2de..f27bc7c3d 100755 --- a/test/pf/firewall8.fw.orig 
+++ b/test/pf/firewall8.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:14 2011 PST by vadim +# Generated Sun Feb 20 21:16:36 2011 PST by vadim # # files: * firewall8.fw /etc/firewall8.fw # files: firewall8.conf /etc/firewall8.conf @@ -72,7 +72,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:14 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:36 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall80-4.5.fw.orig b/test/pf/firewall80-4.5.fw.orig index 7f9d68a6d..1cdeb7463 100755 --- a/test/pf/firewall80-4.5.fw.orig +++ b/test/pf/firewall80-4.5.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:15 2011 PST by vadim +# Generated Sun Feb 20 21:16:37 2011 PST by vadim # # files: * firewall80-4.5.fw /etc/firewall80-4.5.fw # files: firewall80-4.5.conf /etc/firewall80-4.5.conf @@ -73,7 +73,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:15 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:37 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall80.fw.orig b/test/pf/firewall80.fw.orig index 116b6a05b..9d9605366 100755 --- a/test/pf/firewall80.fw.orig +++ b/test/pf/firewall80.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:14 2011 PST by vadim +# Generated Sun Feb 20 21:16:36 2011 PST by vadim # # files: * firewall80.fw /etc/firewall80.fw # files: firewall80.conf /etc/firewall80.conf @@ -73,7 +73,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:14 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:36 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall9.fw.orig b/test/pf/firewall9.fw.orig index 7ef62ba01..377caab20 100755 
--- a/test/pf/firewall9.fw.orig +++ b/test/pf/firewall9.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:15 2011 PST by vadim +# Generated Sun Feb 20 21:16:37 2011 PST by vadim # # files: * firewall9.fw /etc/fw/firewall9.fw # files: firewall9.conf /etc/fw/firewall9.conf @@ -76,7 +76,7 @@ configure_interfaces() { } -log "Activating firewall script generated Sun Feb 20 20:10:15 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:37 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall91.fw.orig b/test/pf/firewall91.fw.orig index 2c546d8c3..fb7e795ca 100755 --- a/test/pf/firewall91.fw.orig +++ b/test/pf/firewall91.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:16 2011 PST by vadim +# Generated Sun Feb 20 21:16:38 2011 PST by vadim # # files: * firewall91.fw /etc/fw/pf.fw # files: firewall91.conf /etc/fw/pf.conf @@ -241,7 +241,7 @@ configure_interfaces() { update_addresses_of_interface "vlan103 10.100.103.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:16 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:38 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/firewall92.conf.orig b/test/pf/firewall92.conf.orig index 089781b1f..10605080e 100644 --- a/test/pf/firewall92.conf.orig +++ b/test/pf/firewall92.conf.orig @@ -32,6 +32,7 @@ pass in quick inet proto tcp from 10.3.14.30 to port 22 label # # Rule 0 (global) # firewall92:Policy:0: warning: Changing rule direction due to self reference + pass in quick inet proto tcp from 10.3.14.0/24 to port 22 label "RULE 0 -- ACCEPT " # # Rule 1 (global) diff --git a/test/pf/firewall92.fw.orig b/test/pf/firewall92.fw.orig index 0d4b63569..34f823d81 100755 --- a/test/pf/firewall92.fw.orig +++ b/test/pf/firewall92.fw.orig 
@@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:16 2011 PST by vadim +# Generated Sun Feb 20 21:16:39 2011 PST by vadim # # files: * firewall92.fw /etc/fw/pf.fw # files: firewall92.conf /etc/fw/path\ with\ space/pf.conf @@ -160,7 +160,7 @@ configure_interfaces() { update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:16 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:39 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/pf_cluster_1_openbsd-1.fw.orig b/test/pf/pf_cluster_1_openbsd-1.fw.orig index d90ce01cd..99f962f68 100755 --- a/test/pf/pf_cluster_1_openbsd-1.fw.orig +++ b/test/pf/pf_cluster_1_openbsd-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:20 2011 PST by vadim +# Generated Sun Feb 20 21:16:42 2011 PST by vadim # # files: * pf_cluster_1_openbsd-1.fw /etc/pf_cluster_1_openbsd-1.fw # files: pf_cluster_1_openbsd-1.conf /etc/pf_cluster_1_openbsd-1.conf @@ -293,7 +293,7 @@ configure_interfaces() { update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:20 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:42 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/pf_cluster_1_openbsd-2.fw.orig b/test/pf/pf_cluster_1_openbsd-2.fw.orig index fc9ce9cba..ba2aa12b9 100755 --- a/test/pf/pf_cluster_1_openbsd-2.fw.orig +++ b/test/pf/pf_cluster_1_openbsd-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:20 2011 PST by vadim +# Generated Sun Feb 20 21:16:42 2011 PST by vadim # # files: * pf_cluster_1_openbsd-2.fw /etc/pf_cluster_1_openbsd-2.fw # files: pf_cluster_1_openbsd-2.conf /etc/pf_cluster_1_openbsd-2.conf 
@@ -189,7 +189,7 @@ configure_interfaces() { update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:20 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:42 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/pf_cluster_2_freebsd-1.fw.orig b/test/pf/pf_cluster_2_freebsd-1.fw.orig index 24d328d7e..b50f05d0e 100755 --- a/test/pf/pf_cluster_2_freebsd-1.fw.orig +++ b/test/pf/pf_cluster_2_freebsd-1.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:20 2011 PST by vadim +# Generated Sun Feb 20 21:16:42 2011 PST by vadim # # files: * pf_cluster_2_freebsd-1.fw /etc/pf_cluster_2_freebsd-1.fw # files: pf_cluster_2_freebsd-1.conf /etc/pf_cluster_2_freebsd-1.conf @@ -295,7 +295,7 @@ configure_interfaces() { update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:20 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:42 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/pf_cluster_2_freebsd-2.fw.orig b/test/pf/pf_cluster_2_freebsd-2.fw.orig index d705e2a9d..ea9297a30 100755 --- a/test/pf/pf_cluster_2_freebsd-2.fw.orig +++ b/test/pf/pf_cluster_2_freebsd-2.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:20 2011 PST by vadim +# Generated Sun Feb 20 21:16:42 2011 PST by vadim # # files: * pf_cluster_2_freebsd-2.fw /etc/pf_cluster_2_freebsd-2.fw # files: pf_cluster_2_freebsd-2.conf /etc/pf_cluster_2_freebsd-2.conf @@ -191,7 +191,7 @@ configure_interfaces() { update_addresses_of_interface "carp1 192.168.1.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:20 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:42 2011 by vadim" set_kernel_vars configure_interfaces 
diff --git a/test/pf/pf_cluster_3_openbsd-3.fw.orig b/test/pf/pf_cluster_3_openbsd-3.fw.orig index 10d617888..e443ac14c 100755 --- a/test/pf/pf_cluster_3_openbsd-3.fw.orig +++ b/test/pf/pf_cluster_3_openbsd-3.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:20 2011 PST by vadim +# Generated Sun Feb 20 21:16:42 2011 PST by vadim # # files: * pf_cluster_3_openbsd-3.fw /etc/pf_cluster_3_openbsd-3.fw # files: pf_cluster_3_openbsd-3.conf /etc/pf_cluster_3_openbsd-3.conf @@ -296,7 +296,7 @@ configure_interfaces() { update_addresses_of_interface "carp2 172.20.0.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:20 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:42 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/pf_cluster_3_openbsd-4.fw.orig b/test/pf/pf_cluster_3_openbsd-4.fw.orig index e6c4c23a0..f04b7a627 100755 --- a/test/pf/pf_cluster_3_openbsd-4.fw.orig +++ b/test/pf/pf_cluster_3_openbsd-4.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:20 2011 PST by vadim +# Generated Sun Feb 20 21:16:42 2011 PST by vadim # # files: * pf_cluster_3_openbsd-4.fw /etc/pf_cluster_3_openbsd-4.fw # files: pf_cluster_3_openbsd-4.conf /etc/pf_cluster_3_openbsd-4.conf @@ -193,7 +193,7 @@ configure_interfaces() { update_addresses_of_interface "carp2 172.20.0.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:20 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:42 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/pf_cluster_4_rc.conf.local b/test/pf/pf_cluster_4_rc.conf.local index 7686e07f9..f3a3a7f1e 100755 --- a/test/pf/pf_cluster_4_rc.conf.local +++ b/test/pf/pf_cluster_4_rc.conf.local 
@@ -3,7 +3,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:20 2011 PST by vadim +# Generated Sun Feb 20 21:16:42 2011 PST by vadim # # files: * pf_cluster_4_rc.conf.local /etc/pf_cluster_4_rc.conf.local # files: pf_cluster_4_pf.conf /etc/pf_cluster_4_pf.conf diff --git a/test/pf/pf_cluster_5_openbsd-3.fw.orig b/test/pf/pf_cluster_5_openbsd-3.fw.orig index 66c158094..c304a4055 100755 --- a/test/pf/pf_cluster_5_openbsd-3.fw.orig +++ b/test/pf/pf_cluster_5_openbsd-3.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:20 2011 PST by vadim +# Generated Sun Feb 20 21:16:43 2011 PST by vadim # # files: * pf_cluster_5_openbsd-3.fw /etc/pf_cluster_5_openbsd-3.fw # files: pf_cluster_5_openbsd-3.conf /etc/pf_cluster_5_openbsd-3.conf @@ -296,7 +296,7 @@ configure_interfaces() { update_addresses_of_interface "carp2 172.20.0.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:20 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:43 2011 by vadim" set_kernel_vars configure_interfaces diff --git a/test/pf/pf_cluster_5_openbsd-4.fw.orig b/test/pf/pf_cluster_5_openbsd-4.fw.orig index 02eb00f21..cc2193c54 100755 --- a/test/pf/pf_cluster_5_openbsd-4.fw.orig +++ b/test/pf/pf_cluster_5_openbsd-4.fw.orig @@ -4,7 +4,7 @@ # # Firewall Builder fwb_pf v4.2.0.3483 # -# Generated Sun Feb 20 20:10:20 2011 PST by vadim +# Generated Sun Feb 20 21:16:43 2011 PST by vadim # # files: * pf_cluster_5_openbsd-4.fw /etc/pf_cluster_5_openbsd-4.fw # files: pf_cluster_5_openbsd-4.conf /etc/pf_cluster_5_openbsd-4.conf @@ -193,7 +193,7 @@ configure_interfaces() { update_addresses_of_interface "carp2 172.20.0.1/0xffffff00" "" } -log "Activating firewall script generated Sun Feb 20 20:10:20 2011 by vadim" +log "Activating firewall script generated Sun Feb 20 21:16:43 2011 by vadim" set_kernel_vars configure_interfaces 
diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index 22e773d35..2f58232d8 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:19 2011 PST by vadim +! Generated Sun Feb 20 21:18:36 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index f45c53c73..940a451a4 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:19 2011 PST by vadim +! Generated Sun Feb 20 21:18:36 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index 5b5e33678..f66acb180 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:18 2011 PST by vadim +! Generated Sun Feb 20 21:18:35 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 7130a5742..c63e0ac3f 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:19 2011 PST by vadim +! Generated Sun Feb 20 21:18:35 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index 30316d562..d858edc98 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:00:59 2011 PST by vadim +! Generated Sun Feb 20 21:18:16 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported 
@@ -402,6 +402,28 @@ access-group tmp_acl in interface inside ssh 192.168.1.100 255.255.255.255 inside ! ! Rule 0 (global) +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '1 (ethernet1)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '10 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '12 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '13 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '14 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '15 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '16 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '17 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '18 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '19 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '2 (ethernet1)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '20 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '23 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '24 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '25 (global)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '3 (ethernet1)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '4 (ethernet0)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '5 (ethernet0)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '6 (ethernet0)' below it +! firewall:Policy:0: error: Rule '0 (global)' shadows rule '8 (global)' below it +! 
firewall:Policy:0: error: Rule '0 (global)' shadows rule '9 (global)' below it + access-list outside_acl_in deny ip any any access-list inside_acl_in deny ip any any access-list dmz_acl_in deny ip any any @@ -414,6 +436,8 @@ access-list outside_acl_in permit icmp any any 3 ! ! Rule 3 (ethernet1) ! anti-spoofing rule +! firewall:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any ! ! Rule 4 (ethernet0) @@ -467,6 +491,7 @@ access-list outside_acl_in permit ip object-group id3C4E4C38.dst.net.0 object-gr ! ! Rule 13 (global) ! firewall:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule + access-list inside_acl_in permit tcp host 192.168.1.10 object-group id3E155E82.dst.net.0 eq 3128 ! ! Rule 14 (global) @@ -561,6 +586,7 @@ static (inside,outside) tcp interface 25 192.168.1.10 25 0 0 ! ! Rule 6 (NAT) ! firewall:NAT:6: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier. + global (inside) 8 interface nat (dmz) 8 192.168.2.0 255.255.255.0 outside ! 
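Review bot: The shadowing messages added under Rule 0 are listed in string order of the shadowed rule's label (`'1 (ethernet1)'`, `'10 (global)'`, `'12 (global)'`, … `'2 (ethernet1)'`, `'20 (global)'`) rather than in policy order, which makes a 21-line list hard to check against the rule set when auditing what a broad `deny ip any any` hides. The firewall62.conf.orig hunk shows the same for Rule 8, where `'10 (global)'` precedes `'9 (global)'`. getErrorsForRule() is not visible here, so the cause is inferred from the output: if the messages are held in a sorted container of strings, keeping insertion order or sorting by rule position would make the output follow the policy. A short comment on the helper stating which ordering it guarantees would also help anyone regenerating these expected files.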
@@ -620,27 +646,30 @@ route inside 10.1.2.0 255.255.255.0 192.168.1.254 1 ! ! "Routing rule 3 (main)" ! -# firewall:Routing:3: error: Interface and gateway rule elements can not be empty in the PIX routing rule ! ! +! firewall:Routing:3: error: Interface and gateway rule elements can not be empty in the PIX routing rule + route 10.1.3.0 255.255.255.0 192.168.1.254 1 ! ! Rule 4 (main) ! ! "Routing rule 4 (main)" ! -# firewall:Routing:4: error: Interface and gateway rule elements can not be empty in the PIX routing rule ! ! +! firewall:Routing:4: error: Interface and gateway rule elements can not be empty in the PIX routing rule + route inside 10.1.4.0 255.255.255.0 1 ! ! Rule 5 (main) ! ! "Routing rule 5 (main)" ! -# firewall:Routing:5: error: Interface and gateway rule elements can not be empty in the PIX routing rule ! ! +! firewall:Routing:5: error: Interface and gateway rule elements can not be empty in the PIX routing rule + route 10.1.5.0 255.255.255.0 1 ! ! Rule 6 (main) diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index ca80715c7..f61c41732 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:00:58 2011 PST by vadim +! Generated Sun Feb 20 21:18:16 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported @@ -99,6 +99,8 @@ icmp permit any 11 dmz access-list dmz_acl_in permit icmp any host 192.168.2.1 11 ! ! Rule 9 (global) +! firewall1:Policy:9: error: Dynamic interface can be used in the policy rule only in v6.3 or later. + telnet 0.0.0.0 0.0.0.0 inside telnet 0.0.0.0 0.0.0.0 dmz ssh 0.0.0.0 0.0.0.0 inside 
@@ -135,19 +137,21 @@ global (outside) 1 interface nat (inside) 1 192.168.1.10 255.255.255.255 0 0 ! ! Rule 4 (NAT) +! firewall1:NAT:4: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. + global (outside) 2 interface nat (inside) 2 192.168.1.0 255.255.255.0 0 0 global (dmz) 2 interface ! nat (dmz) 2 192.168.2.0 255.255.255.0 0 0 -! firewall1:NAT:4: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. ! ! ! Rule 5 (NAT) -! -! -! ! firewall1:NAT:5: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'dmz' is going to be used as real and mapped interface in the generated nat command. + +! +! +! ! diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index 21477c638..31868b772 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:00 2011 PST by vadim +! Generated Sun Feb 20 21:18:17 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -228,6 +228,8 @@ exit ! ! Rule 3 (ethernet1) ! anti-spoofing rule +! firewall10:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 6 interval 300 ! ! Rule 5 (ethernet0) diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index 68a31fc93..4ce3ad415 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:00 2011 PST by vadim +! Generated Sun Feb 20 21:18:17 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index 83aa546e1..b4a9e969e 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:01 2011 PST by vadim +! Generated Sun Feb 20 21:18:18 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index a9c168b5d..fa5120cbe 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:01 2011 PST by vadim +! Generated Sun Feb 20 21:18:18 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index fa093cf8b..13dc24034 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:02 2011 PST by vadim +! Generated Sun Feb 20 21:18:19 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 90fab12b5..92aafc5f2 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:02 2011 PST by vadim +! Generated Sun Feb 20 21:18:19 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
@@ -96,6 +96,8 @@ access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 6 interva ! ! Rule 1 (eth1) ! Anti-spoofing rule +! firewall2:Policy:1: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list inside_acl_in deny ip 192.168.1.0 255.255.255.0 any log 6 interval 300 ! ! Rule 2 (global) diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index bb6e112db..4c2660521 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:03 2011 PST by vadim +! Generated Sun Feb 20 21:18:20 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -103,6 +103,8 @@ access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 5 (eth1,eth2) ! dmz -> intnet +! firewall20:Policy:5: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 @@ -118,6 +120,8 @@ access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300 access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 7 (eth0,eth1) +! firewall20:Policy:7: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index 12f7c06fd..45ebc8138 100755 
--- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:04 2011 PST by vadim +! Generated Sun Feb 20 21:18:21 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -131,6 +131,8 @@ access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! Rule 12 (eth1) ! dmz -> intnet +! firewall21-1:Policy:12: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 13 (eth1) @@ -152,6 +154,8 @@ access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 18 (eth1,eth2) ! dmz -> intnet +! firewall21-1:Policy:18: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 @@ -167,6 +171,8 @@ access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300 access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 20 (eth0,eth1) +! firewall21-1:Policy:20: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index b0077ea67..d042a59e3 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:03 2011 PST by vadim +! Generated Sun Feb 20 21:18:21 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -146,6 +146,8 @@ access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 host 192.168.1.10 ! ! Rule 12 (eth1) ! dmz -> intnet +! firewall21:Policy:12: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 13 (eth1) @@ -167,6 +169,8 @@ access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 ! ! Rule 18 (eth1,eth2) ! dmz -> intnet +! firewall21:Policy:18: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list inside_acl_in permit ip host 192.168.2.23 host 192.168.1.10 access-list dmz_acl_in permit ip host 192.168.2.23 host 192.168.1.10 @@ -182,6 +186,8 @@ access-list dmz_acl_in deny ip host 192.168.1.20 any log 0 interval 300 access-list dmz_acl_in deny ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 20 (eth0,eth1) +! firewall21:Policy:20: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list dmz_acl_in permit ip 192.168.2.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index 49f92da9b..a32aa8222 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:04 2011 PST by vadim +! Generated Sun Feb 20 21:18:22 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall23.fw.orig b/test/pix/firewall23.fw.orig index 2fbed52e9..bcff0f48b 100755 --- a/test/pix/firewall23.fw.orig +++ b/test/pix/firewall23.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:05 2011 PST by vadim +! Generated Sun Feb 20 21:18:22 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index fd2bdf8aa..23b853abe 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:05 2011 PST by vadim +! Generated Sun Feb 20 21:18:23 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index 11f94ccdf..c3feab43f 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:06 2011 PST by vadim +! Generated Sun Feb 20 21:18:23 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -110,6 +110,7 @@ access-list outside_acl_in permit ip object-group id43867C2418346.src.net.0 any ! ! Rule 3 (global) ! firewall33:Policy:3: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode + access-list outside_acl_in permit ip host 192.0.2.1 any ! ! Rule 5 (global) 
@@ -118,8 +119,8 @@ access-list inside_acl_in deny ip any object-group id43867C2418346.src.net.0 ! ! Rule 7 (global) ! firewall33:Policy:7: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode + access-list outside_acl_in permit ip any host 192.0.2.1 -! firewall33:Policy:7: error: DNSName object "buildmaster (ct)" (compile time) can not resolve dns name "buildmaster" (AF_INET): Host or network 'buildmaster' not found; last error: Unknown error Using dummy address in test mode access-list inside_acl_in permit ip any host 192.0.2.1 ! ! Rule 9 (global) 
@@ -141,17 +142,13 @@ static (inside,outside) interface access-list id43867C4918346.0 0 0 ! ! Rule 1 (NAT) ! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. + global (outside) 1 interface access-list id43876E2618346.0 permit ip any host 157.166.224.25 -! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. access-list id43876E2618346.0 permit ip any host 157.166.224.26 -! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. access-list id43876E2618346.0 permit ip any host 157.166.226.25 -! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. access-list id43876E2618346.0 permit ip any host 157.166.226.26 -! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. access-list id43876E2618346.0 permit ip any host 157.166.255.18 -! firewall33:NAT:1: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. access-list id43876E2618346.0 permit ip any host 157.166.255.19 nat (outside) 1 access-list id43876E2618346.0 0 0 diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index c8fbbfe4e..911771f70 100755 
--- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:07 2011 PST by vadim +! Generated Sun Feb 20 21:18:24 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -201,8 +201,8 @@ access-list inside_acl_in permit ip any object-group id16988X10208.dst.net.0 ! ! Rule 1 (global) ! firewall34:Policy:1: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode + access-list outside_acl_in permit ip any 192.0.2.0 255.255.255.0 -! firewall34:Policy:1: error: File not found for Address Table: missing table (file_does_not_exist.tbl) Using dummy address in test mode access-list inside_acl_in permit ip any 192.0.2.0 255.255.255.0 ! ! Rule 2 (global) diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 64b777686..538b307a3 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:07 2011 PST by vadim +! Generated Sun Feb 20 21:18:24 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index 2424dd57f..4811e2c59 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:08 2011 PST by vadim +! Generated Sun Feb 20 21:18:25 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -257,6 +257,8 @@ access-list outside_acl_in permit icmp any any 3 ! ! Rule 3 (ethernet1) ! anti-spoofing rule +! firewall50:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 4 (ethernet0) 
@@ -274,6 +276,8 @@ access-list inside_acl_in deny ip any host 192.168.1.255 access-list dmz_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22 ! ! Rule 9 (ethernet2,ethernet0) +! firewall50:Policy:9: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list dmz_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22 access-list inside_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22 access-list dmz_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22 @@ -318,6 +322,7 @@ access-list outside_acl_in permit ip object-group id45142FA628543.dst.net.0 obje ! ! Rule 15 (global) ! firewall50:Policy:15: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule + access-list inside_acl_in permit tcp host 192.168.1.10 object-group id4514300A28543.dst.net.0 eq 3128 ! ! Rule 16 (global) diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 469611345..d590352c5 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:08 2011 PST by vadim +! Generated Sun Feb 20 21:18:26 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index 937b49868..c46c0634d 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:10 2011 PST by vadim +! Generated Sun Feb 20 21:18:27 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported 
@@ -121,11 +121,13 @@ static (dmz,outside) interface 192.168.2.100 0 0 ! ! Rule 5 (NAT) ! firewall8:NAT:5: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier. + global (inside) 1 interface ! ! ! Rule 6 (NAT) ! firewall8:NAT:6: warning: Original destination is ignored in 'nat' NAT rules when compiling for PIX v6.2 and earlier. + global (dmz) 1 interface ! diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index 1f75284b5..f7e1b8896 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:10 2011 PST by vadim +! Generated Sun Feb 20 21:18:27 2011 PST by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index fbea70176..0c29e823d 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:11 2011 PST by vadim +! Generated Sun Feb 20 21:18:28 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -120,17 +120,20 @@ access-list outside_acl_in deny tcp any object hostA:eth0.0 ! Rule 1 (FastEthernet1) ! test rule using translated address in dst ! firewall81:Policy:1: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. + access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 2 (global) ! test rule using translated address in dst ! firewall81:Policy:2: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. + access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 3 (global) ! test rule using translated address in dst -access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 ! firewall81:Policy:3: warning: Object firewall81:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. + +access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 4 (global) diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index 463d45023..d43e6b0f2 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:11 2011 PST by vadim +! Generated Sun Feb 20 21:18:28 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -120,17 +120,20 @@ access-list outside_acl_in deny tcp any object hostA:eth0.0 ! Rule 1 (FastEthernet1) ! test rule using translated address in dst ! firewall82:Policy:1: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. + access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 2 (global) ! test rule using translated address in dst ! firewall82:Policy:2: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. + access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 3 (global) ! test rule using translated address in dst -access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 ! firewall82:Policy:3: warning: Object firewall82:FastEthernet1:ip that represents translated address in a NAT rule 0 (NAT) is used in a policy rule of ASA v8.3 firewall. Starting with v8.3, ASA requires using real IP addresses in the firewall policy rules. + +access-list inside_acl_in permit tcp any host 192.168.1.1 eq 80 access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! ! Rule 4 (global) diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 730421687..542665d2b 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:12 2011 PST by vadim +! Generated Sun Feb 20 21:18:29 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index 7de0395ee..f9f94e179 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:12 2011 PST by vadim +! Generated Sun Feb 20 21:18:29 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index 9307c0f73..b96f16a09 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:13 2011 PST by vadim +! Generated Sun Feb 20 21:18:30 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -314,12 +314,14 @@ nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1 ! for #1902 ! can't use dns with destination matching or translation ! firewall90:NAT:13: error: Option 'translate dns' can not be used in combination with destination matching or translation + nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 destination static spamhost1.0 spamhost1.0 dns description "13 (NAT)" ! ! Rule 14 (NAT) ! for #1902 ! cant use dns with service translation either ! firewall90:NAT:14: error: Option 'translate dns' can not be used in combination with service matching or translation + nat (inside,outside) source dynamic internal_subnet_1.0 firewall90:FastEthernet1:ip-1.0 service smtp.0 smtp.0 dns description "14 (NAT)" ! ! Rule 15 (NAT) @@ -348,6 +350,7 @@ nat (inside,outside) source dynamic hostA:eth0.0 id21177X3720.tsrc.net.0 interfa ! for #1908 ! "static" vs "dynamic" ! firewall90:NAT:19: warning: Objects used in Original Source and Translated Source of the rule dictate that the same interface 'outside' is going to be used as real and mapped interface in the generated nat command. + nat (outside,outside) source dynamic outside_range.0 firewall90:FastEthernet1:ip-1.0 description "19 (NAT)" ! ! Rule 20 (NAT) diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 71b75bd61..a45d87f08 100755 
--- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:13 2011 PST by vadim +! Generated Sun Feb 20 21:18:30 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index c97a26c57..edd049a6b 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:14 2011 PST by vadim +! Generated Sun Feb 20 21:18:31 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig index 8b19901c8..acc750e23 100755 --- a/test/pix/firewall93.fw.orig +++ b/test/pix/firewall93.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:14 2011 PST by vadim +! Generated Sun Feb 20 21:18:31 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall94.fw.orig b/test/pix/firewall94.fw.orig index c1f3bf9bb..af47ebbfa 100755 --- a/test/pix/firewall94.fw.orig +++ b/test/pix/firewall94.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:15 2011 PST by vadim +! Generated Sun Feb 20 21:18:32 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index 8c69503bd..dc564f762 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:15 2011 PST by vadim +! Generated Sun Feb 20 21:18:32 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported 
@@ -239,6 +239,8 @@ access-list outside_acl_in permit icmp any any 3 ! ! Rule 3 (ethernet1) ! anti-spoofing rule +! fwsm1:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 4 (ethernet0) @@ -292,6 +294,7 @@ access-list outside_acl_in permit ip object-group id444A03DE9567.dst.net.0 objec ! ! Rule 13 (global) ! fwsm1:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule + access-list inside_acl_in permit tcp host 192.168.1.10 object-group id444A04429567.dst.net.0 eq 3128 ! ! Rule 14 (global) @@ -318,6 +321,8 @@ access-list inside_acl_in permit tcp any object-group id444A04749567.dst.net.0 o access-list dmz_acl_in permit tcp any object-group id444A04749567.dst.net.0 object-group id444A04679567.srv.tcp.0 ! ! Rule 18 (global) +! fwsm1:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)' below it + access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id444A04819567.srv.tcp.0 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id444A04819567.srv.tcp.0 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id444A04819567.srv.tcp.0 diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index c52f2ac7f..5ce95c923 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:16 2011 PST by vadim +! Generated Sun Feb 20 21:18:33 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported 
@@ -252,6 +252,8 @@ access-list outside_acl_in permit icmp any any 3 ! ! Rule 3 (ethernet1) ! anti-spoofing rule +! fwsm2:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings + access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300 ! ! Rule 4 (ethernet0) @@ -305,6 +307,7 @@ access-list outside_acl_in permit ip object-group id17298X54624.dst.net.0 object ! ! Rule 13 (global) ! fwsm2:Policy:13: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule + access-list inside_acl_in permit tcp host 192.168.1.10 object-group id17398X54624.dst.net.0 eq 3128 ! ! Rule 14 (global) @@ -331,6 +334,8 @@ access-list inside_acl_in permit tcp any object-group id17448X54624.dst.net.0 ob access-list dmz_acl_in permit tcp any object-group id17448X54624.dst.net.0 object-group id17435X54624.srv.tcp.0 ! ! Rule 18 (global) +! fwsm2:Policy:18: error: Rule '18 (global)' shadows rule '20 (global)' below it + access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id17461X54624.srv.tcp.0 access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id17461X54624.srv.tcp.0 access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id17461X54624.srv.tcp.0 diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index acfe8a65c..ef9d7317a 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:17 2011 PST by vadim +! Generated Sun Feb 20 21:18:34 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 0ef3c4547..7b0a5b7ca 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3483 ! -! Generated Sun Feb 20 18:01:17 2011 PST by vadim +! Generated Sun Feb 20 21:18:34 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/procurve_acl/testhp1.fw.orig b/test/procurve_acl/testhp1.fw.orig index 13cd98b70..c29c409ad 100755 --- a/test/procurve_acl/testhp1.fw.orig +++ b/test/procurve_acl/testhp1.fw.orig @@ -1,9 +1,9 @@ ; ; This is automatically generated file. DO NOT MODIFY ! ; -; Firewall Builder fwb_procurve_acl v4.2.0.3441 +; Firewall Builder fwb_procurve_acl v4.2.0.3483 ; -; Generated Sat Jan 22 10:08:30 2011 PST by vadim +; Generated Sun Feb 20 21:30:07 2011 PST by vadim ; ; Compiled for procurve_acl K.13 ; diff --git a/test/procurve_acl/testhp2.fw.orig b/test/procurve_acl/testhp2.fw.orig index 359f1056d..7ae32109f 100755 --- a/test/procurve_acl/testhp2.fw.orig +++ b/test/procurve_acl/testhp2.fw.orig @@ -1,9 +1,9 @@ ; ; This is automatically generated file. DO NOT MODIFY ! ; -; Firewall Builder fwb_procurve_acl v4.2.0.3441 +; Firewall Builder fwb_procurve_acl v4.2.0.3483 ; -; Generated Sat Jan 22 10:08:30 2011 PST by vadim +; Generated Sun Feb 20 21:30:07 2011 PST by vadim ; ; Compiled for procurve_acl K.13 ; diff --git a/test/procurve_acl/testhp3.fw.orig b/test/procurve_acl/testhp3.fw.orig index c4b3529a1..2528e7a98 100755 --- a/test/procurve_acl/testhp3.fw.orig +++ b/test/procurve_acl/testhp3.fw.orig @@ -1,9 +1,9 @@ ; ; This is automatically generated file. DO NOT MODIFY ! ; -; Firewall Builder fwb_procurve_acl v4.2.0.3441 +; Firewall Builder fwb_procurve_acl v4.2.0.3483 ; -; Generated Sat Jan 22 10:08:30 2011 PST by vadim +; Generated Sun Feb 20 21:30:07 2011 PST by vadim ; ; Compiled for procurve_acl K.13 ; diff --git a/test/procurve_acl/testhp4.fw.orig b/test/procurve_acl/testhp4.fw.orig index 5307afb39..087389262 100755 --- a/test/procurve_acl/testhp4.fw.orig +++ b/test/procurve_acl/testhp4.fw.orig 
@@ -1,9 +1,9 @@ ; ; This is automatically generated file. DO NOT MODIFY ! ; -; Firewall Builder fwb_procurve_acl v4.2.0.3441 +; Firewall Builder fwb_procurve_acl v4.2.0.3483 ; -; Generated Sat Jan 22 10:08:30 2011 PST by vadim +; Generated Sun Feb 20 21:30:07 2011 PST by vadim ; ; Compiled for procurve_acl K.13 ;