
* PolicyCompiler_pix.cpp (printPreambleCommands): see #2347 "FWSM

move up the "access-list mode auto-commit" command". The command that
configures the access-list commit mode should be issued before any
commands that clear and configure access lists. This change also
moves the commands that set up the temporary access list to the
top of the script.
This commit is contained in:
Vadim Kurland 2011-04-14 12:11:15 -07:00
parent 3c0554c003
commit 59f40e5d71
48 changed files with 308 additions and 246 deletions


@ -1,5 +1,12 @@
2011-04-14 vadim <vadim@netcitadel.com>
* PolicyCompiler_pix.cpp (printPreambleCommands): see #2347 "FWSM
move up the "access-list mode auto-commit" command". Command that
configures access list commit mode should be issued before any
commands that clear and configure access lists. Also in this
change moving commands that set up temporary access list to the
top of the script.
* PolicyCompiler_pix.cpp (printClearCommands): see #2322 If this
is FWSM and if manual commit mode is used, need to commit after
clearing ACLs before we clear object groups.


@ -397,6 +397,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
oscnf->processFirewallOptions();
string clear_commands;
string preamble_commands;
bool have_named_objects = false;
bool have_object_groups = false;
@ -432,6 +433,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
n->compile();
n->epilog();
preamble_commands += n->printPreambleCommands();
clear_commands += n->printClearCommands();
have_named_objects = (have_named_objects ||
named_objects_manager.haveNamedObjects());
@ -467,6 +469,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
c->compile();
c->epilog();
preamble_commands += c->printPreambleCommands();
clear_commands += c->printClearCommands();
have_named_objects = (have_named_objects ||
named_objects_manager.haveNamedObjects());
@ -542,6 +545,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
clear_commands += named_objects_manager.getClearCommands() + "\n";
system_configuration_script += preamble_commands;
system_configuration_script += clear_commands;
system_configuration_script += "\n";


@ -1405,6 +1405,15 @@ string NATCompiler_pix::printClearCommands()
return output.str();
}
/*
* This includes commands that should be added first, such as commit mode
* for FWSM, setting up temporary access list etc.
*/
string NATCompiler_pix::printPreambleCommands()
{
return "";
}
class MergeConflictRes : public FWObjectDatabase::ConflictResolutionPredicate
{
public:
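Review bot: NATCompiler_pix::printPreambleCommands returns an empty string but carries the same block comment as the PIX policy implementation ("This includes commands that should be added first, such as commit mode for FWSM, setting up temporary access list etc."), so the comment describes what this override does not do; the same copy sits on PolicyCompiler_cisco::printPreambleCommands in the later hunk. Replace it with a one-line comment stating this class's contract, e.g. `// No preamble for NAT: the access-list commit mode and temporary ACL are emitted by the policy compiler (PolicyCompiler_pix::printPreambleCommands).` The shared contract — collected per compiler by CompilerDriver_pix::run and emitted before the clear commands — would be better documented once, as a Doxygen comment on the virtual declaration in the header, instead of being repeated in each .cpp.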


@ -505,6 +505,7 @@ namespace fwcompiler
void regroup();
virtual std::string printClearCommands();
virtual std::string printPreambleCommands();
/**
* scans all rules in source_ruleset and finds rules (if


@ -800,6 +800,15 @@ string PolicyCompiler_cisco::printClearCommands()
return "";
}
/*
* This includes commands that should be added first, such as commit mode
* for FWSM, setting up temporary access list etc.
*/
string PolicyCompiler_cisco::printPreambleCommands()
{
return "";
}
void PolicyCompiler_cisco::setNamedObjectsManager(NamedObjectsManager *mgr)
{
named_objects_manager = mgr;


@ -519,7 +519,8 @@ public:
virtual void epilog();
virtual std::string printClearCommands();
virtual std::string printPreambleCommands();
/**
* sort commands ('icmp', 'telnet', 'ssh') and access lists
* in some kind of 'natural' order. Useful for both IOS and PIX


@ -78,115 +78,11 @@ PolicyCompiler_pix::PolicyCompiler_pix(FWObjectDatabase *_db,
int PolicyCompiler_pix::prolog()
{
string version = fw->getStr("version");
string platform = fw->getStr("platform");
string host_os = fw->getStr("host_OS");
if (platform!="pix" && platform!="fwsm")
abort("Unsupported platform " + platform );
if (!inSingleRuleCompileMode())
{
output << "!################" << endl;
if (platform=="fwsm")
{
if (fw->getOptionsObject()->getBool("pix_use_manual_commit") )
output << "access-list mode manual" << endl;
else
output << "access-list mode auto" << endl;
}
if ( fw->getOptionsObject()->getBool("pix_acl_substitution") )
{
/* Generate short temporary ACL and assign it to all
* interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500)
as well as ssh from given subnet to any.
*/
string temp_acl = "tmp_acl";
string temp_acl_addr = fw->getOptionsObject()->getStr("pix_acl_temp_addr");
if (temp_acl_addr.empty())
{
abort(
"Missing address for management host or subnet for "
"temporary ACL. Enter it in the tab 'Script "
"options' in 'Firewall Settings' dialog");
}
string::size_type slash_idx = temp_acl_addr.find('/');
string addr = temp_acl_addr;
string netmask = "255.255.255.255";
if (slash_idx!=string::npos)
{
addr = temp_acl_addr.substr(0,slash_idx);
netmask = temp_acl_addr.substr(slash_idx+1);
try
{
if (netmask.find(".")!=string::npos)
{
InetAddr nm(netmask);
nm.isAny(); // to avoid warning abt unused var
} else
{
int nm_length;
istringstream str(netmask);
str >> nm_length;
InetAddr nm(nm_length);
netmask = nm.toString();
}
} catch(FWException &ex)
{
abort("Invalid netmask for management subnet: '"+netmask+"'");
}
}
try
{
InetAddr(addr);
} catch(FWException &ex)
{
abort("Invalid address for management subnet: '"+addr+"'");
}
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_acl");
output << endl;
output << clearACLcmd << " " << temp_acl << endl;
if (fw->getStr("platform")=="fwsm" &&
fw->getOptionsObject()->getBool("pix_use_manual_commit") )
{
output << "access-list commit" << endl;
}
output << "access-list " << temp_acl
<< " permit ip "
<< addr << " " << netmask
<< " any "
<< endl;
output << "access-list " << temp_acl
<< " deny ip any any "
<< endl;
if (platform=="fwsm" &&
fw->getOptionsObject()->getBool("pix_use_manual_commit") )
output << "access-list commit" << endl;
output << endl;
output << "access-group " << temp_acl
<< " in interface outside" << endl;
output << "access-group " << temp_acl
<< " in interface inside" << endl;
output << endl;
}
}
return PolicyCompiler::prolog();
}
@ -793,4 +689,116 @@ string PolicyCompiler_pix::printClearCommands()
return output.str();
}
/*
* This includes commands that should be added first, such as commit mode
* for FWSM, setting up temporary access list etc.
*/
string PolicyCompiler_pix::printPreambleCommands()
{
string version = fw->getStr("version");
string platform = fw->getStr("platform");
ostringstream output;
output << "!################" << endl;
if (platform=="fwsm")
{
if (fw->getOptionsObject()->getBool("pix_use_manual_commit") )
output << "access-list mode manual" << endl;
else
output << "access-list mode auto" << endl;
}
if ( fw->getOptionsObject()->getBool("pix_acl_substitution") )
{
/* Generate short temporary ACL and assign it to all
* interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500)
as well as ssh from given subnet to any.
*/
string temp_acl = "tmp_acl";
string temp_acl_addr = fw->getOptionsObject()->getStr("pix_acl_temp_addr");
if (temp_acl_addr.empty())
{
abort(
"Missing address for management host or subnet for "
"temporary ACL. Enter it in the tab 'Script "
"options' in 'Firewall Settings' dialog");
}
string::size_type slash_idx = temp_acl_addr.find('/');
string addr = temp_acl_addr;
string netmask = "255.255.255.255";
if (slash_idx!=string::npos)
{
addr = temp_acl_addr.substr(0,slash_idx);
netmask = temp_acl_addr.substr(slash_idx+1);
try
{
if (netmask.find(".")!=string::npos)
{
InetAddr nm(netmask);
nm.isAny(); // to avoid warning abt unused var
} else
{
int nm_length;
istringstream str(netmask);
str >> nm_length;
InetAddr nm(nm_length);
netmask = nm.toString();
}
} catch(FWException &ex)
{
abort("Invalid netmask for management subnet: '"+netmask+"'");
}
}
try
{
InetAddr(addr);
} catch(FWException &ex)
{
abort("Invalid address for management subnet: '"+addr+"'");
}
string clearACLcmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+version+"/pix_commands/clear_acl");
output << endl;
output << clearACLcmd << " " << temp_acl << endl;
if (fw->getStr("platform")=="fwsm" &&
fw->getOptionsObject()->getBool("pix_use_manual_commit") )
{
output << "access-list commit" << endl;
}
output << "access-list " << temp_acl
<< " permit ip "
<< addr << " " << netmask
<< " any "
<< endl;
output << "access-list " << temp_acl
<< " deny ip any any "
<< endl;
if (platform=="fwsm" &&
fw->getOptionsObject()->getBool("pix_use_manual_commit") )
output << "access-list commit" << endl;
output << endl;
output << "access-group " << temp_acl
<< " in interface outside" << endl;
output << "access-group " << temp_acl
<< " in interface inside" << endl;
output << endl;
}
return output.str();
}
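Review bot: In the prefix-length branch of PolicyCompiler_pix::printPreambleCommands the extraction `str >> nm_length` is never checked, so a netmask suffix that is not an integer leaves `nm_length` uninitialized and passes an indeterminate value to `InetAddr nm(nm_length)`; the enclosing try only catches FWException, not the failed extraction. Initialize and test it: `int nm_length = -1;` / `if (!(str >> nm_length) || nm_length < 0) abort("Invalid netmask for management subnet: '"+netmask+"'");`. The comment above the temporary ACL still says it permits IPSEC and ssh from the given subnet, but the rule actually emitted is `access-list tmp_acl permit ip <addr> <netmask> any`, so the comment should say what is installed — all IP traffic from the management address or subnet to any interface, for the window until the real policy is loaded — since that is the exposure an operator needs to understand. The old prolog emitted this block only under `!inSingleRuleCompileMode()`; that guard is absent here, so unless CompilerDriver_pix skips printPreambleCommands in single-rule mode (not visible in this hunk) the preamble and temporary ACL now also appear in single-rule output.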


@ -322,6 +322,7 @@ namespace fwcompiler {
virtual void epilog();
virtual std::string printClearCommands();
virtual std::string printPreambleCommands();
};


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:23 2011 PDT by vadim
! Generated Thu Apr 14 12:07:26 2011 PDT by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -114,6 +114,7 @@ policy-map global_policy
service-policy global_policy global
!################
clear xlate
clear config static
clear config global
@ -147,7 +148,6 @@ object-group network id56627X61097.src.net.0
network-object host 192.0.2.253
exit
!################
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:23 2011 PDT by vadim
! Generated Thu Apr 14 12:07:26 2011 PDT by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -114,6 +114,7 @@ policy-map global_policy
service-policy global_policy global
!################
clear xlate
clear config static
clear config global
@ -147,7 +148,6 @@ object-group network id56627X61097.src.net.0
network-object host 192.0.2.253
exit
!################
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:23 2011 PDT by vadim
! Generated Thu Apr 14 12:07:26 2011 PDT by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -114,6 +114,7 @@ policy-map global_policy
service-policy global_policy global
!################
clear xlate
clear config static
clear config global
@ -147,7 +148,6 @@ object-group network id55439X897.src.net.0
network-object host 192.0.2.253
exit
!################
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:23 2011 PDT by vadim
! Generated Thu Apr 14 12:07:26 2011 PDT by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -114,6 +114,7 @@ policy-map global_policy
service-policy global_policy global
!################
clear xlate
clear config static
clear config global
@ -152,7 +153,6 @@ object-group network id3401X82678.dst.net.0
network-object host 192.0.2.254
exit
!################
!
! Rule 0 (Ethernet0.101)
! anti spoofing rule


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:11 2011 PDT by vadim
! Generated Thu Apr 14 12:07:13 2011 PDT by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
@ -262,6 +262,15 @@ fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
!################
clear access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear static
clear global
@ -386,15 +395,6 @@ object-group service pol-firewall2-4.srv.tcp.0 tcp
port-object eq 7100
exit
!################
clear access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
!
! Rule -1 backup ssh access rule (automatic)
ssh 192.168.1.100 255.255.255.255 inside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:10 2011 PDT by vadim
! Generated Thu Apr 14 12:07:13 2011 PDT by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported
@ -70,8 +70,11 @@ floodguard disable
!################
!
! Rule 2 (eth1)
! Anti-spoofing rule


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:11 2011 PDT by vadim
! Generated Thu Apr 14 12:07:13 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -91,6 +91,7 @@ fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
!################
clear object-group
@ -222,7 +223,6 @@ object-group service id3DB0FA12.srv.tcp.0 tcp
port-object eq 7100
exit
!################
!
! Rule 3 (ethernet1)
! anti-spoofing rule


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:11 2011 PDT by vadim
! Generated Thu Apr 14 12:07:13 2011 PDT by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
@ -76,8 +76,11 @@ floodguard enable
!################
!
! Rule 0 (global)
access-list outside_acl_in permit tcp any host 10.5.80.20 eq 80


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:12 2011 PDT by vadim
! Generated Thu Apr 14 12:07:14 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -87,6 +87,7 @@ fixup protocol ftp 21
fixup protocol http 80
fixup protocol icmp error
!################
clear object-group
@ -96,7 +97,6 @@ object-group network id3F8F95CD.dst.net.0
network-object host 192.0.2.23
exit
!################
!
! Rule 0 (global)
access-list inside_acl_in remark 0 (global)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:12 2011 PDT by vadim
! Generated Thu Apr 14 12:07:14 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -72,8 +72,11 @@ floodguard enable
!################
!
! Rule 0 (global)
access-list outside_acl_in permit ip 192.168.1.0 255.255.255.0 any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:13 2011 PDT by vadim
! Generated Thu Apr 14 12:07:15 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -68,8 +68,11 @@ floodguard enable
!################
!
! Rule 0 (global)
access-list inside_acl_in permit ip 10.1.2.0 255.255.255.0 any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:13 2011 PDT by vadim
! Generated Thu Apr 14 12:07:15 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -63,6 +63,7 @@ floodguard disable
!################
clear xlate
clear static
clear global
@ -83,7 +84,6 @@ object-group network id3D8FCCDE.src.net.0
network-object host 192.168.1.20
exit
!################
!
! Rule 0 (eth1)
! Anti-spoofing rule


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:13 2011 PDT by vadim
! Generated Thu Apr 14 12:07:15 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -79,10 +79,11 @@ floodguard enable
fixup protocol ftp 21
!################
!
! Rule 0 (global)
access-list outside_acl_in permit ip any host 192.168.1.10


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:14 2011 PDT by vadim
! Generated Thu Apr 14 12:07:16 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -84,10 +84,11 @@ floodguard enable
fixup protocol ftp 21
!################
!
! Rule 0 (global)
access-list outside_acl_in permit ip any host 192.168.1.10


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:13 2011 PDT by vadim
! Generated Thu Apr 14 12:07:15 2011 PDT by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -100,9 +100,11 @@ policy-map global_policy
service-policy global_policy global
!################
!
! Rule 0 (global)
access-list outside_acl_in permit ip any host 192.168.1.10


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:14 2011 PDT by vadim
! Generated Thu Apr 14 12:07:16 2011 PDT by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -93,9 +93,11 @@ policy-map global_policy
service-policy global_policy global
!################
!
! Rule 0 (global)
access-list outside_in permit ip any host 192.168.1.10


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:14 2011 PDT by vadim
! Generated Thu Apr 14 12:07:16 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -72,7 +72,7 @@ clear nat
!################
!
! Rule 0 (NAT)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:15 2011 PDT by vadim
! Generated Thu Apr 14 12:07:17 2011 PDT by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
@ -73,6 +73,7 @@ floodguard disable
!################
clear access-list
clear icmp
clear telnet
@ -80,7 +81,6 @@ clear telnet
!################
!
! Rule 0 (eth0)
ssh 0.0.0.0 0.0.0.0 inside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:15 2011 PDT by vadim
! Generated Thu Apr 14 12:07:18 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -72,6 +72,7 @@ floodguard disable
!################
clear object-group
@ -98,7 +99,6 @@ object-group network id438728A918346.dst.net.0
network-object host 157.166.255.19
exit
!################
!
! Rule 0 (eth0.100)
access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:15 2011 PDT by vadim
! Generated Thu Apr 14 12:07:18 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -61,6 +61,7 @@ floodguard disable
!################
clear object-group
@ -189,7 +190,6 @@ object-group network id21263X16880.src.net.0
network-object 10.1.4.0 255.255.255.0
exit
!################
!
! Rule 0 (global)
access-list outside_acl_in permit ip any 192.168.2.128 255.255.255.128


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:16 2011 PDT by vadim
! Generated Thu Apr 14 12:07:18 2011 PDT by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
@ -75,6 +75,7 @@ floodguard disable
!################
clear xlate
clear static
clear global
@ -95,7 +96,6 @@ object-group network id3D79A1E4.dst.net.0
network-object host 192.168.1.20
exit
!################
!
! Rule 0 (global)
access-list inside_acl_in permit tcp any host 192.168.1.10 eq 22


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:16 2011 PDT by vadim
! Generated Thu Apr 14 12:07:19 2011 PDT by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -114,6 +114,15 @@ policy-map global_policy
service-policy global_policy global
!################
clear config access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear config static
clear config global
@ -239,15 +248,6 @@ object-group service id4514304928543.srv.tcp.0 tcp
port-object eq 7100
exit
!################
clear config access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
!
! Rule 2 (ethernet1)
icmp permit any 3 outside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:16 2011 PDT by vadim
! Generated Thu Apr 14 12:07:19 2011 PDT by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
@ -76,6 +76,7 @@ floodguard disable
!################
clear xlate
clear static
clear global
@ -87,7 +88,6 @@ clear telnet
!################
!
! Rule 0 (eth1)
access-list outside_acl_in deny ip any host 22.22.22.22


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:17 2011 PDT by vadim
! Generated Thu Apr 14 12:07:19 2011 PDT by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported
@ -77,10 +77,11 @@ floodguard enable
fixup protocol ftp 21
!################
!
! Rule 0 (global)
access-list outside_acl_in permit ip any host 192.168.1.10


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:17 2011 PDT by vadim
! Generated Thu Apr 14 12:07:20 2011 PDT by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported
@ -86,6 +86,7 @@ parameters
router-alert action clear
!################
clear xlate
clear config static
clear config global
@ -117,7 +118,6 @@ object-group icmp-type id21447X11252.srv.icmp.0
icmp-object 8
exit
!################
!
! Rule 0 (FastEthernet1)
ssh 0.0.0.0 0.0.0.0 inside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:18 2011 PDT by vadim
! Generated Thu Apr 14 12:07:20 2011 PDT by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -89,6 +89,7 @@ parameters
router-alert action clear
!################
clear xlate
clear config nat
clear config access-list
@ -105,7 +106,6 @@ object network hostA:eth0.0
host 192.168.1.10
exit
!################
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:18 2011 PDT by vadim
! Generated Thu Apr 14 12:07:21 2011 PDT by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -89,6 +89,7 @@ parameters
router-alert action clear
!################
clear xlate
clear config nat
clear config access-list
@ -105,7 +106,6 @@ object network hostA:eth0.0
host 192.168.1.10
exit
!################
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:18 2011 PDT by vadim
! Generated Thu Apr 14 12:07:21 2011 PDT by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -87,6 +87,7 @@ parameters
router-alert action clear
!################
clear xlate
clear config nat
clear config access-list
@ -103,7 +104,6 @@ object network hostA:eth0.0
host 192.168.1.10
exit
!################
!
! Rule 0 (global)
! matching "any" icmp and "all" tcp


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:19 2011 PDT by vadim
! Generated Thu Apr 14 12:07:21 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -96,7 +96,7 @@ fixup protocol tftp 69
!################


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:19 2011 PDT by vadim
! Generated Thu Apr 14 12:07:21 2011 PDT by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -90,6 +90,7 @@ parameters
router-alert action clear
!################
clear xlate
clear config nat
clear config access-list
@ -234,7 +235,6 @@ object-group network id78630X30274.src.net.0
network-object 10.1.3.0 255.255.255.0
exit
!################
!
! Rule 0 (global)
access-list outside_acl_in deny ip object-group id78630X30274.src.net.0 any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:19 2011 PDT by vadim
! Generated Thu Apr 14 12:07:22 2011 PDT by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -92,6 +92,7 @@ parameters
router-alert action clear
!################
clear xlate
clear config nat
clear config access-list
@ -132,7 +133,6 @@ object network outside_range.0
range 22.22.22.21 22.22.22.25
exit
!################
!
! Rule 0 (global)
access-list inside_acl_in deny ip any any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:19 2011 PDT by vadim
! Generated Thu Apr 14 12:07:22 2011 PDT by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -87,6 +87,7 @@ parameters
router-alert action clear
!################
clear xlate
clear config nat
clear config access-list
@ -133,7 +134,6 @@ object-group network id20655X6113.osrc.net.0
network-object object internal_subnet_2.0
exit
!################
!
! Rule 0 (global)
access-list inside_acl_in deny ip any any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:20 2011 PDT by vadim
! Generated Thu Apr 14 12:07:23 2011 PDT by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -102,7 +102,7 @@ object network inside-range-1.0
range 10.0.0.1 10.0.0.5
exit
!################
!
! Rule 0 (NAT)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:20 2011 PDT by vadim
! Generated Thu Apr 14 12:07:23 2011 PDT by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -74,6 +74,7 @@ service-policy global_policy global
!################
clear config access-list
clear config icmp
clear config telnet
@ -94,7 +95,6 @@ object-group network id26782X14355.src.net.0
network-object object inside-range-2.0
exit
!################
!
! Rule 0 (global)
access-list inside_acl_in remark 0 (global)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:21 2011 PDT by vadim
! Generated Thu Apr 14 12:07:23 2011 PDT by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported
@ -94,6 +94,16 @@ fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
!################
access-list mode auto
clear access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear static
clear global
@ -218,16 +228,6 @@ object-group service id444A04819567.srv.tcp.0 tcp
port-object eq 7100
exit
!################
access-list mode auto
clear access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
!
! Rule 2 (ethernet1)
icmp permit any 3 outside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:21 2011 PDT by vadim
! Generated Thu Apr 14 12:07:24 2011 PDT by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported
@ -110,6 +110,16 @@ service-policy global_policy global
!################
access-list mode auto
clear config access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear config static
clear config global
@ -234,16 +244,6 @@ object-group service id17461X54624.srv.tcp.0 tcp
port-object eq 7100
exit
!################
access-list mode auto
clear config access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
!
! Rule 2 (ethernet1)
icmp permit any 3 outside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:46:21 2011 PDT by vadim
! Generated Thu Apr 14 12:07:24 2011 PDT by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported
@ -109,6 +109,18 @@ service-policy global_policy global
!################
access-list mode manual
clear config access-list tmp_acl
access-list commit
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-list commit
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear config static
clear config global
@ -129,18 +141,6 @@ object-group network id59803X13930.src.net.0
network-object 172.16.0.2 255.255.255.255
exit
!################
access-list mode manual
clear config access-list tmp_acl
access-list commit
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-list commit
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
!
! Rule 1 (ethernet1)
! need this rule to generate at least one object group


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:22 2011 PDT by vadim
! Generated Thu Apr 14 12:07:25 2011 PDT by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
@ -84,6 +84,15 @@ policy-map global_policy
service-policy global_policy global
!################
clear config access-list tmp_acl
access-list tmp_acl permit ip 10.3.14.42 255.255.255.255 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear config static
clear config global
@ -96,15 +105,6 @@ clear config telnet
!################
clear config access-list tmp_acl
access-list tmp_acl permit ip 10.3.14.42 255.255.255.255 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
!
! Rule -1 backup ssh access rule (automatic)
ssh 10.3.14.42 255.255.255.255 inside


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:22 2011 PDT by vadim
! Generated Thu Apr 14 12:07:25 2011 PDT by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -86,6 +86,7 @@ fixup protocol ftp 21
fixup protocol http 80
fixup protocol icmp error
!################
clear xlate
clear static
clear global
@ -97,7 +98,6 @@ clear telnet
!################
!
! Rule 0 (global)
access-list inside_acl_in remark 0 (global)


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 11:41:23 2011 PDT by vadim
! Generated Thu Apr 14 12:07:25 2011 PDT by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported
@ -63,8 +63,11 @@ floodguard disable
!################
!
! Rule 0 (global)
access-list outside_acl_in deny ip any any