diff --git a/doc/ChangeLog b/doc/ChangeLog
index b540960cb..b95b24a6b 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,12 @@
 2011-04-14 vadim
+ * PolicyCompiler_pix.cpp (printPreambleCommands): see #2347 "FWSM
+ move up the "access-list mode auto-commit" command". Command that
+ configures access list commit mode should be issued before any
+ commands that clear and configure access lists. Also in this
+ change moving commands that set up temporary access list to the
+ top of the script.
+ * PolicyCompiler_pix.cpp (printClearCommands): see #2322 If this is FWSM and if manual commit mode is used, need to commit after clearing ACLs before we clear object groups.
diff --git a/src/cisco_lib/CompilerDriver_pix_run.cpp b/src/cisco_lib/CompilerDriver_pix_run.cpp
index d93ee73dc..15f8731cd 100644
--- a/src/cisco_lib/CompilerDriver_pix_run.cpp
+++ b/src/cisco_lib/CompilerDriver_pix_run.cpp
@@ -397,6 +397,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
 oscnf->processFirewallOptions();
 string clear_commands;
+ string preamble_commands;
 bool have_named_objects = false;
 bool have_object_groups = false;
@@ -432,6 +433,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
 n->compile();
 n->epilog();
+ preamble_commands += n->printPreambleCommands();
 clear_commands += n->printClearCommands();
 have_named_objects = (have_named_objects || named_objects_manager.haveNamedObjects());
@@ -467,6 +469,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
 c->compile();
 c->epilog();
+ preamble_commands += c->printPreambleCommands();
 clear_commands += c->printClearCommands();
 have_named_objects = (have_named_objects || named_objects_manager.haveNamedObjects());
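Review bot: The `if (!inSingleRuleCompileMode())` guard that wrapped this output in the old PolicyCompiler_pix::prolog() is not reproduced around the three `preamble_commands +=` additions, and the new printPreambleCommands() does not carry it either, so if run() is entered in single-rule compile mode the banner, the FWSM `access-list mode` line and the temporary ACL would now appear in that output; if the driver never reaches this code in that mode, a comment at the first addition, `// preamble (FWSM commit mode, temporary ACL) must precede the clear commands, see #2347`, would record the ordering these hunks introduce. The text is also accumulated from every NAT and policy compiler instance these loops create, so each PolicyCompiler_pix contributes its own copy of the preamble; that mirrors the old per-compiler prolog() output, so I only flag it. run() starts and ends outside these hunks.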
@@ -542,6 +545,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
 clear_commands += named_objects_manager.getClearCommands() + "\n";
+ system_configuration_script += preamble_commands;
 system_configuration_script += clear_commands;
 system_configuration_script += "\n";
diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp
index 499cfc2f6..306bf3fe3 100644
--- a/src/cisco_lib/NATCompiler_pix.cpp
+++ b/src/cisco_lib/NATCompiler_pix.cpp
@@ -1405,6 +1405,15 @@ string NATCompiler_pix::printClearCommands()
 return output.str();
 }
+/*
+ * This includes commands that should be added first, such as commit mode
+ for FWSM, setting up temporary access list etc.
+ */
+string NATCompiler_pix::printPreambleCommands()
+{
+ return "";
+}
+
 class MergeConflictRes : public FWObjectDatabase::ConflictResolutionPredicate
 {
 public:
diff --git a/src/cisco_lib/NATCompiler_pix.h b/src/cisco_lib/NATCompiler_pix.h
index 41d38ce7c..09cacb102 100644
--- a/src/cisco_lib/NATCompiler_pix.h
+++ b/src/cisco_lib/NATCompiler_pix.h
@@ -505,6 +505,7 @@ namespace fwcompiler
 void regroup();
 virtual std::string printClearCommands();
+ virtual std::string printPreambleCommands();
 /** * scans all rules in source_ruleset and finds rules (if
diff --git a/src/cisco_lib/PolicyCompiler_cisco.cpp b/src/cisco_lib/PolicyCompiler_cisco.cpp
index 55539f63d..efb32ff95 100644
--- a/src/cisco_lib/PolicyCompiler_cisco.cpp
+++ b/src/cisco_lib/PolicyCompiler_cisco.cpp
@@ -800,6 +800,15 @@ string PolicyCompiler_cisco::printClearCommands()
 return "";
 }
+/*
+ * This includes commands that should be added first, such as commit mode
+ for FWSM, setting up temporary access list etc.
+ */
+string PolicyCompiler_cisco::printPreambleCommands()
+{
+ return "";
+}
+
 void PolicyCompiler_cisco::setNamedObjectsManager(NamedObjectsManager *mgr)
 {
 named_objects_manager = mgr;
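Review bot: The comment above PolicyCompiler_cisco::printPreambleCommands (and the identical one on NATCompiler_pix::printPreambleCommands earlier in this hunk run) describes what the PIX override emits, not what these base implementations do, which is return an empty string. I'd reword both to state the contract the driver relies on, e.g. `/* Hook for commands that must precede the clear commands in the generated script (FWSM commit mode, temporary ACL); see PolicyCompiler_pix. Base implementation emits nothing. */`, so a reader of the stub does not expect output here. The new declaration in NATCompiler_pix.h gets no comment at all; the same one-liner would serve there.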
diff --git a/src/cisco_lib/PolicyCompiler_cisco.h b/src/cisco_lib/PolicyCompiler_cisco.h
index 6d8af8b2b..c4bf81845 100644
--- a/src/cisco_lib/PolicyCompiler_cisco.h
+++ b/src/cisco_lib/PolicyCompiler_cisco.h
@@ -519,7 +519,8 @@ public:
 virtual void epilog();
 virtual std::string printClearCommands();
-
+ virtual std::string printPreambleCommands();
+
 /** * sort commands ('icmp', 'telnet', 'ssh') and access lists * in some kind of 'natural' order. Useful for both IOS and PIX
diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp
index 7f0a5d93f..8adec2c11 100644
--- a/src/cisco_lib/PolicyCompiler_pix.cpp
+++ b/src/cisco_lib/PolicyCompiler_pix.cpp
@@ -78,115 +78,11 @@ PolicyCompiler_pix::PolicyCompiler_pix(FWObjectDatabase *_db, int PolicyCompiler_pix::prolog() { - string version = fw->getStr("version"); string platform = fw->getStr("platform"); - string host_os = fw->getStr("host_OS"); if (platform!="pix" && platform!="fwsm") abort("Unsupported platform " + platform ); - if (!inSingleRuleCompileMode()) - { - output << "!################" << endl; - - if (platform=="fwsm") - { - if (fw->getOptionsObject()->getBool("pix_use_manual_commit") ) - output << "access-list mode manual" << endl; - else - output << "access-list mode auto" << endl; - } - - if ( fw->getOptionsObject()->getBool("pix_acl_substitution") ) - { - /* Generate short temporary ACL and assign it to all - * interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500) - as well as ssh from given subnet to any. - */ - - string temp_acl = "tmp_acl"; - string temp_acl_addr = fw->getOptionsObject()->getStr("pix_acl_temp_addr"); - if (temp_acl_addr.empty()) - { - abort( - "Missing address for management host or subnet for " - "temporary ACL. 
Enter it in the tab 'Script " - "options' in 'Firewall Settings' dialog"); - } - - string::size_type slash_idx = temp_acl_addr.find('/'); - string addr = temp_acl_addr; - string netmask = "255.255.255.255"; - - if (slash_idx!=string::npos) - { - addr = temp_acl_addr.substr(0,slash_idx); - netmask = temp_acl_addr.substr(slash_idx+1); - try - { - if (netmask.find(".")!=string::npos) - { - InetAddr nm(netmask); - nm.isAny(); // to avoid warning abt unused var - } else - { - int nm_length; - istringstream str(netmask); - str >> nm_length; - InetAddr nm(nm_length); - netmask = nm.toString(); - } - } catch(FWException &ex) - { - abort("Invalid netmask for management subnet: '"+netmask+"'"); - } - } - - try - { - InetAddr(addr); - } catch(FWException &ex) - { - abort("Invalid address for management subnet: '"+addr+"'"); - } - - string clearACLcmd = Resources::platform_res[platform]->getResourceStr( - string("/FWBuilderResources/Target/options/")+ - "version_"+version+"/pix_commands/clear_acl"); - - output << endl; - - output << clearACLcmd << " " << temp_acl << endl; - - if (fw->getStr("platform")=="fwsm" && - fw->getOptionsObject()->getBool("pix_use_manual_commit") ) - { - output << "access-list commit" << endl; - } - - output << "access-list " << temp_acl - << " permit ip " - << addr << " " << netmask - << " any " - << endl; - output << "access-list " << temp_acl - << " deny ip any any " - << endl; - if (platform=="fwsm" && - fw->getOptionsObject()->getBool("pix_use_manual_commit") ) - output << "access-list commit" << endl; - - output << endl; - - output << "access-group " << temp_acl - << " in interface outside" << endl; - output << "access-group " << temp_acl - << " in interface inside" << endl; - - output << endl; - } - } - return PolicyCompiler::prolog(); } 
@@ -793,4 +689,116 @@ string PolicyCompiler_pix::printClearCommands() return output.str(); } +/* + * This includes commands that should be added first, such as commit mode + * for FWSM, setting up temporary access list etc. + */ +string PolicyCompiler_pix::printPreambleCommands() +{ + string version = fw->getStr("version"); + string platform = fw->getStr("platform"); + + ostringstream output; + + output << "!################" << endl; + + if (platform=="fwsm") + { + if (fw->getOptionsObject()->getBool("pix_use_manual_commit") ) + output << "access-list mode manual" << endl; + else + output << "access-list mode auto" << endl; + } + + if ( fw->getOptionsObject()->getBool("pix_acl_substitution") ) + { + /* Generate short temporary ACL and assign it to all + * interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500) + as well as ssh from given subnet to any. + */ + + string temp_acl = "tmp_acl"; + string temp_acl_addr = fw->getOptionsObject()->getStr("pix_acl_temp_addr"); + if (temp_acl_addr.empty()) + { + abort( + "Missing address for management host or subnet for " + "temporary ACL. 
Enter it in the tab 'Script " + "options' in 'Firewall Settings' dialog"); + } + + string::size_type slash_idx = temp_acl_addr.find('/'); + string addr = temp_acl_addr; + string netmask = "255.255.255.255"; + + if (slash_idx!=string::npos) + { + addr = temp_acl_addr.substr(0,slash_idx); + netmask = temp_acl_addr.substr(slash_idx+1); + try + { + if (netmask.find(".")!=string::npos) + { + InetAddr nm(netmask); + nm.isAny(); // to avoid warning abt unused var + } else + { + int nm_length; + istringstream str(netmask); + str >> nm_length; + InetAddr nm(nm_length); + netmask = nm.toString(); + } + } catch(FWException &ex) + { + abort("Invalid netmask for management subnet: '"+netmask+"'"); + } + } + + try + { + InetAddr(addr); + } catch(FWException &ex) + { + abort("Invalid address for management subnet: '"+addr+"'"); + } + + string clearACLcmd = Resources::platform_res[platform]->getResourceStr( + string("/FWBuilderResources/Target/options/")+ + "version_"+version+"/pix_commands/clear_acl"); + + output << endl; + + output << clearACLcmd << " " << temp_acl << endl; + + if (fw->getStr("platform")=="fwsm" && + fw->getOptionsObject()->getBool("pix_use_manual_commit") ) + { + output << "access-list commit" << endl; + } + + output << "access-list " << temp_acl + << " permit ip " + << addr << " " << netmask + << " any " + << endl; + output << "access-list " << temp_acl + << " deny ip any any " + << endl; + if (platform=="fwsm" && + fw->getOptionsObject()->getBool("pix_use_manual_commit") ) + output << "access-list commit" << endl; + + output << endl; + + output << "access-group " << temp_acl + << " in interface outside" << endl; + output << "access-group " << temp_acl + << " in interface inside" << endl; + + output << endl; + } + + return output.str(); +} diff --git a/src/cisco_lib/PolicyCompiler_pix.h b/src/cisco_lib/PolicyCompiler_pix.h index 0da77df90..589a6f1e6 100644 --- a/src/cisco_lib/PolicyCompiler_pix.h +++ b/src/cisco_lib/PolicyCompiler_pix.h 
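Review bot: The address check `InetAddr(addr);` in the try block of the new printPreambleCommands never validates `addr`: C++ parses `InetAddr(addr);` as the declaration of a fresh, default-constructed local named `addr`, so a malformed management address throws nothing and is copied verbatim into the generated `access-list tmp_acl permit ip ...` line. The line was moved unchanged from prolog(), but this is the place to fix it, e.g. `InetAddr addr_check(addr); addr_check.isAny(); // named so it is not parsed as a declaration`, mirroring the `nm.isAny()` workaround used a few lines above for the netmask. In the same branch `int nm_length;` is read by `str >> nm_length` with no initialisation and no failure check, so a prefix such as `/abc` (constructed example) hands an indeterminate value to `InetAddr nm(nm_length)`; `int nm_length = -1; if (!(str >> nm_length)) abort("Invalid netmask for management subnet: '"+netmask+"'");` closes that. Minor: the second FWSM test uses `fw->getStr("platform")=="fwsm"` where the other two use the local `platform`.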
@@ -322,6 +322,7 @@ namespace fwcompiler { virtual void epilog(); virtual std::string printClearCommands(); + virtual std::string printPreambleCommands(); }; diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index 04c6085c6..442227af8 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:23 2011 PDT by vadim +! Generated Thu Apr 14 12:07:26 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -114,6 +114,7 @@ policy-map global_policy service-policy global_policy global +!################ clear xlate clear config static clear config global @@ -147,7 +148,6 @@ object-group network id56627X61097.src.net.0 network-object host 192.0.2.253 exit -!################ ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index a38073d57..a078c38fa 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:23 2011 PDT by vadim +! Generated Thu Apr 14 12:07:26 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -114,6 +114,7 @@ policy-map global_policy service-policy global_policy global +!################ clear xlate clear config static clear config global @@ -147,7 +148,6 @@ object-group network id56627X61097.src.net.0 network-object host 192.0.2.253 exit -!################ ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index 2c4c21614..17200d422 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:23 2011 PDT by vadim +! Generated Thu Apr 14 12:07:26 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -114,6 +114,7 @@ policy-map global_policy service-policy global_policy global +!################ clear xlate clear config static clear config global @@ -147,7 +148,6 @@ object-group network id55439X897.src.net.0 network-object host 192.0.2.253 exit -!################ ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 3e57e55f4..f551a10d1 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:23 2011 PDT by vadim +! Generated Thu Apr 14 12:07:26 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -114,6 +114,7 @@ policy-map global_policy service-policy global_policy global +!################ clear xlate clear config static clear config global @@ -152,7 +153,6 @@ object-group network id3401X82678.dst.net.0 network-object host 192.0.2.254 exit -!################ ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index bc6b2a917..5590b7325 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:11 2011 PDT by vadim +! Generated Thu Apr 14 12:07:13 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported 
@@ -262,6 +262,15 @@ fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 +!################ + +clear access-list tmp_acl +access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any +access-list tmp_acl deny ip any any + +access-group tmp_acl in interface outside +access-group tmp_acl in interface inside + clear xlate clear static clear global @@ -386,15 +395,6 @@ object-group service pol-firewall2-4.srv.tcp.0 tcp port-object eq 7100 exit -!################ - -clear access-list tmp_acl -access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any -access-list tmp_acl deny ip any any - -access-group tmp_acl in interface outside -access-group tmp_acl in interface inside - ! ! Rule -1 backup ssh access rule (automatic) ssh 192.168.1.100 255.255.255.255 inside diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index 6865453cd..ddf71520f 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:10 2011 PDT by vadim +! Generated Thu Apr 14 12:07:13 2011 PDT by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported @@ -70,8 +70,11 @@ floodguard disable - !################ + + + + ! ! Rule 2 (eth1) ! Anti-spoofing rule diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index afa5c178c..b2cce4f89 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:11 2011 PDT by vadim +! Generated Thu Apr 14 12:07:13 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -91,6 +91,7 @@ fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 +!################ clear object-group @@ -222,7 +223,6 @@ object-group service id3DB0FA12.srv.tcp.0 tcp port-object eq 7100 exit -!################ ! ! Rule 3 (ethernet1) ! anti-spoofing rule 
diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index ebf629591..0cf30c07d 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:11 2011 PDT by vadim +! Generated Thu Apr 14 12:07:13 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -76,8 +76,11 @@ floodguard enable - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit tcp any host 10.5.80.20 eq 80 diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index 66138fd8b..84a648785 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:12 2011 PDT by vadim +! Generated Thu Apr 14 12:07:14 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -87,6 +87,7 @@ fixup protocol ftp 21 fixup protocol http 80 fixup protocol icmp error +!################ clear object-group @@ -96,7 +97,6 @@ object-group network id3F8F95CD.dst.net.0 network-object host 192.0.2.23 exit -!################ ! ! Rule 0 (global) access-list inside_acl_in remark 0 (global) diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 85755a794..67a1ed471 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:12 2011 PDT by vadim +! Generated Thu Apr 14 12:07:14 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -72,8 +72,11 @@ floodguard enable - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit ip 192.168.1.0 255.255.255.0 any diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index 9e688df32..2a1d66d5f 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:13 2011 PDT by vadim +! Generated Thu Apr 14 12:07:15 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -68,8 +68,11 @@ floodguard enable - !################ + + + + ! ! Rule 0 (global) access-list inside_acl_in permit ip 10.1.2.0 255.255.255.0 any diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 661979a82..5f8f2c1d4 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:13 2011 PDT by vadim +! Generated Thu Apr 14 12:07:15 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -63,6 +63,7 @@ floodguard disable +!################ clear xlate clear static clear global @@ -83,7 +84,6 @@ object-group network id3D8FCCDE.src.net.0 network-object host 192.168.1.20 exit -!################ ! ! Rule 0 (eth1) ! Anti-spoofing rule diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index c9e87eaa7..1518c3c4b 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:13 2011 PDT by vadim +! Generated Thu Apr 14 12:07:15 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -79,10 +79,11 @@ floodguard enable fixup protocol ftp 21 - - - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index 2714ab1f2..492897fd7 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:14 2011 PDT by vadim +! Generated Thu Apr 14 12:07:16 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
@@ -84,10 +84,11 @@ floodguard enable fixup protocol ftp 21 - - - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 6d7dbe2c5..abaf0809c 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:13 2011 PDT by vadim +! Generated Thu Apr 14 12:07:15 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -100,9 +100,11 @@ policy-map global_policy service-policy global_policy global - - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index f03c25d3a..c0dd64aca 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:14 2011 PDT by vadim +! Generated Thu Apr 14 12:07:16 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -93,9 +93,11 @@ policy-map global_policy service-policy global_policy global - - !################ + + + + ! ! Rule 0 (global) access-list outside_in permit ip any host 192.168.1.10 diff --git a/test/pix/firewall23.fw.orig b/test/pix/firewall23.fw.orig index 3b1c88590..1ce6bcea2 100755 --- a/test/pix/firewall23.fw.orig +++ b/test/pix/firewall23.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:14 2011 PDT by vadim +! Generated Thu Apr 14 12:07:16 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -72,7 +72,7 @@ clear nat -!################ + ! ! Rule 0 (NAT) diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index a67e4572a..5185a2e1e 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:15 2011 PDT by vadim +! Generated Thu Apr 14 12:07:17 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -73,6 +73,7 @@ floodguard disable +!################ clear access-list clear icmp clear telnet @@ -80,7 +81,6 @@ clear telnet -!################ ! ! Rule 0 (eth0) ssh 0.0.0.0 0.0.0.0 inside diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index c789d5bad..8708c1f53 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:15 2011 PDT by vadim +! Generated Thu Apr 14 12:07:18 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -72,6 +72,7 @@ floodguard disable +!################ clear object-group @@ -98,7 +99,6 @@ object-group network id438728A918346.dst.net.0 network-object host 157.166.255.19 exit -!################ ! ! Rule 0 (eth0.100) access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index dd5bbe087..41e1a5f30 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:15 2011 PDT by vadim +! Generated Thu Apr 14 12:07:18 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -61,6 +61,7 @@ floodguard disable +!################ clear object-group @@ -189,7 +190,6 @@ object-group network id21263X16880.src.net.0 network-object 10.1.4.0 255.255.255.0 exit -!################ ! ! Rule 0 (global) access-list outside_acl_in permit ip any 192.168.2.128 255.255.255.128 diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 84398d11c..3a4d032a5 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:16 2011 PDT by vadim +! Generated Thu Apr 14 12:07:18 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -75,6 +75,7 @@ floodguard disable +!################ clear xlate clear static clear global @@ -95,7 +96,6 @@ object-group network id3D79A1E4.dst.net.0 network-object host 192.168.1.20 exit -!################ ! ! Rule 0 (global) access-list inside_acl_in permit tcp any host 192.168.1.10 eq 22 diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index c6c806903..d0bdf6828 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:16 2011 PDT by vadim +! Generated Thu Apr 14 12:07:19 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -114,6 +114,15 @@ policy-map global_policy service-policy global_policy global +!################ + +clear config access-list tmp_acl +access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any +access-list tmp_acl deny ip any any + +access-group tmp_acl in interface outside +access-group tmp_acl in interface inside + clear xlate clear config static clear config global @@ -239,15 +248,6 @@ object-group service id4514304928543.srv.tcp.0 tcp port-object eq 7100 exit -!################ - -clear config access-list tmp_acl -access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any -access-list tmp_acl deny ip any any - -access-group tmp_acl in interface outside -access-group tmp_acl in interface inside - ! ! Rule 2 (ethernet1) icmp permit any 3 outside diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 3af1a2c2d..ef7ba26a0 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:16 2011 PDT by vadim +! Generated Thu Apr 14 12:07:19 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -76,6 +76,7 @@ floodguard disable +!################ clear xlate clear static clear global @@ -87,7 +88,6 @@ clear telnet -!################ ! ! Rule 0 (eth1) access-list outside_acl_in deny ip any host 22.22.22.22 diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index c632f29a5..0b6b62496 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:17 2011 PDT by vadim +! Generated Thu Apr 14 12:07:19 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -77,10 +77,11 @@ floodguard enable fixup protocol ftp 21 - - - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index 94a9caffd..d8f3c1e2a 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:17 2011 PDT by vadim +! Generated Thu Apr 14 12:07:20 2011 PDT by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported @@ -86,6 +86,7 @@ parameters router-alert action clear +!################ clear xlate clear config static clear config global @@ -117,7 +118,6 @@ object-group icmp-type id21447X11252.srv.icmp.0 icmp-object 8 exit -!################ ! ! Rule 0 (FastEthernet1) ssh 0.0.0.0 0.0.0.0 inside diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index 62d12b366..49e99d7e1 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:18 2011 PDT by vadim +! Generated Thu Apr 14 12:07:20 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -89,6 +89,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -105,7 +106,6 @@ object network hostA:eth0.0 host 192.168.1.10 exit -!################ ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index c0e260e83..9de8fcc4e 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:18 2011 PDT by vadim +! Generated Thu Apr 14 12:07:21 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -89,6 +89,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -105,7 +106,6 @@ object network hostA:eth0.0 host 192.168.1.10 exit -!################ ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 0569ec59c..fc2c8d7fa 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:18 2011 PDT by vadim +! Generated Thu Apr 14 12:07:21 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -87,6 +87,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -103,7 +104,6 @@ object network hostA:eth0.0 host 192.168.1.10 exit -!################ ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index 53afc13ab..34160bc16 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:19 2011 PDT by vadim +! Generated Thu Apr 14 12:07:21 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -96,7 +96,7 @@ fixup protocol tftp 69 -!################ + diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index c2709ff11..cf22dfac2 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:19 2011 PDT by vadim +! Generated Thu Apr 14 12:07:21 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -90,6 +90,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -234,7 +235,6 @@ object-group network id78630X30274.src.net.0 network-object 10.1.3.0 255.255.255.0 exit -!################ ! ! Rule 0 (global) access-list outside_acl_in deny ip object-group id78630X30274.src.net.0 any diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 4fdc46526..bd1b5ffa9 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:19 2011 PDT by vadim +! Generated Thu Apr 14 12:07:22 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -92,6 +92,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -132,7 +133,6 @@ object network outside_range.0 range 22.22.22.21 22.22.22.25 exit -!################ ! ! Rule 0 (global) access-list inside_acl_in deny ip any any diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index db0688065..f6851b397 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:19 2011 PDT by vadim +! Generated Thu Apr 14 12:07:22 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -87,6 +87,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -133,7 +134,6 @@ object-group network id20655X6113.osrc.net.0 network-object object internal_subnet_2.0 exit -!################ ! ! Rule 0 (global) access-list inside_acl_in deny ip any any diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig index fd91184bd..4ff086a20 100755 --- a/test/pix/firewall93.fw.orig +++ b/test/pix/firewall93.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:20 2011 PDT by vadim +! Generated Thu Apr 14 12:07:23 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -102,7 +102,7 @@ object network inside-range-1.0 range 10.0.0.1 10.0.0.5 exit -!################ + ! ! Rule 0 (NAT) diff --git a/test/pix/firewall94.fw.orig b/test/pix/firewall94.fw.orig index cdcf322b2..4372c18f5 100755 --- a/test/pix/firewall94.fw.orig +++ b/test/pix/firewall94.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:20 2011 PDT by vadim +! Generated Thu Apr 14 12:07:23 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -74,6 +74,7 @@ service-policy global_policy global +!################ clear config access-list clear config icmp clear config telnet @@ -94,7 +95,6 @@ object-group network id26782X14355.src.net.0 network-object object inside-range-2.0 exit -!################ ! ! Rule 0 (global) access-list inside_acl_in remark 0 (global) diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index fb0096e42..25ee1847f 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig 
@@ -3,7 +3,7 @@
 !
 ! Firewall Builder fwb_pix v4.2.0.3526
 !
-! Generated Thu Apr 14 11:41:21 2011 PDT by vadim
+! Generated Thu Apr 14 12:07:23 2011 PDT by vadim
 !
 ! Compiled for fwsm 2.3
 ! Outbound ACLs: supported
@@ -94,6 +94,16 @@ fixup protocol skinny 2000
 fixup protocol smtp 25
 fixup protocol sqlnet 1521
+!################
+access-list mode auto
+
+clear access-list tmp_acl
+access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
+access-list tmp_acl deny ip any any
+
+access-group tmp_acl in interface outside
+access-group tmp_acl in interface inside
+
 clear xlate
 clear static
 clear global
@@ -218,16 +228,6 @@ object-group service id444A04819567.srv.tcp.0 tcp
 port-object eq 7100
 exit
-!################
-access-list mode auto
-
-clear access-list tmp_acl
-access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
-access-list tmp_acl deny ip any any
-
-access-group tmp_acl in interface outside
-access-group tmp_acl in interface inside
-
 !
 ! Rule 2 (ethernet1)
 icmp permit any 3 outside
diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig
index 113c7e91b..94120ac3b 100755
--- a/test/pix/fwsm2.fw.orig
+++ b/test/pix/fwsm2.fw.orig
@@ -3,7 +3,7 @@
 !
 ! Firewall Builder fwb_pix v4.2.0.3526
 !
-! Generated Thu Apr 14 11:41:21 2011 PDT by vadim
+! Generated Thu Apr 14 12:07:24 2011 PDT by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported
@@ -110,6 +110,16 @@ service-policy global_policy global
+!################
+access-list mode auto
+
+clear config access-list tmp_acl
+access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
+access-list tmp_acl deny ip any any
+
+access-group tmp_acl in interface outside
+access-group tmp_acl in interface inside
+
 clear xlate
 clear config static
 clear config global
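Review bot: The temporary lock-down list is now created and bound (`access-group tmp_acl in interface outside` / `inside`) before the `clear xlate` / `clear static` / `clear global` block that follows it, and the 8.3 fixtures in this same commit (firewall90, firewall91, firewall92) show that block containing an unqualified `clear config access-list`; if the FWSM and pix515 clear blocks, which run past these hunks, contain that command or its older `clear access-list` form, tmp_acl would presumably be wiped right after it is applied and the fail-closed window the list is meant to provide would not exist. Before this change the list was emitted after the last `clear` command, so the previous ordering did not have this exposure. Worth confirming that the generated clear commands exclude tmp_acl (or are limited to named lists) for the fwsm1, fwsm2, fwsm3 and pix515 outputs; the same ordering question applies to their hunks.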
@@ -234,16 +244,6 @@ object-group service id17461X54624.srv.tcp.0 tcp
 port-object eq 7100
 exit
-!################
-access-list mode auto
-
-clear config access-list tmp_acl
-access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
-access-list tmp_acl deny ip any any
-
-access-group tmp_acl in interface outside
-access-group tmp_acl in interface inside
-
 !
 ! Rule 2 (ethernet1)
 icmp permit any 3 outside
diff --git a/test/pix/fwsm3.fw.orig b/test/pix/fwsm3.fw.orig
index 24b58e2a4..0f5aa0e80 100755
--- a/test/pix/fwsm3.fw.orig
+++ b/test/pix/fwsm3.fw.orig
@@ -3,7 +3,7 @@
 !
 ! Firewall Builder fwb_pix v4.2.0.3526
 !
-! Generated Thu Apr 14 11:46:21 2011 PDT by vadim
+! Generated Thu Apr 14 12:07:24 2011 PDT by vadim
 !
 ! Compiled for fwsm 4.x
 ! Outbound ACLs: supported
@@ -109,6 +109,18 @@ service-policy global_policy global
+!################
+access-list mode manual
+
+clear config access-list tmp_acl
+access-list commit
+access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
+access-list tmp_acl deny ip any any
+access-list commit
+
+access-group tmp_acl in interface outside
+access-group tmp_acl in interface inside
+
 clear xlate
 clear config static
 clear config global
@@ -129,18 +141,6 @@ object-group network id59803X13930.src.net.0
 network-object 172.16.0.2 255.255.255.255
 exit
-!################
-access-list mode manual
-
-clear config access-list tmp_acl
-access-list commit
-access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
-access-list tmp_acl deny ip any any
-access-list commit
-
-access-group tmp_acl in interface outside
-access-group tmp_acl in interface inside
-
 !
 ! Rule 1 (ethernet1)
 ! need this rule to generate at least one object group
diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig
index afd1dd788..d0d44518d 100755
--- a/test/pix/pix515.fw.orig
+++ b/test/pix/pix515.fw.orig
@@ -3,7 +3,7 @@
 !
 ! Firewall Builder fwb_pix v4.2.0.3526
 !
-! Generated Thu Apr 14 11:41:22 2011 PDT by vadim
+! Generated Thu Apr 14 12:07:25 2011 PDT by vadim
 !
 ! Compiled for pix 7.0
 ! Outbound ACLs: supported
@@ -84,6 +84,15 @@ policy-map global_policy
 service-policy global_policy global
+!################
+
+clear config access-list tmp_acl
+access-list tmp_acl permit ip 10.3.14.42 255.255.255.255 any
+access-list tmp_acl deny ip any any
+
+access-group tmp_acl in interface outside
+access-group tmp_acl in interface inside
+
 clear xlate
 clear config static
 clear config global
@@ -96,15 +105,6 @@ clear config telnet
-!################
-
-clear config access-list tmp_acl
-access-list tmp_acl permit ip 10.3.14.42 255.255.255.255 any
-access-list tmp_acl deny ip any any
-
-access-group tmp_acl in interface outside
-access-group tmp_acl in interface inside
-
 !
 ! Rule -1 backup ssh access rule (automatic)
 ssh 10.3.14.42 255.255.255.255 inside
diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig
index 5f83e017d..f3ca46131 100755
--- a/test/pix/real.fw.orig
+++ b/test/pix/real.fw.orig
@@ -3,7 +3,7 @@
 !
 ! Firewall Builder fwb_pix v4.2.0.3526
 !
-! Generated Thu Apr 14 11:41:22 2011 PDT by vadim
+! Generated Thu Apr 14 12:07:25 2011 PDT by vadim
 !
 ! Compiled for pix 6.3
 ! Outbound ACLs: not supported
@@ -86,6 +86,7 @@ fixup protocol ftp 21
 fixup protocol http 80
 fixup protocol icmp error
+!################
 clear xlate
 clear static
 clear global
@@ -97,7 +98,6 @@ clear telnet
-!################
 !
 ! Rule 0 (global)
 access-list inside_acl_in remark 0 (global)
diff --git a/test/pix/test_net_zone_2.fw.orig b/test/pix/test_net_zone_2.fw.orig
index dda96c6f9..2ea6e7676 100755
--- a/test/pix/test_net_zone_2.fw.orig
+++ b/test/pix/test_net_zone_2.fw.orig
@@ -3,7 +3,7 @@
 !
 ! Firewall Builder fwb_pix v4.2.0.3526
 !
-! Generated Thu Apr 14 11:41:23 2011 PDT by vadim
+! Generated Thu Apr 14 12:07:25 2011 PDT by vadim
 !
 ! Compiled for pix 6.1
 ! Outbound ACLs: not supported
@@ -63,8 +63,11 @@ floodguard disable
-
 !################
+
+
+
+
 !
 ! Rule 0 (global)
 access-list outside_acl_in deny ip any any