From 59f40e5d71c3d6cd07148d61a6ed51a18a0d1d02 Mon Sep 17 00:00:00 2001 
From: Vadim Kurland Date: Thu, 14 Apr 2011 12:11:15 -0700 Subject: [PATCH] * PolicyCompiler_pix.cpp (printPreambleCommands): see #2347 "FWSM move up the "access-list mode auto-commit" command". Command that configures access list commit mode should be issued before any commands that clear and configure access lists. Also in this change moving commands that set up temporary access list to the top of the script. --- doc/ChangeLog | 7 + src/cisco_lib/CompilerDriver_pix_run.cpp | 4 + src/cisco_lib/NATCompiler_pix.cpp | 9 + src/cisco_lib/NATCompiler_pix.h | 1 + src/cisco_lib/PolicyCompiler_cisco.cpp | 9 + src/cisco_lib/PolicyCompiler_cisco.h | 3 +- src/cisco_lib/PolicyCompiler_pix.cpp | 216 ++++++++++++----------- src/cisco_lib/PolicyCompiler_pix.h | 1 + test/pix/cluster1-1_pix1.fw.orig | 4 +- test/pix/cluster1-1_pix2.fw.orig | 4 +- test/pix/cluster1_pix1.fw.orig | 4 +- test/pix/cluster1_pix2.fw.orig | 4 +- test/pix/firewall.fw.orig | 20 +-- test/pix/firewall1.fw.orig | 7 +- test/pix/firewall10.fw.orig | 4 +- test/pix/firewall11.fw.orig | 7 +- test/pix/firewall12.fw.orig | 4 +- test/pix/firewall13.fw.orig | 7 +- test/pix/firewall14.fw.orig | 7 +- test/pix/firewall2.fw.orig | 4 +- test/pix/firewall20.fw.orig | 9 +- test/pix/firewall21-1.fw.orig | 9 +- test/pix/firewall21.fw.orig | 8 +- test/pix/firewall22.fw.orig | 8 +- test/pix/firewall23.fw.orig | 4 +- test/pix/firewall3.fw.orig | 4 +- test/pix/firewall33.fw.orig | 4 +- test/pix/firewall34.fw.orig | 4 +- test/pix/firewall4.fw.orig | 4 +- test/pix/firewall50.fw.orig | 20 +-- test/pix/firewall6.fw.orig | 4 +- test/pix/firewall8.fw.orig | 9 +- test/pix/firewall80.fw.orig | 4 +- test/pix/firewall81.fw.orig | 4 +- test/pix/firewall82.fw.orig | 4 +- test/pix/firewall83.fw.orig | 4 +- test/pix/firewall9.fw.orig | 4 +- test/pix/firewall90.fw.orig | 4 +- test/pix/firewall91.fw.orig | 4 +- test/pix/firewall92.fw.orig | 4 +- test/pix/firewall93.fw.orig | 4 +- test/pix/firewall94.fw.orig | 4 +- test/pix/fwsm1.fw.orig | 22 +-- 
test/pix/fwsm2.fw.orig | 22 +-- test/pix/fwsm3.fw.orig | 26 +-- test/pix/pix515.fw.orig | 20 +-- test/pix/real.fw.orig | 4 +- test/pix/test_net_zone_2.fw.orig | 7 +- 48 files changed, 308 insertions(+), 246 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index b540960cb..b95b24a6b 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,12 @@ 2011-04-14 vadim + * PolicyCompiler_pix.cpp (printPreambleCommands): see #2347 "FWSM + move up the "access-list mode auto-commit" command". Command that + configures access list commit mode should be issued before any + commands that clear and configure access lists. Also in this + change moving commands that set up temporary access list to the + top of the script. + * PolicyCompiler_pix.cpp (printClearCommands): see #2322 If this is FWSM and if manual commit mode is used, need to commit after clearing ACLs before we clear object groups. diff --git a/src/cisco_lib/CompilerDriver_pix_run.cpp b/src/cisco_lib/CompilerDriver_pix_run.cpp index d93ee73dc..15f8731cd 100644 --- a/src/cisco_lib/CompilerDriver_pix_run.cpp +++ b/src/cisco_lib/CompilerDriver_pix_run.cpp @@ -397,6 +397,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id, oscnf->processFirewallOptions(); string clear_commands; + string preamble_commands; bool have_named_objects = false; bool have_object_groups = false; @@ -432,6 +433,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id, n->compile(); n->epilog(); + preamble_commands += n->printPreambleCommands(); clear_commands += n->printClearCommands(); have_named_objects = (have_named_objects || named_objects_manager.haveNamedObjects()); @@ -467,6 +469,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id, c->compile(); c->epilog(); + preamble_commands += c->printPreambleCommands(); clear_commands += c->printClearCommands(); have_named_objects = (have_named_objects || named_objects_manager.haveNamedObjects()); 
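Review bot: `preamble_commands += n->printPreambleCommands();` (and the matching `c->printPreambleCommands()` call in the -467 hunk) runs without the `!inSingleRuleCompileMode()` test that wrapped the same output while it lived in `PolicyCompiler_pix::prolog()`. As written, a single-rule compile would also reach the "Missing address for management host or subnet" abort and the temporary-ACL commands, which the old code skipped; whether the driver discards `system_configuration_script` in that mode is not visible here. If the old behaviour is intended, restore it at the top of `PolicyCompiler_pix::printPreambleCommands()` with `if (inSingleRuleCompileMode()) return "";`. Both calls also appear to sit inside per-ruleset processing that starts outside these hunks, so it is worth confirming the preamble cannot be appended more than once.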
@@ -542,6 +545,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id, clear_commands += named_objects_manager.getClearCommands() + "\n"; + system_configuration_script += preamble_commands; system_configuration_script += clear_commands; system_configuration_script += "\n"; diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp index 499cfc2f6..306bf3fe3 100644 --- a/src/cisco_lib/NATCompiler_pix.cpp +++ b/src/cisco_lib/NATCompiler_pix.cpp @@ -1405,6 +1405,15 @@ string NATCompiler_pix::printClearCommands() return output.str(); } +/* + * This includes commands that should be added first, such as commit mode + * for FWSM, setting up temporary access list etc. + */ +string NATCompiler_pix::printPreambleCommands() +{ + return ""; +} + class MergeConflictRes : public FWObjectDatabase::ConflictResolutionPredicate { public: diff --git a/src/cisco_lib/NATCompiler_pix.h b/src/cisco_lib/NATCompiler_pix.h index 41d38ce7c..09cacb102 100644 --- a/src/cisco_lib/NATCompiler_pix.h +++ b/src/cisco_lib/NATCompiler_pix.h @@ -505,6 +505,7 @@ namespace fwcompiler void regroup(); virtual std::string printClearCommands(); + virtual std::string printPreambleCommands(); /** * scans all rules in source_ruleset and finds rules (if diff --git a/src/cisco_lib/PolicyCompiler_cisco.cpp b/src/cisco_lib/PolicyCompiler_cisco.cpp index 55539f63d..efb32ff95 100644 --- a/src/cisco_lib/PolicyCompiler_cisco.cpp +++ b/src/cisco_lib/PolicyCompiler_cisco.cpp @@ -800,6 +800,15 @@ string PolicyCompiler_cisco::printClearCommands() return ""; } +/* + * This includes commands that should be added first, such as commit mode + * for FWSM, setting up temporary access list etc. + */ +string PolicyCompiler_cisco::printPreambleCommands() +{ + return ""; +} + void PolicyCompiler_cisco::setNamedObjectsManager(NamedObjectsManager *mgr) { named_objects_manager = mgr; 
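Review bot: The order of the two appends at `system_configuration_script += preamble_commands;` is now load-bearing and nothing at this spot says so. The temporary ACL is bound to the interfaces before `clear_commands` runs, so it protects management access only if the clear commands never remove `tmp_acl` or its `access-group` bindings; the fixtures that contain `tmp_acl` show `clear xlate` right after it, but the rest of the clear block is outside the visible context. A comment such as `// preamble first: FWSM commit mode and tmp_acl must be in place before any ACL is cleared` would record the dependency. It is also worth confirming that `printClearCommands()` does not issue a blanket `clear access-list` when `pix_acl_substitution` is set.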
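Review bot: The comment above `NATCompiler_pix::printPreambleCommands()` describes commit-mode and temporary-ACL commands, but the function body is `return "";`; the same copied comment sits above `PolicyCompiler_cisco::printPreambleCommands()` in the next file. A comment stating the actual contract would be less misleading, for example `/* NAT compiler adds nothing to the preamble; returns an empty string. */` here and an equivalent "default: no preamble commands" comment on the cisco version.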
diff --git a/src/cisco_lib/PolicyCompiler_cisco.h b/src/cisco_lib/PolicyCompiler_cisco.h index 6d8af8b2b..c4bf81845 100644 --- a/src/cisco_lib/PolicyCompiler_cisco.h +++ b/src/cisco_lib/PolicyCompiler_cisco.h @@ -519,7 +519,8 @@ public: virtual void epilog(); virtual std::string printClearCommands(); - + virtual std::string printPreambleCommands(); + /** * sort commands ('icmp', 'telnet', 'ssh') and access lists * in some kind of 'natural' order. Useful for both IOS and PIX diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp index 7f0a5d93f..8adec2c11 100644 --- a/src/cisco_lib/PolicyCompiler_pix.cpp +++ b/src/cisco_lib/PolicyCompiler_pix.cpp 
@@ -78,115 +78,11 @@ PolicyCompiler_pix::PolicyCompiler_pix(FWObjectDatabase *_db, int PolicyCompiler_pix::prolog() { - string version = fw->getStr("version"); string platform = fw->getStr("platform"); - string host_os = fw->getStr("host_OS"); if (platform!="pix" && platform!="fwsm") abort("Unsupported platform " + platform ); - if (!inSingleRuleCompileMode()) - { - output << "!################" << endl; - - if (platform=="fwsm") - { - if (fw->getOptionsObject()->getBool("pix_use_manual_commit") ) - output << "access-list mode manual" << endl; - else - output << "access-list mode auto" << endl; - } - - if ( fw->getOptionsObject()->getBool("pix_acl_substitution") ) - { - /* Generate short temporary ACL and assign it to all - * interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500) - as well as ssh from given subnet to any. - */ - - string temp_acl = "tmp_acl"; - string temp_acl_addr = fw->getOptionsObject()->getStr("pix_acl_temp_addr"); - if (temp_acl_addr.empty()) - { - abort( - "Missing address for management host or subnet for " - "temporary ACL. 
Enter it in the tab 'Script " - "options' in 'Firewall Settings' dialog"); - } - - string::size_type slash_idx = temp_acl_addr.find('/'); - string addr = temp_acl_addr; - string netmask = "255.255.255.255"; - - if (slash_idx!=string::npos) - { - addr = temp_acl_addr.substr(0,slash_idx); - netmask = temp_acl_addr.substr(slash_idx+1); - try - { - if (netmask.find(".")!=string::npos) - { - InetAddr nm(netmask); - nm.isAny(); // to avoid warning abt unused var - } else - { - int nm_length; - istringstream str(netmask); - str >> nm_length; - InetAddr nm(nm_length); - netmask = nm.toString(); - } - } catch(FWException &ex) - { - abort("Invalid netmask for management subnet: '"+netmask+"'"); - } - } - - try - { - InetAddr(addr); - } catch(FWException &ex) - { - abort("Invalid address for management subnet: '"+addr+"'"); - } - - string clearACLcmd = Resources::platform_res[platform]->getResourceStr( - string("/FWBuilderResources/Target/options/")+ - "version_"+version+"/pix_commands/clear_acl"); - - output << endl; - - output << clearACLcmd << " " << temp_acl << endl; - - if (fw->getStr("platform")=="fwsm" && - fw->getOptionsObject()->getBool("pix_use_manual_commit") ) - { - output << "access-list commit" << endl; - } - - output << "access-list " << temp_acl - << " permit ip " - << addr << " " << netmask - << " any " - << endl; - output << "access-list " << temp_acl - << " deny ip any any " - << endl; - if (platform=="fwsm" && - fw->getOptionsObject()->getBool("pix_use_manual_commit") ) - output << "access-list commit" << endl; - - output << endl; - - output << "access-group " << temp_acl - << " in interface outside" << endl; - output << "access-group " << temp_acl - << " in interface inside" << endl; - - output << endl; - } - } - return PolicyCompiler::prolog(); } 
@@ -793,4 +689,116 @@ string PolicyCompiler_pix::printClearCommands() return output.str(); } +/* + * This includes commands that should be added first, such as commit mode + * for FWSM, setting up temporary access list etc. + */ +string PolicyCompiler_pix::printPreambleCommands() +{ + string version = fw->getStr("version"); + string platform = fw->getStr("platform"); + + ostringstream output; + + output << "!################" << endl; + + if (platform=="fwsm") + { + if (fw->getOptionsObject()->getBool("pix_use_manual_commit") ) + output << "access-list mode manual" << endl; + else + output << "access-list mode auto" << endl; + } + + if ( fw->getOptionsObject()->getBool("pix_acl_substitution") ) + { + /* Generate short temporary ACL and assign it to all + * interfaces. This ACL permits IPSEC (IP proto 50 and UDP port 500) + as well as ssh from given subnet to any. + */ + + string temp_acl = "tmp_acl"; + string temp_acl_addr = fw->getOptionsObject()->getStr("pix_acl_temp_addr"); + if (temp_acl_addr.empty()) + { + abort( + "Missing address for management host or subnet for " + "temporary ACL. 
Enter it in the tab 'Script " + "options' in 'Firewall Settings' dialog"); + } + + string::size_type slash_idx = temp_acl_addr.find('/'); + string addr = temp_acl_addr; + string netmask = "255.255.255.255"; + + if (slash_idx!=string::npos) + { + addr = temp_acl_addr.substr(0,slash_idx); + netmask = temp_acl_addr.substr(slash_idx+1); + try + { + if (netmask.find(".")!=string::npos) + { + InetAddr nm(netmask); + nm.isAny(); // to avoid warning abt unused var + } else + { + int nm_length; + istringstream str(netmask); + str >> nm_length; + InetAddr nm(nm_length); + netmask = nm.toString(); + } + } catch(FWException &ex) + { + abort("Invalid netmask for management subnet: '"+netmask+"'"); + } + } + + try + { + InetAddr(addr); + } catch(FWException &ex) + { + abort("Invalid address for management subnet: '"+addr+"'"); + } + + string clearACLcmd = Resources::platform_res[platform]->getResourceStr( + string("/FWBuilderResources/Target/options/")+ + "version_"+version+"/pix_commands/clear_acl"); + + output << endl; + + output << clearACLcmd << " " << temp_acl << endl; + + if (fw->getStr("platform")=="fwsm" && + fw->getOptionsObject()->getBool("pix_use_manual_commit") ) + { + output << "access-list commit" << endl; + } + + output << "access-list " << temp_acl + << " permit ip " + << addr << " " << netmask + << " any " + << endl; + output << "access-list " << temp_acl + << " deny ip any any " + << endl; + if (platform=="fwsm" && + fw->getOptionsObject()->getBool("pix_use_manual_commit") ) + output << "access-list commit" << endl; + + output << endl; + + output << "access-group " << temp_acl + << " in interface outside" << endl; + output << "access-group " << temp_acl + << " in interface inside" << endl; + + output << endl; + } + + return output.str(); +} diff --git a/src/cisco_lib/PolicyCompiler_pix.h b/src/cisco_lib/PolicyCompiler_pix.h index 0da77df90..589a6f1e6 100644 --- a/src/cisco_lib/PolicyCompiler_pix.h +++ b/src/cisco_lib/PolicyCompiler_pix.h 
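Review bot: In the prefix-length branch of `printPreambleCommands()`, `str >> nm_length;` is never checked, so a value after the slash that is empty, non-numeric or has trailing characters does not reach the "Invalid netmask" abort on its own. Depending on the library, a failed extraction leaves `nm_length` at 0 or uninitialised, and a zero-length mask would make the `permit ip` line of `tmp_acl` match every source address; whether `InetAddr(int)` rejects out-of-range lengths is not visible here. Initialise the variable and test the parse, e.g. `if (!(str >> nm_length) || !str.eof() || nm_length < 0 || nm_length > 32) abort("Invalid netmask for management subnet: '"+netmask+"'");`. Separately, the block comment says the ACL permits IPSEC and ssh and is assigned to all interfaces, while the code emits a plain `permit ip` from the management subnet and binds only the interfaces named `outside` and `inside`; the comment should describe what is actually generated.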
@@ -322,6 +322,7 @@ namespace fwcompiler { virtual void epilog(); virtual std::string printClearCommands(); + virtual std::string printPreambleCommands(); }; diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index 04c6085c6..442227af8 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:23 2011 PDT by vadim +! Generated Thu Apr 14 12:07:26 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -114,6 +114,7 @@ policy-map global_policy service-policy global_policy global +!################ clear xlate clear config static clear config global @@ -147,7 +148,6 @@ object-group network id56627X61097.src.net.0 network-object host 192.0.2.253 exit -!################ ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index a38073d57..a078c38fa 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:23 2011 PDT by vadim +! Generated Thu Apr 14 12:07:26 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -114,6 +114,7 @@ policy-map global_policy service-policy global_policy global +!################ clear xlate clear config static clear config global @@ -147,7 +148,6 @@ object-group network id56627X61097.src.net.0 network-object host 192.0.2.253 exit -!################ ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index 2c4c21614..17200d422 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:23 2011 PDT by vadim +! Generated Thu Apr 14 12:07:26 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -114,6 +114,7 @@ policy-map global_policy service-policy global_policy global +!################ clear xlate clear config static clear config global @@ -147,7 +148,6 @@ object-group network id55439X897.src.net.0 network-object host 192.0.2.253 exit -!################ ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 3e57e55f4..f551a10d1 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:23 2011 PDT by vadim +! Generated Thu Apr 14 12:07:26 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -114,6 +114,7 @@ policy-map global_policy service-policy global_policy global +!################ clear xlate clear config static clear config global @@ -152,7 +153,6 @@ object-group network id3401X82678.dst.net.0 network-object host 192.0.2.254 exit -!################ ! ! Rule 0 (Ethernet0.101) ! anti spoofing rule diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index bc6b2a917..5590b7325 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:11 2011 PDT by vadim +! Generated Thu Apr 14 12:07:13 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported 
@@ -262,6 +262,15 @@ fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 +!################ + +clear access-list tmp_acl +access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any +access-list tmp_acl deny ip any any + +access-group tmp_acl in interface outside +access-group tmp_acl in interface inside + clear xlate clear static clear global @@ -386,15 +395,6 @@ object-group service pol-firewall2-4.srv.tcp.0 tcp port-object eq 7100 exit -!################ - -clear access-list tmp_acl -access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any -access-list tmp_acl deny ip any any - -access-group tmp_acl in interface outside -access-group tmp_acl in interface inside - ! ! Rule -1 backup ssh access rule (automatic) ssh 192.168.1.100 255.255.255.255 inside diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index 6865453cd..ddf71520f 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:10 2011 PDT by vadim +! Generated Thu Apr 14 12:07:13 2011 PDT by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported @@ -70,8 +70,11 @@ floodguard disable - !################ + + + + ! ! Rule 2 (eth1) ! Anti-spoofing rule diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index afa5c178c..b2cce4f89 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:11 2011 PDT by vadim +! Generated Thu Apr 14 12:07:13 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -91,6 +91,7 @@ fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 +!################ clear object-group @@ -222,7 +223,6 @@ object-group service id3DB0FA12.srv.tcp.0 tcp port-object eq 7100 exit -!################ ! ! Rule 3 (ethernet1) ! anti-spoofing rule 
diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index ebf629591..0cf30c07d 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:11 2011 PDT by vadim +! Generated Thu Apr 14 12:07:13 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -76,8 +76,11 @@ floodguard enable - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit tcp any host 10.5.80.20 eq 80 diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index 66138fd8b..84a648785 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:12 2011 PDT by vadim +! Generated Thu Apr 14 12:07:14 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -87,6 +87,7 @@ fixup protocol ftp 21 fixup protocol http 80 fixup protocol icmp error +!################ clear object-group @@ -96,7 +97,6 @@ object-group network id3F8F95CD.dst.net.0 network-object host 192.0.2.23 exit -!################ ! ! Rule 0 (global) access-list inside_acl_in remark 0 (global) diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 85755a794..67a1ed471 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:12 2011 PDT by vadim +! Generated Thu Apr 14 12:07:14 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -72,8 +72,11 @@ floodguard enable - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit ip 192.168.1.0 255.255.255.0 any diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index 9e688df32..2a1d66d5f 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:13 2011 PDT by vadim +! Generated Thu Apr 14 12:07:15 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -68,8 +68,11 @@ floodguard enable - !################ + + + + ! ! Rule 0 (global) access-list inside_acl_in permit ip 10.1.2.0 255.255.255.0 any diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 661979a82..5f8f2c1d4 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:13 2011 PDT by vadim +! Generated Thu Apr 14 12:07:15 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -63,6 +63,7 @@ floodguard disable +!################ clear xlate clear static clear global @@ -83,7 +84,6 @@ object-group network id3D8FCCDE.src.net.0 network-object host 192.168.1.20 exit -!################ ! ! Rule 0 (eth1) ! Anti-spoofing rule diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index c9e87eaa7..1518c3c4b 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:13 2011 PDT by vadim +! Generated Thu Apr 14 12:07:15 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -79,10 +79,11 @@ floodguard enable fixup protocol ftp 21 - - - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index 2714ab1f2..492897fd7 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:14 2011 PDT by vadim +! Generated Thu Apr 14 12:07:16 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
@@ -84,10 +84,11 @@ floodguard enable fixup protocol ftp 21 - - - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 6d7dbe2c5..abaf0809c 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:13 2011 PDT by vadim +! Generated Thu Apr 14 12:07:15 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -100,9 +100,11 @@ policy-map global_policy service-policy global_policy global - - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index f03c25d3a..c0dd64aca 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:14 2011 PDT by vadim +! Generated Thu Apr 14 12:07:16 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -93,9 +93,11 @@ policy-map global_policy service-policy global_policy global - - !################ + + + + ! ! Rule 0 (global) access-list outside_in permit ip any host 192.168.1.10 diff --git a/test/pix/firewall23.fw.orig b/test/pix/firewall23.fw.orig index 3b1c88590..1ce6bcea2 100755 --- a/test/pix/firewall23.fw.orig +++ b/test/pix/firewall23.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:14 2011 PDT by vadim +! Generated Thu Apr 14 12:07:16 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -72,7 +72,7 @@ clear nat -!################ + ! ! Rule 0 (NAT) diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index a67e4572a..5185a2e1e 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:15 2011 PDT by vadim +! Generated Thu Apr 14 12:07:17 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -73,6 +73,7 @@ floodguard disable +!################ clear access-list clear icmp clear telnet @@ -80,7 +81,6 @@ clear telnet -!################ ! ! Rule 0 (eth0) ssh 0.0.0.0 0.0.0.0 inside diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index c789d5bad..8708c1f53 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:15 2011 PDT by vadim +! Generated Thu Apr 14 12:07:18 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -72,6 +72,7 @@ floodguard disable +!################ clear object-group @@ -98,7 +99,6 @@ object-group network id438728A918346.dst.net.0 network-object host 157.166.255.19 exit -!################ ! ! Rule 0 (eth0.100) access-list outside_acl_in deny ip 192.168.1.0 255.255.255.0 any diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index dd5bbe087..41e1a5f30 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:15 2011 PDT by vadim +! Generated Thu Apr 14 12:07:18 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -61,6 +61,7 @@ floodguard disable +!################ clear object-group @@ -189,7 +190,6 @@ object-group network id21263X16880.src.net.0 network-object 10.1.4.0 255.255.255.0 exit -!################ ! ! Rule 0 (global) access-list outside_acl_in permit ip any 192.168.2.128 255.255.255.128 diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 84398d11c..3a4d032a5 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:16 2011 PDT by vadim +! Generated Thu Apr 14 12:07:18 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -75,6 +75,7 @@ floodguard disable +!################ clear xlate clear static clear global @@ -95,7 +96,6 @@ object-group network id3D79A1E4.dst.net.0 network-object host 192.168.1.20 exit -!################ ! ! Rule 0 (global) access-list inside_acl_in permit tcp any host 192.168.1.10 eq 22 diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index c6c806903..d0bdf6828 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:16 2011 PDT by vadim +! Generated Thu Apr 14 12:07:19 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -114,6 +114,15 @@ policy-map global_policy service-policy global_policy global +!################ + +clear config access-list tmp_acl +access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any +access-list tmp_acl deny ip any any + +access-group tmp_acl in interface outside +access-group tmp_acl in interface inside + clear xlate clear config static clear config global @@ -239,15 +248,6 @@ object-group service id4514304928543.srv.tcp.0 tcp port-object eq 7100 exit -!################ - -clear config access-list tmp_acl -access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any -access-list tmp_acl deny ip any any - -access-group tmp_acl in interface outside -access-group tmp_acl in interface inside - ! ! Rule 2 (ethernet1) icmp permit any 3 outside diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 3af1a2c2d..ef7ba26a0 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:16 2011 PDT by vadim +! Generated Thu Apr 14 12:07:19 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -76,6 +76,7 @@ floodguard disable +!################ clear xlate clear static clear global @@ -87,7 +88,6 @@ clear telnet -!################ ! ! Rule 0 (eth1) access-list outside_acl_in deny ip any host 22.22.22.22 diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index c632f29a5..0b6b62496 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:17 2011 PDT by vadim +! Generated Thu Apr 14 12:07:19 2011 PDT by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported @@ -77,10 +77,11 @@ floodguard enable fixup protocol ftp 21 - - - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in permit ip any host 192.168.1.10 diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index 94a9caffd..d8f3c1e2a 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:17 2011 PDT by vadim +! Generated Thu Apr 14 12:07:20 2011 PDT by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported @@ -86,6 +86,7 @@ parameters router-alert action clear +!################ clear xlate clear config static clear config global @@ -117,7 +118,6 @@ object-group icmp-type id21447X11252.srv.icmp.0 icmp-object 8 exit -!################ ! ! Rule 0 (FastEthernet1) ssh 0.0.0.0 0.0.0.0 inside diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index 62d12b366..49e99d7e1 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:18 2011 PDT by vadim +! Generated Thu Apr 14 12:07:20 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -89,6 +89,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -105,7 +106,6 @@ object network hostA:eth0.0 host 192.168.1.10 exit -!################ ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index c0e260e83..9de8fcc4e 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:18 2011 PDT by vadim +! Generated Thu Apr 14 12:07:21 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -89,6 +89,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -105,7 +106,6 @@ object network hostA:eth0.0 host 192.168.1.10 exit -!################ ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 0569ec59c..fc2c8d7fa 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:18 2011 PDT by vadim +! Generated Thu Apr 14 12:07:21 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -87,6 +87,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -103,7 +104,6 @@ object network hostA:eth0.0 host 192.168.1.10 exit -!################ ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index 53afc13ab..34160bc16 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:19 2011 PDT by vadim +! Generated Thu Apr 14 12:07:21 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -96,7 +96,7 @@ fixup protocol tftp 69 -!################ + diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index c2709ff11..cf22dfac2 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:19 2011 PDT by vadim +! Generated Thu Apr 14 12:07:21 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -90,6 +90,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -234,7 +235,6 @@ object-group network id78630X30274.src.net.0 network-object 10.1.3.0 255.255.255.0 exit -!################ ! ! Rule 0 (global) access-list outside_acl_in deny ip object-group id78630X30274.src.net.0 any diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 4fdc46526..bd1b5ffa9 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:19 2011 PDT by vadim +! Generated Thu Apr 14 12:07:22 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -92,6 +92,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -132,7 +133,6 @@ object network outside_range.0 range 22.22.22.21 22.22.22.25 exit -!################ ! ! Rule 0 (global) access-list inside_acl_in deny ip any any diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index db0688065..f6851b397 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:19 2011 PDT by vadim +! Generated Thu Apr 14 12:07:22 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -87,6 +87,7 @@ parameters router-alert action clear +!################ clear xlate clear config nat clear config access-list @@ -133,7 +134,6 @@ object-group network id20655X6113.osrc.net.0 network-object object internal_subnet_2.0 exit -!################ ! ! Rule 0 (global) access-list inside_acl_in deny ip any any diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig index fd91184bd..4ff086a20 100755 --- a/test/pix/firewall93.fw.orig +++ b/test/pix/firewall93.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:20 2011 PDT by vadim +! Generated Thu Apr 14 12:07:23 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -102,7 +102,7 @@ object network inside-range-1.0 range 10.0.0.1 10.0.0.5 exit -!################ + ! ! Rule 0 (NAT) diff --git a/test/pix/firewall94.fw.orig b/test/pix/firewall94.fw.orig index cdcf322b2..4372c18f5 100755 --- a/test/pix/firewall94.fw.orig +++ b/test/pix/firewall94.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:20 2011 PDT by vadim +! Generated Thu Apr 14 12:07:23 2011 PDT by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported @@ -74,6 +74,7 @@ service-policy global_policy global +!################ clear config access-list clear config icmp clear config telnet @@ -94,7 +95,6 @@ object-group network id26782X14355.src.net.0 network-object object inside-range-2.0 exit -!################ ! ! Rule 0 (global) access-list inside_acl_in remark 0 (global) diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index fb0096e42..25ee1847f 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:21 2011 PDT by vadim +! Generated Thu Apr 14 12:07:23 2011 PDT by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported @@ -94,6 +94,16 @@ fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 +!################ +access-list mode auto + +clear access-list tmp_acl +access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any +access-list tmp_acl deny ip any any + +access-group tmp_acl in interface outside +access-group tmp_acl in interface inside + clear xlate clear static clear global @@ -218,16 +228,6 @@ object-group service id444A04819567.srv.tcp.0 tcp port-object eq 7100 exit -!################ -access-list mode auto - -clear access-list tmp_acl -access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any -access-list tmp_acl deny ip any any - -access-group tmp_acl in interface outside -access-group tmp_acl in interface inside - ! ! Rule 2 (ethernet1) icmp permit any 3 outside diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index 113c7e91b..94120ac3b 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:21 2011 PDT by vadim +! Generated Thu Apr 14 12:07:24 2011 PDT by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported @@ -110,6 +110,16 @@ service-policy global_policy global +!################ +access-list mode auto + +clear config access-list tmp_acl +access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any +access-list tmp_acl deny ip any any + +access-group tmp_acl in interface outside +access-group tmp_acl in interface inside + clear xlate clear config static clear config global 
@@ -234,16 +244,6 @@ object-group service id17461X54624.srv.tcp.0 tcp port-object eq 7100 exit -!################ -access-list mode auto - -clear config access-list tmp_acl -access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any -access-list tmp_acl deny ip any any - -access-group tmp_acl in interface outside -access-group tmp_acl in interface inside - ! ! Rule 2 (ethernet1) icmp permit any 3 outside diff --git a/test/pix/fwsm3.fw.orig b/test/pix/fwsm3.fw.orig index 24b58e2a4..0f5aa0e80 100755 --- a/test/pix/fwsm3.fw.orig +++ b/test/pix/fwsm3.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:46:21 2011 PDT by vadim +! Generated Thu Apr 14 12:07:24 2011 PDT by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported @@ -109,6 +109,18 @@ service-policy global_policy global +!################ +access-list mode manual + +clear config access-list tmp_acl +access-list commit +access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any +access-list tmp_acl deny ip any any +access-list commit + +access-group tmp_acl in interface outside +access-group tmp_acl in interface inside + clear xlate clear config static clear config global @@ -129,18 +141,6 @@ object-group network id59803X13930.src.net.0 network-object 172.16.0.2 255.255.255.255 exit -!################ -access-list mode manual - -clear config access-list tmp_acl -access-list commit -access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any -access-list tmp_acl deny ip any any -access-list commit - -access-group tmp_acl in interface outside -access-group tmp_acl in interface inside - ! ! Rule 1 (ethernet1) ! need this rule to generate at least one object group diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index afd1dd788..d0d44518d 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:22 2011 PDT by vadim +! Generated Thu Apr 14 12:07:25 2011 PDT by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported @@ -84,6 +84,15 @@ policy-map global_policy service-policy global_policy global +!################ + +clear config access-list tmp_acl +access-list tmp_acl permit ip 10.3.14.42 255.255.255.255 any +access-list tmp_acl deny ip any any + +access-group tmp_acl in interface outside +access-group tmp_acl in interface inside + clear xlate clear config static clear config global @@ -96,15 +105,6 @@ clear config telnet -!################ - -clear config access-list tmp_acl -access-list tmp_acl permit ip 10.3.14.42 255.255.255.255 any -access-list tmp_acl deny ip any any - -access-group tmp_acl in interface outside -access-group tmp_acl in interface inside - ! ! Rule -1 backup ssh access rule (automatic) ssh 10.3.14.42 255.255.255.255 inside diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 5f83e017d..f3ca46131 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:22 2011 PDT by vadim +! Generated Thu Apr 14 12:07:25 2011 PDT by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -86,6 +86,7 @@ fixup protocol ftp 21 fixup protocol http 80 fixup protocol icmp error +!################ clear xlate clear static clear global @@ -97,7 +98,6 @@ clear telnet -!################ ! ! Rule 0 (global) access-list inside_acl_in remark 0 (global) diff --git a/test/pix/test_net_zone_2.fw.orig b/test/pix/test_net_zone_2.fw.orig index dda96c6f9..2ea6e7676 100755 --- a/test/pix/test_net_zone_2.fw.orig +++ b/test/pix/test_net_zone_2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3526 ! -! Generated Thu Apr 14 11:41:23 2011 PDT by vadim +! Generated Thu Apr 14 12:07:25 2011 PDT by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported 
@@ -63,8 +63,11 @@ floodguard disable - !################ + + + + ! ! Rule 0 (global) access-list outside_acl_in deny ip any any