
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::addDefaultPolicyRule):

the compiler for IOS ACL added only the inbound automatic rule to permit
ssh access from the management workstation, but did not add a rule
to permit reply packets. This fixes #993
This commit is contained in:
Vadim Kurland 2009-12-28 02:02:33 +00:00
parent 53a7c31567
commit 5acc923883
9 changed files with 646 additions and 481 deletions


@ -1 +1 @@
#define BUILD_NUM 2282
#define BUILD_NUM 2283


@ -1,5 +1,10 @@
2009-12-27 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::addDefaultPolicyRule):
compiler for IOS ACL added only inbound automatic rule to permit
ssh access from the management workstation but did not add a rule
to permit reply packets. This fixes #993
* CompilerDriver_iosacl_run.cpp (CompilerDriver_iosacl::run):
fixed bug (no #): compiler for iosacl failed to open output file
because of the wrong path.


@ -110,11 +110,15 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
if ( getCachedFwOpt()->getBool("mgmt_ssh") &&
!getCachedFwOpt()->getStr("mgmt_addr").empty() )
{
PolicyRule *r;
TCPService *ssh = dbcopy->createTCPService();
ssh->setDstRangeStart(22);
ssh->setDstRangeEnd(22);
dbcopy->add(ssh,false);
dbcopy->add(ssh, false);
TCPService *ssh_rev = dbcopy->createTCPService();
ssh_rev->setSrcRangeStart(22);
ssh_rev->setSrcRangeEnd(22);
dbcopy->add(ssh_rev, false);
Network *mgmt_workstation = dbcopy->createNetwork();
mgmt_workstation->setAddressNetmask(
@ -122,52 +126,11 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
dbcopy->add(mgmt_workstation, false);
r= dbcopy->createPolicyRule();
temp_ruleset->add(r);
r->setAction(PolicyRule::Accept);
r->setLogging(false);
r->setDirection(PolicyRule::Inbound);
r->setPosition(-1);
// r->setComment(" backup ssh access rule ");
r->setHidden(true);
r->setFallback(false);
r->setLabel("backup ssh access rule");
RuleElement *src=RuleElement::cast(
r->getFirstByType(RuleElementSrc::TYPENAME) );
src->addRef(mgmt_workstation);
RuleElement *dst=RuleElement::cast(
r->getFirstByType(RuleElementDst::TYPENAME) );
dst->addRef(fw);
RuleElement *srv=RuleElement::cast(
r->getFirstByType(RuleElementSrv::TYPENAME) );
srv->addRef(ssh);
combined_ruleset->push_front(r);
PolicyCompiler::addMgmtRule(
mgmt_workstation, fw, ssh,
NULL, PolicyRule::Inbound, PolicyRule::Accept,
"backup ssh access rule");
}
// Ciscos provide built-in fallback rule so we do not need
// this. Besides, desired behavior is that if the user did not
// create any rules for a given interface (at all), then generated
// config file should have none. Adding fallback rule here creates
// 'deny any any' rule for such interfaces and screws things big
// time.
#if 0
PolicyRule *r= dbcopy->createPolicyRule();
temp_ruleset->add(r);
r->setAction(PolicyRule::Deny);
r->setLogging(false);
// r->setDirection(PolicyRule::Both);
r->setPosition(10000);
r->setComment(" fallback rule ");
r->setLabel("fallback rule");
r->setFallback(true);
r->setHidden(true);
combined_ruleset->push_back(r);
#endif
}
bool PolicyCompiler_cisco::splitIfSrcAny::processNext()
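Review bot: `ssh_rev`, the TCP service with source port 22 created and registered with `dbcopy->add(ssh_rev, false);` right after the `dbcopy->add(ssh, false);` line, is never referenced again in this section: the only rule built here passes `ssh` to `PolicyCompiler::addMgmtRule`, and the IOS ACL override elsewhere in this commit constructs its own `ssh_rev`. As far as the hunks show it is a dead object that still lands in the compiled database, so either drop those four lines here or let the override reuse the one the base creates instead of building a second copy. `PolicyRule *r;` likewise appears unused once the hand-built rule is replaced by the `addMgmtRule` call, unless the rendered view hides its removal. The function's opening brace lies above the first hunk.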


@ -58,7 +58,7 @@ protected:
* this unconditional blocking rule in the end. See also comment
* in the code regarding "pass_all_out" option
*/
void addDefaultPolicyRule();
virtual void addDefaultPolicyRule();
/**
* prints rule in some universal format (close to that visible


@ -87,6 +87,36 @@ int PolicyCompiler_iosacl::prolog()
return PolicyCompiler::prolog();
}
void PolicyCompiler_iosacl::addDefaultPolicyRule()
{
PolicyCompiler_cisco::addDefaultPolicyRule();
/*
* PolicyCompiler_cisco::addDefaultPolicyRule() adds a rule to permit
* backup ssh access to the firewall. Since IOS ACL are stateless, we
* need to add another rule to permit reply packets.
*/
if ( getCachedFwOpt()->getBool("mgmt_ssh") &&
!getCachedFwOpt()->getStr("mgmt_addr").empty() )
{
TCPService *ssh_rev = dbcopy->createTCPService();
ssh_rev->setSrcRangeStart(22);
ssh_rev->setSrcRangeEnd(22);
dbcopy->add(ssh_rev, false);
Network *mgmt_workstation = dbcopy->createNetwork();
mgmt_workstation->setAddressNetmask(
getCachedFwOpt()->getStr("mgmt_addr"));
dbcopy->add(mgmt_workstation, false);
PolicyCompiler::addMgmtRule(
fw, mgmt_workstation, ssh_rev,
NULL, PolicyRule::Outbound, PolicyRule::Accept,
"backup ssh access rule (out)");
}
}
bool PolicyCompiler_iosacl::checkForDynamicInterface::findDynamicInterface(
PolicyRule *rule, RuleElement *rel)
{
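Review bot: The reply rule built by the `PolicyCompiler::addMgmtRule(fw, mgmt_workstation, ssh_rev, ...)` call matches on TCP source port 22 alone, so on a stateless IOS ACL it permits any segment the firewall sends from port 22 to the management address, not only responses to the inbound session. If the ACL generator can emit the IOS `established` keyword (matching only segments with ACK or RST set) the outbound entry should carry it; failing that, the comment block above the `if` should state the limitation, e.g. `* This matches on source port 22 only; the ACL cannot tie it to the inbound session.` The block also repeats the `mgmt_ssh`/`mgmt_addr` test and recreates `mgmt_workstation`, both of which `PolicyCompiler_cisco::addDefaultPolicyRule()` already does (and that base, per its hunk in this commit, appears to create an unused `ssh_rev` of its own), so the two could share one set of objects rather than registering duplicates in `dbcopy`.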


@ -55,6 +55,8 @@ namespace fwcompiler {
protected:
virtual void addDefaultPolicyRule();
/**
* dynamic interfaces can not be used in policy rules in IOS ACLs
*/



@ -7,7 +7,7 @@ for f in $(ls *.fw.orig)
do
V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
echo "echo \"$V\" | cut -c1-72"
new_f=$(echo $f | sed 's/.org//')
new_f=$(echo $f | sed 's/.orig//')
echo "$DIFFCMD $f $new_f"
done
exit 0
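Review bot: The corrected `new_f=$(echo $f | sed 's/.orig//')` is still an unanchored regex: `.` matches any character and the pattern is not tied to the end of the name, so a hypothetical `foo.original.fw.orig` would be cut at the first match rather than losing its suffix. Prefer the shell's own suffix strip, `new_f=${f%.orig}`, or anchor and escape the pattern, `sed 's/\.orig$//'`; the first form also avoids the word-splitting of the unquoted `$f` in `echo $f`. The `for` loop this line belongs to starts above the hunk.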


@ -892,7 +892,7 @@
<ServiceGroup id="stdid05_1_userservices" name="Users" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
<Firewall id="fw-firewall2" host_OS="pix_os" inactive="False" lastCompiled="1163922727" lastInstalled="0" lastModified="1231214031" platform="pix" version="6.2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
<Firewall id="fw-firewall2" host_OS="pix_os" inactive="False" lastCompiled="1163922727" lastInstalled="0" lastModified="1261965298" platform="pix" version="6.2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
<NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="nat-firewall2-0" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -1808,6 +1808,7 @@
<Option name="dns_fixup">2 65535 0 nil 0</Option>
<Option name="dyn_addr">False</Option>
<Option name="espike_fixup">2 0 0 nil 0</Option>
<Option name="filesystem"></Option>
<Option name="firewall_dir"></Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
@ -1828,6 +1829,7 @@
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
@ -1844,8 +1846,8 @@
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="mgmt_addr">192.168.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
@ -1880,6 +1882,7 @@
<Option name="pix_epilog_script"></Option>
<Option name="pix_floodguard">False</Option>
<Option name="pix_fragguard">True</Option>
<Option name="pix_generate_out_acl">False</Option>
<Option name="pix_h323_abs">True</Option>
<Option name="pix_h323_hh">0</Option>
<Option name="pix_h323_inact">False</Option>
@ -1888,11 +1891,11 @@
<Option name="pix_include_comments">True</Option>
<Option name="pix_ip_address">False</Option>
<Option name="pix_logging_buffered">False</Option>
<Option name="pix_logging_buffered_level">0</Option>
<Option name="pix_logging_buffered_level">1</Option>
<Option name="pix_logging_console">False</Option>
<Option name="pix_logging_console_level">0</Option>
<Option name="pix_logging_console_level">1</Option>
<Option name="pix_logging_timestamp">False</Option>
<Option name="pix_logging_trap_level">0</Option>
<Option name="pix_logging_trap_level">1</Option>
<Option name="pix_max_conns">0</Option>
<Option name="pix_nodnsalias_inbound">True</Option>
<Option name="pix_nodnsalias_outbound">True</Option>
@ -1956,6 +1959,7 @@
<Option name="pix_unauth_mm">0</Option>
<Option name="pix_unauth_ss">0</Option>
<Option name="pix_use_acl_remarks">False</Option>
<Option name="pix_use_manual_commit">False</Option>
<Option name="pix_xlate_abs">True</Option>
<Option name="pix_xlate_hh">3</Option>
<Option name="pix_xlate_inact">False</Option>
@ -1968,7 +1972,9 @@
<Option name="rpc_ss">0</Option>
<Option name="rsh_fixup">0 514 0 nil 0</Option>
<Option name="rtsp_fixup">0 554 0 nil 0</Option>
<Option name="scpArgs"></Option>
<Option name="script_env_path"></Option>
<Option name="short_script">False</Option>
<Option name="sip_fixup">0 5060 5060 nil 0</Option>
<Option name="sip_hh">0</Option>
<Option name="sip_media_hh">0</Option>
@ -1996,6 +2002,7 @@
<Option name="udp_mm">2</Option>
<Option name="udp_ss">0</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_scp">False</Option>
<Option name="xlate_hh">3</Option>
<Option name="xlate_mm">0</Option>
<Option name="xlate_ss">0</Option>