* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::addDefaultPolicyRule):

compiler for IOS ACL added only inbound automatic rule to permit
ssh access from the management workstation but did not add a rule
to permit reply packets. This fixes #993

build_num

@@ -1 +1 @@
-#define BUILD_NUM 2282
+#define BUILD_NUM 2283

doc/ChangeLog

@@ -1,5 +1,10 @@
 2009-12-27  vadim  <vadim@vk.crocodile.org>
 
+	* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::addDefaultPolicyRule):
+	compiler for IOS ACL added only inbound automatic rule to permit
+	ssh access from the management workstation but did not add a rule
+	to permit reply packets. This fixes #993
+
 	* CompilerDriver_iosacl_run.cpp (CompilerDriver_iosacl::run):
 	fixed bug (no #): compiler for iosacl failed to open output file
 	because of the wrong path.

src/cisco_lib/PolicyCompiler_cisco.cpp

@@ -110,11 +110,15 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
     if ( getCachedFwOpt()->getBool("mgmt_ssh") &&
          !getCachedFwOpt()->getStr("mgmt_addr").empty() )
     {
-        PolicyRule *r;
         TCPService *ssh = dbcopy->createTCPService();
         ssh->setDstRangeStart(22);
         ssh->setDstRangeEnd(22);
-        dbcopy->add(ssh,false);
+        dbcopy->add(ssh, false);
+
+        TCPService *ssh_rev = dbcopy->createTCPService();
+        ssh_rev->setSrcRangeStart(22);
+        ssh_rev->setSrcRangeEnd(22);
+        dbcopy->add(ssh_rev, false);
 
         Network *mgmt_workstation = dbcopy->createNetwork();
         mgmt_workstation->setAddressNetmask(
@@ -122,52 +126,11 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
 
         dbcopy->add(mgmt_workstation, false);
 
-        r= dbcopy->createPolicyRule();
+        PolicyCompiler::addMgmtRule(
-        temp_ruleset->add(r);
+            mgmt_workstation, fw, ssh,
-        r->setAction(PolicyRule::Accept);
+            NULL, PolicyRule::Inbound, PolicyRule::Accept,
-        r->setLogging(false);
+            "backup ssh access rule");
-        r->setDirection(PolicyRule::Inbound);
-        r->setPosition(-1);
-//        r->setComment("   backup ssh access rule ");
-        r->setHidden(true);
-        r->setFallback(false);
-        r->setLabel("backup ssh access rule");
-
-        RuleElement *src=RuleElement::cast(
-            r->getFirstByType(RuleElementSrc::TYPENAME) );
-        src->addRef(mgmt_workstation);
-
-        RuleElement *dst=RuleElement::cast(
-            r->getFirstByType(RuleElementDst::TYPENAME) );
-        dst->addRef(fw);
-
-        RuleElement *srv=RuleElement::cast(
-            r->getFirstByType(RuleElementSrv::TYPENAME) );
-        srv->addRef(ssh);
-
-        combined_ruleset->push_front(r);
     }
-
-    // Ciscos provide built-in fallback rule so we do not need
-    // this. Besides, desired behavior is that if the user did not
-    // create any rules for a given interface (at all), then generated
-    // config file should have none. Adding fallback rule here creates
-    // 'deny any any' rule for such interfaces and screws things big
-    // time.
-#if 0
-    PolicyRule *r= dbcopy->createPolicyRule();
-
-    temp_ruleset->add(r);
-    r->setAction(PolicyRule::Deny);
-    r->setLogging(false);
-//    r->setDirection(PolicyRule::Both);
-    r->setPosition(10000);
-    r->setComment("   fallback rule ");
-    r->setLabel("fallback rule");
-    r->setFallback(true);
-    r->setHidden(true);
-    combined_ruleset->push_back(r);
-#endif
 }
 
 bool PolicyCompiler_cisco::splitIfSrcAny::processNext()

src/cisco_lib/PolicyCompiler_cisco.h

@@ -58,7 +58,7 @@ protected:
 	 * this unconditional blocking rule in the end. See also comment
 	 * in the code regarding "pass_all_out" option
 	 */
-	void addDefaultPolicyRule();
+	virtual void addDefaultPolicyRule();
 
         /**
          * prints rule in some universal format (close to that visible

src/cisco_lib/PolicyCompiler_iosacl.cpp

@@ -87,6 +87,36 @@ int PolicyCompiler_iosacl::prolog()
     return PolicyCompiler::prolog();
 }
 
+void PolicyCompiler_iosacl::addDefaultPolicyRule()
+{
+    PolicyCompiler_cisco::addDefaultPolicyRule();
+
+/*
+ * PolicyCompiler_cisco::addDefaultPolicyRule() adds a rule to permit
+ * backup ssh access to the firewall. Since IOS ACL are stateless, we
+ * need to add another rule to permit reply packets.
+ */
+    if ( getCachedFwOpt()->getBool("mgmt_ssh") &&
+         !getCachedFwOpt()->getStr("mgmt_addr").empty() )
+    {
+        TCPService *ssh_rev = dbcopy->createTCPService();
+        ssh_rev->setSrcRangeStart(22);
+        ssh_rev->setSrcRangeEnd(22);
+        dbcopy->add(ssh_rev, false);
+
+        Network *mgmt_workstation = dbcopy->createNetwork();
+        mgmt_workstation->setAddressNetmask(
+            getCachedFwOpt()->getStr("mgmt_addr"));
+
+        dbcopy->add(mgmt_workstation, false);
+
+        PolicyCompiler::addMgmtRule(
+            fw, mgmt_workstation, ssh_rev,
+            NULL, PolicyRule::Outbound, PolicyRule::Accept,
+            "backup ssh access rule (out)");
+    }
+}
+
 bool PolicyCompiler_iosacl::checkForDynamicInterface::findDynamicInterface(
     PolicyRule *rule, RuleElement *rel)
 {

src/cisco_lib/PolicyCompiler_iosacl.h

@@ -55,6 +55,8 @@ namespace fwcompiler {
 
         protected:
 
+	virtual void addDefaultPolicyRule();
+
         /**
          * dynamic interfaces can not be used in policy rules in IOS ACLs
          */

test/iosacl/quick-cmp.sh

@@ -7,7 +7,7 @@ for f in $(ls *.fw.orig)
 do
     V="$f   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
     echo "echo \"$V\" | cut -c1-72"
-    new_f=$(echo $f | sed 's/.org//')
+    new_f=$(echo $f | sed 's/.orig//')
     echo "$DIFFCMD $f $new_f"
 done
 exit 0

test/pix/objects-for-regression-tests.fwb

@@ -892,7 +892,7 @@
       <ServiceGroup id="stdid05_1_userservices" name="Users" comment="" ro="False"/>
     </ServiceGroup>
     <ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
-      <Firewall id="fw-firewall2" host_OS="pix_os" inactive="False" lastCompiled="1163922727" lastInstalled="0" lastModified="1231214031" platform="pix" version="6.2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
+      <Firewall id="fw-firewall2" host_OS="pix_os" inactive="False" lastCompiled="1163922727" lastInstalled="0" lastModified="1261965298" platform="pix" version="6.2" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
         <NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="nat-firewall2-0" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -1808,6 +1808,7 @@
           <Option name="dns_fixup">2 65535 0 nil 0</Option>
           <Option name="dyn_addr">False</Option>
           <Option name="espike_fixup">2 0 0 nil 0</Option>
+          <Option name="filesystem"></Option>
           <Option name="firewall_dir"></Option>
           <Option name="firewall_is_part_of_any">True</Option>
           <Option name="firewall_is_part_of_any_and_networks">True</Option>
@@ -1828,6 +1829,7 @@
           <Option name="inst_cmdline"></Option>
           <Option name="inst_script"></Option>
           <Option name="install_script"></Option>
+          <Option name="ipv4_6_order">ipv4_first</Option>
           <Option name="limit_suffix">/second</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>
@@ -1844,8 +1846,8 @@
           <Option name="log_tcp_seq">False</Option>
           <Option name="manage_virtual_addr">True</Option>
           <Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
-          <Option name="mgmt_addr"></Option>
+          <Option name="mgmt_addr">192.168.1.100</Option>
-          <Option name="mgmt_ssh">False</Option>
+          <Option name="mgmt_ssh">True</Option>
           <Option name="modulate_state">False</Option>
           <Option name="no_iochains_for_any">False</Option>
           <Option name="no_optimisation">False</Option>
@@ -1880,6 +1882,7 @@
           <Option name="pix_epilog_script"></Option>
           <Option name="pix_floodguard">False</Option>
           <Option name="pix_fragguard">True</Option>
+          <Option name="pix_generate_out_acl">False</Option>
           <Option name="pix_h323_abs">True</Option>
           <Option name="pix_h323_hh">0</Option>
           <Option name="pix_h323_inact">False</Option>
@@ -1888,11 +1891,11 @@
           <Option name="pix_include_comments">True</Option>
           <Option name="pix_ip_address">False</Option>
           <Option name="pix_logging_buffered">False</Option>
-          <Option name="pix_logging_buffered_level">0</Option>
+          <Option name="pix_logging_buffered_level">1</Option>
           <Option name="pix_logging_console">False</Option>
-          <Option name="pix_logging_console_level">0</Option>
+          <Option name="pix_logging_console_level">1</Option>
           <Option name="pix_logging_timestamp">False</Option>
-          <Option name="pix_logging_trap_level">0</Option>
+          <Option name="pix_logging_trap_level">1</Option>
           <Option name="pix_max_conns">0</Option>
           <Option name="pix_nodnsalias_inbound">True</Option>
           <Option name="pix_nodnsalias_outbound">True</Option>
@@ -1956,6 +1959,7 @@
           <Option name="pix_unauth_mm">0</Option>
           <Option name="pix_unauth_ss">0</Option>
           <Option name="pix_use_acl_remarks">False</Option>
+          <Option name="pix_use_manual_commit">False</Option>
           <Option name="pix_xlate_abs">True</Option>
           <Option name="pix_xlate_hh">3</Option>
           <Option name="pix_xlate_inact">False</Option>
@@ -1968,7 +1972,9 @@
           <Option name="rpc_ss">0</Option>
           <Option name="rsh_fixup">0 514 0 nil 0</Option>
           <Option name="rtsp_fixup">0 554 0 nil 0</Option>
+          <Option name="scpArgs"></Option>
           <Option name="script_env_path"></Option>
+          <Option name="short_script">False</Option>
           <Option name="sip_fixup">0 5060 5060 nil 0</Option>
           <Option name="sip_hh">0</Option>
           <Option name="sip_media_hh">0</Option>
@@ -1996,6 +2002,7 @@
           <Option name="udp_mm">2</Option>
           <Option name="udp_ss">0</Option>
           <Option name="use_numeric_log_levels">False</Option>
+          <Option name="use_scp">False</Option>
           <Option name="xlate_hh">3</Option>
           <Option name="xlate_mm">0</Option>
           <Option name="xlate_ss">0</Option>