
* PolicyCompiler_pix_writers.cpp (PrintRule::_printDstService): PIX

does not support IP options matching, compiler issues warning.
        Fixes #567

        * res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2,
        12.3

        * PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
        Added support for IP options matching, requires IOS v12.3 or
        later. Fixes #566, #568
Vadim Kurland 2009-11-07 02:32:50 +00:00
parent 2e6c6d9de6
commit 9750dea494
10 changed files with 1550 additions and 1003 deletions


@ -1 +1 @@
#define BUILD_NUM 1688
#define BUILD_NUM 1689


@ -1,5 +1,16 @@
2009-11-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pix_writers.cpp (PrintRule::_printDstService): PIX
does not support IP options matching, compiler issues warning.
Fixes #567
* res/platform/iosacl.xml: Recognized IOS versions: 12.1, 12.2,
12.3
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
Added support for IP options matching, requires IOS v12.3 or
later. Fixes #566, #568
* configlets/sveasoft/script_skeleton: Fixes #571 /bin/sh on
Sveasoft (busybox) does not like empty shell functions and fails
with an error "36: Syntax error: "}" unexpected". Will call


@ -148,7 +148,8 @@ string CompilerDriver_iosacl::run(const std::string &cluster_id,
FWOptions* options = fw->getOptionsObject();
string fwvers = fw->getStr("version");
if (fwvers == "") fw->setStr("version", "12.x");
if (fwvers == "") fw->setStr("version", "12.1");
if (fwvers == "12.x") fw->setStr("version", "12.1");
string platform = fw->getStr("platform");
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
@ -158,7 +159,7 @@ string CompilerDriver_iosacl::run(const std::string &cluster_id,
{
// incorrect version. This could have happened if user converted
// firewall platform. See bug #2662290
fw->setStr("version", "12.x");
fw->setStr("version", "12.1");
}
bool ios_acl_basic = options->getBool("ios_acl_basic");
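Review bot: `fwvers` is copied from the firewall object before the version is normalized and is never refreshed, so after the two `setStr` calls in the first hunk the local still holds `""` or `"12.x"`. The resource lookup that begins on the following line is cut off by the hunk, but if it builds its path from `fwvers` it would ask for the `version_12.x` node that the platform resource section of this commit renames to `version_12.1`, leaving only the fallback in the second hunk to recover. Normalizing the local and the object together removes that dependency: `if (fwvers.empty() || fwvers == "12.x") { fwvers = "12.1"; fw->setStr("version", fwvers); }`. Because the writer now aborts on IP options below 12.3, a short comment stating that legacy 12.x objects are deliberately treated as 12.1 would help the next reader. The body of run() starts and ends outside both hunks.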


@ -43,6 +43,7 @@
#include "fwbuilder/Network.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/XMLTools.h"
#include <iostream>
#if __GNUC__ > 3 || \
@ -359,14 +360,20 @@ string PolicyCompiler_iosacl::PrintRule::_printIPServiceOptions(PolicyRule *r)
const IPService *ip;
if ((ip=IPService::constcast(srv))!=NULL)
{
if (ip->getBool("lsrr") || ip->getBool("ssrr") || ip->getBool("rr"))
compiler->abort(
r,
"Source routing options match is not supported.");
string version = compiler->fw->getStr("version");
if (srv->getBool("fragm") || srv->getBool("short_fragm"))
return "fragments ";
if (ip->hasIpOptions() && XMLTools::version_compare(version, "12.3")<0)
compiler->abort(r, "IP options match requires IOS v12.3 or later.");
if (ip->getBool("lsrr")) return "option lsr";
if (ip->getBool("ssrr")) return "option ssr";
if (ip->getBool("rr")) return "option record-route";
if (ip->getBool("rtralt")) return "option router-alert";
if (ip->getBool("any_opt")) return "option any-options ";
string tos = ip->getTOSCode();
string dscp = ip->getDSCPCode();
if (!dscp.empty()) return string("dscp ") + dscp;
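Review bot: The new chain of `getBool` returns has no branch for the `ts` attribute, although the test data in this commit defines an IPService with `ts="True"` and references it from an Accept rule. If `hasIpOptions()` counts `ts` (its definition is not in this hunk), such a service passes the version check, matches none of the returns and falls through to the TOS/DSCP code, so the generated permit line carries no option condition and accepts more traffic than the rule describes. Either emit the keyword, `if (ip->getBool("ts")) return "option timestamp ";` (keyword to be confirmed against the IOS 12.3 command reference), or abort for options the writer cannot express. The chain also returns on the first hit, so a service with several options set, or fragments plus an option, silently loses the rest, and `"option lsr"`, `"option ssr"`, `"option record-route"` and `"option router-alert"` lack the trailing space that `"fragments "` and `"option any-options "` carry. The function starts before and continues after the hunk.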


@ -304,7 +304,7 @@ string PolicyCompiler_pix::PrintRule::_printLog(PolicyRule *rule)
return str.str();
}
string PolicyCompiler_pix::PrintRule::_printSrcService(libfwbuilder::Service *srv)
string PolicyCompiler_pix::PrintRule::_printSrcService(Service *srv)
{
ostringstream str;
@ -316,7 +316,8 @@ string PolicyCompiler_pix::PrintRule::_printSrcService(libfwbuilder::Service *sr
if (rs<0) rs=0;
if (re<0) re=0;
if (rs>0 || re>0) {
if (rs>0 || re>0)
{
if (rs==re) str << "eq " << rs << " ";
else
if (rs==0 && re!=0) str << "lt " << re << " ";
@ -329,18 +330,20 @@ string PolicyCompiler_pix::PrintRule::_printSrcService(libfwbuilder::Service *sr
return str.str();
}
string PolicyCompiler_pix::PrintRule::_printDstService(libfwbuilder::Service *srv)
string PolicyCompiler_pix::PrintRule::_printDstService(Service *srv)
{
ostringstream str;
if (TCPService::isA(srv) || UDPService::isA(srv)) {
if (TCPService::isA(srv) || UDPService::isA(srv))
{
int rs=TCPUDPService::cast(srv)->getDstRangeStart();
int re=TCPUDPService::cast(srv)->getDstRangeEnd();
if (rs<0) rs=0;
if (re<0) re=0;
if (rs>0 || re>0) {
if (rs>0 || re>0)
{
if (rs==re) str << "eq " << rs << " ";
else
if (rs==0 && re!=0) str << "lt " << re << " ";
@ -352,6 +355,11 @@ string PolicyCompiler_pix::PrintRule::_printDstService(libfwbuilder::Service *sr
}
if (ICMPService::isA(srv) && srv->getInt("type")!=-1)
str << srv->getStr("type") << " ";
const IPService *ip_srv = IPService::constcast(srv);
if (ip_srv && ip_srv->hasIpOptions())
compiler->warning("PIX can not match IP options");
return str.str();
}
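Review bot: In `_printDstService` the IP-options case only calls `compiler->warning("PIX can not match IP options")` and then returns the service string as usual, so the ACL line is still generated without the option condition. For a permit rule this turns "allow packets carrying this option" into a wider match than the policy the operator wrote; the `any_opt` branch of the ipfw writer changed in this commit behaves the same way. Failing the rule would be the safer default, and the message should identify the rule: this overload receives only the service, unlike the ipfw call that now passes `rule`, so the caller would have to supply the rule or perform the check itself. The function begins in an earlier hunk of this section.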


@ -455,15 +455,17 @@ void PolicyCompiler_ipfw::PrintRule::_printDstService(RuleElementSrv *rel)
if (!str.empty()) compiler->output << str << " ";
}
IPService *ip_srv = IPService::cast(s1);
const IPService *ip_srv = IPService::constcast(s1);
if (ip_srv)
{
Rule *rule = Rule::cast(rel->getParent());
if ((ip_srv->getBool("fragm") || ip_srv->getBool("short_fragm")) )
compiler->output << " frag ";
if (ip_srv->hasIpOptions())
{
if (ip_srv->getBool("any_opt"))
compiler->warning("ipfw can not match \"any IP option\" ");
compiler->warning(rule, "ipfw can not match \"any IP option\" ");
else
{
if (ip_srv->getBool("lsrr")) compiler->output << " ipoptions lsrr ";


@ -517,7 +517,7 @@ bool PolicyCompiler_pf::SpecialServices::processNext()
if (IPService::cast(s)!=NULL && rule->getAction()==PolicyRule::Accept)
{
rule->setBool("allow_opts", IPService::cast(s)->hasIpOptions());
rule->setBool("allow_opts", IPService::constcast(s)->hasIpOptions());
}
}
return true;
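Review bot: The guard still tests `IPService::cast(s)!=NULL` while the body now calls `IPService::constcast(s)` a second time and dereferences the result unchecked, so the two casts have to be kept in agreement by hand. Casting once keeps the null check and the use on the same pointer, as the ipfw writer in this commit does: `const IPService *ip_srv = IPService::constcast(s);` followed by `if (ip_srv && rule->getAction()==PolicyRule::Accept) rule->setBool("allow_opts", ip_srv->hasIpOptions());`. processNext() starts outside the hunk.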


@ -10,7 +10,7 @@
<diff>fwb_iosacl_diff</diff>
<supported_os>ios</supported_os>
<versions>12.x</versions>
<versions>12.1,12.2,12.3</versions>
<options>
<default>
@ -19,11 +19,10 @@
<iosacl_assume_fw_part_of_any>true</iosacl_assume_fw_part_of_any>
</default>
<version_12.x>
<version_12.1>
<iosacl_include_comments>true</iosacl_include_comments>
<iosacl_add_clear_statements>true</iosacl_add_clear_statements>
<iosacl_assume_fw_part_of_any>true</iosacl_assume_fw_part_of_any>
<iosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list extended</clear_ip_acl>
@ -37,8 +36,46 @@ interface %in
ip address dhcp
</ip_addr_dyn>
</iosacl_commands>
</version_12.x>
</version_12.1>
<version_12.2>
<iosacl_include_comments>true</iosacl_include_comments>
<iosacl_add_clear_statements>true</iosacl_add_clear_statements>
<iosacl_assume_fw_part_of_any>true</iosacl_assume_fw_part_of_any>
<iosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list extended</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</iosacl_commands>
</version_12.2>
<version_12.3>
<iosacl_include_comments>true</iosacl_include_comments>
<iosacl_add_clear_statements>true</iosacl_add_clear_statements>
<iosacl_assume_fw_part_of_any>true</iosacl_assume_fw_part_of_any>
<iosacl_commands>
<clear_acl>no access-list</clear_acl>
<clear_ip_acl>no ip access-list extended</clear_ip_acl>
<clear_ipv6_acl>no ipv6 access-list</clear_ipv6_acl>
<ip_addr_static>
interface %in
ip address %a %n
</ip_addr_static>
<ip_addr_dyn>
interface %in
ip address dhcp
</ip_addr_dyn>
</iosacl_commands>
</version_12.3>
</options>
<capabilities>


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1252365164" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1257560726" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ServiceRef ref="id151F20845"/>
<ServiceRef ref="id464147DA29061"/>
@ -21,6 +21,12 @@
<ServiceRef ref="id5470X38343"/>
<ObjectRef ref="id19068X65694"/>
<ObjectRef ref="id19240X65694"/>
<ServiceRef ref="sysid1"/>
<ServiceRef ref="sysid1"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id4641321126611"/>
</Library>
<Library id="id4511636323682" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id4511636423682_clusters" name="Clusters" comment="" ro="False"/>
@ -134,6 +140,11 @@
<IPService id="id151F20845" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="16" ts="False" name="tos 16" comment="" ro="False"/>
<IPService id="id152020845" dscp="16" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="" ts="False" name="dscp 16" comment="" ro="False"/>
<IPService id="id152120845" dscp="af11" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="" ts="False" name="dscp af11" comment="" ro="False"/>
<IPService id="id5611X44763" any_opt="True" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" short_fragm="False" ssrr="False" tos="" ts="False" name="any_opt" comment="" ro="False"/>
<IPService id="id5612X44763" any_opt="False" dscp="" fragm="False" lsrr="True" protocol_num="0" rr="False" rtralt="False" short_fragm="False" ssrr="False" tos="" ts="False" name="lsrr" comment="" ro="False"/>
<IPService id="id5613X44763" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" short_fragm="False" ssrr="True" tos="" ts="False" name="ssrr" comment="" ro="False"/>
<IPService id="id5614X44763" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="True" rtralt="False" short_fragm="False" ssrr="False" tos="" ts="False" name="rr" comment="" ro="False"/>
<IPService id="id5615X44763" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" rtralt="False" short_fragm="False" ssrr="False" tos="" ts="True" name="ts" comment="" ro="False"/>
</ServiceGroup>
<ServiceGroup id="id4511637023682" name="TCP" comment="" ro="False">
<TCPService id="id4641521729061" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http established" comment="" ro="False" src_range_start="80" src_range_end="80" dst_range_start="0" dst_range_end="0"/>
@ -142,34 +153,34 @@
<ServiceGroup id="id4511637123682" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id4511637223682" name="Custom" comment="" ro="False">
<CustomService id="id4226X64279" name="dscp af11" comment="" ro="False" protocol="tcp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">dscp af11</CustomServiceCommand>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id8888X64279" name="esp dscp af12" comment="" ro="False" protocol="50" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">dscp af12</CustomServiceCommand>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id26068X65694" name="esp dscp af11 ipv6" comment="" ro="False" protocol="50" address_family="ipv6">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">dscp af11</CustomServiceCommand>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
</ServiceGroup>
<ServiceGroup id="id4511637323682" name="TagServices" comment="" ro="False"/>
@ -662,10 +673,10 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
@ -693,8 +704,8 @@
<Option name="iosacl_logging_trap_level">2</Option>
<Option name="iosacl_prolog_script">! This is prolog</Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
@ -705,10 +716,10 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -729,14 +740,14 @@
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id464131E426611" host_OS="ios" inactive="False" lastCompiled="1251228630" lastInstalled="0" lastModified="1215311652" platform="iosacl" version="12.x" name="testios20" comment="" ro="False">
<Firewall id="id464131E426611" host_OS="ios" inactive="False" lastCompiled="1251228630" lastInstalled="0" lastModified="1257560694" platform="iosacl" version="12.x" name="testios20" comment="" ro="False">
<NAT id="id4641320F26611" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id464131EA26611" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id464131EB26611" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -946,7 +957,70 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641320326611" disabled="False" log="True" position="10" action="Deny" direction="Both" comment="">
<PolicyRule id="id7427X44763" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id5612X44763"/>
<ServiceRef ref="id5614X44763"/>
<ServiceRef ref="id5613X44763"/>
<ServiceRef ref="id5615X44763"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4641321126611"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7456X44763" disabled="False" group="" log="False" position="11" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id5611X44763"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4641321126611"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7439X44763" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4641320326611" disabled="False" log="True" position="13" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -985,10 +1059,10 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
@ -1001,21 +1075,21 @@
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"/>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level"/>
<Option name="iosacl_logging_buffered_level"></Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level"/>
<Option name="iosacl_logging_console_level"></Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level"/>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_logging_trap_level"></Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
@ -1025,10 +1099,10 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -1050,7 +1124,7 @@
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
@ -1495,8 +1569,8 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
@ -1513,7 +1587,7 @@
<Option name="iosacl_acl_temp_addr">10.10.10.0/24</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -1522,10 +1596,10 @@
<Option name="iosacl_logging_console_level">0</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">0</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
@ -1536,10 +1610,10 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -1560,9 +1634,9 @@
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
@ -1880,8 +1954,8 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
@ -1893,10 +1967,10 @@
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"/>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">True</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">True</Option>
@ -1905,10 +1979,10 @@
<Option name="iosacl_logging_console_level">5</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">2</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_use_acl_remarks">True</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
@ -1923,7 +1997,7 @@
<Option name="mgmt_addr">10.3.14.40</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -1944,9 +2018,9 @@
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
@ -2297,34 +2371,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -2333,7 +2407,7 @@
<Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -2342,13 +2416,13 @@
<Option name="iosacl_logging_console_level">0</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">0</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -2363,18 +2437,18 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -2393,7 +2467,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -2445,12 +2519,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -2806,34 +2880,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -2842,7 +2916,7 @@
<Option name="iosacl_acl_temp_addr">1.1.1.0/24</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -2851,13 +2925,13 @@
<Option name="iosacl_logging_console_level">2</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">2</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -2876,14 +2950,14 @@
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -2902,7 +2976,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -2954,12 +3028,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -3342,34 +3416,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -3378,7 +3452,7 @@
<Option name="iosacl_acl_temp_addr">10.1.1.0</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -3387,13 +3461,13 @@
<Option name="iosacl_logging_console_level">2</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">2</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -3412,14 +3486,14 @@
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3438,7 +3512,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3490,12 +3564,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -3629,34 +3703,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -3665,7 +3739,7 @@
<Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb/64</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -3674,13 +3748,13 @@
<Option name="iosacl_logging_console_level">1</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">1</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -3695,18 +3769,18 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3725,7 +3799,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3777,12 +3851,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -3792,6 +3866,388 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id66523X44763" host_OS="ios" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1257560747" platform="iosacl" version="12.3" name="testios20-v12.3" comment="" ro="False">
<NAT id="id66712X44763" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id66539X44763" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id66540X44763" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id46412C4226611"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66552X44763" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id46412C4226611"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id66534X44763"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66564X44763" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id46412C4226611"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id66529X44763"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66576X44763" disabled="False" log="False" position="3" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id46412C4226611"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66588X44763" disabled="False" log="False" position="4" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id46412C4226611"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id66534X44763"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66600X44763" disabled="False" log="False" position="5" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id46412C4226611"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id66529X44763"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66612X44763" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id151F20845"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66624X44763" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id152020845"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66636X44763" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id152120845"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66648X44763" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id152020845"/>
<ServiceRef ref="id152120845"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66661X44763" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id5612X44763"/>
<ServiceRef ref="id5614X44763"/>
<ServiceRef ref="id5613X44763"/>
<ServiceRef ref="id5615X44763"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id66529X44763"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66676X44763" disabled="False" group="" log="False" position="11" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id5611X44763"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id66529X44763"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66688X44763" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id66700X44763" disabled="False" log="True" position="13" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id66713X44763" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id66529X44763" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<IPv4 id="id66532X44763" name="testios20-v12.3:ethernet0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id66534X44763" dyn="False" label="" mgmt="False" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id66537X44763" name="testios20-v12.3:ethernet1:ip" comment="" ro="False" address="10.10.10.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="10.10.10.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ios_ip_address">True</Option>
<Option name="ios_set_host_name">True</Option>
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level"></Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level"></Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level"></Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="id4511637523682" name="Time" comment="" ro="False"/>
</Library>
@ -3800,9 +4256,9 @@
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
</CustomService>
@ -3839,9 +4295,9 @@
<IPService id="ip-IP_Fragments" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False" name="ip_fragments" comment="'Short' fragments" ro="False"/>
</ServiceGroup>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
</CustomService>
