mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-21 02:37:16 +01:00

refs #1928 Support for object-group in OSrc

Vadim Kurland 2011-01-13 19:05:58 -08:00
parent 0f99325869
commit 99d0aba102
44 changed files with 242 additions and 221 deletions


@ -1,5 +1,9 @@
2011-01-13 vadim <vadim@netcitadel.com>
* NATCompiler_asa8.cpp (compile): refs #1928 "Support for
object-group in OSrc". Implemented support for object-group
and named objects for Osrc and ODst in ASA 8.3 NAT rules.
* PolicyCompiler_cisco.cpp (removeRedundantAddresses): fixed #1917
"Duplicate objects are not detected". Compiler should detect
duplicate objects that may be created in a rule element when user


@ -326,12 +326,7 @@ void NATCompiler_asa8::compile()
add( new checkForUnnumbered("check for unnumbered interfaces"));
add( new ConvertToAtomicForOriginal(
"convert to atomic for OSrc, ODst, OSrv"));
// remove ConvertToAtomicForTSrc if we figure out a way to support multiple
// translated soruces per #1907
// add( new ConvertToAtomicForTSrc("convert to atomic for TSrc"));
add( new ConvertToAtomicForOSrv("convert to atomic for OSrv"));
add( new ConvertToAtomicForTDst("convert to atomic for TDst"));
add( new ConvertToAtomicForTSrv("convert to atomic for TSrv"));
@ -345,7 +340,14 @@ void NATCompiler_asa8::compile()
add( new VerifyValidityOfDNSOption(
"Check validity of 'translate dns' option"));
add( new CreateObjectGroupsForOSrc("create object groups for OSrc"));
add( new CreateObjectGroupsForODst("create object groups for ODst"));
add( new CreateObjectGroupsForOSrv("create object groups for OSrv"));
// need special rule processor to create object groups in TSrc
// because of a special tratment that an Interface object gets in TSrc
add( new CreateObjectGroupsForTSrc("create object groups for TSrc"));
add( new VerifyValidityOfTSrc("verify objects in TSrc"));
/* REMOVE_OLD_OPTIMIZATIONS
@ -368,10 +370,8 @@ void NATCompiler_asa8::compile()
*/
add( new PrintClearCommands("Clear ACLs" ));
add( new PrintObjectsForNat("generate objects for nat commands"));
add( new PrintObjectsForTSrc(
"generate object groups and objects for TSrc"));
add( new printObjectGroups("generate code for object groups"));
add( new printNamedObjects("definitions of named objects"));
add( new printObjectGroups("definitions of object groups"));
add( new PrintRule("generate PIX code" ));
add( new storeProcessedRules ("store processed rules" ));
add( new simplePrintProgress ());
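Review bot: The output stage now relies on an ordering that nothing in compile() documents: `printNamedObjects` has to be queued before `printObjectGroups`, because the generated object-groups refer to objects by name (`network-object object internal_subnet_1` in the regenerated test output of this commit). A one-line comment above the two `add(...)` calls would keep a later reordering from producing a configuration that references objects before they are defined, for example `// named objects first: the object-groups printed next reference them by name`. compile() begins and ends outside these hunks, so this is based only on the lines shown.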


@ -40,9 +40,6 @@ namespace fwcompiler {
{
public:
void addNamedObject(const libfwbuilder::FWObject *obj);
NamedObject* getNamedObject(const libfwbuilder::FWObject *obj);
QString sanitizeObjectName(const QString &name);
std::string createNetworkObjectCommand(libfwbuilder::Address *addr);
std::string createServiceObjectCommand(libfwbuilder::Service *addr);
@ -56,21 +53,12 @@ namespace fwcompiler {
*/
DECLARE_NAT_RULE_PROCESSOR(VerifyRules);
DECLARE_NAT_RULE_PROCESSOR(PrintObjectsForNat);
/*
* Check that TSrc has right combination of objects after
* object group has been created. Call after CreateObjectGroupsForTSrc
*/
DECLARE_NAT_RULE_PROCESSOR(VerifyValidityOfTSrc);
/**
* TSrc may contain multiple objects, so we should group them
* in order to put all addresses, address ranges and subnets
* into an object-group and keep interfaces separate.
*/
DECLARE_NAT_RULE_PROCESSOR(PrintObjectsForTSrc);
/*
* Check if "translate dns" option can be used with the rule
*/


@ -50,98 +50,6 @@ using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
void NATCompiler_asa8::addNamedObject(const FWObject *obj)
{
if (BaseObjectGroup::constcast(obj)!=NULL)
{
for (FWObject::const_iterator i=obj->begin(); i!=obj->end(); ++i)
{
addNamedObject(FWReference::getObject(*i));
}
}
if (CreateObjectGroups::named_objects[obj->getId()] == NULL)
{
NamedObject *asa8obj = new NamedObject(obj);
output << asa8obj->getCommand().toStdString();
CreateObjectGroups::named_objects[obj->getId()] = asa8obj;
}
}
NamedObject* NATCompiler_asa8::getNamedObject(const FWObject *obj)
{
return CreateObjectGroups::named_objects[obj->getId()];
}
bool NATCompiler_asa8::PrintObjectsForNat::processNext()
{
NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
slurp();
if (tmp_queue.size()==0) return false;
compiler->output << endl;
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
NATRule *rule = NATRule::cast( *k );
// OSrc, ODst, OSrv and TSrc may be either a single
// address/service object or a group. We print group
// definitions in rule processor printObjectGroups
Address *osrc = compiler->getFirstOSrc(rule);
if (osrc) pix_comp->addNamedObject(osrc);
Address *odst = compiler->getFirstODst(rule);
if (odst) pix_comp->addNamedObject(odst);
Service *osrv = compiler->getFirstOSrv(rule);
if (osrv) pix_comp->addNamedObject(osrv);
// Address *tsrc = compiler->getFirstTSrc(rule);
// if (tsrc) pix_comp->addNamedObject(tsrc);
Address *tdst = compiler->getFirstTDst(rule); assert(tdst);
pix_comp->addNamedObject(tdst);
Service *tsrv = compiler->getFirstTSrv(rule); assert(tsrv);
pix_comp->addNamedObject(tsrv);
}
return true;
}
bool NATCompiler_asa8::PrintObjectsForTSrc::processNext()
{
NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
slurp();
if (tmp_queue.size()==0) return false;
compiler->output << endl;
/*
* Print definitions of all objects that are not interface
*/
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
NATRule *rule = NATRule::cast( *k );
RuleElementTSrc *tsrc_re = rule->getTSrc(); assert(tsrc_re);
if (tsrc_re->isAny()) continue;
for (FWObject::iterator it=tsrc_re->begin(); it!=tsrc_re->end(); ++it)
{
FWObject *obj = FWReference::getObject(*it);
if (Interface::isA(obj)) continue;
pix_comp->addNamedObject(obj);
}
}
return true;
}
bool NATCompiler_asa8::PrintClearCommands::processNext()
{
@ -194,7 +102,10 @@ void NATCompiler_asa8::PrintRule::printDNAT(libfwbuilder::NATRule *rule)
QString NATCompiler_asa8::PrintRule::printSingleObject(FWObject *obj)
{
NATCompiler_asa8 *pix_comp = dynamic_cast<NATCompiler_asa8*>(compiler);
NamedObject* asa8_object = pix_comp->getNamedObject(obj);
if (Address::cast(obj) && Address::cast(obj)->isAny()) return "any";
NamedObject* asa8_object = NamedObjectManager::getNamedObject(obj);
if (asa8_object) return asa8_object->getCommandWord();
for (FWObject::iterator i=CreateObjectGroups::object_groups->begin();
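Review bot: In printSingleObject the new any-check calls `Address::cast(obj)` twice on one line; a local reads better and casts once: `Address *addr = Address::cast(obj);` followed by `if (addr && addr->isAny()) return "any";`. Since the lookup now goes through the static `NamedObjectManager::getNamedObject(obj)`, the `pix_comp` dynamic_cast at the top of the function looks unused in the visible lines. The function continues past the hunk, so confirm that before dropping it.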


@ -107,7 +107,6 @@ namespace fwcompiler {
libfwbuilder::RuleSet *final_ruleset;
std::string debugPrintRule(libfwbuilder::Rule *r);
void _expand_addr_recursive_pix(libfwbuilder::Rule *rule,


@ -62,6 +62,33 @@ Group* CreateObjectGroups::object_groups = NULL;
map<int, NamedObject*> CreateObjectGroups::named_objects;
string NamedObjectManager::addNamedObject(const FWObject *obj)
{
string res;
if (BaseObjectGroup::constcast(obj)!=NULL)
{
for (FWObject::const_iterator i=obj->begin(); i!=obj->end(); ++i)
{
res += addNamedObject(FWReference::getObject(*i));
}
return res;
}
if (CreateObjectGroups::named_objects[obj->getId()] == NULL)
{
NamedObject *asa8obj = new NamedObject(obj);
res = asa8obj->getCommand().toStdString();
CreateObjectGroups::named_objects[obj->getId()] = asa8obj;
}
return res;
}
NamedObject* NamedObjectManager::getNamedObject(const FWObject *obj)
{
return CreateObjectGroups::named_objects[obj->getId()];
}
void CreateObjectGroups::init(FWObjectDatabase *db)
{
object_groups = new Group();
@ -201,8 +228,7 @@ void CreateObjectGroupsForTSrc::packObjects(RuleElement *re,
BaseObjectGroup *obj_group)
{
if (libfwbuilder::XMLTools::version_compare(
compiler->fw->getStr("version"), "8.3")>=0 &&
re_type == RuleElementTSrc::TYPENAME)
compiler->fw->getStr("version"), "8.3")>=0)
{
// put all objects inside of the group, except for the interface
// if it belongs to the firewall
@ -257,3 +283,49 @@ bool printObjectGroups::processNext()
return true;
}
void printNamedObjects::printObjectsForRE(RuleElement *re)
{
if (re->isAny()) return;
for (FWObject::iterator it=re->begin(); it!=re->end(); ++it)
{
FWObject *obj = FWReference::getObject(*it);
if (Interface::isA(obj)) continue;
compiler->output << NamedObjectManager::addNamedObject(obj);
}
}
bool printNamedObjects::processNext()
{
slurp();
if (tmp_queue.size()==0) return false;
compiler->output << endl;
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
NATRule *rule = NATRule::cast( *k );
RuleElementOSrc *osrc_re = rule->getOSrc(); assert(osrc_re);
printObjectsForRE(osrc_re);
RuleElementODst *odst_re = rule->getODst(); assert(odst_re);
printObjectsForRE(odst_re);
RuleElementOSrv *osrv_re = rule->getOSrv(); assert(osrv_re);
printObjectsForRE(osrv_re);
RuleElementTSrc *tsrc_re = rule->getTSrc(); assert(tsrc_re);
printObjectsForRE(tsrc_re);
RuleElementTDst *tdst_re = rule->getTDst(); assert(tdst_re);
printObjectsForRE(tdst_re);
RuleElementTSrv *tsrv_re = rule->getTSrv(); assert(tsrv_re);
printObjectsForRE(tsrv_re);
}
return true;
}
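Review bot: `NamedObjectManager::getNamedObject` looks objects up with `CreateObjectGroups::named_objects[obj->getId()]`, and `std::map::operator[]` inserts a NULL entry for every id that is not yet registered, so a read-only query grows the static registry. Use `find` instead: `map<int, NamedObject*>::const_iterator it = CreateObjectGroups::named_objects.find(obj->getId());` then `return it == CreateObjectGroups::named_objects.end() ? NULL : it->second;`. Separately, `addNamedObject` and `printObjectsForRE` dereference the result of `FWReference::getObject(...)` without a NULL check. Whether that call can return NULL is not visible here, but if it can, an unresolved reference would crash the compiler instead of producing a diagnostic for the affected rule.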


@ -39,6 +39,13 @@
namespace fwcompiler
{
class NamedObjectManager
{
public:
static std::string addNamedObject(const libfwbuilder::FWObject *obj);
static NamedObject* getNamedObject(const libfwbuilder::FWObject *obj);
};
class CreateObjectGroups : public BasicRuleProcessor
{
static void clearNamedObjectsRegistry();
@ -92,6 +99,31 @@ public:
CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME) {}
};
// ################################################################
// OSrc, ODst, OSrv, TSrc
class CreateObjectGroupsForOSrc : public CreateObjectGroups
{
public:
CreateObjectGroupsForOSrc(const std::string &n) :
CreateObjectGroups(n,"osrc",libfwbuilder::RuleElementOSrc::TYPENAME) {}
};
class CreateObjectGroupsForODst : public CreateObjectGroups
{
public:
CreateObjectGroupsForODst(const std::string &n) :
CreateObjectGroups(n,"odst",libfwbuilder::RuleElementODst::TYPENAME) {}
};
class CreateObjectGroupsForOSrv : public CreateObjectGroups
{
public:
CreateObjectGroupsForOSrv(const std::string &n) :
CreateObjectGroups(n,"osrv",libfwbuilder::RuleElementOSrv::TYPENAME) {}
};
class CreateObjectGroupsForTSrc : public CreateObjectGroups
{
protected:
@ -104,6 +136,9 @@ public:
CreateObjectGroups(n,"tsrc",libfwbuilder::RuleElementTSrc::TYPENAME) {}
};
/**
* this processor accumulates all rules fed to it by previous
* processors, then prints all object groups and feeds all
@ -118,6 +153,17 @@ public:
virtual bool processNext();
};
class printNamedObjects : public BasicRuleProcessor
{
void printObjectsForRE(libfwbuilder::RuleElement *re);
public:
printNamedObjects(const std::string &n) : BasicRuleProcessor(n) {}
virtual bool processNext();
};
}
#endif
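Review bot: `NamedObjectManager` and `printNamedObjects` are added without the doc comments that the neighbouring `printObjectGroups` processor carries. For the manager, state that both static methods operate on the `CreateObjectGroups::named_objects` registry, and that `addNamedObject` returns the definition commands only for objects it registers in that call and an empty string for objects already present (per the implementation in this commit). For the processor, a short block comment saying that it accumulates all rules and prints named-object definitions for every rule element, skipping "any" elements and Interface objects, would match what `printObjectsForRE` does.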


@ -546,6 +546,29 @@ bool NATCompiler::ConvertToAtomicForAddresses::processNext()
return true;
}
bool NATCompiler::ConvertToAtomicForOSrv::processNext()
{
NATRule *rule=getNext(); if (rule==NULL) return false;
RuleElementOSrv *osrv=rule->getOSrv(); assert(osrv);
for (FWObject::iterator i1=osrv->begin(); i1!=osrv->end(); ++i1)
{
NATRule *r = compiler->dbcopy->createNATRule();
r->duplicate(rule);
compiler->temp_ruleset->add(r);
FWObject *s;
s=r->getOSrv(); assert(s);
s->clearChildren();
s->addCopyOf( *i1 );
tmp_queue.push_back(r);
}
return true;
}
bool NATCompiler::ConvertToAtomicForTSrc::processNext()
{
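Review bot: `ConvertToAtomicForOSrv::processNext` forwards only the per-object copies, so if the OSrv element ever iterates as empty, the incoming rule is neither copied nor pushed to `tmp_queue` and drops out of the generated policy while the processor still returns true. Whether an empty OSrv can reach this point is not visible here; if it can, pass the rule through unchanged or abort with an error rather than losing it silently. The `assert(osrv)` and `assert(s)` guards are compiled out when NDEBUG is defined, so such a build would dereference NULL on the following line. As a style point, `FWObject *s = r->getOSrv();` is preferable to declaring and assigning on separate lines.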


@ -150,6 +150,11 @@ namespace fwcompiler {
*/
DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForOriginal);
/**
* this processor converts to atomic rules only for OSrcv
*/
DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForOSrv);
/**
* this processor converts to atomic rules only for TSrc
*/
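Review bot: The doc comment added for `ConvertToAtomicForOSrv` names the element `OSrcv`; the rule element is `OSrv`, so the line should read `* this processor converts to atomic rules only for OSrv`. The surrounding declarations continue outside the hunk.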


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:32 2011 PST by vadim
! Generated Thu Jan 13 19:02:58 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:32 2011 PST by vadim
! Generated Thu Jan 13 19:02:58 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:32 2011 PST by vadim
! Generated Thu Jan 13 19:02:57 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:32 2011 PST by vadim
! Generated Thu Jan 13 19:02:57 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:07 2011 PST by vadim
! Generated Thu Jan 13 19:02:33 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:08 2011 PST by vadim
! Generated Thu Jan 13 19:02:34 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:09 2011 PST by vadim
! Generated Thu Jan 13 19:02:34 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:10 2011 PST by vadim
! Generated Thu Jan 13 19:02:35 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:10 2011 PST by vadim
! Generated Thu Jan 13 19:02:36 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:11 2011 PST by vadim
! Generated Thu Jan 13 19:02:36 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:12 2011 PST by vadim
! Generated Thu Jan 13 19:02:37 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:12 2011 PST by vadim
! Generated Thu Jan 13 19:02:38 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:13 2011 PST by vadim
! Generated Thu Jan 13 19:02:39 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:14 2011 PST by vadim
! Generated Thu Jan 13 19:02:40 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:14 2011 PST by vadim
! Generated Thu Jan 13 19:02:39 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:15 2011 PST by vadim
! Generated Thu Jan 13 19:02:41 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:16 2011 PST by vadim
! Generated Thu Jan 13 19:02:41 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:17 2011 PST by vadim
! Generated Thu Jan 13 19:02:42 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:18 2011 PST by vadim
! Generated Thu Jan 13 19:02:43 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:18 2011 PST by vadim
! Generated Thu Jan 13 19:02:44 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:19 2011 PST by vadim
! Generated Thu Jan 13 19:02:45 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:20 2011 PST by vadim
! Generated Thu Jan 13 19:02:45 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:21 2011 PST by vadim
! Generated Thu Jan 13 19:02:46 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:21 2011 PST by vadim
! Generated Thu Jan 13 19:02:47 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:22 2011 PST by vadim
! Generated Thu Jan 13 19:02:48 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -142,7 +142,6 @@ quit
object network hostA:eth0
host 192.168.1.10
quit
!
! Rule 0 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0 service http http


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:23 2011 PST by vadim
! Generated Thu Jan 13 19:02:48 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -142,7 +142,6 @@ quit
object network hostA:eth0
host 192.168.1.10
quit
!
! Rule 0 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0 service http http


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:23 2011 PST by vadim
! Generated Thu Jan 13 19:02:49 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -137,7 +137,6 @@ quit
object service http
service tcp destination eq 80
quit
!
! Rule 0 (NAT)
nat (inside,outside) source static hostA:eth0 interface service http http


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:24 2011 PST by vadim
! Generated Thu Jan 13 19:02:50 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:25 2011 PST by vadim
! Generated Thu Jan 13 19:02:51 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -130,6 +130,9 @@ quit
object service smtp
service tcp destination eq 25
quit
object network firewall90:FastEthernet1:ip-1
host 22.22.22.23
quit
object network internal_subnet_1
subnet 192.168.1.0 255.255.255.192
quit
@ -145,19 +148,6 @@ quit
object network outside_range
range 22.22.22.21 22.22.22.25
quit
object service squid
service tcp destination eq 3128
quit
object service smtps
service tcp destination eq 465
quit
object network spamhost2
host 61.150.47.113
quit
object network firewall90:FastEthernet1:ip-1
host 22.22.22.23
quit
object network firewall90:FastEthernet1:ip
host 22.22.22.22
quit
@ -170,6 +160,28 @@ quit
object network outside_range-1
range 22.22.22.30 22.22.22.40
quit
object service squid
service tcp destination eq 3128
quit
object network spamhost2
host 61.150.47.113
quit
object service smtps
service tcp destination eq 465
quit
object-group network outside.id178211X29963.osrc.net.0
network-object object internal_subnet_1
network-object object internal_subnet_2
exit
object-group network outside.id21353X4994.osrc.net.0
network-object object internal_subnet_1
network-object object Internal_net
network-object object internal_subnet_2
exit
object-group network outside.id130599X29063.tsrc.net.0
network-object object outside_range
@ -205,6 +217,12 @@ object-group network outside.id21177X3720.tsrc.net.0
exit
object-group network outside.id77971X5929.odst.net.0
network-object object spamhost1
network-object object spamhost2
exit
object-group network outside.id77971X5929.tsrc.net.0
network-object object outside_range-1
network-object object external_gw2
@ -216,42 +234,6 @@ object-group network outside.id77971X5929.tsrc.net.1
network-object object external_gw2
exit
object-group network outside.id77971X5929.tsrc.net.2
network-object object outside_range-1
network-object object external_gw2
exit
object-group network outside.id77971X5929.tsrc.net.3
network-object object outside_range-1
network-object object external_gw2
exit
object-group network outside.id77971X5929.tsrc.net.4
network-object object outside_range-1
network-object object external_gw2
exit
object-group network outside.id77971X5929.tsrc.net.5
network-object object outside_range-1
network-object object external_gw2
exit
object-group network outside.id77971X5929.tsrc.net.6
network-object object outside_range-1
network-object object external_gw2
exit
object-group network outside.id77971X5929.tsrc.net.7
network-object object outside_range-1
network-object object external_gw2
exit
!
! Rule 0 (NAT)
nat (inside,outside) source dynamic Internal_net interface service http http
@ -263,15 +245,12 @@ nat (inside,outside) source static hostA:eth0 firewall90:FastEthernet1:ip-1 dest
nat (inside,outside) source static hostA:eth0 interface service smtp smtp
!
! Rule 3 (NAT)
nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 service smtp smtp
nat (inside,outside) source dynamic internal_subnet_2 firewall90:FastEthernet1:ip-1 service smtp smtp
nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp
!
! Rule 4 (NAT)
! for #1928
! note that group in OSrc includes another group
nat (inside,outside) source dynamic internal_subnet_1 firewall90:FastEthernet1:ip-1 service smtp smtp
nat (inside,outside) source dynamic Internal_net firewall90:FastEthernet1:ip-1 service smtp smtp
nat (inside,outside) source dynamic internal_subnet_2 firewall90:FastEthernet1:ip-1 service smtp smtp
nat (inside,outside) source dynamic outside.id21353X4994.osrc.net.0 firewall90:FastEthernet1:ip-1 service smtp smtp
!
! Rule 5 (NAT)
nat (inside,outside) source dynamic test_range_1 firewall90:FastEthernet1:ip-1 destination static spamhost1 spamhost1 service smtp smtp
@ -357,14 +336,8 @@ nat (outside,inside) source static any any destination static interface hostA:et
!
! Rule 23 (NAT)
! multiple objects in OSrc, ODst, OSrv and TSrc in various combinations
nat (inside,outside) source dynamic internal_subnet_1 outside.id77971X5929.tsrc.net.0 interface destination static spamhost1 spamhost1 service smtp smtp
nat (inside,outside) source dynamic internal_subnet_1 outside.id77971X5929.tsrc.net.1 interface destination static spamhost1 spamhost1 service smtps smtps
nat (inside,outside) source dynamic internal_subnet_1 outside.id77971X5929.tsrc.net.2 interface destination static spamhost2 spamhost2 service smtp smtp
nat (inside,outside) source dynamic internal_subnet_1 outside.id77971X5929.tsrc.net.3 interface destination static spamhost2 spamhost2 service smtps smtps
nat (inside,outside) source dynamic internal_subnet_2 outside.id77971X5929.tsrc.net.4 interface destination static spamhost1 spamhost1 service smtp smtp
nat (inside,outside) source dynamic internal_subnet_2 outside.id77971X5929.tsrc.net.5 interface destination static spamhost1 spamhost1 service smtps smtps
nat (inside,outside) source dynamic internal_subnet_2 outside.id77971X5929.tsrc.net.6 interface destination static spamhost2 spamhost2 service smtp smtp
nat (inside,outside) source dynamic internal_subnet_2 outside.id77971X5929.tsrc.net.7 interface destination static spamhost2 spamhost2 service smtps smtps
nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 outside.id77971X5929.tsrc.net.0 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtp smtp
nat (inside,outside) source dynamic outside.id178211X29963.osrc.net.0 outside.id77971X5929.tsrc.net.1 interface destination static outside.id77971X5929.odst.net.0 outside.id77971X5929.odst.net.0 service smtps smtps


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:25 2011 PST by vadim
! Generated Thu Jan 13 19:02:51 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -121,7 +121,6 @@ quit
object service https
service tcp destination eq 443
quit
!
! Rule 0 (NAT)
nat (outside,inside) source static any any destination static interface hostA:eth0


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:26 2011 PST by vadim
! Generated Thu Jan 13 19:02:52 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported
@ -130,6 +130,11 @@ object network test_range_1
range 192.168.1.11 192.168.1.15
quit
object-group network outside.id20655X6113.osrc.net.0
network-object object internal_subnet_1
network-object object internal_subnet_2
exit
!
! Rule 0 (NAT)
nat (inside,outside) source static Internal_net Internal_net service http http
@ -141,8 +146,7 @@ nat (inside,outside) source static hostA:eth0 hostA:eth0 service smtp smtp
nat (inside,outside) source static hostA:eth0 hostA:eth0 destination static spamhost1 spamhost1 service smtp smtp
!
! Rule 3 (NAT)
nat (inside,outside) source static internal_subnet_1 internal_subnet_1 service smtp smtp
nat (inside,outside) source static internal_subnet_2 internal_subnet_2 service smtp smtp
nat (inside,outside) source static outside.id20655X6113.osrc.net.0 outside.id20655X6113.osrc.net.0 service smtp smtp
!
! Rule 4 (NAT)
nat (inside,outside) source static test_range_1 test_range_1 destination static spamhost1 spamhost1 service smtp smtp


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:27 2011 PST by vadim
! Generated Thu Jan 13 19:02:53 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:28 2011 PST by vadim
! Generated Thu Jan 13 19:02:54 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:29 2011 PST by vadim
! Generated Thu Jan 13 19:02:55 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3431
!
! Generated Thu Jan 13 18:02:30 2011 PST by vadim
! Generated Thu Jan 13 19:02:55 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported