onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 09:47:20 +01:00
Code Issues Releases Wiki Activity

see #2103 added checkbox to disable interface name validation checks and autoconfiguration of vlan interface IDs

Browse Source
This commit is contained in:
Vadim Kurland 2011-02-16 13:27:38 -08:00
parent 4d9abebb64
commit 9ae36f6632
85 changed files with 1310 additions and 265 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
doc/ChangeLog
View File

@ -1,3 +1,26 @@
2011-02-16 vadim <vadim@netcitadel.com>
* compiler_lib/CompilerDriver.cpp (commonChecks2): see #2103
removed interface name validation check in compilers, this
check will only be done in the GUI. Comiler still verifies
bridge inetrface configuration and makes sure vlan interfaces
that should also be bridge ports are created as copies.
* InterfaceDialog.cpp (applyChanges): see #2103 "complex
vlan/bridge configurations are not supported by the interface
validation code". Added checkbox to let the user turn off
interface name validation functions in the GUI. Checkbox is
located in the global Preferences dialog, tab Objects, subtab
Interface. For backwards compatibility, the checkbox is turned on
by default. When it is off, the GUI does not validate the name of
inetrfaces and subinterfaces and turns off checks that enforced
interface name patterns for VLAN, bridge and bodning interfaces.
It also turns off check for the validity of vlan ID derived from
vlan interface name and turns off automatic configuration of
interface type and vlan ID. These checks sometimes were in the way
of building complex configurations that involved multiple vlan
interfaces with names not matching their IDs.
2011-02-15 vadim <vadim@netcitadel.com>
* ActionsDialog.cpp (setRule): see #1871 "PF Actions Tag and

5
src/compiler_lib/CompilerDriver.cpp
View File

@ -543,12 +543,17 @@ void CompilerDriver::commonChecks2(Cluster *cluster, Firewall *fw)
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
os_family));
#if 0
// See #2103. All interface name validation checks should
// be done in the GUI.
QString err;
if (!int_prop->validateInterface(parent, iface, true, err))
{
abort(fw, NULL, NULL, err.toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
#endif
string interface_type = iface->getOptionsObject()->getStr("type");
if (interface_type.empty()) interface_type = "ethernet";

15
src/compiler_lib/interfaceProperties.cpp
View File

@ -91,7 +91,8 @@ bool interfaceProperties::isValidVlanInterfaceName(const QString &subint_name,
{
if (!looksLikeVlanInterface(subint_name))
{
err = QObject::tr("'%1' is not a valid vlan interface name").arg(subint_name);
err = QObject::tr("'%1' is not a valid vlan interface name")
.arg(subint_name);
return false;
}
@ -112,8 +113,8 @@ bool interfaceProperties::isValidVlanInterfaceName(const QString &subint_name,
if (vlan_id > 4095)
{
err = QObject::tr("'%1' looks like a name of a vlan interface "
"but vlan ID it defines is outside of the valid range."
"").arg(subint_name);
"but vlan ID it defines is outside of the valid "
"range.").arg(subint_name);
return false;
}
}
@ -334,7 +335,7 @@ bool interfaceProperties::validateInterface(FWObject *target,
{
if (Firewall::cast(target) || Host::cast(target))
{
if (looksLikeVlanInterface(interface_name))
if (vlan_checks && looksLikeVlanInterface(interface_name))
{
QString target_name = target->getName().c_str();
if (Cluster::isA(target))
@ -346,8 +347,10 @@ bool interfaceProperties::validateInterface(FWObject *target,
// empty string as target_interface
target_name = "";
}
return isValidVlanInterfaceName(interface_name, target_name, err);
}
return true;
}
@ -356,7 +359,7 @@ bool interfaceProperties::validateInterface(FWObject *target,
string target_interface_type =
Interface::cast(target)->getOptionsObject()->getStr("type");
// check vlan conditions as well
if (looksLikeVlanInterface(interface_name))
if (vlan_checks && looksLikeVlanInterface(interface_name))
{
// vlan interface can be a child of a bridge, in which
// case its base name does not match the
@ -451,7 +454,7 @@ void interfaceProperties::guessSubInterfaceTypeAndAttributes(Interface *intf)
Interface *parent_intf = Interface::cast(intf->getParent());
if (parent_intf == NULL)
return;
return;
FWObject *f = intf->getParentHost();

7
src/compiler_lib/interfaceProperties.h
View File

@ -42,7 +42,8 @@ protected:
VLAN_INTERFACE,
BRIDGE_INTERFACE,
UNKNOWN} interface_type;
bool vlan_checks;
/*
* collects all ip addresses of the interface (only direct
* addresses, not addresses of subinterfaces) and fills the list
@ -52,9 +53,11 @@ protected:
QStringList &addr_list);
public:
interfaceProperties() {}
interfaceProperties() { vlan_checks = true; }
virtual ~interfaceProperties() {}
void setPerformVlanChecks(bool f) { vlan_checks = f; }
// simple name validation: does not allow space and "-"
// However some platform permit space (procurve).
virtual bool basicValidateInterfaceName(libfwbuilder::Interface *intf,

4
src/libgui/FWBSettings.cpp
View File

@ -385,6 +385,10 @@ void FWBSettings::init(bool force_first_time_run)
if (!hasKey("Objects/PolicyRule/defaultLoggingState"))
setBool("Objects/PolicyRule/defaultLoggingState", true);
if (!hasKey("Objects/Interface/autoconfigureInterfaces"))
setBool("Objects/Interface/autoconfigureInterfaces", true);
}
bool FWBSettings::isReminderAboutStandardLibSuppressed()

67
src/libgui/InterfaceDialog.cpp
View File

@ -104,27 +104,30 @@ void InterfaceDialog::loadFWObject(FWObject *o)
init = true;
/*
* guessSubInterfaceTypeAndAttributes() changes some attributes of
* the object (mostly compensating for missing functions in
* auto-upgrade scripts but also makes some guesses based on the
* interface name, such as sets its vlan ID if its name looks like
* it might be a vlan interface). Since we make changes in the
* object here, do it before loading it into the dialog so that it
* does not look like it has changed in applyChanges() even if the
* user hasn't touched it, which causes new undo command to be
* created out of nowhere.
*
* TODO: better way of course is to call
* guessSubInterfaceTypeAndAttributes in places where user changes
* something relevant in the interface to complement their changes
* and right after the interface has been created.
*/
interfaceProperties *int_prop =
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
s->getParentHost());
int_prop->guessSubInterfaceTypeAndAttributes(s);
delete int_prop;
if (st->getBool("Objects/Interface/autoconfigureInterfaces"))
{
/*
* guessSubInterfaceTypeAndAttributes() changes some attributes of
* the object (mostly compensating for missing functions in
* auto-upgrade scripts but also makes some guesses based on the
* interface name, such as sets its vlan ID if its name looks like
* it might be a vlan interface). Since we make changes in the
* object here, do it before loading it into the dialog so that it
* does not look like it has changed in applyChanges() even if the
* user hasn't touched it, which causes new undo command to be
* created out of nowhere.
*
* TODO: better way of course is to call
* guessSubInterfaceTypeAndAttributes in places where user changes
* something relevant in the interface to complement their changes
* and right after the interface has been created.
*/
interfaceProperties *int_prop =
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
s->getParentHost());
int_prop->guessSubInterfaceTypeAndAttributes(s);
delete int_prop;
}
m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) );
m_dialog->label->setText( QString::fromUtf8(s->getLabel().c_str()) );
@ -353,7 +356,9 @@ void InterfaceDialog::validate(bool *res)
return;
}
if ( ! int_prop->validateInterface(obj->getParent(), obj_name, err))
// validateInterface() checks validity of vlan inetrface name
if (st->getBool("Objects/Interface/autoconfigureInterfaces") &&
! int_prop->validateInterface(obj->getParent(), obj_name, err))
{
/*
* Here is the annoying part: if user entered interface name
@ -494,13 +499,17 @@ void InterfaceDialog::applyChanges()
// Complement changes made by the user with our guesses, but
// do this only if user changed something.
// ticket #328: automatically assign vlan id to interface based on
// interface name
interfaceProperties *int_prop =
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
Interface::cast(obj)->getParentHost());
int_prop->guessSubInterfaceTypeAndAttributes(intf);
delete int_prop;
if (st->getBool("Objects/Interface/autoconfigureInterfaces"))
{
// ticket #328: automatically assign vlan id to interface based on
// interface name
interfaceProperties *int_prop =
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
Interface::cast(obj)->getParentHost());
int_prop->setPerformVlanChecks(true);
int_prop->guessSubInterfaceTypeAndAttributes(intf);
delete int_prop;
}
if (obj->isReadOnly()) return;
m_project->undoStack->push(cmd.release());

19
src/libgui/PrefsDialog.cpp
View File

@ -122,7 +122,8 @@ PrefsDialog::PrefsDialog(QWidget *parent) : QDialog(parent)
m_dialog->enableCustomTemplates->setChecked( st->customTemplatesEnabled() );
m_dialog->deletedObj->setChecked( st->getBool("UI/ShowDeletedObjects") );
m_dialog->attributesInTree->setChecked( st->getBool("UI/ShowObjectsAttributesInTree") );
m_dialog->attributesInTree->setChecked(
st->getBool("UI/ShowObjectsAttributesInTree") );
m_dialog->new_dns_name_compile_tm->setChecked(
st->getBool("Objects/DNSName/useCompileTimeForNewObjects"));
@ -141,7 +142,8 @@ PrefsDialog::PrefsDialog(QWidget *parent) : QDialog(parent)
m_dialog->emptyRCSLog->setChecked( st->getRCSLogState() );
m_dialog->autosaveFile->setChecked(st->getBool("Environment/autoSaveFile"));
m_dialog->autosaveInterval->setValue(st->getInt("Environment/autoSaveFilePeriod"));
m_dialog->autosaveInterval->setValue(
st->getInt("Environment/autoSaveFilePeriod"));
m_dialog->dataFileCompression->setChecked( st->getCompression() );
@ -151,11 +153,16 @@ PrefsDialog::PrefsDialog(QWidget *parent) : QDialog(parent)
m_dialog->scpPath->setText( st->getSCPPath() );
m_dialog->sshTimeout->setValue( st->getSSHTimeout() );
m_dialog->rememberSshPass->setChecked( st->getBool("Environment/RememberSshPassEnabled") );
m_dialog->rememberSshPass->setChecked(
st->getBool("Environment/RememberSshPassEnabled") );
m_dialog->showTips->setChecked( st->getBool("UI/NoStartTip") );
m_dialog->rulesLoggingOn->setChecked( st->getBool("Objects/PolicyRule/defaultLoggingState") );
m_dialog->rulesLoggingOn->setChecked(
st->getBool("Objects/PolicyRule/defaultLoggingState") );
m_dialog->autoconfigure_interfaces->setChecked(
st->getBool("Objects/Interface/autoconfigureInterfaces") );
// set label icons colors and text strings using user's settings
@ -447,6 +454,10 @@ void PrefsDialog::accept()
st->setBool("Objects/PolicyRule/defaultLoggingState",
m_dialog->rulesLoggingOn->isChecked());
st->setBool("Objects/Interface/autoconfigureInterfaces",
m_dialog->autoconfigure_interfaces->isChecked());
st->setRCSLogState( m_dialog->emptyRCSLog->isChecked() );
st->setBool("Environment/autoSaveFile", m_dialog->autosaveFile->isChecked());

73
src/libgui/prefsdialog_q.ui
View File

@ -338,7 +338,7 @@ own library of templates and use it in addition to the one we provide</string>
<item row="7" column="0" colspan="2">
<widget class="QTabWidget" name="tabWidget_2">
<property name="currentIndex">
<number>0</number>
<number>3</number>
</property>
<widget class="QWidget" name="DNSName">
<attribute name="title">
@ -550,6 +550,65 @@ own library of templates and use it in addition to the one we provide</string>
</item>
</layout>
</widget>
<widget class="QWidget" name="tab_2">
<attribute name="title">
<string>Interface</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_17">
<item row="0" column="0">
<widget class="QLabel" name="label_17">
<property name="sizePolicy">
<sizepolicy hsizetype="Minimum" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string/>
</property>
<property name="pixmap">
<pixmap resource="MainRes.qrc">:/Icons/Interface/icon-big</pixmap>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLabel" name="label_18">
<property name="text">
<string>When an interface object is created as a child object of another interface, fwbuilder can verify that the name and type of the child and the parent objects match and form valid configuration. FWbuilder can also automatically guess some inetrface types and their parameters using their names. For example, it can automatically set interface type to &quot;vlan&quot; and assign vlan ID if object name looks like a valid vlan interface for the given OS. However in some situations desired configuration might be more complex than our checks allow so this may need to be turned off.</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QCheckBox" name="autoconfigure_interfaces">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Verify interface names and autoconfigure their parmeters using known name patterns</string>
</property>
</widget>
</item>
<item row="2" column="1">
<spacer name="verticalSpacer_8">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>134</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
</item>
</layout>
@ -559,10 +618,10 @@ own library of templates and use it in addition to the one we provide</string>
<string>Data File</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_5">
<property name="verticalSpacing">
<property name="topMargin">
<number>20</number>
</property>
<property name="topMargin">
<property name="verticalSpacing">
<number>20</number>
</property>
<item row="0" column="0">
@ -820,8 +879,8 @@ own library of templates and use it in addition to the one we provide</string>
<string>&lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 4.0//EN&quot; &quot;http://www.w3.org/TR/REC-html40/strict.dtd&quot;&gt;
&lt;html&gt;&lt;head&gt;&lt;meta name=&quot;qrichtext&quot; content=&quot;1&quot; /&gt;&lt;style type=&quot;text/css&quot;&gt;
p, li { white-space: pre-wrap; }
&lt;/style&gt;&lt;/head&gt;&lt;body style=&quot; font-family:'Lucida Grande'; font-size:13pt; font-weight:400; font-style:normal;&quot;&gt;
&lt;p style=&quot; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;&quot;&gt;&lt;a href=&quot;http://www.chiark.greenend.org.uk/~sgtatham/putty/&quot;&gt;&lt;span style=&quot; font-size:8pt; text-decoration: underline; color:#0000ff;&quot;&gt;http://www.chiark.greenend.org.uk/~sgtatham/putty/&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;</string>
&lt;/style&gt;&lt;/head&gt;&lt;body style=&quot; font-family:'Sans Serif'; font-size:9pt; font-weight:400; font-style:normal;&quot;&gt;
&lt;p style=&quot; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;&quot;&gt;&lt;a href=&quot;http://www.chiark.greenend.org.uk/~sgtatham/putty/&quot;&gt;&lt;span style=&quot; font-family:'Lucida Grande'; font-size:8pt; text-decoration: underline; color:#0000ff;&quot;&gt;http://www.chiark.greenend.org.uk/~sgtatham/putty/&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;</string>
</property>
<property name="acceptRichText">
<bool>true</bool>
@ -907,10 +966,10 @@ are never stored permanently)</string>
<string>Labels</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_6">
<property name="verticalSpacing">
<property name="topMargin">
<number>20</number>
</property>
<property name="topMargin">
<property name="verticalSpacing">
<number>20</number>
</property>
<item row="0" column="0" colspan="3">

3
src/pflib/OSConfigurator_bsd.h
View File

@ -74,7 +74,8 @@ protected:
virtual void summaryConfigLineVlan(QStringList vlan_names);
virtual void interfaceConfigLineVlan(
libfwbuilder::Interface *iface, QStringList vlan_names);
libfwbuilder::Interface *iface,
const std::list<libfwbuilder::Interface*> &vlan_subinterfaces);
// functions that generate bridge configuration
virtual void summaryConfigLineBridge(QStringList vlan_names);

16
src/pflib/OSConfigurator_bsd_interfaces.cpp
View File

@ -79,7 +79,7 @@ string OSConfigurator_bsd::configureInterfaces()
QStringList all_physical_interfaces;
QMap<QString, Interface*> parent_interfaces;
QMap<QString, QStringList> vlans;
QMap<QString, list<Interface*> > vlans;
QStringList all_vlan_interfaces; // all vlan interfaces
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
@ -98,7 +98,7 @@ string OSConfigurator_bsd::configureInterfaces()
assert(subinterface);
if (subinterface->getOptionsObject()->getStr("type") == "8021q")
{
vlans[iface_name] << subinterface->getName().c_str();
vlans[iface_name].push_back(subinterface);
all_vlan_interfaces << subinterface->getName().c_str();
}
}
@ -115,7 +115,7 @@ string OSConfigurator_bsd::configureInterfaces()
foreach (QString iface_name, all_physical_interfaces)
{
Interface *iface = parent_interfaces[iface_name];
QStringList vlan_subinterfaces = vlans[iface_name];
list<Interface*> vlan_subinterfaces = vlans[iface_name];
if (vlan_subinterfaces.size() > 0)
interfaceConfigLineVlan(iface, vlan_subinterfaces);
}
@ -471,9 +471,15 @@ void OSConfigurator_bsd::summaryConfigLineVlan(QStringList vlan_names)
}
void OSConfigurator_bsd::interfaceConfigLineVlan(Interface *iface,
QStringList vlan_names)
void OSConfigurator_bsd::interfaceConfigLineVlan(
Interface *iface,
const list<Interface*> &vlan_subinterfaces)
{
QStringList vlan_names;
list<Interface*>::const_iterator it;
for (it=vlan_subinterfaces.begin(); it!=vlan_subinterfaces.end(); ++it)
vlan_names << (*it)->getName().c_str();
interface_configuration_lines[iface->getName().c_str()] <<
QString("update_vlans_of_interface \"%1 %2\"")
.arg(iface->getName().c_str())

32
src/pflib/OSConfigurator_freebsd.cpp
View File

@ -251,8 +251,9 @@ void OSConfigurator_freebsd::summaryConfigLineVlan(QStringList vlan_names)
create_args_myvlan="vlan 102"
*/
void OSConfigurator_freebsd::interfaceConfigLineVlan(Interface *iface,
QStringList vlan_names)
void OSConfigurator_freebsd::interfaceConfigLineVlan(
Interface *iface,
const list<Interface*> &vlan_subinterfaces)
{
FWOptions* options = fw->getOptionsObject();
if (options->getBool("generate_rc_conf_file"))
@ -260,28 +261,27 @@ void OSConfigurator_freebsd::interfaceConfigLineVlan(Interface *iface,
QString iface_name = iface->getName().c_str();
// the "vlans_em2="vlan101 vlan102" will appear next to other lines
// intended for interface em2
QStringList vlan_names;
list<Interface*>::const_iterator it;
for (it=vlan_subinterfaces.begin(); it!=vlan_subinterfaces.end(); ++it)
vlan_names << (*it)->getName().c_str();
interface_configuration_lines[iface_name] <<
QString("vlans_%1=\"%2\"").arg(iface->getName().c_str())
.arg(vlan_names.join(" "));
foreach(QString vlan_intf_name, vlan_names)
for (it=vlan_subinterfaces.begin(); it!=vlan_subinterfaces.end(); ++it)
{
std::auto_ptr<interfaceProperties> int_prop(
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
fw->getStr("host_OS")));
QString parent_name_from_regex;
int vlan_id;
if (int_prop->parseVlan(vlan_intf_name,
&parent_name_from_regex, &vlan_id))
{
interface_configuration_lines[iface_name] <<
QString("create_args_%1=\"vlan %2 vlandev %3\"")
.arg(vlan_intf_name).arg(vlan_id).arg(iface->getName().c_str());
}
QString vlan_intf_name = (*it)->getName().c_str();
int vlan_id = (*it)->getOptionsObject()->getInt("vlan_id");
interface_configuration_lines[iface_name] <<
QString("create_args_%1=\"vlan %2 vlandev %3\"")
.arg(vlan_intf_name).arg(vlan_id).arg(iface->getName().c_str());
}
} else
OSConfigurator_bsd::interfaceConfigLineVlan(iface, vlan_names);
OSConfigurator_bsd::interfaceConfigLineVlan(iface, vlan_subinterfaces);
}
void OSConfigurator_freebsd::summaryConfigLineBridge(QStringList bridge_names)

3
src/pflib/OSConfigurator_freebsd.h
View File

@ -67,7 +67,8 @@ namespace fwcompiler
virtual void summaryConfigLineVlan(QStringList vlan_names);
virtual void interfaceConfigLineVlan(
libfwbuilder::Interface *iface, QStringList vlan_names);
libfwbuilder::Interface *iface,
const std::list<libfwbuilder::Interface*> &vlan_subinterfaces);
// functions that generate bridge configuration
virtual void summaryConfigLineBridge(QStringList vlan_names);

6
test/pf/firewall-base-rulesets.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:54 2011 PST by vadim
# Generated Wed Feb 16 13:25:07 2011 PST by vadim
#
# files: * firewall-base-rulesets.fw /etc/fw/firewall-base-rulesets.fw
# files: firewall-base-rulesets.conf /etc/fw/firewall-base-rulesets.conf
@ -163,7 +163,7 @@ configure_interfaces() {
update_addresses_of_interface "en2 192.168.100.1/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:54 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:07 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall-ipv6-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:55 2011 PST by vadim
# Generated Wed Feb 16 13:25:07 2011 PST by vadim
#
# files: * firewall-ipv6-1.fw pf-ipv6.fw
# files: firewall-ipv6-1.conf /etc/fw/pf-ipv6.conf
@ -175,7 +175,7 @@ configure_interfaces() {
update_addresses_of_interface "lo ::1/128 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:55 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:07 2011 by vadim"
set_kernel_vars
configure_interfaces

2
test/pf/firewall-ipv6-2.conf.orig
View File

@ -5,7 +5,7 @@
# Tables: (5)
table <tbl.r4.s> { 222.222.222.22 , 222.222.222.23 }
table <tbl.r4.sx> { 2001:5c0:0:2::24 , 3ffe:1200:2000::/36 , 3ffe:1200:2001:1:8000::1 }
table <tbl.r5.s> { 61.150.47.112 , 74.125.224.48 , 74.125.224.49 , 74.125.224.50 , 74.125.224.51 , 74.125.224.52 , 192.168.1.0 }
table <tbl.r5.s> { 61.150.47.112 , 74.125.224.80 , 74.125.224.81 , 74.125.224.82 , 74.125.224.83 , 74.125.224.84 , 192.168.1.0 }
table <tbl.r5.sx> { 2001:5c0:0:2::24 , 3ffe:1200:2001:1:8000::1 }
table <tbl.r7.s> { 61.150.47.112 , 192.168.1.0 }

6
test/pf/firewall-ipv6-2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:56 2011 PST by vadim
# Generated Wed Feb 16 13:25:09 2011 PST by vadim
#
# files: * firewall-ipv6-2.fw pf.fw
# files: firewall-ipv6-2.conf pf.conf
@ -179,7 +179,7 @@ configure_interfaces() {
update_addresses_of_interface "lo ::1/128 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:56 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:09 2011 by vadim"
set_kernel_vars
configure_interfaces

4
test/pf/firewall-ipv6-3.fw.orig
View File

@ -1,9 +1,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:56 2011 PST by vadim
# Generated Wed Feb 16 13:25:09 2011 PST by vadim
#
# files: * firewall-ipv6-3.fw /etc/firewall-ipv6-3.fw
# files: firewall-ipv6-3.conf /etc/firewall-ipv6-3.conf

6
test/pf/firewall.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:22 2011 PST by vadim
# Generated Wed Feb 16 13:24:33 2011 PST by vadim
#
# files: * firewall.fw /etc/pf.fw
# files: firewall.conf /etc/pf.conf
@ -167,7 +167,7 @@ configure_interfaces() {
update_addresses_of_interface "lo 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:22 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:33 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:23 2011 PST by vadim
# Generated Wed Feb 16 13:24:33 2011 PST by vadim
#
# files: * firewall1.fw /etc/fw/firewall1.fw
# files: firewall1.conf /etc/fw/firewall1.conf
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:23 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:33 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall10-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:25 2011 PST by vadim
# Generated Wed Feb 16 13:24:35 2011 PST by vadim
#
# files: * firewall10-1.fw /etc/fw/firewall10-1.fw
# files: firewall10-1.conf /etc/fw/firewall10-1.conf
@ -74,7 +74,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:25 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:35 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall10-2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:26 2011 PST by vadim
# Generated Wed Feb 16 13:24:36 2011 PST by vadim
#
# files: * firewall10-2.fw /etc/fw/firewall10-2.fw
# files: firewall10-2.conf /etc/fw/firewall10-2.conf
@ -74,7 +74,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:26 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:36 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall10-3.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:27 2011 PST by vadim
# Generated Wed Feb 16 13:24:37 2011 PST by vadim
#
# files: * firewall10-3.fw /etc/fw/firewall10-3.fw
# files: firewall10-3.conf /etc/fw/firewall10-3.conf
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:27 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:37 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall10-4.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:29 2011 PST by vadim
# Generated Wed Feb 16 13:24:40 2011 PST by vadim
#
# files: * firewall10-4.fw /etc/fw/firewall10-4.fw
# files: firewall10-4.conf /etc/fw/firewall10-4.conf
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:29 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:40 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall10-5.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:31 2011 PST by vadim
# Generated Wed Feb 16 13:24:41 2011 PST by vadim
#
# files: * firewall10-5.fw /etc/fw/firewall10-5.fw
# files: firewall10-5.conf /etc/fw/firewall10-5.conf
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:31 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:41 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall10-6.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:32 2011 PST by vadim
# Generated Wed Feb 16 13:24:42 2011 PST by vadim
#
# files: * firewall10-6.fw /etc/fw/firewall10-6.fw
# files: firewall10-6.conf /etc/fw/firewall10-6.conf
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:32 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:42 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall100.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:23 2011 PST by vadim
# Generated Wed Feb 16 13:24:34 2011 PST by vadim
#
# files: * firewall100.fw /etc/fw/pf.fw
# files: firewall100.conf /etc/fw/path\ with\ space/pf.conf
@ -161,7 +161,7 @@ configure_interfaces() {
update_addresses_of_interface "em1 10.1.1.81/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:23 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:34 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall101.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:24 2011 PST by vadim
# Generated Wed Feb 16 13:24:35 2011 PST by vadim
#
# files: * firewall101.fw /etc/fw/pf.fw
# files: firewall101.conf /etc/fw/path\ with\ space/pf.conf
@ -164,7 +164,7 @@ configure_interfaces() {
update_addresses_of_interface "em1 10.1.1.81/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:24 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:35 2011 by vadim"
set_kernel_vars
configure_interfaces

4
test/pf/firewall102.fw.orig
View File

@ -1,9 +1,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:25 2011 PST by vadim
# Generated Wed Feb 16 13:24:36 2011 PST by vadim
#
# files: * firewall102.fw /etc/fw/pf.fw
# files: firewall102.conf /etc/fw/path\ with\ space/pf.conf

6
test/pf/firewall103-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:28 2011 PST by vadim
# Generated Wed Feb 16 13:24:38 2011 PST by vadim
#
# files: * firewall103-1.fw /etc/fw/pf.fw
# files: firewall103-1.conf /etc/fw/path\ with\ space/pf.conf
@ -387,7 +387,7 @@ configure_interfaces() {
update_addresses_of_interface "em3" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:28 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:38 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall103-2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:28 2011 PST by vadim
# Generated Wed Feb 16 13:24:38 2011 PST by vadim
#
# files: * firewall103-2.fw /etc/fw/pf.fw
# files: firewall103-2.conf /etc/fw/path\ with\ space/pf.conf
@ -387,7 +387,7 @@ configure_interfaces() {
update_addresses_of_interface "em3" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:28 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:38 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall103.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:26 2011 PST by vadim
# Generated Wed Feb 16 13:24:37 2011 PST by vadim
#
# files: * firewall103.fw /etc/fw/pf.fw
# files: firewall103.conf /etc/fw/path\ with\ space/pf.conf
@ -390,7 +390,7 @@ configure_interfaces() {
update_addresses_of_interface "em3" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:26 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:37 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall104-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:30 2011 PST by vadim
# Generated Wed Feb 16 13:24:40 2011 PST by vadim
#
# files: * firewall104-1.fw /etc/fw/pf.fw
# files: firewall104-1.conf /etc/fw/path\ with\ space/pf.conf
@ -386,7 +386,7 @@ configure_interfaces() {
update_addresses_of_interface "em3" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:30 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:40 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall104.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:29 2011 PST by vadim
# Generated Wed Feb 16 13:24:39 2011 PST by vadim
#
# files: * firewall104.fw /etc/fw/pf.fw
# files: firewall104.conf /etc/fw/path\ with\ space/pf.conf
@ -389,7 +389,7 @@ configure_interfaces() {
update_addresses_of_interface "em3" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:29 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:39 2011 by vadim"
set_kernel_vars
configure_interfaces

4
test/pf/firewall105.fw.orig
View File

@ -1,9 +1,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:30 2011 PST by vadim
# Generated Wed Feb 16 13:24:41 2011 PST by vadim
#
# files: * firewall105.fw /etc/fw/pf.fw
# files: firewall105.conf /etc/fw/path\ with\ space/pf.conf

4
test/pf/firewall106.fw.orig
View File

@ -1,9 +1,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:31 2011 PST by vadim
# Generated Wed Feb 16 13:24:42 2011 PST by vadim
#
# files: * firewall106.fw /etc/fw/pf.fw
# files: firewall106.conf /etc/fw/path\ with\ space/pf.conf

6
test/pf/firewall107.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:32 2011 PST by vadim
# Generated Wed Feb 16 13:24:43 2011 PST by vadim
#
# files: * firewall107.fw /etc/fw/pf.fw
# files: firewall107.conf /etc/fw/path\ with\ space/pf.conf
@ -388,7 +388,7 @@ configure_interfaces() {
update_addresses_of_interface "vlan102 192.168.102.1/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:32 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:43 2011 by vadim"
set_kernel_vars
configure_interfaces

4
test/pf/firewall108.fw.orig
View File

@ -1,9 +1,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:33 2011 PST by vadim
# Generated Wed Feb 16 13:24:44 2011 PST by vadim
#
# files: * firewall108.fw /etc/fw/pf.fw
# files: firewall108.conf /etc/fw/path\ with\ space/pf.conf

4
test/pf/firewall109-1.fw.orig
View File

@ -1,9 +1,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:34 2011 PST by vadim
# Generated Wed Feb 16 13:24:45 2011 PST by vadim
#
# files: * firewall109-1.fw /etc/fw/pf.fw
# files: firewall109-1.conf /etc/fw/path\ with\ space/pf.conf

25
test/pf/firewall109-2.conf.orig Normal file
View File

@ -0,0 +1,25 @@
set timeout udp.single 5
#
# Scrub rules
#
match all scrub (reassemble tcp no-df )
match out all scrub (random-id min-ttl 1 max-mss 1460)
# Tables: (1)
table <tbl.r9998.d> { 10.3.14.81 , 192.168.1.1 }
#
# Rule backup ssh access rule
# backup ssh access rule
pass in quick inet proto tcp from 10.3.14.30 to <tbl.r9998.d> port 22 label "RULE 9998 -- ACCEPT "
#
# Rule 0 (global)
block log quick inet from any to any no state label "RULE 0 -- DROP "
#
# Rule fallback rule
# fallback rule
block quick inet from any to any no state label "RULE 10000 -- DROP "

410
test/pf/firewall109-2.fw.orig Executable file
View File

@ -0,0 +1,410 @@
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Wed Feb 16 13:24:45 2011 PST by vadim
#
# files: * firewall109-2.fw /etc/fw/pf.fw
# files: firewall109-2.conf /etc/fw/path\ with\ space/pf.conf
#
# Compiled for pf 4.7
#
# complex configuration with bridge and vlan, uses vlan interfaces with names not matching vlan IDs
FWDIR=`dirname $0`
IFCONFIG="/sbin/ifconfig"
PFCTL="/sbin/pfctl"
IPFW="/sbin/ipfw"
IPF="/sbin/ipf"
IPNAT="/sbin/ipnat"
SYSCTL="/sbin/sysctl"
LOGGER="/usr/bin/logger"
log() {
echo "$1"
command -v "$LOGGER" &>/dev/null && $LOGGER -p info "$1"
}
diff_intf() {
func=$1
list1=$2
list2=$3
cmd=$4
for intf in $list1
do
echo $list2 | grep -q $intf || {
# $vlan is absent in list 2
$func $intf $cmd
}
done
}
missing_address() {
address=$1
cmd=$2
oldIFS=$IFS
IFS="@"
set $address
addr=$1
interface=$2
IFS=$oldIFS
if echo "$addr" | grep -q ':'
then
inet="inet6"
addr=$(echo "$addr" | sed 's!/! prefixlen !')
else
inet="inet"
addr=$(echo "$addr" | sed 's!/! netmask !')
fi
parameter=""
test "$cmd" = "add" && {
echo "# Adding ip address: $interface $addr"
parameter="alias"
}
test "$cmd" = "del" && {
echo "# Removing ip address: $interface $addr"
parameter="delete"
}
$FWBDEBUG $IFCONFIG $interface $inet $addr $parameter
$FWBDEBUG $IFCONFIG $interface up
}
list_addresses_by_scope() {
interface=$1
scope=$2
ignore_list=$3
scope_regex="1"
if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi
$IFCONFIG $interface | sed "s/%$interface//" | \
awk -v IGNORED="$ignore_list" \
"BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \
while read addr; do
echo "${addr}@$interface"
done | sort
}
update_addresses_of_interface() {
ignore_list=$2
set $1
interface=$1
shift
FWB_ADDRS=$(
for addr in $*; do
echo "${addr}@$interface"
done | sort
)
CURRENT_ADDRS_ALL_SCOPES=""
CURRENT_ADDRS_GLOBAL_SCOPE=""
$IFCONFIG $interface >/dev/null 2>&1 && {
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list")
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list")
} || {
echo "# Interface $interface does not exist"
# Stop the script if we are not in test mode
test -z "$FWBDEBUG" && exit 1
}
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}
missing_vlan() {
vlan=$1
cmd=$2
oldIFS=$IFS
IFS="@"
set $vlan
subint=$1
parent=$2
IFS=$oldIFS
vlan_id=$(echo $subint | sed 's/vlan//')
test "$cmd" = "add" && {
echo "# Adding VLAN interface $subint (parent: $parent)"
$FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent || exit 1
$FWBDEBUG $IFCONFIG $subint up || exit 1
}
test "$cmd" = "rem" && {
echo "# Removing VLAN interface $subint (parent: $parent)"
$FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev || exit 1
$FWBDEBUG $IFCONFIG $subint destroy || exit 1
}
}
parse_fwb_vlans() {
set $1
vlan_parent_interface=$1
shift
FWB_VLANS=$(
for subint in $*; do
echo "${subint}@$vlan_parent_interface"
done | sort
)
echo $FWB_VLANS
}
parse_current_vlans() {
vlan_parent_interface=$1
$IFCONFIG | grep 'vlan: ' | sed 's/parent interface://' | \
while read x vlan_id parent
do
test "$parent" = "$vlan_parent_interface" && echo "vlan$vlan_id@$parent"
done | sort
}
update_vlans_of_interface() {
args="$1"
set $1
vlan_parent_interface=$1
FWB_VLANS=$(parse_fwb_vlans "$args")
CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface)
$IFCONFIG $vlan_parent_interface up || exit 1
diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
}
sync_vlan_interfaces() {
$IFCONFIG | awk -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
}
($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
while read intf; do
echo "# Deleting vlan interface $intf"
$FWBDEBUG $IFCONFIG $intf destroy || exit 1
done
for intf in $*; do
$IFCONFIG $intf >/dev/null 2>&1 || {
echo "# Creating vlan interface $intf"
$FWBDEBUG $IFCONFIG $intf create || exit 1
}
done
}
BRCONFIG="$IFCONFIG"
missing_port() {
intf=$1
cmd=$2
oldIFS=$IFS
IFS="@"
set $intf
port=$1
bridge_interface=$2
IFS=$oldIFS
echo "# Updating bridge configuration: $bridge_interface $cmd $port"
$FWBDEBUG $BRCONFIG $bridge_interface $cmd $port
test "$cmd" = "addm" && $FWBDEBUG $IFCONFIG $port up
}
update_bridge_interface() {
bridge_interface=$1
shift
FWB_PORTS=""
CURRENT_PORTS=""
FWB_PORTS=$(
for subint in $*; do
echo "${subint}@$bridge_interface"
done | sort
)
# this is really redundant because we create missing bridge
# interfaces in sync_bridge_interfaces. However will leave this
# here so that function update_bridge can be used without prior
# call to sync_bridge_interfaces The difference is that
# sync_bridge_interfaces also deletes bridge interfaces that exist
# on the machine but are missing in fwbuilder confgiuration. The
# update_bridge function can only add bridge interfaces.
$BRCONFIG $bridge_interface >/dev/null 2>&1 || {
echo "# Creating bridge interface $bridge_interface"
$FWBDEBUG $IFCONFIG $bridge_interface create
$FWBDEBUG $IFCONFIG $bridge_interface up
}
PORTS=$(
$BRCONFIG $bridge_interface | awk '($1~/member:/) { print $2; }'
)
test -n "$PORTS" && {
CURRENT_PORTS=$(
for subint in $PORTS; do
echo "${subint}@$bridge_interface"
done | sort
)
}
# first delete bridge ports, then add. This way, if an interface
# moves from one bridge to another, we remove it first and then
# add. It would not work if we tried to add it first, brctl issues
# an error:
# device eth2 is already a member of a bridge; can't enslave it to bridge br1.
#
diff_intf missing_port "$CURRENT_PORTS" "$FWB_PORTS" deletem
diff_intf missing_port "$FWB_PORTS" "$CURRENT_PORTS" addm
}
sync_bridge_interfaces() {
$BRCONFIG -a | awk -F: -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
($1 ~ /^bridge[0-9]/ && !($1 in ignored_dict)) {print $1;}' | \
while read brintf; do
echo "# Deleting bridge interface $brintf"
$FWBDEBUG $IFCONFIG $brintf down
$FWBDEBUG $IFCONFIG $brintf destroy
done
for brint in $*; do
$BRCONFIG $brint >/dev/null 2>&1 || {
echo "# Creating bridge interface $brintf"
$FWBDEBUG $IFCONFIG $brint create
$FWBDEBUG $IFCONFIG $brint up
}
done
}
sync_carp_interfaces() {
$IFCONFIG | awk -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
}
($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
while read intf; do
echo "# Deleting carp interface $intf"
$FWBDEBUG $IFCONFIG $intf destroy
done
for intf in $*; do
$IFCONFIG $intf >/dev/null 2>&1 || {
echo "# Creating carp interface $intf"
$SYSCTL -w net.inet.carp.allow=1
$FWBDEBUG $IFCONFIG $intf create || {
echo "Error: CARP interface $intf could not be created. Does the kernel have CARP enabled?"
exit 1
}
}
done
}
sync_pfsync_interfaces() {
$IFCONFIG | awk -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
}
($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
while read intf; do
echo "# Deleting pfsync interface $intf"
$FWBDEBUG $IFCONFIG $intf destroy
done
for intf in $*; do
$IFCONFIG $intf >/dev/null 2>&1 || {
echo "# Creating pfsync interface $intf"
$FWBDEBUG $IFCONFIG $intf create
}
done
}
verify_interfaces() {
:
}
set_kernel_vars() {
:
$SYSCTL -w net.inet.ip.forwarding=1
}
prolog_commands() {
:
}
epilog_commands() {
:
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
configure_interfaces() {
:
sync_vlan_interfaces vlan8210 vlan9210
sync_bridge_interfaces bridge0
sync_carp_interfaces
sync_pfsync_interfaces
update_bridge_interface bridge0 "vlan8210 vlan9210"
$IFCONFIG bridge0 -stp vlan8210
$IFCONFIG bridge0 -stp vlan9210
update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" ""
update_addresses_of_interface "em0 10.3.14.81/0xffffff00" ""
update_vlans_of_interface "em1 vlan9210"
update_addresses_of_interface "em1" ""
update_vlans_of_interface "em2 vlan8210"
update_addresses_of_interface "em2" ""
update_addresses_of_interface "vlan8210" ""
update_addresses_of_interface "vlan9210" ""
}
log "Activating firewall script generated Wed Feb 16 13:24:45 2011 by vadim"
set_kernel_vars
configure_interfaces
prolog_commands
$PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1
epilog_commands

25
test/pf/firewall109-3.conf.orig Normal file
View File

@ -0,0 +1,25 @@
set timeout udp.single 5
#
# Scrub rules
#
match all scrub (reassemble tcp no-df )
match out all scrub (random-id min-ttl 1 max-mss 1460)
# Tables: (1)
table <tbl.r9998.d> { 10.3.14.81 , 192.168.1.1 }
#
# Rule backup ssh access rule
# backup ssh access rule
pass in quick inet proto tcp from 10.3.14.30 to <tbl.r9998.d> port 22 label "RULE 9998 -- ACCEPT "
#
# Rule 0 (global)
block log quick inet from any to any no state label "RULE 0 -- DROP "
#
# Rule fallback rule
# fallback rule
block quick inet from any to any no state label "RULE 10000 -- DROP "

38
test/pf/firewall109-3.fw.orig Executable file
View File

@ -0,0 +1,38 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Wed Feb 16 13:24:46 2011 PST by vadim
#
# files: * firewall109-3.fw /etc/fw/pf.fw
# files: firewall109-3.conf /etc/fw/path\ with\ space/pf.conf
#
# Compiled for pf 4.7
#
# complex configuration with bridge and vlan, uses vlan interfaces with names not matching vlan IDs. rc.conf format
gateway_enable="YES"
cloned_interfaces="vlan8210 vlan9210 bridge0"
network_interfaces="bridge0 em0"
ifconfig_bridge0="addm vlan8210 -stp vlan8210 addm vlan9210 -stp vlan9210 up 192.168.1.1 netmask 0xffffff00"
ifconfig_em0="10.3.14.81 netmask 0xffffff00"
vlans_em1="vlan9210"
create_args_vlan9210="vlan 210 vlandev em1"
vlans_em2="vlan8210"
create_args_vlan8210="vlan 210 vlandev em2"
pfsync_enable="YES"
ifconfig_vlan8210="up"
ifconfig_vlan9210="up"
pf_enable="YES"
pf_rules="/etc/fw/path\ with\ space/pf.conf"

6
test/pf/firewall109.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:34 2011 PST by vadim
# Generated Wed Feb 16 13:24:44 2011 PST by vadim
#
# files: * firewall109.fw /etc/fw/pf.fw
# files: firewall109.conf /etc/fw/path\ with\ space/pf.conf
@ -394,7 +394,7 @@ configure_interfaces() {
update_addresses_of_interface "vlan102 192.168.102.1/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:34 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:44 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall11.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:35 2011 PST by vadim
# Generated Wed Feb 16 13:24:46 2011 PST by vadim
#
# files: * firewall11.fw /etc/firewall11.fw
# files: firewall11.conf /etc/firewall11.conf
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:35 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:46 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall110.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:35 2011 PST by vadim
# Generated Wed Feb 16 13:24:47 2011 PST by vadim
#
# files: * firewall110.fw /etc/fw/firewall110.fw
# files: firewall110.conf /etc/fw/firewall110.conf
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:35 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:47 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall12.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:36 2011 PST by vadim
# Generated Wed Feb 16 13:24:47 2011 PST by vadim
#
# files: * firewall12.fw /etc/fw/firewall12.fw
# files: firewall12.conf /etc/fw/firewall12.conf
@ -159,7 +159,7 @@ configure_interfaces() {
update_addresses_of_interface "lo0 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:36 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:47 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall13.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:36 2011 PST by vadim
# Generated Wed Feb 16 13:24:48 2011 PST by vadim
#
# files: * firewall13.fw /etc/fw/firewall13.fw
# files: firewall13.conf /etc/fw/firewall13.conf
@ -88,7 +88,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:36 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:48 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall14-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:38 2011 PST by vadim
# Generated Wed Feb 16 13:24:49 2011 PST by vadim
#
# files: * firewall14-1.fw /etc/firewall14-1.fw
# files: firewall14-1.conf /etc/firewall14-1.conf
@ -241,7 +241,7 @@ configure_interfaces() {
update_addresses_of_interface "vlan103 10.100.103.1/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:38 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:49 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall14.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:37 2011 PST by vadim
# Generated Wed Feb 16 13:24:49 2011 PST by vadim
#
# files: * firewall14.fw /etc/firewall14.fw
# files: firewall14.conf /etc/firewall14.conf
@ -241,7 +241,7 @@ configure_interfaces() {
update_addresses_of_interface "vlan103 10.100.103.1/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:37 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:49 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall2-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:40 2011 PST by vadim
# Generated Wed Feb 16 13:24:51 2011 PST by vadim
#
# files: * firewall2-1.fw /etc/fw/firewall2-1.fw
# files: firewall2-1.conf /etc/fw/firewall2-1.conf
@ -88,7 +88,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:40 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:51 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:38 2011 PST by vadim
# Generated Wed Feb 16 13:24:50 2011 PST by vadim
#
# files: * firewall2.fw /etc/fw/firewall2.fw
# files: firewall2.conf /etc/fw/firewall2.conf
@ -73,7 +73,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:38 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:50 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall20.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:39 2011 PST by vadim
# Generated Wed Feb 16 13:24:50 2011 PST by vadim
#
# files: * firewall20.fw /etc/fw/firewall20.fw
# files: firewall20.conf /etc/fw/firewall20.conf
@ -73,7 +73,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:39 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:50 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall21.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:39 2011 PST by vadim
# Generated Wed Feb 16 13:24:51 2011 PST by vadim
#
# files: * firewall21.fw /etc/fw/firewall21.fw
# files: firewall21.conf /etc/fw/firewall21.conf
@ -81,7 +81,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:39 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:51 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall22.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:40 2011 PST by vadim
# Generated Wed Feb 16 13:24:52 2011 PST by vadim
#
# files: * firewall22.fw /etc/fw/firewall22.fw
# files: firewall22.conf /etc/fw/firewall22.conf
@ -80,7 +80,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:40 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:52 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall3.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:41 2011 PST by vadim
# Generated Wed Feb 16 13:24:53 2011 PST by vadim
#
# files: * firewall3.fw /etc/firewall3.fw
# files: firewall3.conf /etc/firewall3.conf
@ -159,7 +159,7 @@ configure_interfaces() {
update_addresses_of_interface "lo 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:41 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:53 2011 by vadim"
set_kernel_vars
configure_interfaces

2
test/pf/firewall33.conf.orig
View File

@ -6,7 +6,7 @@
table <tbl.r0> { 157.166.224.25 , 157.166.224.26 , 157.166.226.25 , 157.166.226.26 , 157.166.255.18 , 157.166.255.19 }
table <tbl.r10.d> { www.google.com , 157.166.224.25 , 157.166.224.26 , 157.166.226.25 , 157.166.226.26 , 157.166.255.18 , 157.166.255.19 }
table <tbl.r2> { www.google.com , www.cnn.com }
table <tbl.r8.d> { 74.125.224.48 , 74.125.224.49 , 74.125.224.50 , 74.125.224.51 , 74.125.224.52 , 157.166.224.25 , 157.166.224.26 , 157.166.226.25 , 157.166.226.26 , 157.166.255.18 , 157.166.255.19 }
table <tbl.r8.d> { 74.125.224.80 , 74.125.224.81 , 74.125.224.82 , 74.125.224.83 , 74.125.224.84 , 157.166.224.25 , 157.166.224.26 , 157.166.226.25 , 157.166.226.26 , 157.166.255.18 , 157.166.255.19 }
#
# Rule 0 (NAT)

6
test/pf/firewall33.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:42 2011 PST by vadim
# Generated Wed Feb 16 13:24:55 2011 PST by vadim
#
# files: * firewall33.fw /etc/fw/firewall33.fw
# files: firewall33.conf /etc/fw/firewall33.conf
@ -162,7 +162,7 @@ configure_interfaces() {
update_addresses_of_interface "lo 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:42 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:55 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall34.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:42 2011 PST by vadim
# Generated Wed Feb 16 13:24:54 2011 PST by vadim
#
# files: * firewall34.fw /etc/fw/firewall34.fw
# files: firewall34.conf /etc/fw/firewall34.conf
@ -158,7 +158,7 @@ configure_interfaces() {
update_addresses_of_interface "lo 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:42 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:54 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall38.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:43 2011 PST by vadim
# Generated Wed Feb 16 13:24:55 2011 PST by vadim
#
# files: * firewall38.fw /etc/fw/firewall38.fw
# files: firewall38.conf /etc/fw/firewall38.conf
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:43 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:55 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall39.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:43 2011 PST by vadim
# Generated Wed Feb 16 13:24:56 2011 PST by vadim
#
# files: * firewall39.fw pf.fw
# files: firewall39.conf pf.conf
@ -79,7 +79,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:43 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:56 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall4.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:44 2011 PST by vadim
# Generated Wed Feb 16 13:24:56 2011 PST by vadim
#
# files: * firewall4.fw pf.fw
# files: firewall4.conf /etc/fw/pf.conf
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:44 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:56 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall40-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:45 2011 PST by vadim
# Generated Wed Feb 16 13:24:58 2011 PST by vadim
#
# files: * firewall40-1.fw /etc/firewall40-1.fw
# files: firewall40-1.conf /etc/firewall40-1.conf
@ -176,7 +176,7 @@ configure_interfaces() {
update_addresses_of_interface "lo0 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:45 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:58 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall40.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:44 2011 PST by vadim
# Generated Wed Feb 16 13:24:57 2011 PST by vadim
#
# files: * firewall40.fw /etc/firewall40.fw
# files: firewall40.conf /etc/firewall40.conf
@ -160,7 +160,7 @@ configure_interfaces() {
update_addresses_of_interface "lo0 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:44 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:57 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall41.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:46 2011 PST by vadim
# Generated Wed Feb 16 13:24:58 2011 PST by vadim
#
# files: * firewall41.fw /etc/firewall41.fw
# files: firewall41.conf /etc/firewall41.conf
@ -163,7 +163,7 @@ configure_interfaces() {
update_addresses_of_interface "eth1 2.2.2.2/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:46 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:58 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall5.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:46 2011 PST by vadim
# Generated Wed Feb 16 13:24:59 2011 PST by vadim
#
# files: * firewall5.fw /etc/fw/firewall5.fw
# files: firewall5.conf /etc/fw/firewall5.conf
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:46 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:24:59 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall51.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:47 2011 PST by vadim
# Generated Wed Feb 16 13:25:00 2011 PST by vadim
#
# files: * firewall51.fw /etc/fw/firewall51.fw
# files: firewall51.conf /etc/fw/firewall51.conf
@ -80,7 +80,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:47 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:00 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall6.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:47 2011 PST by vadim
# Generated Wed Feb 16 13:25:00 2011 PST by vadim
#
# files: * firewall6.fw /etc/fw/firewall6.fw
# files: firewall6.conf /etc/fw/firewall6.conf
@ -73,7 +73,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:47 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:00 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall62.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:48 2011 PST by vadim
# Generated Wed Feb 16 13:25:01 2011 PST by vadim
#
# files: * firewall62.fw /etc/firewall62.fw
# files: firewall62.conf /etc/firewall62.conf
@ -185,7 +185,7 @@ configure_interfaces() {
update_addresses_of_interface "en1 222.222.222.222/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:48 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:01 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall63.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:48 2011 PST by vadim
# Generated Wed Feb 16 13:25:01 2011 PST by vadim
#
# files: * firewall63.fw /etc/fw/firewall63.fw
# files: firewall63.conf /etc/fw/firewall63.conf
@ -77,7 +77,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:48 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:01 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall7.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:49 2011 PST by vadim
# Generated Wed Feb 16 13:25:02 2011 PST by vadim
#
# files: * firewall7.fw /etc/fw/firewall7.fw
# files: firewall7.conf /etc/fw/firewall7.conf
@ -73,7 +73,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:49 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:02 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall70.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:50 2011 PST by vadim
# Generated Wed Feb 16 13:25:02 2011 PST by vadim
#
# files: * firewall70.fw /etc/fw/firewall70.fw
# files: firewall70.conf /etc/fw/firewall70.conf
@ -82,7 +82,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:50 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:02 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall8.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:51 2011 PST by vadim
# Generated Wed Feb 16 13:25:03 2011 PST by vadim
#
# files: * firewall8.fw /etc/firewall8.fw
# files: firewall8.conf /etc/firewall8.conf
@ -72,7 +72,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:51 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:03 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall80-4.5.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:52 2011 PST by vadim
# Generated Wed Feb 16 13:25:05 2011 PST by vadim
#
# files: * firewall80-4.5.fw /etc/firewall80-4.5.fw
# files: firewall80-4.5.conf /etc/firewall80-4.5.conf
@ -73,7 +73,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:52 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:05 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall80.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:51 2011 PST by vadim
# Generated Wed Feb 16 13:25:03 2011 PST by vadim
#
# files: * firewall80.fw /etc/firewall80.fw
# files: firewall80.conf /etc/firewall80.conf
@ -73,7 +73,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:51 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:03 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall9.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:52 2011 PST by vadim
# Generated Wed Feb 16 13:25:05 2011 PST by vadim
#
# files: * firewall9.fw /etc/fw/firewall9.fw
# files: firewall9.conf /etc/fw/firewall9.conf
@ -76,7 +76,7 @@ configure_interfaces() {
}
log "Activating firewall script generated Mon Feb 14 16:07:52 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:05 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall91.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:53 2011 PST by vadim
# Generated Wed Feb 16 13:25:06 2011 PST by vadim
#
# files: * firewall91.fw /etc/fw/pf.fw
# files: firewall91.conf /etc/fw/pf.conf
@ -240,7 +240,7 @@ configure_interfaces() {
update_addresses_of_interface "vlan103 10.100.103.1/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:53 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:06 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/firewall92.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:53 2011 PST by vadim
# Generated Wed Feb 16 13:25:06 2011 PST by vadim
#
# files: * firewall92.fw /etc/fw/pf.fw
# files: firewall92.conf /etc/fw/path\ with\ space/pf.conf
@ -160,7 +160,7 @@ configure_interfaces() {
update_addresses_of_interface "em1 10.1.1.81/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:53 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:06 2011 by vadim"
set_kernel_vars
configure_interfaces

424
test/pf/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1297727981" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1297891427" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -1537,6 +1537,38 @@
</Interface>
</Interface>
<IPv4 id="id35220X5121" name="firewall109:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
<Interface id="id35557X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="em1" comment="" ro="False">
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options">media 100baseTX mediaopt full-duplex up</Option>
<Option name="type">ethernet</Option>
<Option name="vlan_id">0</Option>
</InterfaceOptions>
</Interface>
<Interface id="id35560X5911" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="em2" comment="" ro="False">
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options">media 100baseTX mediaopt full-duplex up</Option>
<Option name="type">ethernet</Option>
<Option name="vlan_id">0</Option>
</InterfaceOptions>
</Interface>
<Interface id="id35543X5911" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vlan102" comment="" ro="False">
<IPv4 id="id35546X5911" name="firewall109:em2:vlan102:ip" comment="" ro="False" address="192.168.102.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="type">8021q</Option>
<Option name="vlan_id">102</Option>
</InterfaceOptions>
</Interface>
<IPv4 id="id35541X5911" name="firewall109-2:em2:vlan8210:ip" comment="" ro="False" address="192.168.101.1" netmask="255.255.255.0"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@ -22959,6 +22991,396 @@
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id35513X5911" host_OS="freebsd" inactive="False" lastCompiled="1297728239" lastInstalled="1271995582" lastModified="1297891411" platform="pf" version="4.7" name="firewall109-2" comment="complex configuration with bridge and vlan, uses vlan interfaces with names not matching vlan IDs&#10;" ro="False">
<NAT id="id35594X5911" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id35563X5911" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id35565X5911" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id35597X5911" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id35521X5911" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
<IPv4 id="id35524X5911" name="firewall109:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id35526X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="em1" comment="" ro="False">
<InterfaceOptions/>
<Interface id="id35658X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="vlan9210" comment="" ro="False">
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="type">8021q</Option>
<Option name="vlan_id">210</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Interface id="id35529X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="em2" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
<Interface id="id35538X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="vlan8210" comment="" ro="False">
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="type">8021q</Option>
<Option name="vlan_id">210</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Interface id="id35548X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
<IPv4 id="id35555X5911" name="firewall109:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="type">bridge</Option>
<Option name="vlan_id">0</Option>
</InterfaceOptions>
<Interface id="id35644X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan8210" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<Interface id="id35672X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan9210" comment="" ro="False">
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="type">ethernet</Option>
<Option name="vlan_id">0</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser">root</Option>
<Option name="altAddress"></Option>
<Option name="check_shading">True</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"></Option>
<Option name="conf1_file"></Option>
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
<Option name="configure_bridge_interfaces">True</Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="generate_rc_conf_file">False</Option>
<Option name="generate_shell_script">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">10.3.14.30</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_block_policy"></Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">True</Option>
<Option name="pf_scrub_random_id">True</Option>
<Option name="pf_scrub_reassemble">False</Option>
<Option name="pf_scrub_reassemble_tcp">True</Option>
<Option name="pf_scrub_use_maxmss">True</Option>
<Option name="pf_scrub_use_minttl">True</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_debug"></Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">True</Option>
<Option name="pf_state_policy"></Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">5</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id35714X5911" host_OS="freebsd" inactive="False" lastCompiled="1297891451" lastInstalled="1271995582" lastModified="1297891442" platform="pf" version="4.7" name="firewall109-3" comment="complex configuration with bridge and vlan, uses vlan interfaces with names not matching vlan IDs. rc.conf format&#10;&#10;" ro="False">
<NAT id="id35789X5911" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id35758X5911" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id35760X5911" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id35792X5911" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id35722X5911" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
<IPv4 id="id35725X5911" name="firewall109-3:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id35727X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="True" unprotected="False" name="em1" comment="" ro="False">
<InterfaceOptions/>
<Interface id="id35732X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="vlan9210" comment="" ro="False">
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="type">8021q</Option>
<Option name="vlan_id">210</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Interface id="id35735X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="em2" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
<Interface id="id35740X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="vlan8210" comment="" ro="False">
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="type">8021q</Option>
<Option name="vlan_id">210</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Interface id="id35743X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="bridge0" comment="" ro="False">
<IPv4 id="id35750X5911" name="firewall109-3:bridge0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="type">bridge</Option>
<Option name="vlan_id">0</Option>
</InterfaceOptions>
<Interface id="id35752X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan8210" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<Interface id="id35755X5911" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan9210" comment="" ro="False">
<InterfaceOptions>
<Option name="enable_stp">False</Option>
<Option name="iface_configure_mtu">False</Option>
<Option name="iface_mtu">1500</Option>
<Option name="iface_options"></Option>
<Option name="type">ethernet</Option>
<Option name="vlan_id">0</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser">root</Option>
<Option name="altAddress"></Option>
<Option name="check_shading">True</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"></Option>
<Option name="conf1_file"></Option>
<Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
<Option name="configure_bridge_interfaces">True</Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="generate_rc_conf_file">True</Option>
<Option name="generate_shell_script">False</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr">10.3.14.30</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_block_policy"></Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">True</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">1</Option>
<Option name="pf_scrub_no_df">True</Option>
<Option name="pf_scrub_random_id">True</Option>
<Option name="pf_scrub_reassemble">False</Option>
<Option name="pf_scrub_reassemble_tcp">True</Option>
<Option name="pf_scrub_use_maxmss">True</Option>
<Option name="pf_scrub_use_minttl">True</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_debug"></Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">True</Option>
<Option name="pf_state_policy"></Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">5</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
</Library>

6
test/pf/pf_cluster_1_openbsd-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:56 2011 PST by vadim
# Generated Wed Feb 16 13:25:09 2011 PST by vadim
#
# files: * pf_cluster_1_openbsd-1.fw /etc/pf_cluster_1_openbsd-1.fw
# files: pf_cluster_1_openbsd-1.conf /etc/pf_cluster_1_openbsd-1.conf
@ -292,7 +292,7 @@ configure_interfaces() {
update_addresses_of_interface "lo0 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:56 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:09 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/pf_cluster_1_openbsd-2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:56 2011 PST by vadim
# Generated Wed Feb 16 13:25:09 2011 PST by vadim
#
# files: * pf_cluster_1_openbsd-2.fw /etc/pf_cluster_1_openbsd-2.fw
# files: pf_cluster_1_openbsd-2.conf /etc/pf_cluster_1_openbsd-2.conf
@ -189,7 +189,7 @@ configure_interfaces() {
update_addresses_of_interface "lo0 127.0.0.1/0xff000000" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:56 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:09 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/pf_cluster_2_freebsd-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:56 2011 PST by vadim
# Generated Wed Feb 16 13:25:09 2011 PST by vadim
#
# files: * pf_cluster_2_freebsd-1.fw /etc/pf_cluster_2_freebsd-1.fw
# files: pf_cluster_2_freebsd-1.conf /etc/pf_cluster_2_freebsd-1.conf
@ -294,7 +294,7 @@ configure_interfaces() {
update_addresses_of_interface "en1 192.168.1.2/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:56 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:09 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/pf_cluster_2_freebsd-2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:56 2011 PST by vadim
# Generated Wed Feb 16 13:25:09 2011 PST by vadim
#
# files: * pf_cluster_2_freebsd-2.fw /etc/pf_cluster_2_freebsd-2.fw
# files: pf_cluster_2_freebsd-2.conf /etc/pf_cluster_2_freebsd-2.conf
@ -191,7 +191,7 @@ configure_interfaces() {
update_addresses_of_interface "en1 192.168.1.3/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:56 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:09 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/pf_cluster_3_openbsd-3.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:57 2011 PST by vadim
# Generated Wed Feb 16 13:25:10 2011 PST by vadim
#
# files: * pf_cluster_3_openbsd-3.fw /etc/pf_cluster_3_openbsd-3.fw
# files: pf_cluster_3_openbsd-3.conf /etc/pf_cluster_3_openbsd-3.conf
@ -295,7 +295,7 @@ configure_interfaces() {
update_addresses_of_interface "vlan100 172.20.0.2/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:57 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:10 2011 by vadim"
set_kernel_vars
configure_interfaces

6
test/pf/pf_cluster_3_openbsd-4.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Mon Feb 14 16:07:57 2011 PST by vadim
# Generated Wed Feb 16 13:25:10 2011 PST by vadim
#
# files: * pf_cluster_3_openbsd-4.fw /etc/pf_cluster_3_openbsd-4.fw
# files: pf_cluster_3_openbsd-4.conf /etc/pf_cluster_3_openbsd-4.conf
@ -193,7 +193,7 @@ configure_interfaces() {
update_addresses_of_interface "vlan100 172.20.0.3/0xffffff00" ""
}
log "Activating firewall script generated Mon Feb 14 16:07:57 2011 by vadim"
log "Activating firewall script generated Wed Feb 16 13:25:10 2011 by vadim"
set_kernel_vars
configure_interfaces

4
test/pf/pf_cluster_4_rc.conf.local
View File

@ -1,9 +1,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.2.0.3476
# Firewall Builder fwb_pf v4.2.0.3477
#
# Generated Tue Feb 15 14:17:50 2011 PST by vadim
# Generated Wed Feb 16 13:25:10 2011 PST by vadim
#
# files: * pf_cluster_4_rc.conf.local /etc/pf_cluster_4_rc.conf.local
# files: pf_cluster_4_pf.conf /etc/pf_cluster_4_pf.conf