
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::pixNetworkZoneChecks):

fixed #1491 fwb_pix crashes trying to compile simple rule. Compiler
should check validity of the object used as network zone of an interface.
This commit is contained in:
Vadim Kurland 2010-06-08 00:56:07 +00:00
parent 6352889c72
commit 9f00e4e619
5 changed files with 1015 additions and 275 deletions


@ -1 +1 @@
#define BUILD_NUM 2961
#define BUILD_NUM 2962


@ -1,5 +1,9 @@
2010-06-07 Vadim Kurland <vadim@vk.crocodile.org>
* CompilerDriver_pix_run.cpp (CompilerDriver_pix::pixNetworkZoneChecks):
fixed #1491 fwb_pix crashes trying to compile simple rule. Compiler
should check validity of the object used as network zone of an interface.
* FWBSettings.cpp (FWBSettings::init): fixed #1501 call qsrand(seed)
to seed random generator before generating new UUID


@ -54,6 +54,10 @@ protected:
std::string policy_script;
std::string routing_script;
void pixSecurityLevelChecks(libfwbuilder::Firewall *fw,
std::list<libfwbuilder::FWObject*> &all_interfaces);
void pixNetworkZoneChecks(libfwbuilder::Firewall *fw,
std::list<libfwbuilder::FWObject*> &all_interfaces);
void pixClusterGroupChecks(libfwbuilder::ClusterGroup *clgrp);
void pixClusterConfigurationChecks(libfwbuilder::Cluster *cluster,
libfwbuilder::Firewall *fw);
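Review bot: The two new declarations carry no comment, and both functions abort compilation by throwing rather than returning a status, which a caller cannot see from the signature. I would add above pixSecurityLevelChecks `// Marks vlan trunk parents unprotected and aborts (throws FatalErrorInSingleRuleCompileMode) when two ACL-capable interfaces share a security level or label.` and above pixNetworkZoneChecks `// Validates each interface's network_zone (must exist, expand to IPv4 addresses, not overlap another interface) and replaces it with a flattened temporary group; aborts on violation.` The enclosing class body starts and ends outside the hunk.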


@ -254,196 +254,12 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
else options->setBool("pix_acl_no_clear",true);
}
Helper helper(NULL);
multimap<string, FWObject*> netzone_objects;
std::list<FWObject*> all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
for (std::list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
{
Interface *iface = dynamic_cast<Interface*>(*i);
assert(iface);
if (iface->getOptionsObject()->getBool("cluster_interface")) continue;
if ((iface->getOptionsObject()->getStr("type") == "" ||
iface->getOptionsObject()->getStr("type") == "ethernet") &&
iface->getByType(Interface::TYPENAME).size() > 0)
{
// Parent vlan interface (i.e. trunk)
if (!iface->isUnprotected())
{
QString err(
"Interface %1 has vlan subinterfaces, it can not "
"be used for ACL. Marking this interface \"unprotected\" "
"to exclude it."
);
warning(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.toStdString());
iface->setUnprotected(true);
}
}
// Tests for label, security level and network zone make sense
// only for interfaces that can be used in ACLs or to bind
// ACLs to. Unnumbered interfaces can't, so we do not need to
// run these checks. One example of unnumbered interface is
// parent interface for vlan subinterfaces.
if (iface->isUnnumbered()) continue;
if (iface->isUnprotected()) continue;
/*
* there shouldn't be two interfaces with the same security level and same label
*
*/
for (std::list<FWObject*>::iterator j=all_interfaces.begin(); j!=all_interfaces.end(); ++j)
{
Interface *iface2 = dynamic_cast<Interface*>(*j);
assert(iface2);
if (iface2->isUnnumbered()) continue;
if (iface2->isUnprotected()) continue;
if (iface->getId()==iface2->getId()) continue;
if (iface->getOptionsObject()->getBool("cluster_interface") ||
iface2->getOptionsObject()->getBool("cluster_interface"))
continue;
if (iface->getSecurityLevel()==iface2->getSecurityLevel())
{
QString err(
"Security level of each interface should be unique, "
"however interfaces %1 (%2) and %3 (%4)"
" have the same security level."
);
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str())
.arg(iface2->getName().c_str())
.arg(iface2->getLabel().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
if (iface->getLabel()==iface2->getLabel())
{
QString err(
"Label of each interface should be unique, "
"however interfaces %1 (%2) and %3 (%4)"
" have the same."
);
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str())
.arg(iface2->getName().c_str())
.arg(iface2->getLabel().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
}
// We only do limited checks for dedicated failover
// interfaces because they are not used in ACLs or
// anywhere else in configuration, except in "failover"
// commands.
if (iface->isDedicatedFailover()) continue;
/*
* in PIX, we need network zones to be defined for all interfaces
*/
string netzone_id = iface->getStr("network_zone");
if (netzone_id=="")
{
QString err("Network zone definition is missing for interface %1 (%2)");
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
FWObject *netzone = objdb->findInIndex(
FWObjectDatabase::getIntId(netzone_id));
if (netzone==NULL)
{
QString err("Network zone points at nonexisting object for interface %1 (%2)");
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
/*
* netzone may be a group, in which case we need to expand it
* (recursively).
*
* 1. We create new temporary object (type Group).
*
* 2. put it in the database somewhere
*
* 3. add all objects that belong to the network zone to this
* group. We add objects directly, not as a reference.
*
* 4. finally replace reference to the old network zone object in the
* interface with reference to this new group.
*
* 5. we store ID of the original network zone object
* using iface->setStr("orig_netzone_id")
*
* This ensures netzones do not contain other groups and do not
* require any recursive expanding anymore. Since objects were added
* to netzones directly, we do not need to bother with dereferencing,
* too.
*/
list<FWObject*> ol;
helper.expand_group_recursive(netzone,ol);
FWObject *nz = objdb->createObjectGroup();
assert(nz!=NULL);
nz->setName("netzone_"+iface->getLabel());
objdb->add(nz);
for (list<FWObject*>::iterator j=ol.begin(); j!=ol.end(); ++j)
{
netzone_objects.insert( pair<string,FWObject*>(iface->getLabel(),*j));
nz->addRef(*j);
}
iface->setStr("orig_netzone_id", netzone_id );
iface->setStr("network_zone",
FWObjectDatabase::getStringId(nz->getId()) );
}
/*
* the same object (network or host) can not belong to network zones
* of two different interfaces. Map netzone_objects holds pairs
* interface_id/object. We just make sure the same object does not
* appear in two pairs with different interfaces.
*/
multimap<string,FWObject*>::iterator k;
for (k=netzone_objects.begin(); k!=netzone_objects.end(); ++k)
{
multimap<string,FWObject*>::iterator l;
l=k;
++l;
for ( ; l!=netzone_objects.end(); ++l)
{
if ( l->second->getId() == k->second->getId() )
{
if (k->first==l->first)
{
QString err("Object %1 is used more than once in network zone of interface %2");
abort(fw, NULL, NULL,
err.arg(l->second->getName().c_str())
.arg(k->first.c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
} else
{
QString err("Object %1 is used in network zones of "
"interfaces %2 and %3");
abort(fw, NULL, NULL,
err.arg(l->second->getName().c_str())
.arg(k->first.c_str())
.arg(l->first.c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
}
}
}
pixSecurityLevelChecks(fw, all_interfaces);
pixNetworkZoneChecks(fw, all_interfaces);
/* Now that all checks are done, we can drop copies of cluster
* interfaces that were added to the firewall by
@ -464,8 +280,6 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
copies_of_cluster_interfaces.pop_front();
}
all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
for (std::list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
{
Interface *iface = dynamic_cast<Interface*>(*i);
@ -521,12 +335,14 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
std::sort(fw->begin(), fw->end(), sort_by_net_zone() );
*/
std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb , fw, false));
std::auto_ptr<Preprocessor> prep(
new Preprocessor(objdb , fw, false));
if (inTestMode()) prep->setTestMode();
if (inEmbeddedMode()) prep->setEmbeddedMode();
prep->compile();
std::auto_ptr<OSConfigurator> oscnf(new OSConfigurator_pix_os(objdb , fw, false));
std::auto_ptr<OSConfigurator> oscnf(
new OSConfigurator_pix_os(objdb , fw, false));
if (inTestMode()) oscnf->setTestMode();
if (inEmbeddedMode()) oscnf->setEmbeddedMode();
@ -536,7 +352,8 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
/* create compilers and run the whole thing */
std::auto_ptr<NATCompiler_pix> n(new NATCompiler_pix(objdb, fw, false, oscnf.get()));
std::auto_ptr<NATCompiler_pix> n(
new NATCompiler_pix(objdb, fw, false, oscnf.get()));
RuleSet *nat = RuleSet::cast(fw->getFirstByType(NAT::TYPENAME));
if (nat)
@ -583,7 +400,8 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
info(" Nothing to compile in Policy");
}
std::auto_ptr<RoutingCompiler_pix> r(new RoutingCompiler_pix(objdb, fw, false, oscnf.get()));
std::auto_ptr<RoutingCompiler_pix> r(
new RoutingCompiler_pix(objdb, fw, false, oscnf.get()));
RuleSet *routing = RuleSet::cast(fw->getFirstByType(Routing::TYPENAME));
if (routing)
@ -673,6 +491,243 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
return "";
}
void CompilerDriver_pix::pixSecurityLevelChecks(Firewall *fw,
list<FWObject*> &all_interfaces)
{
for (std::list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
{
Interface *iface = dynamic_cast<Interface*>(*i);
assert(iface);
if (iface->getOptionsObject()->getBool("cluster_interface")) continue;
if ((iface->getOptionsObject()->getStr("type") == "" ||
iface->getOptionsObject()->getStr("type") == "ethernet") &&
iface->getByType(Interface::TYPENAME).size() > 0)
{
// Parent vlan interface (i.e. trunk)
if (!iface->isUnprotected())
{
QString err(
"Interface %1 has vlan subinterfaces, it can not "
"be used for ACL. Marking this interface \"unprotected\" "
"to exclude it."
);
warning(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.toStdString());
iface->setUnprotected(true);
}
}
// Tests for label, security level and network zone make sense
// only for interfaces that can be used in ACLs or to bind
// ACLs to. Unnumbered interfaces can't, so we do not need to
// run these checks. One example of unnumbered interface is
// parent interface for vlan subinterfaces.
if (iface->isUnnumbered()) continue;
if (iface->isUnprotected()) continue;
/*
* there shouldn't be two interfaces with the same security level and
* same label
*
*/
for (std::list<FWObject*>::iterator j=all_interfaces.begin(); j!=all_interfaces.end(); ++j)
{
Interface *iface2 = dynamic_cast<Interface*>(*j);
assert(iface2);
if (iface2->isUnnumbered()) continue;
if (iface2->isUnprotected()) continue;
if (iface->getId()==iface2->getId()) continue;
if (iface->getOptionsObject()->getBool("cluster_interface") ||
iface2->getOptionsObject()->getBool("cluster_interface"))
continue;
if (iface->getSecurityLevel()==iface2->getSecurityLevel())
{
QString err(
"Security level of each interface should be unique, "
"however interfaces %1 (%2) and %3 (%4)"
" have the same security level."
);
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str())
.arg(iface2->getName().c_str())
.arg(iface2->getLabel().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
if (iface->getLabel()==iface2->getLabel())
{
QString err(
"Label of each interface should be unique, "
"however interfaces %1 (%2) and %3 (%4)"
" have the same."
);
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str())
.arg(iface2->getName().c_str())
.arg(iface2->getLabel().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
}
// We only do limited checks for dedicated failover
// interfaces because they are not used in ACLs or
// anywhere else in configuration, except in "failover"
// commands.
if (iface->isDedicatedFailover()) continue;
}
}
void CompilerDriver_pix::pixNetworkZoneChecks(Firewall *fw,
list<FWObject*> &all_interfaces)
{
multimap<string, FWObject*> netzone_objects;
Helper helper(NULL);
for (std::list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
{
Interface *iface = dynamic_cast<Interface*>(*i);
assert(iface);
if (iface->getOptionsObject()->getBool("cluster_interface")) continue;
if (iface->isDedicatedFailover()) continue;
/*
* in PIX, we need network zones to be defined for all
* interfaces
*/
string netzone_id = iface->getStr("network_zone");
if (netzone_id=="")
{
QString err("Network zone definition is missing for interface %1 (%2)");
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
FWObject *netzone = objdb->findInIndex(
FWObjectDatabase::getIntId(netzone_id));
if (netzone==NULL)
{
QString err("Network zone points at nonexisting object for interface %1 (%2)");
abort(fw, NULL, NULL,
err.arg(iface->getName().c_str())
.arg(iface->getLabel().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
/*
* netzone may be a group, in which case we need to expand it
* (recursively).
*
* 1. We create new temporary object (type Group).
*
* 2. put it in the database somewhere
*
* 3. add all objects that belong to the network zone to this
* group. We add objects directly, not as a reference.
*
* 4. finally replace reference to the old network zone object in the
* interface with reference to this new group.
*
* 5. we store ID of the original network zone object
* using iface->setStr("orig_netzone_id")
*
* This ensures netzones do not contain other groups and do not
* require any recursive expanding anymore. Since objects were added
* to netzones directly, we do not need to bother with dereferencing,
* too.
*/
list<FWObject*> ol;
helper.expand_group_recursive(netzone, ol);
FWObject *nz = objdb->createObjectGroup();
assert(nz!=NULL);
nz->setName("netzone_" + iface->getLabel());
objdb->add(nz);
for (list<FWObject*>::iterator j=ol.begin(); j!=ol.end(); ++j)
{
Address *addr = Address::cast(*j);
if (addr == NULL || addr->getAddressPtr() == NULL)
{
QString err("Network zone of interface %1 uses object '%2' "
"that is not an address");
abort(fw, NULL, NULL,
err.arg(iface->getLabel().c_str())
.arg((*j)->getName().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
if (addr->getAddressPtr()->isV6())
{
QString err("Network zone of interface %1 uses object '%2' "
"that is IPv6 address");
abort(fw, NULL, NULL,
err.arg(iface->getLabel().c_str())
.arg((*j)->getName().c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
netzone_objects.insert(
pair<string,FWObject*>(iface->getLabel(),*j));
nz->addRef(*j);
}
iface->setStr("orig_netzone_id", netzone_id );
iface->setStr("network_zone",
FWObjectDatabase::getStringId(nz->getId()) );
}
/*
* the same object (network or host) can not belong to network zones
* of two different interfaces. Map netzone_objects holds pairs
* interface_id/object. We just make sure the same object does not
* appear in two pairs with different interfaces.
*/
multimap<string,FWObject*>::iterator k;
for (k=netzone_objects.begin(); k!=netzone_objects.end(); ++k)
{
multimap<string,FWObject*>::iterator l;
l=k;
++l;
for ( ; l!=netzone_objects.end(); ++l)
{
if ( l->second->getId() == k->second->getId() )
{
if (k->first==l->first)
{
QString err("Object %1 is used more than once in network zone of interface %2");
abort(fw, NULL, NULL,
err.arg(l->second->getName().c_str())
.arg(k->first.c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
} else
{
QString err("Object %1 is used in network zones of "
"interfaces %2 and %3");
abort(fw, NULL, NULL,
err.arg(l->second->getName().c_str())
.arg(k->first.c_str())
.arg(l->first.c_str()).toStdString());
throw FatalErrorInSingleRuleCompileMode();
}
}
}
}
}
/*
* Sanity checks for the cluster configuration. Per ticket #606:
*
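Review bot: pixNetworkZoneChecks skips only cluster and dedicated-failover interfaces, whereas the inline code it replaces also skipped `isUnnumbered()` and `isUnprotected()` interfaces before reaching the network-zone checks. Since run() calls pixSecurityLevelChecks first, a vlan trunk parent that function has just marked unprotected, or any unnumbered parent interface, now hits the `netzone_id==""` abort instead of being ignored; unless that is intended, add `if (iface->isUnnumbered()) continue;` and `if (iface->isUnprotected()) continue;` after the dedicated-failover check. The two new error messages also identify the interface by label alone, while the neighbouring messages print `%1 (%2)` with name and label, so an interface with an empty label yields a message that names no interface; `err.arg(iface->getName().c_str()).arg(iface->getLabel().c_str())` with a matching template would be consistent. Both new functions lie entirely within the hunk; the definition that follows starts outside it.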


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1269037883" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1275958417" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -101,17 +101,29 @@
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
@ -8667,7 +8679,7 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3F957BF2" host_OS="pix_os" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pix" version="6.1" name="test" comment="" ro="False">
<Firewall id="id3F957BF2" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1275958329" platform="pix" version="6.1" name="test_sec_levels_1" comment="testing security levels and labels" ro="False">
<NAT id="id3F957BF6" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3F957C35" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -8694,83 +8706,7 @@ no sysopt nodnsalias outbound
<RuleSetOptions/>
</NAT>
<Policy id="id3F957BF5" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3F957C00" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
<Src neg="False">
<ObjectRef ref="id3CD87A53"/>
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3F957BF2"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3F957BF9"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3F957C0D" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="ssh access to firewall">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3F957BF2"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3F957C1B" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="firewall uses DNS server on LAN">
<Src neg="False">
<ObjectRef ref="id3F957BF2"/>
</Src>
<Dst neg="False">
<ObjectRef ref="net-Internal_net"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="udp-DNS"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3F957C29" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="'masquerading' rule">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3F957C46" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="'catch all' rule">
<PolicyRule id="id18638X20598" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -8795,11 +8731,11 @@ no sysopt nodnsalias outbound
<Routing id="id3F957BF2-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3F957BF9" dedicated_failover="False" dyn="True" label="" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<Interface id="id3F957BF9" dedicated_failover="False" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id3F957BFB" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id3F957BFD" name="test:ethernet1(ip)" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<Interface id="id3F957BFB" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id3F957BFD" name="test_sec_levels_1:ethernet1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
@ -16163,6 +16099,747 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id26666X20598" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1275958371" platform="pix" version="6.1" name="test_sec_levels_2" comment="testing security levels and labels" ro="False">
<NAT id="id26696X20598" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id26697X20598" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3CD87A53"/>
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id26674X20598"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id26682X20598" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id26683X20598" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id26713X20598" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id26674X20598" dedicated_failover="False" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id26677X20598" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id26680X20598" name="test_sec_levels_2:ethernet1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="version_6.1">
true
true
true
true
true
true
false
false
false
true
true
3
0
0
1
0
0
0
2
0
0
10
0
0
5
0
0
30
0
0
2
0
0
10
0
2
0
0
True
False
5
5
ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup
</Option>
<Option name="version_6.2">
true
true
true
true
true
true
false
false
false
true
true
3
0
0
1
0
0
0
2
0
0
10
0
0
5
0
0
30
0
0
2
0
0
10
0
2
0
0
True
False
5
5
ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,ils_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup
</Option>
<Option name="version_6.3">
true
true
true
true
true
true
true
true
true
false
false
3
0
0
1
0
0
0
2
0
0
10
0
0
5
0
0
30
0
0
2
0
0
10
0
2
0
0
True
False
5
5
ctiqbe_fixup,dns_fixup,esp_ike_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,pptp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup
</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id42990X20598" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1275958390" platform="pix" version="6.1" name="test_net_zone_1" comment="testing security levels and labels" ro="False">
<NAT id="id43020X20598" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id43021X20598" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3CD87A53"/>
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id42998X20598"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id43006X20598" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id43007X20598" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id43037X20598" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id42998X20598" dedicated_failover="False" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id43001X20598" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="sysid0" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id43004X20598" name="test_net_zone_1:ethernet1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="version_6.1">
true
true
true
true
true
true
false
false
false
true
true
3
0
0
1
0
0
0
2
0
0
10
0
0
5
0
0
30
0
0
2
0
0
10
0
2
0
0
True
False
5
5
ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup
</Option>
<Option name="version_6.2">
true
true
true
true
true
true
false
false
false
true
true
3
0
0
1
0
0
0
2
0
0
10
0
0
5
0
0
30
0
0
2
0
0
10
0
2
0
0
True
False
5
5
ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,ils_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup
</Option>
<Option name="version_6.3">
true
true
true
true
true
true
true
true
true
false
false
3
0
0
1
0
0
0
2
0
0
10
0
0
5
0
0
30
0
0
2
0
0
10
0
2
0
0
True
False
5
5
ctiqbe_fixup,dns_fixup,esp_ike_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,pptp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup
</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id59331X20598" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1275958431" platform="pix" version="6.1" name="test_net_zone_2" comment="testing security levels and labels" ro="False">
<NAT id="id59361X20598" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id59362X20598" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3CD87A53"/>
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id59339X20598"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id59347X20598" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id59348X20598" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id59378X20598" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id59339X20598" dedicated_failover="False" dyn="True" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id59342X20598" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id2986X75851" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id59345X20598" name="test_net_zone_2:ethernet1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="version_6.1">
true
true
true
true
true
true
false
false
false
true
true
3
0
0
1
0
0
0
2
0
0
10
0
0
5
0
0
30
0
0
2
0
0
10
0
2
0
0
True
False
5
5
ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup
</Option>
<Option name="version_6.2">
true
true
true
true
true
true
false
false
false
true
true
3
0
0
1
0
0
0
2
0
0
10
0
0
5
0
0
30
0
0
2
0
0
10
0
2
0
0
True
False
5
5
ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,ils_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup
</Option>
<Option name="version_6.3">
true
true
true
true
true
true
true
true
true
false
false
3
0
0
1
0
0
0
2
0
0
10
0
0
5
0
0
30
0
0
2
0
0
10
0
2
0
0
True
False
5
5
ctiqbe_fixup,dns_fixup,esp_ike_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,pptp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup
</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
</Library>