onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-22 11:17:31 +01:00
Code Issues Releases Wiki Activity

refs #1883, #1893 FWSM 4.x does not have fixup command, we should use policy-map and class commands.

Browse Source
This commit is contained in:
Vadim Kurland 2011-01-04 19:08:19 -08:00
parent 3104b38b60
commit b20a7843a6
36 changed files with 104 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/ChangeLog
View File

@ -1,5 +1,8 @@
2011-01-04 vadim <vadim@netcitadel.com>
* platform/fwsm.xml: FWSM v4.x does not have "fixup" command, instead,
we should use policy-map and class commands.
* OSConfigurator_pix_os_inspectors_pix8.cpp (_printPolicyMapTypeInspect):
refs #1893 fixes #1883 "inspect ip options in pix8". Added support for
"policy-map type inspect ip-options" command in PIX v8.2 and later.

2
src/cisco_lib/OSConfigurator_pix_os.h
View File

@ -79,7 +79,7 @@ namespace fwcompiler {
int arg2,
bool ov);
std::string _printFixups();
std::string _printPolicyMapGlobalPolicy();
std::string _printMPFPolicyMap();
std::string _printPolicyMapTypeInspect();
public:

15
src/cisco_lib/OSConfigurator_pix_os_fixups.cpp
View File

@ -173,15 +173,22 @@ string OSConfigurator_pix_os::getProtocolInspectionCommands()
string platform = fw->getStr("platform");
string version = fw->getStr("version");
ostringstream res;
if (Resources::platform_res[platform]->getResourceBool(
"/FWBuilderResources/Target/options/version_" + version +
"/fixups/use_policy_map_global_policy"))
return _printPolicyMapGlobalPolicy();
"/fixups/use_fixup_commands"))
res << _printFixups();
if (Resources::platform_res[platform]->getResourceBool(
"/FWBuilderResources/Target/options/version_" + version +
"/fixups/use_mpf_policy_map"))
res << _printMPFPolicyMap();
if (Resources::platform_res[platform]->getResourceBool(
"/FWBuilderResources/Target/options/version_" + version +
"/fixups/use_policy_map_type_inspect"))
return _printPolicyMapTypeInspect();
res << _printPolicyMapTypeInspect();
return _printFixups();
return res.str();
}

5
src/cisco_lib/OSConfigurator_pix_os_inspectors.cpp
View File

@ -55,7 +55,7 @@ using namespace std;
* ********************************************************************/
string OSConfigurator_pix_os::_printPolicyMapGlobalPolicy()
string OSConfigurator_pix_os::_printMPFPolicyMap()
{
ostringstream res;
string platform = fw->getStr("platform");
@ -167,9 +167,10 @@ string OSConfigurator_pix_os::_printPolicyMapGlobalPolicy()
}
}
}
res << endl;
res << endl;
res << "service-policy global_policy global" << endl;
res << endl;
return res.str();
}

3
src/cisco_lib/OSConfigurator_pix_os_inspectors_pix8.cpp
View File

@ -126,9 +126,6 @@ string OSConfigurator_pix_os::_printPolicyMapTypeInspect()
res << endl;
// now generate class-map and "policy-map global_policy" commands
res << _printPolicyMapGlobalPolicy();
return res.str();
}

13
src/res/platform/fwsm.xml
View File

@ -112,7 +112,11 @@ nameif %in %il security%sl
<fixups>
<list>dns_fixup,espike_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup</list>
<use_mpf>false</use_mpf>
<use_fixup_commands>true</use_fixup_commands>
<use_mpf_policy_map>false</use_mpf_policy_map>
<use_policy_map_type_inspect>false</use_policy_map_type_inspect>
</fixups>
</version_2.3>
@ -202,8 +206,13 @@ nameif %in %il security%sl
<fixups>
<list>dns_fixup,espike_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup</list>
<use_mpf>false</use_mpf>
<use_fixup_commands>false</use_fixup_commands>
<use_mpf_policy_map>true</use_mpf_policy_map>
<use_policy_map_type_inspect>true</use_policy_map_type_inspect>
</fixups>
</version_4.x>

26
src/res/platform/pix.xml
View File

@ -104,7 +104,9 @@
<fixups>
<list>ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup</list>
<use_policy_map_global_policy>false</use_policy_map_global_policy>
<use_fixup_commands>true</use_fixup_commands>
<use_mpf_policy_map>false</use_mpf_policy_map>
<use_policy_map_type_inspect>false</use_policy_map_type_inspect>
</fixups>
</version_6.1>
@ -185,7 +187,9 @@
<fixups>
<list>ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,ils_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup</list>
<use_policy_map_global_policy>false</use_policy_map_global_policy>
<use_fixup_commands>true</use_fixup_commands>
<use_mpf_policy_map>false</use_mpf_policy_map>
<use_policy_map_type_inspect>false</use_policy_map_type_inspect>
</fixups>
</version_6.2>
@ -266,7 +270,9 @@
<fixups>
<list>ctiqbe_fixup,dns_fixup,espike_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,pptp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup</list>
<use_policy_map_global_policy>false</use_policy_map_global_policy>
<use_fixup_commands>true</use_fixup_commands>
<use_mpf_policy_map>false</use_mpf_policy_map>
<use_policy_map_type_inspect>false</use_policy_map_type_inspect>
</fixups>
</version_6.3>
@ -348,7 +354,8 @@
<fixups>
<list>ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup</list>
<use_policy_map_global_policy>true</use_policy_map_global_policy>
<use_fixup_commands>false</use_fixup_commands>
<use_mpf_policy_map>true</use_mpf_policy_map>
<use_policy_map_type_inspect>false</use_policy_map_type_inspect>
</fixups>
</version_7.0>
@ -431,7 +438,8 @@
<fixups>
<list>ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup</list>
<use_policy_map_global_policy>false</use_policy_map_global_policy>
<use_fixup_commands>false</use_fixup_commands>
<use_mpf_policy_map>true</use_mpf_policy_map>
<use_policy_map_type_inspect>true</use_policy_map_type_inspect>
</fixups>
</version_8.0>
@ -514,7 +522,8 @@
<fixups>
<list>ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup,ip_options_eool_fixup,ip_options_nop_fixup,ip_options_rtralt_fixup</list>
<use_policy_map_global_policy>false</use_policy_map_global_policy>
<use_fixup_commands>false</use_fixup_commands>
<use_mpf_policy_map>true</use_mpf_policy_map>
<use_policy_map_type_inspect>true</use_policy_map_type_inspect>
</fixups>
</version_8.2>
@ -597,7 +606,10 @@
<fixups>
<list>ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup,ip_options_eool_fixup,ip_options_nop_fixup,ip_options_rtralt_fixup</list>
<use_policy_map_global_policy>true</use_policy_map_global_policy>
<use_fixup_commands>false</use_fixup_commands>
<use_mpf_policy_map>true</use_mpf_policy_map>
<use_policy_map_type_inspect>true</use_policy_map_type_inspect>
</fixups>
</version_8.3>

2
test/pix/cluster1-1_pix1.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:29 2011 PST by vadim
! Generated Tue Jan 4 19:05:48 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/cluster1-1_pix2.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:29 2011 PST by vadim
! Generated Tue Jan 4 19:05:48 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/cluster1_pix1.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:28 2011 PST by vadim
! Generated Tue Jan 4 19:05:48 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/cluster1_pix2.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:29 2011 PST by vadim
! Generated Tue Jan 4 19:05:48 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/firewall.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:10 2011 PST by vadim
! Generated Tue Jan 4 19:05:30 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall1.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:11 2011 PST by vadim
! Generated Tue Jan 4 19:05:31 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported

2
test/pix/firewall10.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:12 2011 PST by vadim
! Generated Tue Jan 4 19:05:31 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall11.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:12 2011 PST by vadim
! Generated Tue Jan 4 19:05:32 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall12.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:13 2011 PST by vadim
! Generated Tue Jan 4 19:05:32 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall13.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:13 2011 PST by vadim
! Generated Tue Jan 4 19:05:33 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall14.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:14 2011 PST by vadim
! Generated Tue Jan 4 19:05:34 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall2.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:15 2011 PST by vadim
! Generated Tue Jan 4 19:05:34 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall20.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:15 2011 PST by vadim
! Generated Tue Jan 4 19:05:35 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall21-1.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:16 2011 PST by vadim
! Generated Tue Jan 4 19:05:36 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall21.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:16 2011 PST by vadim
! Generated Tue Jan 4 19:05:36 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/firewall22.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:17 2011 PST by vadim
! Generated Tue Jan 4 19:05:37 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/firewall3.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:18 2011 PST by vadim
! Generated Tue Jan 4 19:05:37 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall33.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:19 2011 PST by vadim
! Generated Tue Jan 4 19:05:38 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall34.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:19 2011 PST by vadim
! Generated Tue Jan 4 19:05:39 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/firewall4.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:20 2011 PST by vadim
! Generated Tue Jan 4 19:05:40 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall50.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:21 2011 PST by vadim
! Generated Tue Jan 4 19:05:40 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/firewall6.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:21 2011 PST by vadim
! Generated Tue Jan 4 19:05:41 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

2
test/pix/firewall8.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:22 2011 PST by vadim
! Generated Tue Jan 4 19:05:42 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported

12
test/pix/firewall80.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:23 2011 PST by vadim
! Generated Tue Jan 4 19:05:43 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported
@ -72,11 +72,6 @@ no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
router-alert action clear
class-map inspection_default
match default-inspection-traffic
@ -85,6 +80,11 @@ policy-map global_policy
service-policy global_policy global
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
router-alert action clear
!################
clear config access-list

2
test/pix/firewall9.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:23 2011 PST by vadim
! Generated Tue Jan 4 19:05:43 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported

2
test/pix/fwsm1.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:24 2011 PST by vadim
! Generated Tue Jan 4 19:05:44 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported

35
test/pix/fwsm2.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:25 2011 PST by vadim
! Generated Tue Jan 4 19:05:45 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported
@ -82,17 +82,28 @@ sysopt nodnsalias outbound
floodguard disable
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
class-map inspection_default
match default-inspection-traffic
class-map custom_espike_inspection
match port
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
service-policy global_policy global
!################

2
test/pix/pix515.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:26 2011 PST by vadim
! Generated Tue Jan 4 19:05:46 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported

2
test/pix/real.fw.orig
View File

@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 17:00:27 2011 PST by vadim
! Generated Tue Jan 4 19:05:46 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported