mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-23 19:57:21 +01:00

refs #1893 fixes #1882 "inspect ip options in pix8". Added support for

"policy-map type inspect ip-options" command in PIX v8.2 and later.
At this time, of all possible types of "policy-map type inspect"
command only "ip-options" is implemented.
Vadim Kurland 2011-01-04 17:05:43 -08:00
parent 8fb64f10eb
commit b9a9d7a2c9
44 changed files with 1231 additions and 401 deletions


@ -1,5 +1,11 @@
2011-01-04 vadim <vadim@netcitadel.com>
* OSConfigurator_pix_os_inspectors_pix8.cpp (_printPolicyMapTypeInspect):
refs #1893 fixes #1882 "inspect ip options in pix8". Added support for
"policy-map type inspect ip-options" command in PIX v8.2 and later.
At this time, of all possible types of "policy-map type inspect"
command only "ip-options" is implemented.
* PIX8ObjectGroup.cpp (toString): refs #1882 "Mixed service groups
in PIX8". Added pix versions 8.0 and 8.3; added support for mixed
servcie groups in pix 8.0 and later.


@ -79,8 +79,9 @@ namespace fwcompiler {
int arg2,
bool ov);
std::string _printFixups();
std::string _printMPF();
std::string _printPolicyMapGlobalPolicy();
std::string _printPolicyMapTypeInspect();
public:
virtual ~OSConfigurator_pix_os() {};


@ -122,15 +122,14 @@ string OSConfigurator_pix_os::_printFixupCommand(const string &fixup_name,
string OSConfigurator_pix_os::_printFixups()
{
ostringstream res;
string platform=fw->getStr("platform");
string version=fw->getStr("version");
FWOptions *options=fw->getOptionsObject();
string platform = fw->getStr("platform");
string version = fw->getStr("version");
FWOptions *options = fw->getOptionsObject();
assert(options!=NULL);
string lst=Resources::platform_res[platform]->getResourceStr(
"/FWBuilderResources/Target/options/version_"+version+"/fixups/list");
string lst = Resources::platform_res[platform]->getResourceStr(
"/FWBuilderResources/Target/options/version_" + version +
"/fixups/list");
string::size_type i,j, k;
i=0;
@ -167,283 +166,22 @@ string OSConfigurator_pix_os::_printFixups()
}
/* ********************************************************************
*
* Generating class-map, class and match commands instead of fixups
* for PIX 7.0
*
* ********************************************************************/
class InspectionProtocol;
typedef enum { FIXUP_ENABLE=0, FIXUP_DISABLE=1, FIXUP_SKIP=2 } FixupTypes;
std::map<std::string,InspectionProtocol*> protocols;
FixupTypes fixupStatus;
/*
* par1 and par2 are parameters for the inspection protocol. These are
* port numbers most of the time, but for some protocols the meaning
* may be different. For example for dns it is "maximum-length".
*/
class InspectionProtocol {
public:
string name;
string printable_name;
string ip_proto;
int par1,par2;
InspectionProtocol(const string &fn,
const string &prn,
const string &pn,
int p1,
int p2)
{
name=fn; printable_name=prn; ip_proto=pn; par1=p1; par2=p2;
if (protocols.count(fn)==0) protocols[fn]=this;
}
};
/*
* Default ports are defined here jsut like they are filled in the
* options by the GUI. If the GUI allows for port range, we specify
* port range here, and vice versa. Some of the cases seem to differ
* from what Cisco doc specify in the table of the default ports here
* http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_upgrade_guides09186a0080369ee2.html
* I suppose this is ok since we always can use port range map with
* "match" command even if they did not intend it to be like that by
* default. However if the GUI returned port numbers that match those
* defined in protocolDefinitions, we do not generate 'match' commands
* at all and put everything in the "inspection_default" class-map
*
* Here is how this works: constructor of the class InspectionProtocols
* adds object to map 'protocols'. Every initialization of an object
* of this class in array protocolDefinitions calls constructor and
* therefore creates an entry in the map 'protocols'. It is done this
* way because we can statically initialize an array but cant initialize
* std::map (at least I do not know how)
*
* Note: in PIX 7.0 inspector that corresponds to fixup 'smtp' is
* called 'esmtp'
*/
InspectionProtocol protocolDefinitions[] =
{
InspectionProtocol("ctiqbe", "ctiqbe", "tcp", 2748, 0 ),
InspectionProtocol("dns", "dns", "udp", 53, 0 ),
InspectionProtocol("ftp", "ftp", "tcp", 21, 0 ),
InspectionProtocol("gtp", "gtp", "udp", 2123, 3386 ),
InspectionProtocol("h323_h225", "h323 h225", "tcp", 1720, 1720 ),
InspectionProtocol("h323_ras", "h323 ras", "udp", 1718, 1719 ),
InspectionProtocol("http", "http", "tcp", 80, 80 ),
InspectionProtocol("icmp_error","icmp", "icmp", 0, 0 ),
InspectionProtocol("ils", "ils", "tcp", 389, 389 ),
InspectionProtocol("mgcp", "mgcp", "udp", 2427, 2727 ),
InspectionProtocol("netbios", "netbios", "udp", 137, 138 ),
InspectionProtocol("rpc", "rpc", "udp", 111, 0 ),
InspectionProtocol("rsh", "rsh", "tcp", 514, 0 ),
InspectionProtocol("rtsp", "rtsp", "tcp", 554, 0 ),
InspectionProtocol("sip", "sip", "tcp", 5060, 5060 ),
InspectionProtocol("sip_udp", "sip", "udp", 5060, 0 ),
InspectionProtocol("skinny", "skinny", "tcp", 2000, 2000 ),
InspectionProtocol("smtp", "esmtp", "tcp", 25, 25 ),
InspectionProtocol("sqlnet", "sqlnet", "tcp", 1521, 1521 ),
InspectionProtocol("tftp", "tftp", "udp", 69, 0 ),
InspectionProtocol("xdmcp", "xdmcp", "udp", 177, 0 ),
};
/*
* status:
* 0: enable
* 1: disable
* 2: skip
*/
class InspectionClassMap {
public:
string class_map_name;
string fixup_name;
string inspect_name;
int status;
int port1,port2;
string arg_name;
int arg_val;
InspectionClassMap(const string &fn,int s,int p1,int p2,const string &a,int v)
{
status=s; port1=p1; port2=p2; arg_name=a; arg_val=v;
string ss = fn;
string::size_type k;
while ( (k=ss.find(" "))!=string::npos )
ss.replace(k,1,1,'_');
inspect_name = ss;
fixup_name = fn;
class_map_name = string("custom_")+ss+string("_inspection");
}
bool isDefault();
string getIPProtocol();
string getPrintableName();
string getMatchCommand();
};
std::list<InspectionClassMap> defaultClassMaps;
std::list<InspectionClassMap> customClassMaps;
std::map<std::string,int> DefaultInspectionInspectStatements;
std::map<std::string,int> CustomInspectionInspectStatements;
bool InspectionClassMap::isDefault()
{
InspectionProtocol *ip = protocols[fixup_name];
if (ip!=NULL) return (ip->par1==port1 && ip->par2==port2);
return false;
}
string InspectionClassMap::getIPProtocol()
{
InspectionProtocol *ip = protocols[fixup_name];
if (ip!=NULL) return ip->ip_proto;
return "";
}
string InspectionClassMap::getPrintableName()
{
InspectionProtocol *ip = protocols[fixup_name];
if (ip!=NULL) return ip->printable_name;
return "";
}
string InspectionClassMap::getMatchCommand()
{
ostringstream res;
res << "match port " << getIPProtocol() << " ";
if (port1!=0 && port2==0)
res << "eq " << port1;
if (port1!=0 && port1==port2)
res << "eq " << port1;
if (port1!=0 && port2!=0 && port1!=port2)
res << "range " << port1 << " " << port2;
res << endl;
return res.str();
}
string OSConfigurator_pix_os::_printMPF()
{
ostringstream res;
string platform=fw->getStr("platform");
string version=fw->getStr("version");
FWOptions *options=fw->getOptionsObject();
assert(options!=NULL);
string lst=Resources::platform_res[platform]->getResourceStr(
"/FWBuilderResources/Target/options/version_"+version+"/fixups/list");
defaultClassMaps.clear();
customClassMaps.clear();
DefaultInspectionInspectStatements.clear();
CustomInspectionInspectStatements.clear();
string::size_type i,j;
i=0;
while ( i<lst.size() )
{
j=lst.find(",",i);
string fixup_xml_element=lst.substr(i,j-i);
i=j+1;
string f=options->getStr(fixup_xml_element);
if (!f.empty())
{
string fixup_name=fixup_xml_element.substr(0, fixup_xml_element.find("_fixup") );
int status;
int p1,p2;
string an;
int av;
istringstream str(f);
str >> status >> p1 >> p2 >> an >> av;
/* We should really fix this in the GUI and pass max length parameter
* as an/av rather than as port p1
*/
if (fixup_name=="dns" && p1!=0) { an="maximum-length"; av=p1; p1=53; }
InspectionClassMap cm(fixup_name,status,p1,p2,an,av);
if (cm.isDefault()) defaultClassMaps.push_back(cm);
else customClassMaps.push_back(cm);
}
if (j==string::npos) break;
}
res << "class-map inspection_default" << endl;
res << " match default-inspection-traffic" << endl;
res << endl;
std::list<InspectionClassMap>::iterator i1;
if (customClassMaps.size()>0)
{
for (i1=customClassMaps.begin(); i1!=customClassMaps.end(); i1++)
{
res << "class-map " << i1->class_map_name << endl;
res << " " << i1->getMatchCommand() << endl;
}
res << endl;
}
res << "policy-map global_policy" << endl;
if (defaultClassMaps.size()>0)
{
res << " class inspection_default" << endl;
for (i1=defaultClassMaps.begin(); i1!=defaultClassMaps.end(); i1++)
{
string pn = i1->getPrintableName();
if (i1->status!=FIXUP_SKIP &&
DefaultInspectionInspectStatements[pn]!=1)
{
res << " ";
if (i1->status==FIXUP_DISABLE) res << "no ";
res << "inspect " << pn << endl;
DefaultInspectionInspectStatements[pn]=1;
}
}
}
if (customClassMaps.size()>0)
{
for (i1=customClassMaps.begin(); i1!=customClassMaps.end(); i1++)
{
string pn = i1->getPrintableName();
if (i1->status!=FIXUP_SKIP &&
CustomInspectionInspectStatements[pn]!=1)
{
res << " class " << i1->class_map_name << endl;
res << " ";
if (i1->status==FIXUP_DISABLE) res << "no ";
res << "inspect " << i1->getPrintableName() << endl;
CustomInspectionInspectStatements[pn]=1;
}
}
}
res << endl;
res << "service-policy global_policy global" << endl;
return res.str();
}
string OSConfigurator_pix_os::getProtocolInspectionCommands()
{
string platform=fw->getStr("platform");
string version=fw->getStr("version");
string platform = fw->getStr("platform");
string version = fw->getStr("version");
if (Resources::platform_res[platform]->getResourceBool(
"/FWBuilderResources/Target/options/version_"+version+"/fixups/use_mpf"))
return _printMPF();
"/FWBuilderResources/Target/options/version_" + version +
"/fixups/use_policy_map_global_policy"))
return _printPolicyMapGlobalPolicy();
if (Resources::platform_res[platform]->getResourceBool(
"/FWBuilderResources/Target/options/version_" + version +
"/fixups/use_policy_map_type_inspect"))
return _printPolicyMapTypeInspect();
return _printFixups();
}
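Review bot: In `getProtocolInspectionCommands` the `use_policy_map_global_policy` test runs before the `use_policy_map_type_inspect` test, so a version resource that sets both flags never reaches `_printPolicyMapTypeInspect()` and the ip-options policy map is left out of the generated configuration without any warning. Because `_printPolicyMapTypeInspect()` already ends by calling `_printPolicyMapGlobalPolicy()`, testing the type-inspect flag first would let the more specific setting win. If the two flags are meant to be mutually exclusive, a comment such as `// resource files must set at most one of use_policy_map_global_policy / use_policy_map_type_inspect` would record that. The resource files are not visible in this section, so whether any version sets both is unconfirmed.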


@ -0,0 +1,177 @@
/*
Firewall Builder
Copyright (C) 2002-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "OSConfigurator_pix_os.h"
#include "inspectionProtocol.h"
#include "inspectionClassMap.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include <QStringList>
#include <QtDebug>
#include <list>
#include <algorithm>
#include <functional>
#include <assert.h>
#include <iostream>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
/* ********************************************************************
*
* Generating class-map, class and match commands instead of fixups
* for PIX 7.0
*
* ********************************************************************/
string OSConfigurator_pix_os::_printPolicyMapGlobalPolicy()
{
ostringstream res;
string platform = fw->getStr("platform");
string version = fw->getStr("version");
string vers = "version_" + version;
FWOptions *options = fw->getOptionsObject();
assert(options!=NULL);
std::list<InspectionClassMap> defaultClassMaps;
std::list<InspectionClassMap> customClassMaps;
std::map<std::string,int> DefaultInspectionInspectStatements;
std::map<std::string,int> CustomInspectionInspectStatements;
QStringList allowed_fixups =
QString(Resources::platform_res[platform]->getResourceStr(
"/FWBuilderResources/Target/options/" + vers +
"/fixups/list").c_str()).split(",");
defaultClassMaps.clear();
customClassMaps.clear();
DefaultInspectionInspectStatements.clear();
CustomInspectionInspectStatements.clear();
foreach (QString fixup_xml_element, allowed_fixups)
{
string f = options->getStr(fixup_xml_element.toAscii().constData());
if (!f.empty())
{
QString fixup_name = fixup_xml_element.replace("_fixup", "");
int status;
int p1,p2;
string an;
int av;
istringstream str(f);
str >> status >> p1 >> p2 >> an >> av;
/* We should really fix this in the GUI and pass max length parameter
* as an/av rather than as port p1
*/
if (fixup_name == "dns" && p1 != 0)
{
an = "maximum-length";
av = p1;
p1 = 53;
}
if (fixup_name.startsWith("ip_options"))
{
continue;
}
InspectionClassMap cm(fixup_name.toAscii().constData(),
status, p1, p2, an, av);
if (cm.isDefault()) defaultClassMaps.push_back(cm);
else customClassMaps.push_back(cm);
}
}
res << "class-map inspection_default" << endl;
res << " match default-inspection-traffic" << endl;
res << endl;
std::list<InspectionClassMap>::iterator i1;
if (customClassMaps.size()>0)
{
for (i1=customClassMaps.begin(); i1!=customClassMaps.end(); i1++)
{
res << "class-map " << i1->class_map_name << endl;
res << " " << i1->getMatchCommand() << endl;
}
res << endl;
}
res << "policy-map global_policy" << endl;
if (defaultClassMaps.size()>0)
{
res << " class inspection_default" << endl;
for (i1=defaultClassMaps.begin(); i1!=defaultClassMaps.end(); i1++)
{
string pn = i1->getPrintableName();
if (i1->status!=FIXUP_SKIP &&
DefaultInspectionInspectStatements[pn]!=1)
{
res << " ";
if (i1->status==FIXUP_DISABLE) res << "no ";
res << "inspect " << pn << endl;
DefaultInspectionInspectStatements[pn]=1;
}
}
}
if (customClassMaps.size()>0)
{
for (i1=customClassMaps.begin(); i1!=customClassMaps.end(); i1++)
{
string pn = i1->getPrintableName();
if (i1->status!=FIXUP_SKIP &&
CustomInspectionInspectStatements[pn]!=1)
{
res << " class " << i1->class_map_name << endl;
res << " ";
if (i1->status==FIXUP_DISABLE) res << "no ";
res << "inspect " << i1->getPrintableName() << endl;
CustomInspectionInspectStatements[pn]=1;
}
}
}
res << endl;
res << "service-policy global_policy global" << endl;
return res.str();
}
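Review bot: The extraction `str >> status >> p1 >> p2 >> an >> av;` in `_printPolicyMapGlobalPolicy` is never checked, and `status`, `p1`, `p2` and `av` are declared without initial values, so a short or malformed option string can leave some of them indeterminate before they are passed to `InspectionClassMap` and written into the firewall configuration. Initialising them, `int status = FIXUP_SKIP, p1 = 0, p2 = 0, av = 0;`, and skipping the entry when the leading fields fail to parse, `if (!(str >> status >> p1 >> p2)) continue;`, keeps unparsed values out of the generated `match port` and `inspect` lines. The same unchecked parse is repeated in `_printPolicyMapTypeInspect` in the pix8 file. Whether `an` and `av` are always present in the stored string cannot be seen here, so they are best read after that check and treated as optional.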


@ -0,0 +1,135 @@
/*
Firewall Builder
Copyright (C) 2002-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "OSConfigurator_pix_os.h"
#include "Helper.h"
#include "inspectionProtocol.h"
#include "inspectionClassMap.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include <QStringList>
#include <QtDebug>
#include <list>
#include <algorithm>
#include <functional>
#include <assert.h>
#include <iostream>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
/* ********************************************************************
*
* Generating policy-map type inspect commands for PIX 8.0
*
* ********************************************************************/
string OSConfigurator_pix_os::_printPolicyMapTypeInspect()
{
ostringstream res;
string platform = fw->getStr("platform");
string version = fw->getStr("version");
string vers = "version_" + version;
FWOptions *options = fw->getOptionsObject();
assert(options!=NULL);
// first, generate commands for ip-options
QStringList allowed_fixups =
QString(Resources::platform_res[platform]->getResourceStr(
"/FWBuilderResources/Target/options/" + vers +
"/fixups/list").c_str()).split(",");
list<InspectionClassMap> ip_options_matches;
foreach (QString fixup_xml_element, allowed_fixups)
{
string f = options->getStr(fixup_xml_element.toAscii().constData());
if (!f.empty())
{
QString fixup_name = fixup_xml_element.replace("_fixup", "");
int status;
int p1,p2;
string an;
int av;
istringstream str(f);
str >> status >> p1 >> p2 >> an >> av;
if (fixup_name.startsWith("ip_options") && status != FIXUP_SKIP)
{
InspectionClassMap cm(fixup_name.toAscii().constData(),
status, p1, p2, an, av);
ip_options_matches.push_back(cm);
}
}
}
if (ip_options_matches.size() > 0)
{
res << "policy-map type inspect ip-options ip-options-map" << endl;
res << "parameters" << endl;
for(list<InspectionClassMap>::iterator i=ip_options_matches.begin();
i!=ip_options_matches.end(); ++i)
{
switch (i->status)
{
case FIXUP_ENABLE:
res << " " << i->getPrintableName() << " action ";
res << "allow" << endl;
break;
case FIXUP_CLEAR:
res << " " << i->getPrintableName() << " action ";
res << "clear" << endl;
break;
default:
break;
}
}
}
res << endl;
// now generate class-map and "policy-map global_policy" commands
res << _printPolicyMapGlobalPolicy();
return res.str();
}
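Review bot: The `ip-options-map` policy map built in `_printPolicyMapTypeInspect` is defined, but nothing visible attaches it to a class: `_printPolicyMapGlobalPolicy()` skips every `ip_options*` fixup with `continue`, and no `inspect ip-options ip-options-map` line is written under `class inspection_default`. As far as these two functions show, the allow/clear actions chosen in the GUI would appear in the configuration without being applied to traffic. Separately, `FIXUP_DISABLE` falls into `default:` and prints nothing; if that relies on drop being the device default, a comment such as `// FIXUP_DISABLE: no command emitted, relies on the default action` would make it deliberate. The banner comment says PIX 8.0 while the ChangeLog entry says 8.2 and later.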


@ -11,6 +11,8 @@ SOURCES = PolicyCompiler_cisco.cpp \
RoutingCompiler_cisco_writers.cpp \
ACL.cpp \
Helper.cpp \
inspectionProtocol.cpp \
InspectionClassMap.cpp \
OSConfigurator_ios.cpp \
CompilerDriver_iosacl.cpp \
CompilerDriver_iosacl_run.cpp \
@ -24,6 +26,8 @@ SOURCES = PolicyCompiler_cisco.cpp \
NATCompiler_pix_writers.cpp \
OSConfigurator_pix_os.cpp \
OSConfigurator_pix_os_fixups.cpp \
OSConfigurator_pix_os_inspectors.cpp \
OSConfigurator_pix_os_inspectors_pix8.cpp \
CompilerDriver_procurve_acl.cpp \
CompilerDriver_procurve_acl_run.cpp \
OSConfigurator_procurve.cpp \
@ -44,6 +48,8 @@ SOURCES = PolicyCompiler_cisco.cpp \
HEADERS = ../../config.h \
ACL.h \
Helper.h \
inspectionProtocol.h \
InspectionClassMap.h \
PolicyCompiler_cisco.h \
RoutingCompiler_cisco.h \
CompilerDriver_iosacl.h \
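Review bot: The new entries `InspectionClassMap.cpp` and `InspectionClassMap.h` start with a capital I, while the sources added in this commit include the header as `#include "inspectionClassMap.h"` and the sibling entries are spelled `inspectionProtocol.cpp` / `inspectionProtocol.h`. On a case-sensitive filesystem only one of the two spellings can match the file on disk, so either the build list or the includes will fail there. The file names themselves are not shown on this page; whichever spelling is real, the other should be changed to match it.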


@ -0,0 +1,65 @@
/*
Firewall Builder
Copyright (C) 2002-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "inspectionClassMap.h"
#include "inspectionProtocol.h"
#include <sstream>
using namespace std;
bool InspectionClassMap::isDefault()
{
InspectionProtocol *ip = InspectionProtocol::protocols[fixup_name];
if (ip!=NULL) return (ip->par1==port1 && ip->par2==port2);
return false;
}
string InspectionClassMap::getIPProtocol()
{
InspectionProtocol *ip = InspectionProtocol::protocols[fixup_name];
if (ip!=NULL) return ip->ip_proto;
return "";
}
string InspectionClassMap::getPrintableName()
{
InspectionProtocol *ip = InspectionProtocol::protocols[fixup_name];
if (ip!=NULL) return ip->printable_name;
return "";
}
string InspectionClassMap::getMatchCommand()
{
ostringstream res;
res << "match port " << getIPProtocol() << " ";
if (port1!=0 && port2==0)
res << "eq " << port1;
if (port1!=0 && port1==port2)
res << "eq " << port1;
if (port1!=0 && port2!=0 && port1!=port2)
res << "range " << port1 << " " << port2;
res << endl;
return res.str();
}
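Review bot: `isDefault`, `getIPProtocol` and `getPrintableName` look the protocol up with `InspectionProtocol::protocols[fixup_name]`, and `operator[]` inserts a NULL entry for every name that is not registered, so a read-only query grows the shared registry. `protocols.find(fixup_name)` with a test against `end()` gives the same result without the side effect and would allow the three methods to be declared `const`. In `getMatchCommand`, a `port1` of 0 or an empty `ip_proto` (as the new `ip_options_*` entries have) yields a bare `match port` line with no operator. Returning an empty string in that case, or documenting that callers must not request a match command for such entries, would keep incomplete commands out of the generated configuration.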


@ -0,0 +1,67 @@
/*
Firewall Builder
Copyright (C) 2002-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef INSPECTION_CLASS_MAP_HH
#define INSPECTION_CLASS_MAP_HH
#include <string>
/*
* status:
* 0: enable
* 1: disable
* 2: skip
*/
class InspectionClassMap {
public:
std::string class_map_name;
std::string fixup_name;
std::string inspect_name;
int status;
int port1,port2;
std::string arg_name;
int arg_val;
InspectionClassMap(const std::string &fn,int s,int p1,int p2,
const std::string &a,int v)
{
status=s; port1=p1; port2=p2; arg_name=a; arg_val=v;
std::string ss = fn;
std::string::size_type k;
while ( (k=ss.find(" ")) != std::string::npos )
ss.replace(k,1,1,'_');
inspect_name = ss;
fixup_name = fn;
class_map_name = std::string("custom_") + ss + std::string("_inspection");
}
bool isDefault();
std::string getIPProtocol();
std::string getPrintableName();
std::string getMatchCommand();
};
#endif
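Review bot: The `status` comment above `InspectionClassMap` still lists only 0, 1 and 2, although this commit adds `FIXUP_CLEAR=3` and the pix8 generator switches on it. Adding a line `* 3: clear (used by the ip options switch)` and naming the `FixupTypes` enum there would keep the header in step with the values actually stored. As a style point, the constructor could set its members in an initializer list, `: status(s), port1(p1), port2(p2), arg_name(a), arg_val(v)`, instead of assigning them in the body.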


@ -0,0 +1,77 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "inspectionProtocol.h"
std::map<std::string,InspectionProtocol*> InspectionProtocol::protocols;
/*
* Default ports are defined here jsut like they are filled in the
* options by the GUI. If the GUI allows for port range, we specify
* port range here, and vice versa. Some of the cases seem to differ
* from what Cisco doc specify in the table of the default ports here
* http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_upgrade_guides09186a0080369ee2.html
* I suppose this is ok since we always can use port range map with
* "match" command even if they did not intend it to be like that by
* default. However if the GUI returned port numbers that match those
* defined in protocolDefinitions, we do not generate 'match' commands
* at all and put everything in the "inspection_default" class-map
*
* Here is how this works: constructor of the class InspectionProtocols
* adds object to map 'protocols'. Every initialization of an object
* of this class in array protocolDefinitions calls constructor and
* therefore creates an entry in the map 'protocols'. It is done this
* way because we can statically initialize an array but cant initialize
* std::map (at least I do not know how)
*
* Note: in PIX 7.0 inspector that corresponds to fixup 'smtp' is
* called 'esmtp'
*/
InspectionProtocol protocolDefinitions[] =
{
InspectionProtocol("ctiqbe", "ctiqbe", "tcp", 2748, 0 ),
InspectionProtocol("dns", "dns", "udp", 53, 0 ),
InspectionProtocol("ftp", "ftp", "tcp", 21, 0 ),
InspectionProtocol("gtp", "gtp", "udp", 2123, 3386 ),
InspectionProtocol("h323_h225", "h323 h225", "tcp", 1720, 1720 ),
InspectionProtocol("h323_ras", "h323 ras", "udp", 1718, 1719 ),
InspectionProtocol("http", "http", "tcp", 80, 80 ),
InspectionProtocol("icmp_error","icmp", "icmp", 0, 0 ),
InspectionProtocol("ils", "ils", "tcp", 389, 389 ),
InspectionProtocol("mgcp", "mgcp", "udp", 2427, 2727 ),
InspectionProtocol("netbios", "netbios", "udp", 137, 138 ),
InspectionProtocol("rpc", "rpc", "udp", 111, 0 ),
InspectionProtocol("rsh", "rsh", "tcp", 514, 0 ),
InspectionProtocol("rtsp", "rtsp", "tcp", 554, 0 ),
InspectionProtocol("sip", "sip", "tcp", 5060, 5060 ),
InspectionProtocol("sip_udp", "sip", "udp", 5060, 0 ),
InspectionProtocol("skinny", "skinny", "tcp", 2000, 2000 ),
InspectionProtocol("smtp", "esmtp", "tcp", 25, 25 ),
InspectionProtocol("sqlnet", "sqlnet", "tcp", 1521, 1521 ),
InspectionProtocol("tftp", "tftp", "udp", 69, 0 ),
InspectionProtocol("xdmcp", "xdmcp", "udp", 177, 0 ),
InspectionProtocol("ip_options_eool", "eool","", 0, 0 ),
InspectionProtocol("ip_options_nop", "nop", "", 0, 0 ),
InspectionProtocol("ip_options_rtralt", "router-alert", "", 0, 0 ),
};
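Review bot: The block comment over `protocolDefinitions` explains that each element registers itself in `protocols`, but it does not state the two things the scheme depends on: `InspectionProtocol::protocols` has to be defined earlier in this same translation unit than the array, and the map stores the addresses of the array elements. A sentence such as `protocols must stay defined above protocolDefinitions in this file; the map holds pointers into the array` would protect that ordering from a later reshuffle. The three `ip_options_*` rows pass an empty `ip_proto` and zero ports, which deserves a one-line comment saying they are not port-based inspectors. The comment also carries the typos `jsut` and `cant`.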


@ -0,0 +1,64 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef INSPECTION_PROTOCOL_HH
#define INSPECTION_PROTOCOL_HH
#include <string>
#include <map>
typedef enum { FIXUP_ENABLE=0, FIXUP_DISABLE=1, FIXUP_SKIP=2, FIXUP_CLEAR=3 } FixupTypes;
/*
* par1 and par2 are parameters for the inspection protocol. These are
* port numbers most of the time, but for some protocols the meaning
* may be different. For example for dns it is "maximum-length".
*/
class InspectionProtocol {
public:
std::string name;
std::string printable_name;
std::string ip_proto;
int par1,par2;
static std::map<std::string,InspectionProtocol*> protocols;
InspectionProtocol(const std::string &fn,
const std::string &prn,
const std::string &pn,
int p1,
int p2)
{
name = fn;
printable_name = prn;
ip_proto = pn;
par1 = p1;
par2 = p2;
if (protocols.count(fn)==0) protocols[fn] = this;
}
};
extern InspectionProtocol protocolDefinitions[];
#endif
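Review bot: The constructor stores `this` in the static `protocols` map, which ties the registry to the address and lifetime of whichever object is constructed first under a given name. The array in inspectionProtocol.cpp is initialised from `InspectionProtocol(...)` temporaries, so before C++17 the registered pointer is valid only when the compiler elides the copy, and any short-lived `InspectionProtocol` created elsewhere with a new name would leave a dangling entry behind. Moving the registration out of the constructor into a function that walks `protocolDefinitions` and stores `&protocolDefinitions[i]` would remove that dependency. If the constructor keeps registering, a comment stating that instances must have static storage duration is the minimum.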


@ -473,19 +473,43 @@ pixAdvancedDialog::pixAdvancedDialog(QWidget*parent, FWObject *o)
NULL,
"tftp_fixup", "tftp", 18));
string lst=Resources::platform_res[platform]->getResourceStr(
"/FWBuilderResources/Target/options/"+vers+"/fixups/list");
allFixups.push_back(fixupControl(
m_dialog->pix_ip_options_eool_switch,
NULL,
NULL,
NULL,
"ip_options_eool_fixup", "IP options", 19));
allFixups.push_back(fixupControl(
m_dialog->pix_ip_options_nop_switch,
NULL,
NULL,
NULL,
"ip_options_nop_fixup", "IP options", 20));
allFixups.push_back(fixupControl(
m_dialog->pix_ip_options_rtralt_switch,
NULL,
NULL,
NULL,
"ip_options_rtralt_fixup", "IP options", 21));
QStringList allowed_fixups =
QString(Resources::platform_res[platform]->getResourceStr(
"/FWBuilderResources/Target/options/" + vers +
"/fixups/list").c_str()).split(",");
if (fwbdebug)
qDebug("pixAdvancedDialog::pixAdvancedDialog lst = %s",lst.c_str());
qDebug() << "pixAdvancedDialog::pixAdvancedDialog allowed_fixups:"
<< allowed_fixups;
for (list<fixupControl>::iterator fi=allFixups.begin();
fi!=allFixups.end(); fi++)
{
if (fwbdebug)
qDebug("pixAdvancedDialog::pixAdvancedDialog fwopt = %s",
fi->fwoption.toAscii().constData());
qDebug() << "pixAdvancedDialog::pixAdvancedDialog fwopt:"
<< fi->fwoption;
if (fi->switch_widget!=NULL)
connect( fi->switch_widget, SIGNAL(activated(int)),
@ -500,22 +524,11 @@ pixAdvancedDialog::pixAdvancedDialog(QWidget*parent, FWObject *o)
if (fi->arg3!=NULL) connect( fi->arg3, SIGNAL(clicked()),
this, SLOT(fixupCmdChanged()));
string::size_type i,j;
i=0;
bool present=false;
while ( i<lst.size() )
{
j=lst.find(",",i);
if (QString(lst.substr(i,j-i).c_str())==fi->fwoption)
{ present=true; break; }
if (j==string::npos) break;
i=j+1;
}
if (!present)
{
fi->active=false;
m_dialog->fixup_notebook->setTabEnabled( fi->page, false);
}
bool active = allowed_fixups.contains(fi->fwoption);
fi->active = active;
m_dialog->fixup_notebook->setTabEnabled( fi->page, active);
}
/* page Logging */
@ -605,11 +618,13 @@ pixAdvancedDialog::pixAdvancedDialog(QWidget*parent, FWObject *o)
m_dialog->fragguard->setEnabled(
Resources::platform_res[platform]->getResourceBool(
"/FWBuilderResources/Target/options/"+vers+"/pix_security_fragguard_supported"));
"/FWBuilderResources/Target/options/" + vers +
"/pix_security_fragguard_supported"));
m_dialog->route_dnat->setEnabled(
Resources::platform_res[platform]->getResourceBool(
"/FWBuilderResources/Target/options/"+vers+"/pix_route_dnat_supported"));
"/FWBuilderResources/Target/options/" + vers +
"/pix_route_dnat_supported"));
data.registerOption( m_dialog->fragguard, fwoptions, "pix_fragguard");
data.registerOption( m_dialog->route_dnat, fwoptions, "pix_route_dnat");
@ -617,10 +632,13 @@ pixAdvancedDialog::pixAdvancedDialog(QWidget*parent, FWObject *o)
data.registerOption( m_dialog->resetinbound, fwoptions, "pix_resetinbound");
data.registerOption( m_dialog->resetoutside, fwoptions, "pix_resetoutside");
data.registerOption( m_dialog->connection_timewait, fwoptions, "pix_connection_timewait");
data.registerOption( m_dialog->connection_timewait, fwoptions,
"pix_connection_timewait");
data.registerOption( m_dialog->floodguard, fwoptions, "pix_floodguard");
data.registerOption( m_dialog->nodnsalias_inbound, fwoptions, "pix_nodnsalias_inbound");
data.registerOption( m_dialog->nodnsalias_outbound, fwoptions, "pix_nodnsalias_outbound");
data.registerOption( m_dialog->nodnsalias_inbound, fwoptions,
"pix_nodnsalias_inbound");
data.registerOption( m_dialog->nodnsalias_outbound, fwoptions,
"pix_nodnsalias_outbound");
data.registerOption( m_dialog->max_conns, fwoptions, "pix_max_conns");
data.registerOption( m_dialog->emb_limit, fwoptions, "pix_emb_limit");
@ -639,22 +657,27 @@ pixAdvancedDialog::~pixAdvancedDialog()
}
/*
* items in the switch_widget (QComboBox) are layed out as follows:
* items in the switch_widget (QComboBox) | values in FirewallOptions object
* |
* Skip (item 0) | 2
* Enable (item 1) | 0
* Disable (item 2) | 1
*
* Skip - item 0
* Enable - item 1
* Disable - item 2
* this strange mapping is historical.
*
* values in the attribute in the FirewallOptions object are as follows:
* ip options switch has the following items:
*
* 0 - enable
* 1 - disable
* 2 - skip
* skip
* allow
* drop
* clear
*
* this is historical.
* The last item is just added at the bottom and is mapped to FirewallOptions
* value "3"
*
*/
static int fixupOpt2Widget[] = { 1, 2, 0 };
static int fixupWidget2Opt[] = { 2, 0, 1 };
static int fixupOpt2Widget[] = { 1, 2, 0, 3 };
static int fixupWidget2Opt[] = { 2, 0, 1, 3 };
int pixAdvancedDialog::translateFixupSwitchFromOptionToWidget(int o)
{
@ -690,7 +713,7 @@ void pixAdvancedDialog::loadFixups()
for (list<fixupControl>::iterator fi=allFixups.begin(); fi!=allFixups.end(); fi++)
{
if (!fi->active) continue;
string f=options->getStr(fi->fwoption.toLatin1().constData());
string f = options->getStr(fi->fwoption.toLatin1().constData());
if (!f.empty())
{
// "0" means "fixup" or "enable" in a pop-down menu (historical)
@ -710,13 +733,15 @@ void pixAdvancedDialog::loadFixups()
fi->switch_widget->setCurrentIndex(
translateFixupSwitchFromOptionToWidget(sw) );
/* if values are 0 in the data file, we stick with defaults. Defaults are preconfigured
* in the GUI (via appropriate settings in pix.glade file */
/* if values are 0 in the data file, we stick with defaults. Defaults
* are preconfigured in the GUI
*/
if (fi->arg1 && p1!=0) fi->arg1->setValue(p1);
if (fi->arg2 && p2!=0) fi->arg2->setValue(p2);
if (fi->arg3) fi->arg3->setChecked(arg3v);
} else {
} else
{
fi->switch_widget->setCurrentIndex(0);
}
}


@ -44,22 +44,29 @@ namespace libfwbuilder {
};
struct fixupControl {
class QComboBox *switch_widget;
class QSpinBox *arg1;
class QSpinBox *arg2;
class QCheckBox *arg3;
QString fwoption;
QString fixup_cmd;
int page; // number of the notebook page in fixup_notebook widget
bool active; // if false, then this fixup is not supported on the given version of PIX OS
fixupControl(QComboBox *s,
QSpinBox *w1,
QSpinBox *w2,
QCheckBox *w3,
const QString &o,
const QString &f,
int p)
{ switch_widget=s; arg1=w1; arg2=w2; arg3=w3; fwoption=o; fixup_cmd=f; page=p; active=true; }
class QComboBox *switch_widget;
class QSpinBox *arg1;
class QSpinBox *arg2;
class QCheckBox *arg3;
QString fwoption;
QString fixup_cmd;
int page; // number of the notebook page in fixup_notebook widget
bool active; // if false, then this fixup is not supported on the given
// version of PIX OS
fixupControl(QComboBox *s,
QSpinBox *w1,
QSpinBox *w2,
QCheckBox *w3,
const QString &o,
const QString &f,
int p)
{
switch_widget=s;
arg1=w1; arg2=w2; arg3=w3;
fwoption=o; fixup_cmd=f; page=p;
active=true;
}
};


@ -13,7 +13,7 @@
<x>0</x>
<y>0</y>
<width>829</width>
<height>592</height>
<height>596</height>
</rect>
</property>
<property name="windowTitle">
@ -82,7 +82,7 @@
<enum>QTabWidget::Rounded</enum>
</property>
<property name="currentIndex">
<number>0</number>
<number>4</number>
</property>
<property name="elideMode">
<enum>Qt::ElideNone</enum>
@ -1486,7 +1486,7 @@
<item row="0" column="0">
<widget class="QLabel" name="textLabel1_4">
<property name="text">
<string>Policy compiler generates 'fixup' commands for PIX v6.1-6.3 and FWSM v2.3. For PIX 7.0 it generates 'class-map' and 'inspect' commands assigned to the 'policy-map' under either default or custom inspection classes.</string>
<string>Policy compiler generates 'fixup' commands for PIX/ASA v6.1-6.3 and FWSM v2.3. For v7.x and v8.x it generates 'class-map' and 'inspect' commands assigned to the 'policy-map' under either default or custom inspection classes.</string>
</property>
<property name="alignment">
<set>Qt::AlignVCenter</set>
@ -1536,7 +1536,7 @@
<enum>QTabWidget::Triangular</enum>
</property>
<property name="currentIndex">
<number>18</number>
<number>19</number>
</property>
<property name="elideMode">
<enum>Qt::ElideNone</enum>
@ -1549,7 +1549,16 @@
<string>ctiqbe</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="0" column="0">
@ -1636,7 +1645,16 @@
<string>dns</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="4">
@ -1723,7 +1741,16 @@
<string>esp ike</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="2">
@ -1781,7 +1808,16 @@
<string>ftp</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="0" column="4">
@ -1888,7 +1924,16 @@
<string>h323 h225</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="6">
@ -2001,7 +2046,16 @@
<string>h323 ras</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="6">
@ -2114,7 +2168,16 @@
<string>http</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="6">
@ -2227,7 +2290,16 @@
<string>icmp error</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="2">
@ -2285,7 +2357,16 @@
<string>ils</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="6">
@ -2398,7 +2479,16 @@
<string>mgcp</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="3" column="0" colspan="3">
@ -2527,7 +2617,16 @@
<string>pptp</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="4">
@ -2614,7 +2713,16 @@
<string>rsh</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="4">
@ -2698,7 +2806,16 @@
<string>rtsp</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="4">
@ -2785,7 +2902,16 @@
<string>sip</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="6">
@ -2898,7 +3024,16 @@
<string>sip udp</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="4">
@ -2982,7 +3117,16 @@
<string>skinny</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="6">
@ -3095,7 +3239,16 @@
<string>smtp</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="6">
@ -3208,7 +3361,16 @@
<string>sqlnet</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="6">
@ -3321,7 +3483,16 @@
<string>tftp</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="leftMargin">
<number>10</number>
</property>
<property name="topMargin">
<number>10</number>
</property>
<property name="rightMargin">
<number>0</number>
</property>
<property name="bottomMargin">
<number>0</number>
</property>
<item row="1" column="0" colspan="4">
@ -3403,6 +3574,125 @@
</item>
</layout>
</widget>
<widget class="QWidget" name="tab_3">
<attribute name="title">
<string>IP options</string>
</attribute>
<layout class="QGridLayout" name="gridLayout">
<property name="horizontalSpacing">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QLabel" name="label_5">
<property name="text">
<string>End of Options List (EOOL) </string>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QComboBox" name="pix_ip_options_eool_switch">
<item>
<property name="text">
<string>skip</string>
</property>
</item>
<item>
<property name="text">
<string>allow</string>
</property>
</item>
<item>
<property name="text">
<string>drop</string>
</property>
</item>
<item>
<property name="text">
<string>clear</string>
</property>
</item>
</widget>
</item>
<item row="0" column="2" rowspan="2">
<widget class="QLabel" name="label_8">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>IP Options analysis is only available in PIX 8.2 and later and olnly EOOL, NOP and RTRALT options can be inspected. The firewall can allow IP packet with one of the options through or clear the option and then forward the packet, or drop the packet. Packets with any other option are always dropped.</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QLabel" name="label_6">
<property name="text">
<string>No Operation (NOP) </string>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QComboBox" name="pix_ip_options_nop_switch">
<item>
<property name="text">
<string>skip</string>
</property>
</item>
<item>
<property name="text">
<string>allow</string>
</property>
</item>
<item>
<property name="text">
<string>drop</string>
</property>
</item>
<item>
<property name="text">
<string>clear</string>
</property>
</item>
</widget>
</item>
<item row="2" column="0">
<widget class="QLabel" name="label_7">
<property name="text">
<string>Router Alert (RTRALT)</string>
</property>
</widget>
</item>
<item row="2" column="1">
<widget class="QComboBox" name="pix_ip_options_rtralt_switch">
<item>
<property name="text">
<string>skip</string>
</property>
</item>
<item>
<property name="text">
<string>allow</string>
</property>
</item>
<item>
<property name="text">
<string>drop</string>
</property>
</item>
<item>
<property name="text">
<string>clear</string>
</property>
</item>
</widget>
</item>
</layout>
</widget>
</widget>
</item>
<item row="3" column="0">
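Review bot: The help text in `label_8` on the new "IP options" tab has a typo (`olnly`) and describes allow, clear and drop but never says what `skip` does, although `skip` is the first item in all three combo boxes and so presumably the default. For a setting that decides whether packets carrying IP options get through the firewall, the label should state what `skip` means for the generated configuration, and the typo should read `only`. The two `currentIndex` values in this section also appear to change (to 4 and 19), which looks like Qt Designer state saved with the file rather than an intended change; resetting them keeps the dialog opening on its first tab.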


@ -10,7 +10,7 @@
<diff>fwb_pix_diff</diff>
<supported_os>pix_os</supported_os>
<versions>6.1,6.2,6.3,7.0,8.0,8.3</versions>
<versions>6.1,6.2,6.3,7.0,8.0,8.2,8.3</versions>
<options>
<default>
@ -104,7 +104,8 @@
<fixups>
<list>ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup</list>
<use_mpf>false</use_mpf>
<use_policy_map_global_policy>false</use_policy_map_global_policy>
<use_policy_map_type_inspect>false</use_policy_map_type_inspect>
</fixups>
</version_6.1>
@ -184,7 +185,8 @@
<fixups>
<list>ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,ils_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup</list>
<use_mpf>false</use_mpf>
<use_policy_map_global_policy>false</use_policy_map_global_policy>
<use_policy_map_type_inspect>false</use_policy_map_type_inspect>
</fixups>
</version_6.2>
@ -264,7 +266,8 @@
<fixups>
<list>ctiqbe_fixup,dns_fixup,espike_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,pptp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup</list>
<use_mpf>false</use_mpf>
<use_policy_map_global_policy>false</use_policy_map_global_policy>
<use_policy_map_type_inspect>false</use_policy_map_type_inspect>
</fixups>
</version_6.3>
@ -344,7 +347,9 @@
<fixups>
<list>ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup</list>
<use_mpf>true</use_mpf>
<use_policy_map_global_policy>true</use_policy_map_global_policy>
<use_policy_map_type_inspect>false</use_policy_map_type_inspect>
</fixups>
</version_7.0>
@ -425,11 +430,97 @@
<fixups>
<list>ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup</list>
<use_mpf>true</use_mpf>
<use_policy_map_global_policy>false</use_policy_map_global_policy>
<use_policy_map_type_inspect>true</use_policy_map_type_inspect>
</fixups>
</version_8.0>
<version_8.2>
<pix_emulate_out_acl>true</pix_emulate_out_acl>
<pix_include_comments>true</pix_include_comments>
<pix_use_acl_remarks>true</pix_use_acl_remarks>
<pix_add_clear_statements>true</pix_add_clear_statements>
<pix_assume_fw_part_of_any>true</pix_assume_fw_part_of_any>
<pix_floodguard_supported>false</pix_floodguard_supported>
<pix_floodguard>true</pix_floodguard>
<pix_default_logint>300</pix_default_logint>
<pix_emblem_log_format>true</pix_emblem_log_format>
<pix_rule_syslog_settings>true</pix_rule_syslog_settings>
<pix_syslog_device_id_supported>true</pix_syslog_device_id_supported>
<pix_security_fragguard_supported>false</pix_security_fragguard_supported>
<pix_route_dnat_supported>false</pix_route_dnat_supported>
<pix_outbound_acl_supported>true</pix_outbound_acl_supported>
<pix_timeout_rpc_is_sunrpc>true</pix_timeout_rpc_is_sunrpc>
<supports_mixed_service_groups>True</supports_mixed_service_groups>
<pix_commands>
<clear_acl>clear config access-list</clear_acl>
<clear_og>clear config object-group</clear_og>
<clear_icmp>clear config icmp</clear_icmp>
<clear_telnet>clear config telnet</clear_telnet>
<clear_ssh>clear config ssh</clear_ssh>
<clear_xlate>clear xlate</clear_xlate>
<clear_static>clear config static</clear_static>
<clear_global>clear config global</clear_global>
<clear_nat>clear config nat</clear_nat>
</pix_commands>
<timeouts>
<xlate_hh>3</xlate_hh>
<xlate_mm>0</xlate_mm>
<xlate_ss>0</xlate_ss>
<conn_hh>1</conn_hh>
<conn_mm>0</conn_mm>
<conn_ss>0</conn_ss>
<udp_hh>0</udp_hh>
<udp_mm>2</udp_mm>
<udp_ss>0</udp_ss>
<rpc_hh>0</rpc_hh>
<rpc_mm>10</rpc_mm>
<rpc_ss>0</rpc_ss>
<h323_hh>0</h323_hh>
<h323_mm>5</h323_mm>
<h323_ss>0</h323_ss>
<sip_hh>0</sip_hh>
<sip_mm>30</sip_mm>
<sip_ss>0</sip_ss>
<sip_media_hh>0</sip_media_hh>
<sip_media_mm>2</sip_media_mm>
<sip_media_ss>0</sip_media_ss>
<half-closed_hh>0</half-closed_hh>
<half-closed_mm>10</half-closed_mm>
<half-closed_ss>0</half-closed_ss>
<uauth_hh>2</uauth_hh>
<uauth_mm>0</uauth_mm>
<uauth_ss>0</uauth_ss>
<uauth_abs>True</uauth_abs>
<uauth_inact>False</uauth_inact>
<telnet_timeout>5</telnet_timeout>
<ssh_timeout>5</ssh_timeout>
</timeouts>
<fixups>
<list>ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup,ip_options_eool_fixup,ip_options_nop_fixup,ip_options_rtralt_fixup</list>
<use_policy_map_global_policy>false</use_policy_map_global_policy>
<use_policy_map_type_inspect>true</use_policy_map_type_inspect>
</fixups>
</version_8.2>
<version_8.3>
<pix_emulate_out_acl>true</pix_emulate_out_acl>
<pix_include_comments>true</pix_include_comments>
@ -505,8 +596,8 @@
</timeouts>
<fixups>
<list>ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup</list>
<use_mpf>true</use_mpf>
<list>ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup,ip_options_eool_fixup,ip_options_nop_fixup,ip_options_rtralt_fixup</list>
<use_policy_map_global_policy>true</use_policy_map_global_policy>
</fixups>
</version_8.3>
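Review bot: `version_8.3` now lists `ip_options_eool_fixup`, `ip_options_nop_fixup` and `ip_options_rtralt_fixup`, but its `<fixups>` block carries only `use_policy_map_global_policy` and no `use_policy_map_type_inspect`, while `version_8.0` sets `use_policy_map_type_inspect` to true without listing any ip_options fixup. If the compiler gates the `policy-map type inspect ip-options` output on that flag (the compiler code is not in this section), an 8.3 user could choose drop or clear in the dialog and silently get no corresponding command. I would add `<use_policy_map_type_inspect>true</use_policy_map_type_inspect>` to `version_8.3` if that is the intent, and put a short XML comment next to the two flags saying what each one switches on, since 7.0, 8.0/8.2 and 8.3 now use three different combinations.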


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:59 2011 PST by vadim
! Generated Tue Jan 4 17:00:29 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:59 2011 PST by vadim
! Generated Tue Jan 4 17:00:29 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:59 2011 PST by vadim
! Generated Tue Jan 4 17:00:28 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:59 2011 PST by vadim
! Generated Tue Jan 4 17:00:29 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:41 2011 PST by vadim
! Generated Tue Jan 4 17:00:10 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:41 2011 PST by vadim
! Generated Tue Jan 4 17:00:11 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:42 2011 PST by vadim
! Generated Tue Jan 4 17:00:12 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:43 2011 PST by vadim
! Generated Tue Jan 4 17:00:12 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:43 2011 PST by vadim
! Generated Tue Jan 4 17:00:13 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:44 2011 PST by vadim
! Generated Tue Jan 4 17:00:13 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:44 2011 PST by vadim
! Generated Tue Jan 4 17:00:14 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:45 2011 PST by vadim
! Generated Tue Jan 4 17:00:15 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:46 2011 PST by vadim
! Generated Tue Jan 4 17:00:15 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:47 2011 PST by vadim
! Generated Tue Jan 4 17:00:16 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:46 2011 PST by vadim
! Generated Tue Jan 4 17:00:16 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:47 2011 PST by vadim
! Generated Tue Jan 4 17:00:17 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:48 2011 PST by vadim
! Generated Tue Jan 4 17:00:18 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:49 2011 PST by vadim
! Generated Tue Jan 4 17:00:19 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:50 2011 PST by vadim
! Generated Tue Jan 4 17:00:19 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:50 2011 PST by vadim
! Generated Tue Jan 4 17:00:20 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:51 2011 PST by vadim
! Generated Tue Jan 4 17:00:21 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:52 2011 PST by vadim
! Generated Tue Jan 4 17:00:21 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:53 2011 PST by vadim
! Generated Tue Jan 4 17:00:22 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,9 +3,9 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:53 2011 PST by vadim
! Generated Tue Jan 4 17:00:23 2011 PST by vadim
!
! Compiled for pix 8.0
! Compiled for pix 8.2
! Outbound ACLs: supported
! Emulate outbound ACLs: yes
! Generating outbound ACLs: no
@ -51,13 +51,13 @@ timeout udp 0:2:0
timeout sunrpc 0:10:0
timeout h323 0:5:0
timeout sip 0:30:0
timeout sip_media 0:0:0
timeout half-closed 0:0:0
timeout uauth 2:0:0 absolute
telnet timeout -1
clear config ssh
aaa authentication ssh console LOCAL
ssh timeout -1
clear config snmp-server
no snmp-server enable traps
@ -72,10 +72,16 @@ no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
router-alert action clear
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
service-policy global_policy global
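Review bot: The expected output defines `policy-map type inspect ip-options ip-options-map`, but `class inspection_default` under `policy-map global_policy` has no `inspect ip-options ip-options-map` line, so as far as this hunk shows the map is never referenced and the selected actions would not be applied to traffic. Unless that reference is emitted somewhere outside this hunk, the compiler should add the line under the class and this fixture should expect it. The test object further down the page also stores `1` for `ip_options_nop_fixup` (drop, going by the mapping comment in the dialog code), and nothing in the output reflects that choice; a `!` comment in the generated config noting that options not listed in the map are dropped would make the result easier to audit.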


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:54 2011 PST by vadim
! Generated Tue Jan 4 17:00:23 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:55 2011 PST by vadim
! Generated Tue Jan 4 17:00:24 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:55 2011 PST by vadim
! Generated Tue Jan 4 17:00:25 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported


@ -16907,7 +16907,7 @@ no sysopt nodnsalias outbound
</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294171726" platform="pix" version="8.0" name="firewall80" comment="testing rules with broadcasts" ro="False">
<Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1294189027" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
<NAT id="id18933X29796" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -17118,24 +17118,46 @@ no sysopt nodnsalias outbound
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="conn_hh">1</Option>
<Option name="conn_mm">0</Option>
<Option name="conn_ss">0</Option>
<Option name="ctiqbe_fixup">2 2748 0 nil 0</Option>
<Option name="debug">False</Option>
<Option name="dns_fixup">2 65535 0 nil 0</Option>
<Option name="dyn_addr">False</Option>
<Option name="espike_fixup">2 0 0 nil 0</Option>
<Option name="filesystem"></Option>
<Option name="firewall_dir"></Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ftp_fixup">2 21 0 strict 0</Option>
<Option name="h323_h225_fixup">2 1720 1720 nil 0</Option>
<Option name="h323_hh">0</Option>
<Option name="h323_mm">5</Option>
<Option name="h323_ras_fixup">2 1718 1719 nil 0</Option>
<Option name="h323_ss">0</Option>
<Option name="half-closed_hh">0</Option>
<Option name="half-closed_mm">0</Option>
<Option name="half-closed_ss">0</Option>
<Option name="http_fixup">2 80 80 nil 0</Option>
<Option name="icmp_error_fixup">2 0 0 nil 0</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ils_fixup">2 389 389 nil 0</Option>
<Option name="in_out_code">True</Option>
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<Option name="ip_options_eool_fixup">0 0 0 nil 0</Option>
<Option name="ip_options_nop_fixup">1 0 0 nil 0</Option>
<Option name="ip_options_rtralt">2 0 0 nil 0</Option>
<Option name="ip_options_rtralt_fixup">3 0 0 nil 0</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">0</Option>
@ -17151,38 +17173,90 @@ no sysopt nodnsalias outbound
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pix_acl_basic">True</Option>
<Option name="pix_acl_no_clear">False</Option>
<Option name="pix_acl_substitution">False</Option>
<Option name="pix_acl_temp_addr"></Option>
<Option name="pix_add_clear_statements">True</Option>
<Option name="pix_assume_fw_part_of_any">True</Option>
<Option name="pix_check_duplicate_nat">False</Option>
<Option name="pix_check_overlapping_global_pools">True</Option>
<Option name="pix_check_overlapping_global_statics">True</Option>
<Option name="pix_check_overlapping_statics">True</Option>
<Option name="pix_check_rule_shading">False</Option>
<Option name="pix_connection_timewait">False</Option>
<Option name="pix_emb_limit">0</Option>
<Option name="pix_emblem_log_format">False</Option>
<Option name="pix_emulate_out_acl">True</Option>
<Option name="pix_epilog_script"></Option>
<Option name="pix_floodguard">False</Option>
<Option name="pix_fragguard">False</Option>
<Option name="pix_generate_out_acl">False</Option>
<Option name="pix_include_comments">True</Option>
<Option name="pix_ip_address">False</Option>
<Option name="pix_logging_buffered">False</Option>
<Option name="pix_logging_buffered_level">0</Option>
<Option name="pix_logging_console">False</Option>
<Option name="pix_logging_console_level">0</Option>
<Option name="pix_logging_timestamp">False</Option>
<Option name="pix_logging_trap_level">0</Option>
<Option name="pix_max_conns">0</Option>
<Option name="pix_nodnsalias_inbound">False</Option>
<Option name="pix_nodnsalias_outbound">False</Option>
<Option name="pix_optimize_default_nat">False</Option>
<Option name="pix_prolog_script"></Option>
<Option name="pix_regroup_commands">False</Option>
<Option name="pix_replace_natted_objects">True</Option>
<Option name="pix_resetinbound">False</Option>
<Option name="pix_resetoutside">False</Option>
<Option name="pix_route_dnat">False</Option>
<Option name="pix_set_host_name">False</Option>
<Option name="pix_ssh_timeout">0</Option>
<Option name="pix_syslog_device_id_opt"></Option>
<Option name="pix_syslog_device_id_val"></Option>
<Option name="pix_syslog_facility"></Option>
<Option name="pix_syslog_host"></Option>
<Option name="pix_syslog_queue_size">0</Option>
<Option name="pix_telnet_timeout">0</Option>
<Option name="pix_use_acl_remarks">False</Option>
<Option name="pix_use_manual_commit">False</Option>
<Option name="platform">iptables</Option>
<Option name="pptp_fixup">2 1723 0 nil 0</Option>
<Option name="proxy_arp">False</Option>
<Option name="rpc_hh">0</Option>
<Option name="rpc_mm">10</Option>
<Option name="rpc_ss">0</Option>
<Option name="rsh_fixup">2 514 0 nil 0</Option>
<Option name="rtsp_fixup">2 554 0 nil 0</Option>
<Option name="scpArgs"></Option>
<Option name="script_env_path"></Option>
<Option name="short_script">False</Option>
<Option name="sip_fixup">2 5060 5060 nil 0</Option>
<Option name="sip_hh">0</Option>
<Option name="sip_media_hh">0</Option>
<Option name="sip_media_mm">0</Option>
<Option name="sip_media_ss">0</Option>
<Option name="sip_mm">30</Option>
<Option name="sip_ss">0</Option>
<Option name="sip_udp_fixup">2 5060 0 nil 0</Option>
<Option name="skinny_fixup">2 2000 2000 nil 0</Option>
<Option name="smtp_fixup">2 25 25 nil 0</Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="sqlnet_fixup">2 1521 1521 nil 0</Option>
<Option name="sshArgs"></Option>
<Option name="ssh_timeout">5</Option>
<Option name="telnet_timeout">5</Option>
<Option name="tftp_fixup">2 69 0 nil 0</Option>
<Option name="uauth_abs">True</Option>
<Option name="uauth_hh">2</Option>
<Option name="uauth_inact">False</Option>
@ -17193,6 +17267,7 @@ no sysopt nodnsalias outbound
<Option name="udp_ss">0</Option>
<Option name="use_ip_tool">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="use_scp">False</Option>
<Option name="xlate_hh">3</Option>
<Option name="xlate_mm">0</Option>
<Option name="xlate_ss">0</Option>


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:56 2011 PST by vadim
! Generated Tue Jan 4 17:00:26 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 12:09:57 2011 PST by vadim
! Generated Tue Jan 4 17:00:27 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported