From b9a9d7a2c99c4142f9303d9ce9a82492cc039fdc Mon Sep 17 00:00:00 2001 
From: Vadim Kurland Date: Tue, 4 Jan 2011 17:05:43 -0800 Subject: [PATCH] refs #1893 fixes #1882 "inspect ip options in pix8". Added support for "policy-map type inspect ip-options" command in PIX v8.2 and later. At this time, of all possible types of "policy-map type inspect" command only "ip-options" is implemented. --- doc/ChangeLog | 6 + src/cisco_lib/OSConfigurator_pix_os.h | 5 +- .../OSConfigurator_pix_os_fixups.cpp | 294 +-------------- .../OSConfigurator_pix_os_inspectors.cpp | 177 +++++++++ .../OSConfigurator_pix_os_inspectors_pix8.cpp | 135 +++++++ src/cisco_lib/cisco_lib.pro | 6 + src/cisco_lib/inspectionClassMap.cpp | 65 ++++ src/cisco_lib/inspectionClassMap.h | 67 ++++ src/cisco_lib/inspectionProtocol.cpp | 77 ++++ src/cisco_lib/inspectionProtocol.h | 64 ++++ src/libgui/pixAdvancedDialog.cpp | 107 +++--- src/libgui/pixAdvancedDialog.h | 39 +- src/libgui/pixadvanceddialog_q.ui | 336 ++++++++++++++++-- src/res/platform/pix.xml | 107 +++++- test/pix/cluster1-1_pix1.fw.orig | 2 +- test/pix/cluster1-1_pix2.fw.orig | 2 +- test/pix/cluster1_pix1.fw.orig | 2 +- test/pix/cluster1_pix2.fw.orig | 2 +- test/pix/firewall.fw.orig | 2 +- test/pix/firewall1.fw.orig | 2 +- test/pix/firewall10.fw.orig | 2 +- test/pix/firewall11.fw.orig | 2 +- test/pix/firewall12.fw.orig | 2 +- test/pix/firewall13.fw.orig | 2 +- test/pix/firewall14.fw.orig | 2 +- test/pix/firewall2.fw.orig | 2 +- test/pix/firewall20.fw.orig | 2 +- test/pix/firewall21-1.fw.orig | 2 +- test/pix/firewall21.fw.orig | 2 +- test/pix/firewall22.fw.orig | 2 +- test/pix/firewall3.fw.orig | 2 +- test/pix/firewall33.fw.orig | 2 +- test/pix/firewall34.fw.orig | 2 +- test/pix/firewall4.fw.orig | 2 +- test/pix/firewall50.fw.orig | 2 +- test/pix/firewall6.fw.orig | 2 +- test/pix/firewall8.fw.orig | 2 +- test/pix/firewall80.fw.orig | 14 +- test/pix/firewall9.fw.orig | 2 +- test/pix/fwsm1.fw.orig | 2 +- test/pix/fwsm2.fw.orig | 2 +- test/pix/objects-for-regression-tests.fwb | 77 +++- test/pix/pix515.fw.orig | 2 +- 
test/pix/real.fw.orig | 2 +- 44 files changed, 1231 insertions(+), 401 deletions(-) create mode 100644 src/cisco_lib/OSConfigurator_pix_os_inspectors.cpp create mode 100644 src/cisco_lib/OSConfigurator_pix_os_inspectors_pix8.cpp create mode 100644 src/cisco_lib/inspectionClassMap.cpp create mode 100644 src/cisco_lib/inspectionClassMap.h create mode 100644 src/cisco_lib/inspectionProtocol.cpp create mode 100644 src/cisco_lib/inspectionProtocol.h diff --git a/doc/ChangeLog b/doc/ChangeLog index 0f896f76d..609611f8a 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,11 @@ 2011-01-04 vadim + * OSConfigurator_pix_os_inspectors_pix8.cpp (_printPolicyMapTypeInspect): + refs #1893 fixes #1882 "inspect ip options in pix8". Added support for + "policy-map type inspect ip-options" command in PIX v8.2 and later. + At this time, of all possible types of "policy-map type inspect" + command only "ip-options" is implemented. + * PIX8ObjectGroup.cpp (toString): refs #1882 "Mixed service groups in PIX8". Added pix versions 8.0 and 8.3; added support for mixed servcie groups in pix 8.0 and later. diff --git a/src/cisco_lib/OSConfigurator_pix_os.h b/src/cisco_lib/OSConfigurator_pix_os.h index ad2586376..ec6d3ea83 100644 --- a/src/cisco_lib/OSConfigurator_pix_os.h +++ b/src/cisco_lib/OSConfigurator_pix_os.h @@ -79,8 +79,9 @@ namespace fwcompiler { int arg2, bool ov); std::string _printFixups(); - std::string _printMPF(); - + std::string _printPolicyMapGlobalPolicy(); + std::string _printPolicyMapTypeInspect(); + public: virtual ~OSConfigurator_pix_os() {}; diff --git a/src/cisco_lib/OSConfigurator_pix_os_fixups.cpp b/src/cisco_lib/OSConfigurator_pix_os_fixups.cpp index 7ed7d3dd5..200112c15 100644 --- a/src/cisco_lib/OSConfigurator_pix_os_fixups.cpp +++ b/src/cisco_lib/OSConfigurator_pix_os_fixups.cpp 
@@ -122,15 +122,14 @@ string OSConfigurator_pix_os::_printFixupCommand(const string &fixup_name, string OSConfigurator_pix_os::_printFixups() { ostringstream res; - string platform=fw->getStr("platform"); - string version=fw->getStr("version"); - - FWOptions *options=fw->getOptionsObject(); + string platform = fw->getStr("platform"); + string version = fw->getStr("version"); + FWOptions *options = fw->getOptionsObject(); assert(options!=NULL); - - string lst=Resources::platform_res[platform]->getResourceStr( - "/FWBuilderResources/Target/options/version_"+version+"/fixups/list"); + string lst = Resources::platform_res[platform]->getResourceStr( + "/FWBuilderResources/Target/options/version_" + version + + "/fixups/list"); string::size_type i,j, k; i=0; 
@@ -167,283 +166,22 @@ string OSConfigurator_pix_os::_printFixups() } -/* ******************************************************************** - * - * Generating class-map, class and match commands instead of fixups - * for PIX 7.0 - * - * ********************************************************************/ - -class InspectionProtocol; -typedef enum { FIXUP_ENABLE=0, FIXUP_DISABLE=1, FIXUP_SKIP=2 } FixupTypes; - -std::map protocols; -FixupTypes fixupStatus; - -/* - * par1 and par2 are parameters for the inspection protocol. These are - * port numbers most of the time, but for some protocols the meaning - * may be different. For example for dns it is "maximum-length". - */ -class InspectionProtocol { - public: - - string name; - string printable_name; - string ip_proto; - int par1,par2; - - InspectionProtocol(const string &fn, - const string &prn, - const string &pn, - int p1, - int p2) - { - name=fn; printable_name=prn; ip_proto=pn; par1=p1; par2=p2; - if (protocols.count(fn)==0) protocols[fn]=this; - } -}; - -/* - * Default ports are defined here jsut like they are filled in the - * options by the GUI. If the GUI allows for port range, we specify - * port range here, and vice versa. Some of the cases seem to differ - * from what Cisco doc specify in the table of the default ports here - * http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_upgrade_guides09186a0080369ee2.html - * I suppose this is ok since we always can use port range map with - * "match" command even if they did not intend it to be like that by - * default. However if the GUI returned port numbers that match those - * defined in protocolDefinitions, we do not generate 'match' commands - * at all and put everything in the "inspection_default" class-map - * - * Here is how this works: constructor of the class InspectionProtocols - * adds object to map 'protocols'. 
Every initialization of an object - * of this class in array protocolDefinitions calls constructor and - * therefore creates an entry in the map 'protocols'. It is done this - * way because we can statically initialize an array but cant initialize - * std::map (at least I do not know how) - * - * Note: in PIX 7.0 inspector that corresponds to fixup 'smtp' is - * called 'esmtp' - */ -InspectionProtocol protocolDefinitions[] = -{ - InspectionProtocol("ctiqbe", "ctiqbe", "tcp", 2748, 0 ), - InspectionProtocol("dns", "dns", "udp", 53, 0 ), - InspectionProtocol("ftp", "ftp", "tcp", 21, 0 ), - InspectionProtocol("gtp", "gtp", "udp", 2123, 3386 ), - InspectionProtocol("h323_h225", "h323 h225", "tcp", 1720, 1720 ), - InspectionProtocol("h323_ras", "h323 ras", "udp", 1718, 1719 ), - InspectionProtocol("http", "http", "tcp", 80, 80 ), - InspectionProtocol("icmp_error","icmp", "icmp", 0, 0 ), - InspectionProtocol("ils", "ils", "tcp", 389, 389 ), - InspectionProtocol("mgcp", "mgcp", "udp", 2427, 2727 ), - InspectionProtocol("netbios", "netbios", "udp", 137, 138 ), - InspectionProtocol("rpc", "rpc", "udp", 111, 0 ), - InspectionProtocol("rsh", "rsh", "tcp", 514, 0 ), - InspectionProtocol("rtsp", "rtsp", "tcp", 554, 0 ), - InspectionProtocol("sip", "sip", "tcp", 5060, 5060 ), - InspectionProtocol("sip_udp", "sip", "udp", 5060, 0 ), - InspectionProtocol("skinny", "skinny", "tcp", 2000, 2000 ), - InspectionProtocol("smtp", "esmtp", "tcp", 25, 25 ), - InspectionProtocol("sqlnet", "sqlnet", "tcp", 1521, 1521 ), - InspectionProtocol("tftp", "tftp", "udp", 69, 0 ), - InspectionProtocol("xdmcp", "xdmcp", "udp", 177, 0 ), -}; - - -/* - * status: - * 0: enable - * 1: disable - * 2: skip - */ -class InspectionClassMap { - public: - - string class_map_name; - string fixup_name; - string inspect_name; - int status; - int port1,port2; - string arg_name; - int arg_val; - - InspectionClassMap(const string &fn,int s,int p1,int p2,const string &a,int v) - { - status=s; port1=p1; port2=p2; 
arg_name=a; arg_val=v; - string ss = fn; - string::size_type k; - while ( (k=ss.find(" "))!=string::npos ) - ss.replace(k,1,1,'_'); - inspect_name = ss; - fixup_name = fn; - class_map_name = string("custom_")+ss+string("_inspection"); - } - - bool isDefault(); - string getIPProtocol(); - string getPrintableName(); - string getMatchCommand(); -}; - -std::list defaultClassMaps; -std::list customClassMaps; -std::map DefaultInspectionInspectStatements; -std::map CustomInspectionInspectStatements; - -bool InspectionClassMap::isDefault() -{ - InspectionProtocol *ip = protocols[fixup_name]; - if (ip!=NULL) return (ip->par1==port1 && ip->par2==port2); - return false; -} - -string InspectionClassMap::getIPProtocol() -{ - InspectionProtocol *ip = protocols[fixup_name]; - if (ip!=NULL) return ip->ip_proto; - return ""; -} - -string InspectionClassMap::getPrintableName() -{ - InspectionProtocol *ip = protocols[fixup_name]; - if (ip!=NULL) return ip->printable_name; - return ""; -} - -string InspectionClassMap::getMatchCommand() -{ - ostringstream res; - res << "match port " << getIPProtocol() << " "; - if (port1!=0 && port2==0) - res << "eq " << port1; - if (port1!=0 && port1==port2) - res << "eq " << port1; - if (port1!=0 && port2!=0 && port1!=port2) - res << "range " << port1 << " " << port2; - res << endl; - return res.str(); -} - -string OSConfigurator_pix_os::_printMPF() -{ - ostringstream res; - string platform=fw->getStr("platform"); - string version=fw->getStr("version"); - - FWOptions *options=fw->getOptionsObject(); - assert(options!=NULL); - - string lst=Resources::platform_res[platform]->getResourceStr( - "/FWBuilderResources/Target/options/version_"+version+"/fixups/list"); - - defaultClassMaps.clear(); - customClassMaps.clear(); - DefaultInspectionInspectStatements.clear(); - CustomInspectionInspectStatements.clear(); - - string::size_type i,j; - i=0; - while ( igetStr(fixup_xml_element); - - if (!f.empty()) - { - string fixup_name=fixup_xml_element.substr(0, 
fixup_xml_element.find("_fixup") ); - - int status; - int p1,p2; - string an; - int av; - istringstream str(f); - - str >> status >> p1 >> p2 >> an >> av; - -/* We should really fix this in the GUI and pass max length parameter - * as an/av rather than as port p1 - */ - if (fixup_name=="dns" && p1!=0) { an="maximum-length"; av=p1; p1=53; } - - InspectionClassMap cm(fixup_name,status,p1,p2,an,av); - if (cm.isDefault()) defaultClassMaps.push_back(cm); - else customClassMaps.push_back(cm); - } - if (j==string::npos) break; - } - - res << "class-map inspection_default" << endl; - res << " match default-inspection-traffic" << endl; - res << endl; - - std::list::iterator i1; - - if (customClassMaps.size()>0) - { - for (i1=customClassMaps.begin(); i1!=customClassMaps.end(); i1++) - { - res << "class-map " << i1->class_map_name << endl; - res << " " << i1->getMatchCommand() << endl; - } - res << endl; - } - - res << "policy-map global_policy" << endl; - if (defaultClassMaps.size()>0) - { - res << " class inspection_default" << endl; - for (i1=defaultClassMaps.begin(); i1!=defaultClassMaps.end(); i1++) - { - string pn = i1->getPrintableName(); - if (i1->status!=FIXUP_SKIP && - DefaultInspectionInspectStatements[pn]!=1) - { - res << " "; - if (i1->status==FIXUP_DISABLE) res << "no "; - res << "inspect " << pn << endl; - DefaultInspectionInspectStatements[pn]=1; - } - } - } - if (customClassMaps.size()>0) - { - for (i1=customClassMaps.begin(); i1!=customClassMaps.end(); i1++) - { - string pn = i1->getPrintableName(); - if (i1->status!=FIXUP_SKIP && - CustomInspectionInspectStatements[pn]!=1) - { - res << " class " << i1->class_map_name << endl; - res << " "; - if (i1->status==FIXUP_DISABLE) res << "no "; - res << "inspect " << i1->getPrintableName() << endl; - CustomInspectionInspectStatements[pn]=1; - } - } - } - res << endl; - - res << "service-policy global_policy global" << endl; - - return res.str(); -} string OSConfigurator_pix_os::getProtocolInspectionCommands() { - 
string platform=fw->getStr("platform"); - string version=fw->getStr("version"); + string platform = fw->getStr("platform"); + string version = fw->getStr("version"); if (Resources::platform_res[platform]->getResourceBool( - "/FWBuilderResources/Target/options/version_"+version+"/fixups/use_mpf")) - return _printMPF(); + "/FWBuilderResources/Target/options/version_" + version + + "/fixups/use_policy_map_global_policy")) + return _printPolicyMapGlobalPolicy(); + + if (Resources::platform_res[platform]->getResourceBool( + "/FWBuilderResources/Target/options/version_" + version + + "/fixups/use_policy_map_type_inspect")) + return _printPolicyMapTypeInspect(); return _printFixups(); } diff --git a/src/cisco_lib/OSConfigurator_pix_os_inspectors.cpp b/src/cisco_lib/OSConfigurator_pix_os_inspectors.cpp new file mode 100644 index 000000000..7bed1934e --- /dev/null +++ b/src/cisco_lib/OSConfigurator_pix_os_inspectors.cpp 
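Review bot: The rewritten `getProtocolInspectionCommands` tests `use_policy_map_global_policy` before `use_policy_map_type_inspect`, so a version whose resource entry sets both flags returns from the first branch and `_printPolicyMapTypeInspect` — and with it the whole ip-options policy map — is silently never generated. Since `_printPolicyMapTypeInspect` already calls `_printPolicyMapGlobalPolicy` itself, the more specific flag is the one that should be tested first; the pix.xml changes are outside this excerpt, so whether any version currently sets both is not visible here. Swapping the two `if` blocks and adding `// type_inspect implies global_policy output; check it first` makes the precedence explicit instead of depending on the resource file.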
@@ -0,0 +1,177 @@ +/* + + Firewall Builder + + Copyright (C) 2002-2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + + +#include "OSConfigurator_pix_os.h" +#include "inspectionProtocol.h" +#include "inspectionClassMap.h" + +#include "fwbuilder/Resources.h" +#include "fwbuilder/Firewall.h" +#include "fwbuilder/FWOptions.h" +#include "fwbuilder/Interface.h" +#include "fwbuilder/Management.h" +#include "fwbuilder/Resources.h" + +#include +#include + +#include +#include +#include +#include +#include + +using namespace libfwbuilder; +using namespace fwcompiler; +using namespace std; + + +/* ******************************************************************** + * + * Generating class-map, class and match commands instead of fixups + * for PIX 7.0 + * + * ********************************************************************/ + + +string OSConfigurator_pix_os::_printPolicyMapGlobalPolicy() +{ + ostringstream res; + string platform = fw->getStr("platform"); + string version = fw->getStr("version"); + string vers = "version_" + version; + FWOptions *options = fw->getOptionsObject(); + assert(options!=NULL); + + std::list defaultClassMaps; + std::list customClassMaps; + std::map DefaultInspectionInspectStatements; + std::map CustomInspectionInspectStatements; + + + QStringList 
allowed_fixups = + QString(Resources::platform_res[platform]->getResourceStr( + "/FWBuilderResources/Target/options/" + vers + + "/fixups/list").c_str()).split(","); + + defaultClassMaps.clear(); + customClassMaps.clear(); + DefaultInspectionInspectStatements.clear(); + CustomInspectionInspectStatements.clear(); + + foreach (QString fixup_xml_element, allowed_fixups) + { + string f = options->getStr(fixup_xml_element.toAscii().constData()); + + if (!f.empty()) + { + QString fixup_name = fixup_xml_element.replace("_fixup", ""); + + int status; + int p1,p2; + string an; + int av; + istringstream str(f); + + str >> status >> p1 >> p2 >> an >> av; + +/* We should really fix this in the GUI and pass max length parameter + * as an/av rather than as port p1 + */ + if (fixup_name == "dns" && p1 != 0) + { + an = "maximum-length"; + av = p1; + p1 = 53; + } + + if (fixup_name.startsWith("ip_options")) + { + continue; + } + + InspectionClassMap cm(fixup_name.toAscii().constData(), + status, p1, p2, an, av); + if (cm.isDefault()) defaultClassMaps.push_back(cm); + else customClassMaps.push_back(cm); + } + } + + res << "class-map inspection_default" << endl; + res << " match default-inspection-traffic" << endl; + res << endl; + + std::list::iterator i1; + + if (customClassMaps.size()>0) + { + for (i1=customClassMaps.begin(); i1!=customClassMaps.end(); i1++) + { + res << "class-map " << i1->class_map_name << endl; + res << " " << i1->getMatchCommand() << endl; + } + res << endl; + } + + res << "policy-map global_policy" << endl; + if (defaultClassMaps.size()>0) + { + res << " class inspection_default" << endl; + for (i1=defaultClassMaps.begin(); i1!=defaultClassMaps.end(); i1++) + { + string pn = i1->getPrintableName(); + if (i1->status!=FIXUP_SKIP && + DefaultInspectionInspectStatements[pn]!=1) + { + res << " "; + if (i1->status==FIXUP_DISABLE) res << "no "; + res << "inspect " << pn << endl; + DefaultInspectionInspectStatements[pn]=1; + } + } + } + if (customClassMaps.size()>0) 
+ { + for (i1=customClassMaps.begin(); i1!=customClassMaps.end(); i1++) + { + string pn = i1->getPrintableName(); + if (i1->status!=FIXUP_SKIP && + CustomInspectionInspectStatements[pn]!=1) + { + res << " class " << i1->class_map_name << endl; + res << " "; + if (i1->status==FIXUP_DISABLE) res << "no "; + res << "inspect " << i1->getPrintableName() << endl; + CustomInspectionInspectStatements[pn]=1; + } + } + } + res << endl; + + res << "service-policy global_policy global" << endl; + + return res.str(); +} + + diff --git a/src/cisco_lib/OSConfigurator_pix_os_inspectors_pix8.cpp b/src/cisco_lib/OSConfigurator_pix_os_inspectors_pix8.cpp new file mode 100644 index 000000000..df2047ca8 --- /dev/null +++ b/src/cisco_lib/OSConfigurator_pix_os_inspectors_pix8.cpp 
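Review bot: `status`, `p1`, `p2` and `av` are declared without initializers and the extraction `str >> status >> p1 >> p2 >> an >> av;` is never checked, so a truncated or malformed `*_fixup` option string (the value is read back from the saved firewall object) leaves them indeterminate and those values flow straight into the `class-map` and `match port` lines of the generated configuration. Initialize them and skip entries that do not parse, e.g. `int status = FIXUP_SKIP, p1 = 0, p2 = 0, av = 0;` followed by `if (!(str >> status >> p1 >> p2)) continue;` and then `str >> an >> av;`. The four `.clear()` calls on `defaultClassMaps`, `customClassMaps` and the two maps are no-ops now that these are freshly constructed locals rather than the old file-scope globals, and can be dropped.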
@@ -0,0 +1,135 @@ +/* + + Firewall Builder + + Copyright (C) 2002-2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + + +#include "OSConfigurator_pix_os.h" +#include "Helper.h" +#include "inspectionProtocol.h" +#include "inspectionClassMap.h" + +#include "fwbuilder/Resources.h" +#include "fwbuilder/Firewall.h" +#include "fwbuilder/FWOptions.h" +#include "fwbuilder/Interface.h" +#include "fwbuilder/Management.h" +#include "fwbuilder/Resources.h" + +#include +#include + +#include +#include +#include +#include +#include + +using namespace libfwbuilder; +using namespace fwcompiler; +using namespace std; + + +/* ******************************************************************** + * + * Generating policy-map type inspect commands for PIX 8.0 + * + * ********************************************************************/ + + + +string OSConfigurator_pix_os::_printPolicyMapTypeInspect() +{ + ostringstream res; + string platform = fw->getStr("platform"); + string version = fw->getStr("version"); + string vers = "version_" + version; + FWOptions *options = fw->getOptionsObject(); + assert(options!=NULL); + + // first, generate commands for ip-options + + QStringList allowed_fixups = + QString(Resources::platform_res[platform]->getResourceStr( + 
"/FWBuilderResources/Target/options/" + vers + + "/fixups/list").c_str()).split(","); + + list ip_options_matches; + + foreach (QString fixup_xml_element, allowed_fixups) + { + string f = options->getStr(fixup_xml_element.toAscii().constData()); + + if (!f.empty()) + { + QString fixup_name = fixup_xml_element.replace("_fixup", ""); + + int status; + int p1,p2; + string an; + int av; + istringstream str(f); + + str >> status >> p1 >> p2 >> an >> av; + + if (fixup_name.startsWith("ip_options") && status != FIXUP_SKIP) + { + InspectionClassMap cm(fixup_name.toAscii().constData(), + status, p1, p2, an, av); + ip_options_matches.push_back(cm); + } + } + } + + if (ip_options_matches.size() > 0) + { + res << "policy-map type inspect ip-options ip-options-map" << endl; + res << "parameters" << endl; + + for(list::iterator i=ip_options_matches.begin(); + i!=ip_options_matches.end(); ++i) + { + + switch (i->status) + { + case FIXUP_ENABLE: + res << " " << i->getPrintableName() << " action "; + res << "allow" << endl; + break; + case FIXUP_CLEAR: + res << " " << i->getPrintableName() << " action "; + res << "clear" << endl; + break; + default: + break; + } + } + } + + res << endl; + + // now generate class-map and "policy-map global_policy" commands + res << _printPolicyMapGlobalPolicy(); + + return res.str(); +} + + diff --git a/src/cisco_lib/cisco_lib.pro b/src/cisco_lib/cisco_lib.pro index 780d078e6..1cc1e9875 100644 --- a/src/cisco_lib/cisco_lib.pro +++ b/src/cisco_lib/cisco_lib.pro @@ -11,6 +11,8 @@ SOURCES = PolicyCompiler_cisco.cpp \ RoutingCompiler_cisco_writers.cpp \ ACL.cpp \ Helper.cpp \ + inspectionProtocol.cpp \ + InspectionClassMap.cpp \ OSConfigurator_ios.cpp \ CompilerDriver_iosacl.cpp \ CompilerDriver_iosacl_run.cpp \ 
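Review bot: The `ip-options-map` policy map generated here is never referenced: nothing in this function emits `inspect ip-options ip-options-map`, and `_printPolicyMapGlobalPolicy` explicitly `continue`s past the `ip_options_*` fixups, so unless the reference is produced somewhere outside this excerpt the device defines the map and applies none of it — the administrator believes EOOL/NOP/router-alert handling is enforced while the ASA/PIX 8.x inspection policy stays inert, because a `policy-map type inspect` only takes effect when a class references it. The cleanest place for the reference is under `class inspection_default` in `_printPolicyMapGlobalPolicy`, but a self-contained fix inside this function can re-enter the global policy after it has been printed, as shown below. Minor: `res << "parameters" << endl;` is the only sub-command written without a leading space, unlike the `action` lines that follow it.
```cpp
    // now generate class-map and "policy-map global_policy" commands
    res << _printPolicyMapGlobalPolicy();

    // A "policy-map type inspect" has no effect until a class references it;
    // re-enter the global policy and attach the map to the default class.
    if (ip_options_matches.size() > 0)
    {
        res << "policy-map global_policy" << endl;
        res << " class inspection_default" << endl;
        res << "  inspect ip-options ip-options-map" << endl;
        res << endl;
    }

    return res.str();
```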
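Review bot: The new SOURCES entry is `InspectionClassMap.cpp` with a capital I, but the file this commit creates is `src/cisco_lib/inspectionClassMap.cpp` (see the `create mode` lines and the diff header below), and the HEADERS hunk later in this file adds `InspectionClassMap.h` with the same mismatch; on a case-sensitive filesystem qmake emits a rule for a file that does not exist and cisco_lib will not build. The fix is `inspectionClassMap.cpp \` here and `inspectionClassMap.h \` in HEADERS, matching the sibling `inspectionProtocol.*` entries that are already lowercase.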
@@ -24,6 +26,8 @@ SOURCES = PolicyCompiler_cisco.cpp \ NATCompiler_pix_writers.cpp \ OSConfigurator_pix_os.cpp \ OSConfigurator_pix_os_fixups.cpp \ + OSConfigurator_pix_os_inspectors.cpp \ + OSConfigurator_pix_os_inspectors_pix8.cpp \ CompilerDriver_procurve_acl.cpp \ CompilerDriver_procurve_acl_run.cpp \ OSConfigurator_procurve.cpp \ @@ -44,6 +48,8 @@ SOURCES = PolicyCompiler_cisco.cpp \ HEADERS = ../../config.h \ ACL.h \ Helper.h \ + inspectionProtocol.h \ + InspectionClassMap.h \ PolicyCompiler_cisco.h \ RoutingCompiler_cisco.h \ CompilerDriver_iosacl.h \ diff --git a/src/cisco_lib/inspectionClassMap.cpp b/src/cisco_lib/inspectionClassMap.cpp new file mode 100644 index 000000000..46cdde0bd --- /dev/null +++ b/src/cisco_lib/inspectionClassMap.cpp 
@@ -0,0 +1,65 @@ +/* + + Firewall Builder + + Copyright (C) 2002-2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + +#include "inspectionClassMap.h" +#include "inspectionProtocol.h" + +#include + +using namespace std; + +bool InspectionClassMap::isDefault() +{ + InspectionProtocol *ip = InspectionProtocol::protocols[fixup_name]; + if (ip!=NULL) return (ip->par1==port1 && ip->par2==port2); + return false; +} + +string InspectionClassMap::getIPProtocol() +{ + InspectionProtocol *ip = InspectionProtocol::protocols[fixup_name]; + if (ip!=NULL) return ip->ip_proto; + return ""; +} + +string InspectionClassMap::getPrintableName() +{ + InspectionProtocol *ip = InspectionProtocol::protocols[fixup_name]; + if (ip!=NULL) return ip->printable_name; + return ""; +} + +string InspectionClassMap::getMatchCommand() +{ + ostringstream res; + res << "match port " << getIPProtocol() << " "; + if (port1!=0 && port2==0) + res << "eq " << port1; + if (port1!=0 && port1==port2) + res << "eq " << port1; + if (port1!=0 && port2!=0 && port1!=port2) + res << "range " << port1 << " " << port2; + res << endl; + return res.str(); +} + diff --git a/src/cisco_lib/inspectionClassMap.h b/src/cisco_lib/inspectionClassMap.h new file mode 100644 index 000000000..60c6c6d13 --- /dev/null 
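Review bot: `getMatchCommand` has no branch for `port1 == 0`, so a class map whose port was left at zero produces the incomplete line `match port tcp ` which the device rejects, leaving the preceding `class-map custom_*_inspection` with no match criterion at all. A guard such as `if (port1 == 0) return "";`, with the caller skipping class maps that yield an empty match command, avoids emitting it; bounding the values with `port2 <= 65535` would round out the validation since both ports come from a parsed option string. Separately, the three lookups use `InspectionProtocol::protocols[fixup_name]`, which inserts a NULL entry into the shared static map for every unknown fixup name queried; `find()` is the side-effect-free form and the `ip != NULL` checks stay as they are.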
+++ b/src/cisco_lib/inspectionClassMap.h @@ -0,0 +1,67 @@ +/* + + Firewall Builder + + Copyright (C) 2002-2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + +#ifndef INSPECTION_CLASS_MAP_HH +#define INSPECTION_CLASS_MAP_HH + + +#include + +/* + * status: + * 0: enable + * 1: disable + * 2: skip + */ +class InspectionClassMap { + +public: + + std::string class_map_name; + std::string fixup_name; + std::string inspect_name; + int status; + int port1,port2; + std::string arg_name; + int arg_val; + + InspectionClassMap(const std::string &fn,int s,int p1,int p2, + const std::string &a,int v) + { + status=s; port1=p1; port2=p2; arg_name=a; arg_val=v; + std::string ss = fn; + std::string::size_type k; + while ( (k=ss.find(" ")) != std::string::npos ) + ss.replace(k,1,1,'_'); + inspect_name = ss; + fixup_name = fn; + class_map_name = std::string("custom_") + ss + std::string("_inspection"); + } + + bool isDefault(); + std::string getIPProtocol(); + std::string getPrintableName(); + std::string getMatchCommand(); +}; + +#endif diff --git a/src/cisco_lib/inspectionProtocol.cpp b/src/cisco_lib/inspectionProtocol.cpp new file mode 100644 index 000000000..4e28a80af --- /dev/null +++ b/src/cisco_lib/inspectionProtocol.cpp 
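Review bot: The header comment `status: 0: enable 1: disable 2: skip` is already out of date in this commit, which introduces `FIXUP_CLEAR=3` in inspectionProtocol.h, and `int status;` accepts any value, so a reader cannot tell from this file that 3 means "action clear" and is meaningful only for the ip-options entries. Declaring the field as `FixupTypes status;` (with the matching constructor parameter and an `#include "inspectionProtocol.h"`) and rewriting the comment as `// status: FIXUP_ENABLE, FIXUP_DISABLE, FIXUP_SKIP or FIXUP_CLEAR (ip-options only); see inspectionProtocol.h` keeps the two files in step. The class holds only plain values, so the default copy semantics the `std::list` containers rely on are fine and need no special members.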
@@ -0,0 +1,77 @@ +/* + + Firewall Builder + + Copyright (C) 2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + + +#include "inspectionProtocol.h" + +std::map InspectionProtocol::protocols; + +/* + * Default ports are defined here jsut like they are filled in the + * options by the GUI. If the GUI allows for port range, we specify + * port range here, and vice versa. Some of the cases seem to differ + * from what Cisco doc specify in the table of the default ports here + * http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_upgrade_guides09186a0080369ee2.html + * I suppose this is ok since we always can use port range map with + * "match" command even if they did not intend it to be like that by + * default. However if the GUI returned port numbers that match those + * defined in protocolDefinitions, we do not generate 'match' commands + * at all and put everything in the "inspection_default" class-map + * + * Here is how this works: constructor of the class InspectionProtocols + * adds object to map 'protocols'. Every initialization of an object + * of this class in array protocolDefinitions calls constructor and + * therefore creates an entry in the map 'protocols'. 
It is done this + * way because we can statically initialize an array but cant initialize + * std::map (at least I do not know how) + * + * Note: in PIX 7.0 inspector that corresponds to fixup 'smtp' is + * called 'esmtp' + */ +InspectionProtocol protocolDefinitions[] = +{ + InspectionProtocol("ctiqbe", "ctiqbe", "tcp", 2748, 0 ), + InspectionProtocol("dns", "dns", "udp", 53, 0 ), + InspectionProtocol("ftp", "ftp", "tcp", 21, 0 ), + InspectionProtocol("gtp", "gtp", "udp", 2123, 3386 ), + InspectionProtocol("h323_h225", "h323 h225", "tcp", 1720, 1720 ), + InspectionProtocol("h323_ras", "h323 ras", "udp", 1718, 1719 ), + InspectionProtocol("http", "http", "tcp", 80, 80 ), + InspectionProtocol("icmp_error","icmp", "icmp", 0, 0 ), + InspectionProtocol("ils", "ils", "tcp", 389, 389 ), + InspectionProtocol("mgcp", "mgcp", "udp", 2427, 2727 ), + InspectionProtocol("netbios", "netbios", "udp", 137, 138 ), + InspectionProtocol("rpc", "rpc", "udp", 111, 0 ), + InspectionProtocol("rsh", "rsh", "tcp", 514, 0 ), + InspectionProtocol("rtsp", "rtsp", "tcp", 554, 0 ), + InspectionProtocol("sip", "sip", "tcp", 5060, 5060 ), + InspectionProtocol("sip_udp", "sip", "udp", 5060, 0 ), + InspectionProtocol("skinny", "skinny", "tcp", 2000, 2000 ), + InspectionProtocol("smtp", "esmtp", "tcp", 25, 25 ), + InspectionProtocol("sqlnet", "sqlnet", "tcp", 1521, 1521 ), + InspectionProtocol("tftp", "tftp", "udp", 69, 0 ), + InspectionProtocol("xdmcp", "xdmcp", "udp", 177, 0 ), + InspectionProtocol("ip_options_eool", "eool","", 0, 0 ), + InspectionProtocol("ip_options_nop", "nop", "", 0, 0 ), + InspectionProtocol("ip_options_rtralt", "router-alert", "", 0, 0 ), +}; diff --git a/src/cisco_lib/inspectionProtocol.h b/src/cisco_lib/inspectionProtocol.h new file mode 100644 index 000000000..ab23e26b0 --- /dev/null +++ b/src/cisco_lib/inspectionProtocol.h 
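Review bot: Correctness of the registry depends on `std::map InspectionProtocol::protocols;` being defined above `protocolDefinitions[]` in this translation unit, because each array element's constructor runs `protocols[fn] = this` during static initialization; moving the map definition below the array, or constructing an `InspectionProtocol` from another TU's static initializer, would touch a map that has not been constructed yet. That constraint is not written down, so add above the map `// Must precede protocolDefinitions[]: the array's constructors insert into this map at static-init time`. The three new `ip_options_*` entries also carry an empty `ip_proto` and zero ports, which makes `isDefault()` true for them (when their option string parses as 0/0) and would make `getMatchCommand()` emit `match port  `; the comment block should state that they are consumed only by `_printPolicyMapTypeInspect` and must never become class maps.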
@@ -0,0 +1,64 @@ +/* + + Firewall Builder + + Copyright (C) 2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + +#ifndef INSPECTION_PROTOCOL_HH +#define INSPECTION_PROTOCOL_HH + +#include +#include + +typedef enum { FIXUP_ENABLE=0, FIXUP_DISABLE=1, FIXUP_SKIP=2, FIXUP_CLEAR=3 } FixupTypes; + +/* + * par1 and par2 are parameters for the inspection protocol. These are + * port numbers most of the time, but for some protocols the meaning + * may be different. For example for dns it is "maximum-length". + */ +class InspectionProtocol { +public: + + std::string name; + std::string printable_name; + std::string ip_proto; + int par1,par2; + + static std::map protocols; + + InspectionProtocol(const std::string &fn, + const std::string &prn, + const std::string &pn, + int p1, + int p2) + { + name = fn; + printable_name = prn; + ip_proto = pn; + par1 = p1; + par2 = p2; + if (protocols.count(fn)==0) protocols[fn] = this; + } +}; + +extern InspectionProtocol protocolDefinitions[]; + +#endif diff --git a/src/libgui/pixAdvancedDialog.cpp b/src/libgui/pixAdvancedDialog.cpp index 0e2baa315..36f313408 100644 --- a/src/libgui/pixAdvancedDialog.cpp +++ b/src/libgui/pixAdvancedDialog.cpp 
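Review bot: `FIXUP_CLEAR=3` is added to `FixupTypes` without a comment, and the only consumer that distinguishes it is the `switch` in `_printPolicyMapTypeInspect`; `_printPolicyMapGlobalPolicy` tests only `!= FIXUP_SKIP` and `== FIXUP_DISABLE`, so a CLEAR status on any non-ip-options fixup is emitted as a plain `inspect` line. A comment such as `// FIXUP_CLEAR: ip-options "action clear"; other generators treat it like FIXUP_ENABLE` on the enum makes that explicit. The constructor also silently keeps the first registration for a duplicate name and stores a raw `this` pointer that is only valid because `protocolDefinitions[]` has static storage duration; both facts belong in the comment above the constructor, e.g. `// registers *this in 'protocols' (first definition wins); only instantiate with static storage duration`.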
@@ -473,19 +473,43 @@ pixAdvancedDialog::pixAdvancedDialog(QWidget*parent, FWObject *o) NULL, "tftp_fixup", "tftp", 18)); - string lst=Resources::platform_res[platform]->getResourceStr( - "/FWBuilderResources/Target/options/"+vers+"/fixups/list"); + allFixups.push_back(fixupControl( + m_dialog->pix_ip_options_eool_switch, + NULL, + NULL, + NULL, + "ip_options_eool_fixup", "IP options", 19)); + + allFixups.push_back(fixupControl( + m_dialog->pix_ip_options_nop_switch, + NULL, + NULL, + NULL, + "ip_options_nop_fixup", "IP options", 20)); + + allFixups.push_back(fixupControl( + m_dialog->pix_ip_options_rtralt_switch, + NULL, + NULL, + NULL, + "ip_options_rtralt_fixup", "IP options", 21)); + + QStringList allowed_fixups = + QString(Resources::platform_res[platform]->getResourceStr( + "/FWBuilderResources/Target/options/" + vers + + "/fixups/list").c_str()).split(","); if (fwbdebug) - qDebug("pixAdvancedDialog::pixAdvancedDialog lst = %s",lst.c_str()); + qDebug() << "pixAdvancedDialog::pixAdvancedDialog allowed_fixups:" + << allowed_fixups; for (list::iterator fi=allFixups.begin(); fi!=allFixups.end(); fi++) { if (fwbdebug) - qDebug("pixAdvancedDialog::pixAdvancedDialog fwopt = %s", - fi->fwoption.toAscii().constData()); + qDebug() << "pixAdvancedDialog::pixAdvancedDialog fwopt:" + << fi->fwoption; if (fi->switch_widget!=NULL) connect( fi->switch_widget, SIGNAL(activated(int)), @@ -500,22 +524,11 @@ pixAdvancedDialog::pixAdvancedDialog(QWidget*parent, FWObject *o) if (fi->arg3!=NULL) connect( fi->arg3, SIGNAL(clicked()), this, SLOT(fixupCmdChanged())); - string::size_type i,j; - i=0; - bool present=false; - while ( ifwoption) - { present=true; break; } - if (j==string::npos) break; - i=j+1; - } - if (!present) - { - fi->active=false; - m_dialog->fixup_notebook->setTabEnabled( fi->page, false); - } + bool active = allowed_fixups.contains(fi->fwoption); + + fi->active = active; + m_dialog->fixup_notebook->setTabEnabled( fi->page, active); + } /* page Logging */ 
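Review bot: The three new `fixupControl` entries hard-code notebook pages 19, 20 and 21 and pass the label `"IP options"` in the `fixup_cmd` slot where every existing entry passes the command keyword (`"tftp"` on the context line), so anything that emits or matches on `fixup_cmd` would treat all three alike; if that field is unused for the 8.x switch-only fixups, say so on the first entry, e.g. `// fixup_cmd is unused for ip_options entries; page index must match the tab order in pixadvanceddialog_q.ui`. In the second hunk `allowed_fixups.contains(fi->fwoption)` is an exact, case-sensitive match, so a stray space in the resource list silently disables a tab; trimming each entry after `split(",")`, or a `qDebug()` line when a registered fixup is not in the list, would make that failure visible instead of silent. The constructor `pixAdvancedDialog::pixAdvancedDialog` starts and ends outside these hunks.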
@@ -605,11 +618,13 @@ pixAdvancedDialog::pixAdvancedDialog(QWidget*parent, FWObject *o) m_dialog->fragguard->setEnabled( Resources::platform_res[platform]->getResourceBool( - "/FWBuilderResources/Target/options/"+vers+"/pix_security_fragguard_supported")); + "/FWBuilderResources/Target/options/" + vers + + "/pix_security_fragguard_supported")); m_dialog->route_dnat->setEnabled( Resources::platform_res[platform]->getResourceBool( - "/FWBuilderResources/Target/options/"+vers+"/pix_route_dnat_supported")); + "/FWBuilderResources/Target/options/" + vers + + "/pix_route_dnat_supported")); data.registerOption( m_dialog->fragguard, fwoptions, "pix_fragguard"); data.registerOption( m_dialog->route_dnat, fwoptions, "pix_route_dnat"); @@ -617,10 +632,13 @@ pixAdvancedDialog::pixAdvancedDialog(QWidget*parent, FWObject *o) data.registerOption( m_dialog->resetinbound, fwoptions, "pix_resetinbound"); data.registerOption( m_dialog->resetoutside, fwoptions, "pix_resetoutside"); - data.registerOption( m_dialog->connection_timewait, fwoptions, "pix_connection_timewait"); + data.registerOption( m_dialog->connection_timewait, fwoptions, + "pix_connection_timewait"); data.registerOption( m_dialog->floodguard, fwoptions, "pix_floodguard"); - data.registerOption( m_dialog->nodnsalias_inbound, fwoptions, "pix_nodnsalias_inbound"); - data.registerOption( m_dialog->nodnsalias_outbound, fwoptions, "pix_nodnsalias_outbound"); + data.registerOption( m_dialog->nodnsalias_inbound, fwoptions, + "pix_nodnsalias_inbound"); + data.registerOption( m_dialog->nodnsalias_outbound, fwoptions, + "pix_nodnsalias_outbound"); data.registerOption( m_dialog->max_conns, fwoptions, "pix_max_conns"); data.registerOption( m_dialog->emb_limit, fwoptions, "pix_emb_limit"); 
@@ -639,22 +657,27 @@ pixAdvancedDialog::~pixAdvancedDialog() } /* - * items in the switch_widget (QComboBox) are layed out as follows: + * items in the switch_widget (QComboBox) | values in FirewallOptions object + * | + * Skip (item 0) | 2 + * Enable (item 1) | 0 + * Disable (item 2) | 1 * - * Skip - item 0 - * Enable - item 1 - * Disable - item 2 + * this strange mapping is historical. * - * values in the attribute in the FirewallOptions object are as follows: + * ip options switch has the following items: * - * 0 - enable - * 1 - disable - * 2 - skip + * skip + * allow + * drop + * clear * - * this is historical. + * The last item is just added at the bottom and is mapped to FirewallOptions + * value "3" + * */ -static int fixupOpt2Widget[] = { 1, 2, 0 }; -static int fixupWidget2Opt[] = { 2, 0, 1 }; +static int fixupOpt2Widget[] = { 1, 2, 0, 3 }; +static int fixupWidget2Opt[] = { 2, 0, 1, 3 }; int pixAdvancedDialog::translateFixupSwitchFromOptionToWidget(int o) { @@ -690,7 +713,7 @@ void pixAdvancedDialog::loadFixups() for (list::iterator fi=allFixups.begin(); fi!=allFixups.end(); fi++) { if (!fi->active) continue; - string f=options->getStr(fi->fwoption.toLatin1().constData()); + string f = options->getStr(fi->fwoption.toLatin1().constData()); if (!f.empty()) { // "0" means "fixup" or "enable" in a pop-down menu (historical) @@ -710,13 +733,15 @@ void pixAdvancedDialog::loadFixups() fi->switch_widget->setCurrentIndex( translateFixupSwitchFromOptionToWidget(sw) ); -/* if values are 0 in the data file, we stick with defaults. Defaults are preconfigured - * in the GUI (via appropriate settings in pix.glade file */ +/* if values are 0 in the data file, we stick with defaults. Defaults + * are preconfigured in the GUI + */ if (fi->arg1 && p1!=0) fi->arg1->setValue(p1); if (fi->arg2 && p2!=0) fi->arg2->setValue(p2); if (fi->arg3) fi->arg3->setChecked(arg3v); - } else { + } else + { fi->switch_widget->setCurrentIndex(0); } } 
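Review bot: `fixupOpt2Widget` and `fixupWidget2Opt` now have four entries and are indexed with a value read from the firewall options file (`options->getStr(...)` in the loadFixups hunk below), but the bodies of the translate functions are outside this hunk, so it is not visible whether a value outside 0–3 (an older or hand-edited data file) is rejected before indexing; a guard such as `if (o < 0 || o >= 4) return 0;` in both translate functions, or a range check at the call site, avoids an out-of-bounds read. The literal 3 duplicates `FIXUP_CLEAR=3` from inspectionProtocol.h in the same commit; if libgui can include that header, using the enum for the array size and the new value keeps the two mappings from drifting. `translateFixupSwitchFromOptionToWidget` starts at the end of this hunk and continues outside it.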
diff --git a/src/libgui/pixAdvancedDialog.h b/src/libgui/pixAdvancedDialog.h index dafd1c022..52cb55e2b 100644 --- a/src/libgui/pixAdvancedDialog.h +++ b/src/libgui/pixAdvancedDialog.h @@ -44,22 +44,29 @@ namespace libfwbuilder { }; struct fixupControl { - class QComboBox *switch_widget; - class QSpinBox *arg1; - class QSpinBox *arg2; - class QCheckBox *arg3; - QString fwoption; - QString fixup_cmd; - int page; // number of the notebook page in fixup_notebook widget - bool active; // if false, then this fixup is not supported on the given version of PIX OS - fixupControl(QComboBox *s, - QSpinBox *w1, - QSpinBox *w2, - QCheckBox *w3, - const QString &o, - const QString &f, - int p) - { switch_widget=s; arg1=w1; arg2=w2; arg3=w3; fwoption=o; fixup_cmd=f; page=p; active=true; } + class QComboBox *switch_widget; + class QSpinBox *arg1; + class QSpinBox *arg2; + class QCheckBox *arg3; + QString fwoption; + QString fixup_cmd; + int page; // number of the notebook page in fixup_notebook widget + bool active; // if false, then this fixup is not supported on the given + // version of PIX OS + + fixupControl(QComboBox *s, + QSpinBox *w1, + QSpinBox *w2, + QCheckBox *w3, + const QString &o, + const QString &f, + int p) + { + switch_widget=s; + arg1=w1; arg2=w2; arg3=w3; + fwoption=o; fixup_cmd=f; page=p; + active=true; + } }; diff --git a/src/libgui/pixadvanceddialog_q.ui b/src/libgui/pixadvanceddialog_q.ui index df0bbfb14..27d02dcec 100644 --- a/src/libgui/pixadvanceddialog_q.ui +++ b/src/libgui/pixadvanceddialog_q.ui @@ -13,7 +13,7 @@ 0 0 829 - 592 + 596 @@ -82,7 +82,7 @@ QTabWidget::Rounded - 0 + 4 Qt::ElideNone 
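Review bot: The `0` → `4` change in the tab-widget property block near the top of pixadvanceddialog_q.ui (the property between `QTabWidget::Rounded` and `Qt::ElideNone`, which in Designer output is `currentIndex`) looks like saved editor state rather than an intended default; if so the Advanced dialog now opens on the fifth page instead of the first. The same applies to `18` → `19` on the fixups sub-notebook in the next hunk (L25). Restoring both values before committing keeps the dialog's opening page unchanged while still adding the new IP options tab.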
@@ -1486,7 +1486,7 @@ - Policy compiler generates 'fixup' commands for PIX v6.1-6.3 and FWSM v2.3. For PIX 7.0 it generates 'class-map' and 'inspect' commands assigned to the 'policy-map' under either default or custom inspection classes. + Policy compiler generates 'fixup' commands for PIX/ASA v6.1-6.3 and FWSM v2.3. For v7.x and v8.x it generates 'class-map' and 'inspect' commands assigned to the 'policy-map' under either default or custom inspection classes. Qt::AlignVCenter @@ -1536,7 +1536,7 @@ QTabWidget::Triangular - 18 + 19 Qt::ElideNone @@ -1549,7 +1549,16 @@ ctiqbe - + + 10 + + + 10 + + + 0 + + 0 @@ -1636,7 +1645,16 @@ dns - + + 10 + + + 10 + + + 0 + + 0 @@ -1723,7 +1741,16 @@ esp ike - + + 10 + + + 10 + + + 0 + + 0 @@ -1781,7 +1808,16 @@ ftp - + + 10 + + + 10 + + + 0 + + 0 @@ -1888,7 +1924,16 @@ h323 h225 - + + 10 + + + 10 + + + 0 + + 0 @@ -2001,7 +2046,16 @@ h323 ras - + + 10 + + + 10 + + + 0 + + 0 @@ -2114,7 +2168,16 @@ http - + + 10 + + + 10 + + + 0 + + 0 @@ -2227,7 +2290,16 @@ icmp error - + + 10 + + + 10 + + + 0 + + 0 @@ -2285,7 +2357,16 @@ ils - + + 10 + + + 10 + + + 0 + + 0 @@ -2398,7 +2479,16 @@ mgcp - + + 10 + + + 10 + + + 0 + + 0 @@ -2527,7 +2617,16 @@ pptp - + + 10 + + + 10 + + + 0 + + 0 @@ -2614,7 +2713,16 @@ rsh - + + 10 + + + 10 + + + 0 + + 0 @@ -2698,7 +2806,16 @@ rtsp - + + 10 + + + 10 + + + 0 + + 0 @@ -2785,7 +2902,16 @@ sip - + + 10 + + + 10 + + + 0 + + 0 @@ -2898,7 +3024,16 @@ sip udp - + + 10 + + + 10 + + + 0 + + 0 @@ -2982,7 +3117,16 @@ skinny - + + 10 + + + 10 + + + 0 + + 0 @@ -3095,7 +3239,16 @@ smtp - + + 10 + + + 10 + + + 0 + + 0 @@ -3208,7 +3361,16 @@ sqlnet - + + 10 + + + 10 + + + 0 + + 0 @@ -3321,7 +3483,16 @@ tftp - + + 10 + + + 10 + + + 0 + + 0 
@@ -3403,6 +3574,125 @@ + + + IP options + + + + 20 + + + + + End of Options List (EOOL) + + + + + + + + skip + + + + + allow + + + + + drop + + + + + clear + + + + + + + + + 0 + 0 + + + + IP Options analysis is only available in PIX 8.2 and later and olnly EOOL, NOP and RTRALT options can be inspected. The firewall can allow IP packet with one of the options through or clear the option and then forward the packet, or drop the packet. Packets with any other option are always dropped. + + + true + + + + + + + No Operation (NOP) + + + + + + + + skip + + + + + allow + + + + + drop + + + + + clear + + + + + + + + Router Alert (RTRALT) + + + + + + + + skip + + + + + allow + + + + + drop + + + + + clear + + + + + + diff --git a/src/res/platform/pix.xml b/src/res/platform/pix.xml index 9a9054709..e0a79bdb3 100644 --- a/src/res/platform/pix.xml +++ b/src/res/platform/pix.xml @@ -10,7 +10,7 @@ fwb_pix_diff pix_os - 6.1,6.2,6.3,7.0,8.0,8.3 + 6.1,6.2,6.3,7.0,8.0,8.2,8.3 @@ -104,7 +104,8 @@ ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup - false + false + false @@ -184,7 +185,8 @@ ftp_fixup,http_fixup,h323_h225_fixup,h323_ras_fixup,ils_fixup,rsh_fixup,rtsp_fixup,sip_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup - false + false + false @@ -264,7 +266,8 @@ ctiqbe_fixup,dns_fixup,espike_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,pptp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup - false + false + false @@ -344,7 +347,9 @@ ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup - true + + true + false 
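Review bot: The user-visible help text on the new IP options page has a typo, `olnly` → `only`, and `IP packet with one of the options` → `IP packets with one of the options`. Because this string is where an operator learns the security semantics of the three switches (that only EOOL, NOP and RTRALT can be inspected and that packets carrying any other option are dropped), it is worth proofreading it once more before it is picked up by translations.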
@@ -425,11 +430,97 @@ ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup - true + + false + true + + true + true + true + true + true + false + true + 300 + true + true + true + false + false + true + true + + True + + + clear config access-list + clear config object-group + clear config icmp + clear config telnet + clear config ssh + clear xlate + clear config static + clear config global + clear config nat + + + + 3 + 0 + 0 + + 1 + 0 + 0 + + 0 + 2 + 0 + + 0 + 10 + 0 + + 0 + 5 + 0 + + 0 + 30 + 0 + + 0 + 2 + 0 + + 0 + 10 + 0 + + 2 + 0 + 0 + True + False + + 5 + 5 + + + + ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup,ip_options_eool_fixup,ip_options_nop_fixup,ip_options_rtralt_fixup + + false + true + + + + + true true @@ -505,8 +596,8 @@ - ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup - true + ctiqbe_fixup,dns_fixup,ftp_fixup,h323_h225_fixup,h323_ras_fixup,http_fixup,icmp_error_fixup,ils_fixup,mgcp_fixup,rsh_fixup,rtsp_fixup,sip_fixup,sip_udp_fixup,skinny_fixup,smtp_fixup,sqlnet_fixup,tftp_fixup,ip_options_eool_fixup,ip_options_nop_fixup,ip_options_rtralt_fixup + true diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index 239f78328..e33740b6c 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:59 2011 PST by vadim +! Generated Tue Jan 4 17:00:29 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported 
diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index fdb5c3d72..f37d2aeff 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:59 2011 PST by vadim +! Generated Tue Jan 4 17:00:29 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index a6a4daa7f..048e70eda 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:59 2011 PST by vadim +! Generated Tue Jan 4 17:00:28 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 60c32f040..632a74649 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:59 2011 PST by vadim +! Generated Tue Jan 4 17:00:29 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index fd3e1183b..73baafc45 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:41 2011 PST by vadim +! Generated Tue Jan 4 17:00:10 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index 920931e98..2ef946d8b 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:41 2011 PST by vadim +! Generated Tue Jan 4 17:00:11 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index 1d13f0a15..8f113ee79 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:42 2011 PST by vadim +! Generated Tue Jan 4 17:00:12 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index 0b8d08673..3ebef2355 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:43 2011 PST by vadim +! Generated Tue Jan 4 17:00:12 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index b02b76ec1..d16bb75ac 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:43 2011 PST by vadim +! Generated Tue Jan 4 17:00:13 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 37be7d8c8..656e6d2e7 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:44 2011 PST by vadim +! Generated Tue Jan 4 17:00:13 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index 1a6644285..49b5a3bb6 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:44 2011 PST by vadim +! Generated Tue Jan 4 17:00:14 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index d1c0f121b..2d389dc59 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:45 2011 PST by vadim +! Generated Tue Jan 4 17:00:15 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index fd1d77298..06d9035fc 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:46 2011 PST by vadim +! Generated Tue Jan 4 17:00:15 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index e9f9e46cb..9e6f0af34 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:47 2011 PST by vadim +! Generated Tue Jan 4 17:00:16 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 2664da992..05658876e 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:46 2011 PST by vadim +! Generated Tue Jan 4 17:00:16 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index 5f830fd43..aa4b8a366 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:47 2011 PST by vadim +! Generated Tue Jan 4 17:00:17 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported 
diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index be24374f6..b975c3e78 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:48 2011 PST by vadim +! Generated Tue Jan 4 17:00:18 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index 07f6e6523..b84118b20 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:49 2011 PST by vadim +! Generated Tue Jan 4 17:00:19 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index 78f481514..8b762e301 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:50 2011 PST by vadim +! Generated Tue Jan 4 17:00:19 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 315e88c79..daf63c554 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:50 2011 PST by vadim +! Generated Tue Jan 4 17:00:20 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index 0dca1e9a6..b63abb01d 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:51 2011 PST by vadim +! Generated Tue Jan 4 17:00:21 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported 
diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 1ad094d3c..6b22da213 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:52 2011 PST by vadim +! Generated Tue Jan 4 17:00:21 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index 0c65a771b..34a27617a 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:53 2011 PST by vadim +! Generated Tue Jan 4 17:00:22 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index d0b72926e..1f579d664 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,9 +3,9 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:53 2011 PST by vadim +! Generated Tue Jan 4 17:00:23 2011 PST by vadim ! -! Compiled for pix 8.0 +! Compiled for pix 8.2 ! Outbound ACLs: supported ! Emulate outbound ACLs: yes ! Generating outbound ACLs: no @@ -51,13 +51,13 @@ timeout udp 0:2:0 timeout sunrpc 0:10:0 timeout h323 0:5:0 timeout sip 0:30:0 +timeout sip_media 0:0:0 +timeout half-closed 0:0:0 timeout uauth 2:0:0 absolute -telnet timeout -1 clear config ssh aaa authentication ssh console LOCAL -ssh timeout -1 clear config snmp-server no snmp-server enable traps @@ -72,10 +72,16 @@ no sysopt nodnsalias inbound no sysopt nodnsalias outbound +policy-map type inspect ip-options ip-options-map +parameters + eool action allow + router-alert action clear + class-map inspection_default match default-inspection-traffic policy-map global_policy + class inspection_default service-policy global_policy global 
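Review bot: The expected output defines `policy-map type inspect ip-options ip-options-map`, but within this hunk nothing references it: the only line added under `policy-map global_policy` is `class inspection_default`, with no `inspect ip-options ip-options-map` beneath it (the hunk's 6 added lines are fully accounted for), so unless that line is emitted further down outside the hunk's context the ip-options policy is defined but never applied and the allow/clear actions chosen in the GUI have no effect on traffic. If the generator (OSConfigurator_pix_os_inspectors_pix8.cpp, not in this view) does emit it, the fixture should contain it so the regression test pins the attachment and not just the map definition. The same fixture also gains `timeout sip_media 0:0:0` and `timeout half-closed 0:0:0` and loses `telnet timeout -1`/`ssh timeout -1`, none of which the commit description mentions; these look like side effects of moving the test firewall from 8.0 to 8.2 and of the new pix.xml 8.2 defaults, so confirm that `0:0:0` for half-closed is the intended default rather than an unset option rendered as zero.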
diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index 02a0b88cb..303e7b122 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:54 2011 PST by vadim +! Generated Tue Jan 4 17:00:23 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index 08dde0d1b..837ea5fab 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:55 2011 PST by vadim +! Generated Tue Jan 4 17:00:24 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index a83052e4f..6419e91cb 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:55 2011 PST by vadim +! Generated Tue Jan 4 17:00:25 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index d0bc3434e..e2640eb4e 100644 --- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb @@ -16907,7 +16907,7 @@ no sysopt nodnsalias outbound - + @@ -17118,24 +17118,46 @@ no sysopt nodnsalias outbound + + + + + + + + + + + + + + + + + + + + + + @@ -17151,38 +17173,90 @@ no sysopt nodnsalias outbound + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -17193,6 +17267,7 @@ no sysopt nodnsalias outbound + diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index a5099faf7..dbcdcb0bf 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:56 2011 PST by vadim +! Generated Tue Jan 4 17:00:26 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 192c4fb7a..8aafe6176 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 12:09:57 2011 PST by vadim +! Generated Tue Jan 4 17:00:27 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported