
support for ipv6 in compiler for ipt

This commit is contained in:
Vadim Kurland 2008-05-18 02:50:43 +00:00
parent 2695e97184
commit badd1d6397
11 changed files with 158 additions and 113 deletions


@ -574,7 +574,8 @@ string OSConfigurator_linux24::printPathForAllTools(const string &os)
FWOptions* options=fw->getOptionsObject();
string s, path_lsmod, path_modprobe, path_iptables, path_iptables_restore, path_ip, path_logger;
string s, path_lsmod, path_modprobe, path_iptables, path_ip6tables;
string path_iptables_restore, path_ip, path_logger;
s=options->getStr("linux24_path_lsmod");
if (!s.empty()) path_lsmod=s;
@ -588,6 +589,10 @@ string OSConfigurator_linux24::printPathForAllTools(const string &os)
if (!s.empty()) path_iptables=s;
else path_iptables=os_data.getPathForTool(os,OSData::IPTABLES);
s=options->getStr("linux24_path_ip6tables");
if (!s.empty()) path_ip6tables=s;
else path_ip6tables=os_data.getPathForTool(os,OSData::IP6TABLES);
s=options->getStr("linux24_path_iptables_restore");
if (!s.empty()) path_iptables_restore=s;
else path_iptables_restore=os_data.getPathForTool(os,OSData::IPTABLES_RESTORE);
@ -604,6 +609,7 @@ string OSConfigurator_linux24::printPathForAllTools(const string &os)
res += "LSMOD=\"" +path_lsmod+"\"\n";
res += "MODPROBE=\""+path_modprobe+"\"\n";
res += "IPTABLES=\""+path_iptables+"\"\n";
res += "IP6TABLES=\""+path_ip6tables+"\"\n";
res += "IPTABLES_RESTORE=\""+path_iptables_restore+"\"\n";
res += "IP=\"" +path_ip+"\"\n";
res += "LOGGER=\"" +path_logger+"\"\n";


@ -41,6 +41,7 @@ string OSData::getPathForTool(const string &distro,tools t)
case LSMOD: r+="path_lsmod"; break;
case MODPROBE: r+="path_modprobe"; break;
case IPTABLES: r+="path_iptables"; break;
case IP6TABLES: r+="path_ip6tables"; break;
case IPTABLES_RESTORE: r+="path_iptables_restore"; break;
case IP: r+="path_ip"; break;
case LOGGER: r+="path_logger"; break;


@ -40,7 +40,7 @@ class OSData {
OSData(const std::string &ho) { host_os=ho; }
typedef enum { LSMOD, MODPROBE , IPTABLES , IPTABLES_RESTORE , IP , LOGGER } tools;
typedef enum { LSMOD, MODPROBE, IPTABLES, IP6TABLES, IPTABLES_RESTORE, IP, LOGGER } tools;
std::string getPathForTool(const std::string &distro,tools t);
};
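Review bot: Inserting IP6TABLES in the middle of the `tools` enum renumbers IPTABLES_RESTORE, IP and LOGGER; that is harmless while the enum is only used symbolically, as in the getPathForTool switch in the previous file, but if any caller or stored value relies on the numeric constants, appending the new enumerator at the end would be the safer choice. If symbolic use is indeed the contract, a comment on the typedef such as `// order is not significant; values are only used symbolically in getPathForTool` would make that explicit.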


@ -46,6 +46,8 @@
#include "fwbuilder/Resources.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/Inet6AddrMask.h"
#include "combinedAddress.h"
@ -77,14 +79,15 @@ using namespace std;
/*
* check and create new chain if needed
*/
string PolicyCompiler_ipt::PrintRule::_createChain(const string &chain)
string PolicyCompiler_ipt::PrintRule::_createChain(const string &chain,
bool ipv6)
{
string res;
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
if ( ! chains[chain] )
{
res = "$IPTABLES -N " + chain;
res = string((ipv6) ? "$IP6TABLES -N " : "$IPTABLES -N ") + chain;
if (ipt_comp->my_table != "filter") res += " -t " + ipt_comp->my_table;
res += "\n";
chains[chain]=true;
@ -92,9 +95,9 @@ string PolicyCompiler_ipt::PrintRule::_createChain(const string &chain)
return res;
}
string PolicyCompiler_ipt::PrintRule::_startRuleLine()
string PolicyCompiler_ipt::PrintRule::_startRuleLine(bool ipv6)
{
string res = "$IPTABLES ";
string res = (ipv6) ? "$IP6TABLES " : "$IPTABLES ";
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
if (ipt_comp->my_table != "filter") res += "-t " + ipt_comp->my_table + " ";
@ -112,7 +115,9 @@ string PolicyCompiler_ipt::PrintRule::_printRuleLabel(PolicyRule *rule)
{
ostringstream res;
bool nocomm=Resources::os_res[compiler->fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_comments");
bool nocomm = Resources::os_res[compiler->fw->getStr("host_OS")]->
Resources::getResourceBool(
"/FWBuilderResources/Target/options/suppress_comments");
string rl=rule->getLabel();
if (rl!=current_rule_label)
@ -1075,9 +1080,11 @@ bool PolicyCompiler_ipt::PrintRule::processNext()
string PolicyCompiler_ipt::PrintRule::PolicyRuleToString(PolicyRule *rule)
{
FWOptions *ruleopt =rule->getOptionsObject();
FWOptions *ruleopt = rule->getOptionsObject();
FWObject *ref;
bool isIPv6 = rule->getBool("ipv6_rule");
RuleElementSrc *srcrel=rule->getSrc();
ref=srcrel->front();
Address *src=Address::cast(FWReference::cast(ref)->getPointer());
@ -1099,7 +1106,7 @@ string PolicyCompiler_ipt::PrintRule::PolicyRuleToString(PolicyRule *rule)
std::ostringstream command_line;
command_line << _startRuleLine();
command_line << _startRuleLine(isIPv6);
command_line << _printChain(rule);
command_line << _printDirectionAndInterface(rule);
@ -1215,27 +1222,10 @@ string PolicyCompiler_ipt::PrintRule::_flushAndSetDefaultPolicy()
res << "$IPTABLES -P INPUT DROP" << endl;
res << "$IPTABLES -P FORWARD DROP" << endl;
if ( ! fwopt->getBool("no_ipv6_default_policy") )
{
/*
* test if ip6tables is installed and if it works. It may be installed
* on the system but fail because ipv6 is not compiled into the
* kernel.
*/
res << "ip6tables -L -n > /dev/null 2>&1 && {" << endl;
res << " ip6tables -P OUTPUT DROP" << endl;
res << " ip6tables -P INPUT DROP" << endl;
res << " ip6tables -P FORWARD DROP" << endl;
res << " ip6tables -A INPUT -i lo -j ACCEPT " << endl;
res << " ip6tables -A OUTPUT -o lo -j ACCEPT " << endl;
res << "}" << endl;
res << endl;
}
/*
* need to flush all tables and chains before setting up any rules
*/
/*
* need to flush all tables and chains before setting up any rules
*/
res << "\n\
\n\
cat /proc/net/ip_tables_names | while read table; do\n\
$IPTABLES -t $table -L -n | while read c chain rest; do\n\
if test \"X$c\" = \"XChain\" ; then\n\
@ -1243,8 +1233,34 @@ cat /proc/net/ip_tables_names | while read table; do\n\
fi\n\
done\n\
$IPTABLES -t $table -X\n\
done\n\
done\n";
res << endl;
res << endl;
/*
* test if ip6tables is installed and if it works. It may be installed
* on the system but fail because ipv6 is not compiled into the
* kernel.
*/
res << "$IP6TABLES -L -n > /dev/null 2>&1 && {" << endl;
res << " $IP6TABLES -P OUTPUT DROP" << endl;
res << " $IP6TABLES -P INPUT DROP" << endl;
res << " $IP6TABLES -P FORWARD DROP" << endl;
res << "\n\
cat /proc/net/ip6_tables_names | while read table; do\n\
$IP6TABLES -t $table -L -n | while read c chain rest; do\n\
if test \"X$c\" = \"XChain\" ; then\n\
$IP6TABLES -t $table -F $chain\n\
fi\n\
done\n\
$IP6TABLES -t $table -X\n\
done\n\
\n\
\n";
res << "}";
res << endl;
res << endl;
// }
return res.str();
@ -1255,9 +1271,9 @@ string PolicyCompiler_ipt::PrintRule::_commit()
return "";
}
string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules()
string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules(bool isIPv6)
{
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
ostringstream res;
/*
@ -1265,13 +1281,13 @@ string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules()
* Need rules in FORWARD chain only if ip forwarding is on or set to
* "no change"
*/
bool ipforward=false;
string s=compiler->getCachedFwOpt()->getStr("linux24_ip_forward");
bool ipforward = false;
string s = compiler->getCachedFwOpt()->getStr("linux24_ip_forward");
ipforward= (s.empty() || s=="1" || s=="On" || s=="on");
if ( compiler->getCachedFwOpt()->getBool("clamp_mss_to_mtu") && ipforward)
{
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
<< _endRuleLine();
@ -1281,16 +1297,16 @@ string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules()
if ( compiler->getCachedFwOpt()->getBool("accept_established") &&
ipt_comp->my_table=="filter")
{
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
<< _endRuleLine();
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
<< _endRuleLine();
if (ipforward)
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
<< _endRuleLine();
@ -1310,24 +1326,50 @@ string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules()
if ( compiler->getCachedFwOpt()->getBool("mgmt_ssh") &&
! compiler->getCachedFwOpt()->getStr("mgmt_addr").empty() )
{
string addr = compiler->getCachedFwOpt()->getStr("mgmt_addr");
res << "# backup ssh access" << endl;
res << "#" << endl;
string addr_str = compiler->getCachedFwOpt()->getStr("mgmt_addr");
InetAddrMask *inet_addr;
bool addr_is_good = true;
if (isIPv6)
{
// check if given address is ipv6
try
{
inet_addr = new Inet6AddrMask(addr_str);
} catch(const FWException &ex) {
// address does not parse as ipv6, skip this rule.
addr_is_good = false;
}
} else
{
// check if given address parses as ipv4
try
{
inet_addr = new InetAddrMask(addr_str);
} catch(const FWException &ex) {
// address does not parse
addr_is_good = false;
}
}
if (addr_is_good)
{
res << "# backup ssh access" << endl;
res << "#" << endl;
/* bug #1106701: 'backup ssh access' and statefulness interation
* Need to add rules with ESTABLISHED and RELATED to make sure backup ssh access
* works even when global rule that accepts ESTABLISHED and RELATED is disabled
*/
res << _startRuleLine() << "INPUT -p tcp -m tcp -s "
<< addr
<< " --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT"
<< _endRuleLine();
res << _startRuleLine(isIPv6) << "INPUT -p tcp -m tcp -s "
<< inet_addr->toString()
<< " --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT"
<< _endRuleLine();
res << _startRuleLine() << "OUTPUT -p tcp -m tcp -d "
<< addr
<< " --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT"
<< _endRuleLine();
res << _startRuleLine(isIPv6) << "OUTPUT -p tcp -m tcp -d "
<< inet_addr->toString()
<< " --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT"
<< _endRuleLine();
res << endl;
res << endl;
}
}
if ( ! compiler->getCachedFwOpt()->getBool("accept_new_tcp_with_no_syn") )
@ -1337,16 +1379,16 @@ string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules()
res << "#" << endl;
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP"
<< _endRuleLine();
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP"
<< _endRuleLine();
if (ipforward)
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP"
<< _endRuleLine();
@ -1361,37 +1403,37 @@ string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules()
if ( !compiler->getCachedFwOpt()->getBool("log_invalid"))
{
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "OUTPUT -m state --state INVALID -j DROP"
<< _endRuleLine();
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "INPUT -m state --state INVALID -j DROP"
<< _endRuleLine();
if (ipforward)
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "FORWARD -m state --state INVALID -j DROP"
<< _endRuleLine();
} else
{
res << _createChain("drop_invalid");
res << _createChain("drop_invalid", isIPv6);
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "OUTPUT -m state --state INVALID -j drop_invalid"
<< _endRuleLine();
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "INPUT -m state --state INVALID -j drop_invalid"
<< _endRuleLine();
if (ipforward)
res << _startRuleLine()
res << _startRuleLine(isIPv6)
<< "FORWARD -m state --state INVALID -j drop_invalid"
<< _endRuleLine();
res << _startRuleLine();
res << _startRuleLine(isIPv6);
if (compiler->getCachedFwOpt()->getBool("use_ULOG"))
@ -1423,7 +1465,7 @@ string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules()
res << _printLogPrefix("-1", "DENY","global","drop_invalid","BLOCK INVALID",s)
<< _endRuleLine()
<< _startRuleLine() << "drop_invalid -j DROP" << _endRuleLine();
<< _startRuleLine(isIPv6) << "drop_invalid -j DROP" << _endRuleLine();
}
res << endl;
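Review bot: `_createChain` still keys `chains` by chain name only, so after `_printOptionalGlobalRules()` has created `drop_invalid` for iptables, the ipv6 pass (`_printOptionalGlobalRules(true)`, called right after it in `PolicyCompiler_ipt::flushAndSetDefaultPolicy`) finds `chains["drop_invalid"]` already set and never emits `$IP6TABLES -N drop_invalid`, while the ip6tables `-j drop_invalid` rules are still written and will be rejected when the script loads. Keying the map per address family fixes it, e.g. `string key = (ipv6 ? "ip6:" : "ip4:") + chain;` and using `chains[key]` in both the test and the assignment, provided nothing else looks chains up by bare name. In the mgmt_ssh block `inet_addr` is allocated with `new` on both branches and never freed: initialise it to NULL and `delete inet_addr;` after the `if (addr_is_good)` block, or hold it in a `std::auto_ptr<InetAddrMask>` (assuming InetAddrMask has a virtual destructor). Also, `_flushAndSetDefaultPolicy` dropped the `ip6tables -A INPUT -i lo -j ACCEPT` / `-A OUTPUT -o lo -j ACCEPT` lines together with the `no_ipv6_default_policy` check, so IPv6 loopback traffic is now dropped unless a later rule accepts it — worth confirming that is intended — and the stray `// }` above `return res.str();` should go.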


@ -57,7 +57,8 @@ using namespace std;
/*
* check and create new chain if needed
*/
string PolicyCompiler_ipt::PrintRuleIptRst::_createChain(const string &chain)
string PolicyCompiler_ipt::PrintRuleIptRst::_createChain(const string &chain,
bool ipv6)
{
string res;
if ( ! chains[chain] )
@ -68,7 +69,7 @@ string PolicyCompiler_ipt::PrintRuleIptRst::_createChain(const string &chain)
return res;
}
string PolicyCompiler_ipt::PrintRuleIptRst::_startRuleLine()
string PolicyCompiler_ipt::PrintRuleIptRst::_startRuleLine(bool ipv6)
{
return string("-A ");
}
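Review bot: Both new overrides in this file take `bool ipv6` but ignore it: `_startRuleLine(bool ipv6)` returns `"-A "` unconditionally, and the `_createChain` body, which continues beyond the first hunk, never reads the flag, so when `_printOptionalGlobalRules(true)` runs with the iptables-restore writer the ipv6 rules (including the mgmt_addr rule carrying an IPv6 address) are written into the same restore stream as the ipv4 rules and iptables-restore will presumably fail on them. The same applies to the PrintRuleIptRstEcho overrides in the next file. If ipv6 output is not supported in restore format yet, either skip the ipv6 pass for these writers or document the limitation on both methods, e.g. `// ipv6 is accepted for interface compatibility only; restore format does not emit ip6tables rules yet`, so the flag is not silently dropped.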


@ -57,7 +57,8 @@ using namespace std;
/*
* check and create new chain if needed
*/
string PolicyCompiler_ipt::PrintRuleIptRstEcho::_createChain(const string &chain)
string PolicyCompiler_ipt::PrintRuleIptRstEcho::_createChain(
const string &chain, bool ipv6)
{
string res;
if ( ! chains[chain] )
@ -68,7 +69,7 @@ string PolicyCompiler_ipt::PrintRuleIptRstEcho::_createChain(const string &chain
return res;
}
string PolicyCompiler_ipt::PrintRuleIptRstEcho::_startRuleLine()
string PolicyCompiler_ipt::PrintRuleIptRstEcho::_startRuleLine(bool ipv6)
{
return string("echo \"-A ");
}


@ -3910,16 +3910,17 @@ void PolicyCompiler_ipt::compile()
add( new ConvertToAtomicForAddresses(
"convert to atomic rules by address elements") );
add( new checkForZeroAddr( "check for zero addresses" ) );
add( new checkMACinOUTPUTChain("check for MAC in OUTPUT chain" ) );
add( new checkForZeroAddr("check for zero addresses") );
add( new checkMACinOUTPUTChain("check for MAC in OUTPUT chain") );
add( new ConvertToAtomicForIntervals(
"convert to atomic rules by interval element") );
add( new SkipActionContinueWithNoLogging(
"drop rules with action Continue") );
add( new convertInterfaceIdToStr("prepare interface assignments" ) );
add( new optimize3( "optimization 3" ) );
add( new convertInterfaceIdToStr("prepare interface assignments") );
add( new optimize3("optimization 3") );
add( new CheckIfIPv6Rule("find ipv6 rules"));
add( createPrintRuleProcessor() );
@ -4100,6 +4101,8 @@ string PolicyCompiler_ipt::flushAndSetDefaultPolicy()
res += printRule->_declareTable();
res += printRule->_flushAndSetDefaultPolicy();
res += printRule->_printOptionalGlobalRules();
// same rules for ipv6
res += printRule->_printOptionalGlobalRules(true);
return res;
}
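Review bot: `_printOptionalGlobalRules(true)` is now called unconditionally, and its ip6tables lines are written outside the `$IP6TABLES -L -n > /dev/null 2>&1 && { ... }` availability test that `_flushAndSetDefaultPolicy` uses, so on a host whose kernel has no IPv6 every `$IP6TABLES -A ...` global rule fails when the script runs; the `no_ipv6_default_policy` option that previously let users opt out appears to be gone as well. Consider gating the call on a firewall option or emitting these rules inside the same availability test, and expand the `// same rules for ipv6` comment to say why the ipv6 pass is always on and how a host without ip6tables is expected to behave.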


@ -795,7 +795,8 @@ namespace fwcompiler {
std::string current_rule_label;
std::map<const std::string,bool> chains;
virtual std::string _createChain(const std::string &chain);
virtual std::string _createChain(const std::string &chain,
bool ipv6=false);
virtual std::string _printRuleLabel(libfwbuilder::PolicyRule *r);
virtual std::string _printSrcService(libfwbuilder::RuleElementSrv *o);
@ -837,13 +838,13 @@ namespace fwcompiler {
PrintRule(const std::string &name);
virtual std::string _printGlobalLogParameters();
virtual std::string _printOptionalGlobalRules();
virtual std::string _printOptionalGlobalRules(bool ipv6=false);
virtual std::string _declareTable();
virtual std::string _flushAndSetDefaultPolicy();
virtual std::string _commit();
virtual std::string _quote(const std::string &s);
virtual std::string _startRuleLine();
virtual std::string _startRuleLine(bool ipv6=false);
virtual std::string _endRuleLine();
virtual bool processNext();
@ -855,8 +856,9 @@ namespace fwcompiler {
class PrintRuleIptRst : public PrintRule
{
virtual std::string _createChain(const std::string &chain);
virtual std::string _startRuleLine();
virtual std::string _createChain(const std::string &chain,
bool ipv6=false);
virtual std::string _startRuleLine(bool ipv6=false);
virtual std::string _endRuleLine();
virtual std::string _printRuleLabel(libfwbuilder::PolicyRule *r);
@ -873,8 +875,9 @@ namespace fwcompiler {
class PrintRuleIptRstEcho : public PrintRuleIptRst
{
virtual std::string _createChain(const std::string &chain);
virtual std::string _startRuleLine();
virtual std::string _createChain(const std::string &chain,
bool ipv6=false);
virtual std::string _startRuleLine(bool ipv6=false);
virtual std::string _endRuleLine();
public:
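Review bot: The new `bool ipv6=false` default argument is placed on virtual functions (`_createChain`, `_startRuleLine`, `_printOptionalGlobalRules`) and repeated on every override; default arguments bind to the static type at the call site, so this only stays correct while every declaration carries the same value. A comment on the base-class declarations, e.g. `// default must match on all overrides: default args on virtuals bind statically`, would help keep them in sync, or the overrides could drop the default and have callers pass the flag explicitly.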


@ -97,6 +97,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
<path_lsmod>lsmod</path_lsmod>
<path_modprobe>modprobe</path_modprobe>
<path_iptables>iptables</path_iptables>
<path_ip6tables>ip6tables</path_iptables>
<path_iptables_restore>iptables-restore</path_iptables_restore>
<path_ip>ip</path_ip>
<path_logger>logger</path_logger>
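Review bot: The new `<path_ip6tables>ip6tables</path_iptables>` element is closed with the wrong tag, so this resource file is no longer well-formed XML and will either fail to parse or leave the `path_ip6tables` lookup unresolved; it should read `<path_ip6tables>ip6tables</path_ip6tables>`. The same mismatched closing tag appears in all five new entries of the next file (`/sbin/ip6tables`, `/usr/sbin/ip6tables` and `ip6tables`), each of which needs `</path_ip6tables>`.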


@ -118,6 +118,7 @@ sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip6tables>/sbin/ip6tables</path_iptables>
<path_iptables_restore>/sbin/iptables-restore</path_iptables_restore>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
@ -127,6 +128,7 @@ sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip6tables>/sbin/ip6tables</path_iptables>
<path_iptables_restore>/sbin/iptables-restore</path_iptables_restore>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
@ -136,6 +138,7 @@ sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/usr/sbin/iptables</path_iptables>
<path_ip6tables>/usr/sbin/ip6tables</path_iptables>
<path_iptables_restore>/usr/sbin/iptables-restore</path_iptables_restore>
<path_ip>/sbin/ip</path_ip>
<path_logger>/bin/logger</path_logger>
@ -145,6 +148,7 @@ sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
<path_lsmod>/sbin/lsmod</path_lsmod>
<path_modprobe>/sbin/modprobe</path_modprobe>
<path_iptables>/sbin/iptables</path_iptables>
<path_ip6tables>/sbin/ip6tables</path_iptables>
<path_iptables_restore>/sbin/iptables-restore</path_iptables_restore>
<path_ip>/sbin/ip</path_ip>
<path_logger>/usr/bin/logger</path_logger>
@ -154,6 +158,7 @@ sh %FWDIR%/tmp/%FWSCRIPT% &#38;&#38; echo 'Policy activated'
<path_lsmod>lsmod</path_lsmod>
<path_modprobe>modprobe</path_modprobe>
<path_iptables>iptables</path_iptables>
<path_ip6tables>ip6tables</path_iptables>
<path_iptables_restore>iptables-restore</path_iptables_restore>
<path_ip>ip</path_ip>
<path_logger>logger</path_logger>


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="5" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="6" id="root">
<Library color="#d2ffd0" comment="User defined objects" id="syslib001" name="User">
<ObjectGroup id="stdid01_1" name="Objects">
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables">
@ -819,8 +819,7 @@
<TagService comment="" id="id43EC877332486" name="tag16" tagcode="16"/>
<TagService comment="" id="id449328D824380" name="Tag1" tagcode="1"/>
<TagService comment="" id="id449328D924380" name="Tag2" tagcode="2"/>
</ServiceGroup>
<ServiceGroup id="stdid10_1" name="Groups">
</ServiceGroup><ServiceGroup id="stdid10_1" name="Groups">
<ServiceGroup id="id3B457567" name="svcgroup1">
<ServiceRef ref="id3B457561"/>
<ServiceRef ref="ip-IPSEC"/>
@ -910,17 +909,14 @@
<ServiceRef ref="id3B4FEDA3"/>
<ServiceRef ref="id3B4FED69"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07_1" name="ICMP">
</ServiceGroup><ServiceGroup id="stdid07_1" name="ICMP">
<ICMPService code="-1" comment="" id="id3C1A5D46" name="any ICMP" type="-1"/>
</ServiceGroup>
<ServiceGroup id="stdid06_1" name="IP">
</ServiceGroup><ServiceGroup id="stdid06_1" name="IP">
<IPService comment="" fragm="False" id="id3B457561" lsrr="False" name="ICMP" protocol_num="1" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="" fragm="False" id="id3B6659A5" lsrr="False" name="TS" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="True"/>
<IPService comment="" fragm="False" id="id3F3E9EFC" lsrr="False" name="EIGRP" protocol_num="88" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="" fragm="False" id="id419D6869" lsrr="False" name="any protocol" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09_1" name="TCP">
</ServiceGroup><ServiceGroup id="stdid09_1" name="TCP">
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="70" dst_range_start="70" fin_flag="False" fin_flag_mask="False" id="id3C1A66EF" name="gopher" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="tcp-IRC" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B5009F7" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
@ -936,12 +932,10 @@
<TCPService ack_flag="False" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="id3E3747AF" name="TCP no flags" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
<TCPService ack_flag="False" ack_flag_mask="True" comment="TCP packet with dest. port 5190 (AIM) and SYN flag set&#10;This is the opening of the new AIM session" dst_range_end="5190" dst_range_start="5190" fin_flag="False" fin_flag_mask="True" id="id40038E79" name="new AIM connection" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
<TCPService ack_flag="True" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="id459E36F110170" name="ack" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
</ServiceGroup>
<ServiceGroup id="stdid08_1" name="UDP">
</ServiceGroup><ServiceGroup id="stdid08_1" name="UDP">
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="id3ED59BF0" name="udp-src-6767" src_range_end="6767" src_range_start="6767"/>
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="id3ED59BF1" name="udp-src-67" src_range_end="67" src_range_start="67"/>
</ServiceGroup>
<ServiceGroup id="stdid13_1" name="Custom">
</ServiceGroup><ServiceGroup id="stdid13_1" name="Custom">
<CustomService comment="Talk support" id="id3B64FE22" name="talk">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="fwsm"/>
@ -986,6 +980,7 @@
<CustomServiceCommand platform="unknown"/>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid05_1_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls">
<Firewall comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule&#10;" host_OS="linux24" id="fw-firewall2" inactive="False" lastCompiled="1188096924" lastInstalled="1142003872" lastModified="1208501354" name="firewall" platform="iptables" ro="False" version="">
@ -21981,14 +21976,9 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<ObjectGroup id="id44EC14038791" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id44EC14048791" name="Services">
<ServiceGroup id="id44EC14058791" name="Groups"/>
<ServiceGroup id="id44EC14068791" name="ICMP"/>
<ServiceGroup id="id44EC14078791" name="IP"/>
<ServiceGroup id="id44EC14088791" name="TCP"/>
<ServiceGroup id="id44EC14098791" name="UDP"/>
<ServiceGroup id="id44EC140A8791" name="Custom"/>
<ServiceGroup id="id44EC140B8791" name="TagServices"/>
</ServiceGroup>
<ServiceGroup id="id44EC14058791" name="Groups"/><ServiceGroup id="id44EC14068791" name="ICMP"/><ServiceGroup id="id44EC14078791" name="IP"/><ServiceGroup id="id44EC14088791" name="TCP"/><ServiceGroup id="id44EC14098791" name="UDP"/><ServiceGroup id="id44EC140A8791" name="Custom"/><ServiceGroup id="id44EC140B8791" name="TagServices"/>
<ServiceGroup id="id44EC14048791_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="id44EC140C8791" name="Firewalls"/>
<IntervalGroup id="id44EC140D8791" name="Time"/>
</Library>
@ -22011,13 +22001,8 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<ObjectGroup id="id4387B43F18346" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id4387B44018346" name="Services">
<ServiceGroup id="id4387B44018346_og_tag_1" name="TagServices"/>
<ServiceGroup id="id4387B44118346" name="Groups"/>
<ServiceGroup id="id4387B44218346" name="ICMP"/>
<ServiceGroup id="id4387B44318346" name="IP"/>
<ServiceGroup id="id4387B44418346" name="TCP"/>
<ServiceGroup id="id4387B44518346" name="UDP"/>
<ServiceGroup id="id4387B44618346" name="Custom"/>
<ServiceGroup id="id4387B44018346_og_tag_1" name="TagServices"/><ServiceGroup id="id4387B44118346" name="Groups"/><ServiceGroup id="id4387B44218346" name="ICMP"/><ServiceGroup id="id4387B44318346" name="IP"/><ServiceGroup id="id4387B44418346" name="TCP"/><ServiceGroup id="id4387B44518346" name="UDP"/><ServiceGroup id="id4387B44618346" name="Custom"/>
<ServiceGroup id="id4387B44018346_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="id4387B44718346" name="Firewalls"/>
<IntervalGroup id="id4387B44818346" name="Time"/>
@ -22030,8 +22015,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<IPService comment="Route recording packets" fragm="False" id="ip-RR" lsrr="False" name="RR" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="All sorts of Source Routing Packets" fragm="False" id="ip-SRR" lsrr="True" name="SRR" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False"/>
<IPService comment="IPSEC Authentication Header Protocol" fragm="False" id="id3CB12797" lsrr="False" name="AH" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09" name="TCP">
</ServiceGroup><ServiceGroup id="stdid09" name="TCP">
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="113" dst_range_start="113" fin_flag="False" fin_flag_mask="False" id="tcp-Auth" name="auth" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="53" dst_range_start="53" fin_flag="False" fin_flag_mask="False" id="tcp-DNS_zone_transf" name="dns-tcp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="21" dst_range_start="21" fin_flag="False" fin_flag_mask="False" id="tcp-FTP" name="ftp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
@ -22068,15 +22052,13 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<TCPService ack_flag="False" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="tcp-TCP-SYN" name="tcp-syn" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B4FF09A" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-All_TCP" name="All TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP">
</ServiceGroup><ServiceGroup id="stdid08" name="UDP">
<UDPService comment="" dst_range_end="53" dst_range_start="53" id="udp-DNS" name="domain" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="161" dst_range_start="161" id="udp-SNMP" name="snmp" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="0" dst_range_start="0" id="udp-All_UDP" name="All UDP" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="67" dst_range_start="67" id="udp-bootps" name="bootps" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="68" dst_range_start="68" id="udp-bootpc" name="bootpc" src_range_end="0" src_range_start="0"/>
</ServiceGroup>
<ServiceGroup id="stdid10" name="Groups">
</ServiceGroup><ServiceGroup id="stdid10" name="Groups">
<ServiceGroup comment="" id="sg-DHCP" name="DHCP">
<ServiceRef ref="udp-bootpc"/>
<ServiceRef ref="udp-bootps"/>
@ -22091,8 +22073,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<ServiceRef ref="id3CB12797"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP">
</ServiceGroup><ServiceGroup id="stdid07" name="ICMP">
<ICMPService code="0" comment="" id="icmp-ping_request" name="ping request" type="8"/>
<ICMPService code="-1" comment="" id="icmp-Unreachables" name="all ICMP unreachables" type="3"/>
<ICMPService code="-1" comment="" id="id3C20EEB5" name="any ICMP" type="-1"/>
@ -22100,6 +22081,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<ICMPService code="1" comment="" id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" type="11"/>
<ICMPService code="0" comment="" id="icmp-ping_reply" name="ping reply" type="0"/>
</ServiceGroup>
<ServiceGroup id="stdid05_userservices" name="User"/>
</ServiceGroup>
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyInterval comment="Any Interval" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" id="sysid2" name="Any" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>