From c34a7584304b36c0adfdf855aa4a0566ef18a021 Mon Sep 17 00:00:00 2001 
From: Vadim Kurland Date: Wed, 19 Jan 2011 20:27:47 -0800 Subject: [PATCH] see #1959 ASA Policy - ranges are broken into composite network instead of using range command --- doc/ChangeLog | 19 +++ src/cisco_lib/CompilerDriver_iosacl_run.cpp | 6 +- src/cisco_lib/CompilerDriver_pix_run.cpp | 5 +- .../CompilerDriver_procurve_acl_run.cpp | 6 +- .../NamedObjectsAndGroupsSupport.cpp | 39 ++++- src/cisco_lib/NamedObjectsAndGroupsSupport.h | 2 + src/cisco_lib/PolicyCompiler_pix.cpp | 13 +- src/cisco_lib/PolicyCompiler_pix_writers.cpp | 80 +++++----- test/pix/cluster1-1_pix1.fw.orig | 2 +- test/pix/cluster1-1_pix2.fw.orig | 2 +- test/pix/cluster1_pix1.fw.orig | 2 +- test/pix/cluster1_pix2.fw.orig | 2 +- test/pix/firewall.fw.orig | 2 +- test/pix/firewall1.fw.orig | 2 +- test/pix/firewall10.fw.orig | 2 +- test/pix/firewall11.fw.orig | 2 +- test/pix/firewall12.fw.orig | 2 +- test/pix/firewall13.fw.orig | 2 +- test/pix/firewall14.fw.orig | 2 +- test/pix/firewall2.fw.orig | 2 +- test/pix/firewall20.fw.orig | 2 +- test/pix/firewall21-1.fw.orig | 2 +- test/pix/firewall21.fw.orig | 2 +- test/pix/firewall22.fw.orig | 2 +- test/pix/firewall3.fw.orig | 2 +- test/pix/firewall33.fw.orig | 2 +- test/pix/firewall34.fw.orig | 2 +- test/pix/firewall4.fw.orig | 2 +- test/pix/firewall50.fw.orig | 2 +- test/pix/firewall6.fw.orig | 2 +- test/pix/firewall8.fw.orig | 2 +- test/pix/firewall80.fw.orig | 2 +- test/pix/firewall81.fw.orig | 38 +++-- test/pix/firewall82.fw.orig | 26 +-- test/pix/firewall83.fw.orig | 26 +-- test/pix/firewall9.fw.orig | 2 +- test/pix/firewall90.fw.orig | 149 ++++++++++-------- test/pix/firewall91.fw.orig | 60 ++++--- test/pix/firewall92.fw.orig | 60 ++++--- test/pix/firewall93.fw.orig | 18 ++- test/pix/fwsm1.fw.orig | 2 +- test/pix/fwsm2.fw.orig | 2 +- test/pix/objects-for-regression-tests.fwb | 6 +- test/pix/pix515.fw.orig | 2 +- test/pix/real.fw.orig | 2 +- 45 files changed, 362 insertions(+), 249 deletions(-) 
diff --git a/doc/ChangeLog b/doc/ChangeLog index 0499df430..f8b4dfc17 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,24 @@ 2011-01-19 vadim + * PolicyCompiler_pix.cpp (compile): See #1959 "ASA Policy - ranges + are broken into composite network instead of using range command." + Added support for address ranges using named network object with + parameter "range" for ASA 8.3 and later. NOTE: if a network or ip + address object is used in a nat rule for ASA 8.3, a named object + has to be created for it since ASA 8.3 does not accept ip + addresses or subnets in "nat" commands. In the situation like + this, if the same address or network object is used in any Policy + rule, the same named object will be used in the generated + access-lists command. + + * NamedObjectsAndGroupsSupport.cpp (getNamedObjectsDefinitions): + see #1959 Moved generation of the code that defines named objects + to class NamedObjectManager. This allows me to put all named + object commands on top of the generated policy, nat and routing + configurations and make sure each object is defined only once. + Still need to do #1963 - move code that generates commands to + define object-groups to class NamedObjectManager. + * NATCompiler_asa8.cpp (processNext): see #1954 "ASA NAT - generate warning if nat rule is split and one of the resulting nat rules have the same real interface and mapped interface". Compiler diff --git a/src/cisco_lib/CompilerDriver_iosacl_run.cpp b/src/cisco_lib/CompilerDriver_iosacl_run.cpp index 0c889f174..e5fda97e3 100644 --- a/src/cisco_lib/CompilerDriver_iosacl_run.cpp +++ b/src/cisco_lib/CompilerDriver_iosacl_run.cpp 
@@ -318,11 +318,15 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id, all_errors.push_front(getErrors("").c_str()); } + system_configuration_script += + named_object_manager.getNamedObjectsDefinitions(); if (single_rule_compile_on) { return formSingleRuleCompileOutput( - QString::fromUtf8((policy_script + routing_script).c_str())); + QString::fromUtf8( + (named_object_manager.getNamedObjectsDefinitions() + + policy_script + routing_script).c_str())); } QString script_buffer = assembleFwScript( diff --git a/src/cisco_lib/CompilerDriver_pix_run.cpp b/src/cisco_lib/CompilerDriver_pix_run.cpp index 71919dd36..7f61139c7 100644 --- a/src/cisco_lib/CompilerDriver_pix_run.cpp +++ b/src/cisco_lib/CompilerDriver_pix_run.cpp @@ -450,6 +450,8 @@ QString CompilerDriver_pix::run(const std::string &cluster_id, } system_configuration_script = oscnf->getCompiledScript(); + system_configuration_script += + named_object_manager.getNamedObjectsDefinitions(); policy_script = c->getCompiledScript(); nat_script = n->getCompiledScript(); routing_script = r->getCompiledScript(); @@ -468,7 +470,8 @@ QString CompilerDriver_pix::run(const std::string &cluster_id, { return formSingleRuleCompileOutput( QString::fromUtf8( - (policy_script + nat_script + routing_script).c_str())); + (named_object_manager.getNamedObjectsDefinitions() + + policy_script + nat_script + routing_script).c_str())); } ofname = getAbsOutputFileName(ofname); diff --git a/src/cisco_lib/CompilerDriver_procurve_acl_run.cpp b/src/cisco_lib/CompilerDriver_procurve_acl_run.cpp index ef4e06c61..5c3bb5e97 100644 --- a/src/cisco_lib/CompilerDriver_procurve_acl_run.cpp +++ b/src/cisco_lib/CompilerDriver_procurve_acl_run.cpp 
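Review bot: `getNamedObjectsDefinitions()` is called twice on the single-rule path, once for `system_configuration_script` and again inside the `formSingleRuleCompileOutput(...)` argument, and each call walks the whole object map and rebuilds the string. Computing it once, e.g. `const std::string named_objects_script = named_object_manager.getNamedObjectsDefinitions();`, and reusing that local in both places keeps the two outputs identical by construction. The same pattern is repeated in the CompilerDriver_pix::run and CompilerDriver_procurve_acl::run hunks. If the manager is expected to stay empty for IOS ACL and ProCurve targets, a one-line comment saying so would help, because the definitions are appended to the configuration unconditionally here. `run()` starts and ends outside this hunk.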
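Review bot: Appending the definitions to `system_configuration_script` in CompilerDriver_pix::run puts every `object network` / `object service` block ahead of the policy and NAT sections, but the NAT section still issues `clear config object` after them. The expected output in this patch (for example test/pix/firewall81.fw.orig) keeps that line as unchanged context, now after the definitions and after the access-lists that reference them. If the command is applied as written, either the objects named by the following `nat` rules are removed or the clear is rejected because they are in use, and in both cases the loaded configuration may not match the compiled policy. The code that emits `clear config object` is not part of this diff, so it needs checking there: emit the clear before the definitions, or drop it from the NAT section for 8.3 and later.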
@@ -305,11 +305,15 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id, all_errors.push_front(getErrors("").c_str()); } + system_configuration_script += + named_object_manager.getNamedObjectsDefinitions(); if (single_rule_compile_on) { return formSingleRuleCompileOutput( - QString::fromUtf8((policy_script + routing_script).c_str())); + QString::fromUtf8( + (named_object_manager.getNamedObjectsDefinitions() + + policy_script + routing_script).c_str())); } QString script_buffer = assembleFwScript( diff --git a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp index a4555ed51..b4c7ea784 100644 --- a/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp +++ b/src/cisco_lib/NamedObjectsAndGroupsSupport.cpp @@ -42,6 +42,7 @@ #include "fwbuilder/Management.h" #include "fwbuilder/Resources.h" #include "fwbuilder/AddressTable.h" +#include "fwbuilder/AddressRange.h" #include "fwbuilder/Firewall.h" #include "fwcompiler/Compiler.h" @@ -104,6 +105,19 @@ NamedObject* NamedObjectManager::getNamedObject(const FWObject *obj) return named_objects[obj->getId()]; } +string NamedObjectManager::getNamedObjectsDefinitions() +{ + QStringList output; + map::iterator it; + + for (it=named_objects.begin(); it!=named_objects.end(); ++it) + { + NamedObject *nobj = it->second; + if (nobj==NULL) continue; + output << nobj->getCommand(fw); + } + return output.join("\n").toUtf8().constData(); +} void CreateObjectGroups::init(FWObjectDatabase *db) 
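Review bot: `getNamedObjectsDefinitions()` has no comment and its `nobj==NULL` skip is unexplained. The skip is needed because `getNamedObject()` (its last line is the context just above) returns `named_objects[obj->getId()]`, and `operator[]` inserts an empty entry for every object that was only looked up; PrintRule now performs that lookup for the source and destination of every rule, so empty entries will be common. I would add a header comment saying the method returns the definition commands of all registered objects, joined by newlines in map iteration order, and put `// entries created by lookups in getNamedObject() are NULL` on the skip. Switching `getNamedObject()` to `find()` would remove the need for the skip and stop the map growing on lookups.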
@@ -283,12 +297,17 @@ void printNamedObjectsCommon::printObjectsForRE(RuleElement *re) { FWObject *obj = FWReference::getObject(*it); if (Interface::isA(obj)) continue; - compiler->output << named_objects_manager->addNamedObject(obj); + //compiler->output << named_objects_manager->addNamedObject(obj); + named_objects_manager->addNamedObject(obj); } } /* - * We do not need object-groups for policy rules. + * We support named objects only for ASA 8.3 and in policy rules, only for + * address ranges. + * + * See #1962, it looks like ASA 8.3 does not support named objects or + * object-groups in place of port specification in access-list commands. */ bool printNamedObjectsForPolicy::processNext() { @@ -302,12 +321,16 @@ bool printNamedObjectsForPolicy::processNext() PolicyRule *policy_rule = PolicyRule::cast( *k ); if (policy_rule) { - // RuleElementSrc *src_re = policy_rule->getSrc(); assert(src_re); - // printObjectsForRE(src_re); - // RuleElementDst *dst_re = policy_rule->getDst(); assert(dst_re); - // printObjectsForRE(dst_re); - // RuleElementSrv *srv_re = policy_rule->getSrv(); assert(srv_re); - // if (haveCustomService(srv_re)) printObjectsForRE(srv_re); + RuleElementSrc *src_re = policy_rule->getSrc(); assert(src_re); + FWObject *srcobj = FWReference::getObject(src_re->front()); + if (AddressRange::isA(srcobj)) printObjectsForRE(src_re); + + RuleElementDst *dst_re = policy_rule->getDst(); assert(dst_re); + FWObject *dstobj = FWReference::getObject(dst_re->front()); + if (AddressRange::isA(srcobj)) printObjectsForRE(dst_re); + + //RuleElementSrv *srv_re = policy_rule->getSrv(); assert(srv_re); + //printObjectsForRE(srv_re); } } diff --git a/src/cisco_lib/NamedObjectsAndGroupsSupport.h b/src/cisco_lib/NamedObjectsAndGroupsSupport.h index b2d6458b2..485a2bfdb 100644 --- a/src/cisco_lib/NamedObjectsAndGroupsSupport.h +++ b/src/cisco_lib/NamedObjectsAndGroupsSupport.h 
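Review bot: The old `compiler->output << ...` statement in printObjectsForRE is left behind as a comment, and the string returned by `addNamedObject(obj)` is now discarded without explanation. Delete the commented-out line and state why the result is unused, e.g. `// register only; definitions are emitted later by NamedObjectManager::getNamedObjectsDefinitions()`. The helper and its class keep their `print...` names although they no longer write to the output, which deserves a rename or at least a sentence in the class comment. `printObjectsForRE` begins outside this hunk.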
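Review bot: The destination branch in printNamedObjectsForPolicy::processNext tests the wrong variable: `if (AddressRange::isA(srcobj)) printObjectsForRE(dst_re);` checks `srcobj`, and `dstobj` is never read. A range used only as destination is therefore not registered as a named object, while any destination is registered whenever the source happens to be a range. Because this commit also stops adding the `addressRanges` processor for 8.3 and later, an unregistered destination range would reach PrintRule and be handed to `_printAddr`, so the generated access-list may not cover the range the rule specifies (`_printAddr` is not visible here, so the exact output is unconfirmed). The line should read `if (AddressRange::isA(dstobj)) printObjectsForRE(dst_re);`. A regression case with a range only in the destination would catch this; `processNext` starts and ends outside the hunk.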
@@ -51,6 +51,8 @@ public: virtual ~NamedObjectManager(); std::string addNamedObject(const libfwbuilder::FWObject *obj); NamedObject* getNamedObject(const libfwbuilder::FWObject *obj); + + std::string getNamedObjectsDefinitions(); }; class CreateObjectGroups : public BasicRuleProcessor diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp index cf1fafb71..b85be86d5 100644 --- a/src/cisco_lib/PolicyCompiler_pix.cpp +++ b/src/cisco_lib/PolicyCompiler_pix.cpp @@ -511,7 +511,8 @@ void PolicyCompiler_pix::compile() add( new InterfacePolicyRules( "process interface policy rules and store interface ids")); - add( new addressRanges("process address ranges" )); + if (XMLTools::version_compare(vers, "8.3")<0) + add( new addressRanges("process address ranges" )); if ( fwopt->getBool("pix_assume_fw_part_of_any")) { @@ -642,11 +643,11 @@ void PolicyCompiler_pix::compile() add( new printClearCommands("Clear ACLs and object groups")); - //if (XMLTools::version_compare(vers, "8.3")>=0) - //{ - // add( new printNamedObjectsForPolicy( - // "definitions of named objects", named_objects_manager)); - //} + if (XMLTools::version_compare(vers, "8.3")>=0) + { + add( new printNamedObjectsForPolicy( + "definitions of named objects", named_objects_manager)); + } add( new printObjectGroups( "generate code for object groups", named_objects_manager)); diff --git a/src/cisco_lib/PolicyCompiler_pix_writers.cpp b/src/cisco_lib/PolicyCompiler_pix_writers.cpp index 82c731a5e..a8dda6d59 100644 --- a/src/cisco_lib/PolicyCompiler_pix_writers.cpp +++ b/src/cisco_lib/PolicyCompiler_pix_writers.cpp 
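Review bot: The new version guard in front of `add( new addressRanges("process address ranges" ))` in PolicyCompiler_pix::compile carries no comment, although skipping that processor changes what every later stage must handle. From 8.3 on, each AddressRange has to be registered as a named object or it reaches PrintRule unexpanded. In this diff the registration happens only in `printNamedObjectsForPolicy`, which inspects just the first object of the source and destination elements, so ranges in any other position depend on processors that are not shown here. I would add something like `// ASA 8.3+: ranges are emitted as "object network ... range", see printNamedObjectsForPolicy` above the guard. `compile()` extends well beyond both hunks in this file.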
@@ -473,42 +473,26 @@ bool PolicyCompiler_pix::PrintRule::processNext() * be either group (in case processor CreateObjectGroups created * object group for it) or a regular object */ - RuleElementSrc *src=rule->getSrc(); - RuleElementDst *dst=rule->getDst(); - RuleElementSrv *srv=rule->getSrv(); + RuleElementSrc *src = rule->getSrc(); + RuleElementDst *dst = rule->getDst(); + RuleElementSrv *srv = rule->getSrv(); assert(src->size()==1); assert(dst->size()==1); assert(srv->size()==1); - FWObject *srcobj=src->front(); - FWObject *dstobj=dst->front(); - FWObject *srvobj=srv->front(); + FWObject *srcobj = FWReference::getObject(src->front()); + FWObject *dstobj = FWReference::getObject(dst->front()); + FWObject *srvobj = FWReference::getObject(srv->front()); assert(srcobj); assert(dstobj); assert(srvobj); - if (FWReference::cast(srcobj)!=NULL) - { - srcobj=FWReference::cast(srcobj)->getPointer(); - assert(srcobj); - } - if (FWReference::cast(dstobj)!=NULL) - { - dstobj=FWReference::cast(dstobj)->getPointer(); - assert(dstobj); - } - if (FWReference::cast(srvobj)!=NULL) - { - srvobj=FWReference::cast(srvobj)->getPointer(); - assert(srvobj); - } - ostringstream aclstr; - string acl_name=rule->getStr("acl"); - assert (acl_name!=""); + string acl_name = rule->getStr("acl"); + assert(acl_name!=""); ciscoACL *acl = pix_comp->acls[acl_name]; assert(acl!=NULL); 
@@ -549,32 +533,48 @@ bool PolicyCompiler_pix::PrintRule::processNext() aclstr << " "; - if ( pgsrc!=NULL && pgsrc->isObjectGroup()) + NamedObject* asa8_object; + + asa8_object = pix_comp->named_objects_manager->getNamedObject(srcobj); + if (asa8_object) { - aclstr << "object-group " << srcobj->getName(); - aclstr << " "; + aclstr << "object " << asa8_object->getCommandWord().toStdString() << " "; } else { - aclstr << _printAddr( compiler->getFirstSrc(rule) ); + if (pgsrc!=NULL) + { + aclstr << "object-group " << srcobj->getName() << " "; + } else + { + aclstr << _printAddr(Address::cast(srcobj)); + } } if ( pgsrv==NULL ) aclstr << _printSrcService( compiler->getFirstSrv(rule) ); - if ( pgdst!=NULL && pgdst->isObjectGroup()) + asa8_object = pix_comp->named_objects_manager->getNamedObject(dstobj); + if (asa8_object) { - aclstr << "object-group " << dstobj->getName(); - aclstr << " "; - } else - aclstr << _printAddr( compiler->getFirstDst(rule) ); - - - if ( pgsrv!=NULL ) + aclstr << "object " << asa8_object->getCommandWord().toStdString() << " "; + } else { - aclstr << "object-group " << srvobj->getName(); - aclstr << " "; - } else - aclstr << _printDstService( compiler->getFirstSrv(rule) ); + if (pgdst!=NULL) + { + aclstr << "object-group " << dstobj->getName() << " "; + } else + { + aclstr << _printAddr(Address::cast(dstobj)); + } + } + + if (pgsrv!=NULL) + { + aclstr << "object-group " << srvobj->getName() << " "; + } else + { + aclstr << _printDstService(Service::cast(srvobj)); + } aclstr << _printLog( rule ); diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index 4ee189da3..256e6bd57 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:28 2011 PST by vadim +! Generated Wed Jan 19 20:15:56 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported 
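Review bot: The rewritten source and destination branches in PrintRule::processNext drop a check and add unchecked casts. The removed lines required `pgsrc!=NULL && pgsrc->isObjectGroup()` (likewise for `pgdst`), the new ones test only the pointer, and the fallbacks pass `Address::cast(srcobj)`, `Address::cast(dstobj)` and `Service::cast(srvobj)` straight to the print helpers. `pgsrc`, `pgdst` and `pgsrv` are declared outside the hunk, so I cannot tell whether a value that is not an object group can still occur; if it can, it is now printed as `object-group NAME`, and a failed cast hands NULL to `_printAddr`. Either keep the `isObjectGroup()` condition or add a comment saying why it is no longer needed, and check the cast in the file's existing style, e.g. `Address *src_addr = Address::cast(srcobj); assert(src_addr);`. `asa8_object` is also declared uninitialised one line before its first assignment; declaring it at first use is cleaner.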
diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index 4230ced5f..4bebfb227 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:28 2011 PST by vadim +! Generated Wed Jan 19 20:15:56 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index 05ebe0445..3cd1b8857 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:27 2011 PST by vadim +! Generated Wed Jan 19 20:15:55 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index b3d3a325d..511c01f3b 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:27 2011 PST by vadim +! Generated Wed Jan 19 20:15:55 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index 82b4b2e13..22a4bc062 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:13 2011 PST by vadim +! Generated Wed Jan 19 20:15:42 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index 37b51b766..a02a3cd81 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:13 2011 PST by vadim +! Generated Wed Jan 19 20:15:41 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index 362ceb96b..a75d8bdaf 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:14 2011 PST by vadim +! Generated Wed Jan 19 20:15:42 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index 75cbce0b9..31c35aa92 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:14 2011 PST by vadim +! Generated Wed Jan 19 20:15:42 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index 927a2f60f..64f38d671 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:15 2011 PST by vadim +! Generated Wed Jan 19 20:15:43 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 64787ba28..0ca8b43df 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:15 2011 PST by vadim +! Generated Wed Jan 19 20:15:43 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index bf753e871..b750ae0bb 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:15 2011 PST by vadim +! Generated Wed Jan 19 20:15:44 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 73501ef7a..6697fb78a 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:16 2011 PST by vadim +! Generated Wed Jan 19 20:15:44 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index 0b23ef063..264bcb86b 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:16 2011 PST by vadim +! Generated Wed Jan 19 20:15:45 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index c99e085dc..6fe213ebc 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:17 2011 PST by vadim +! Generated Wed Jan 19 20:15:45 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 990cfc333..ecb8018c9 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:16 2011 PST by vadim +! Generated Wed Jan 19 20:15:45 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index b7b118ced..bb088946d 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:17 2011 PST by vadim +! Generated Wed Jan 19 20:15:46 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported 
diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index 4ce0aa526..2940d475a 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:18 2011 PST by vadim +! Generated Wed Jan 19 20:15:46 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index 00940cd2b..dc29182dd 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:18 2011 PST by vadim +! Generated Wed Jan 19 20:15:47 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index d55b1310c..05dbbf769 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:19 2011 PST by vadim +! Generated Wed Jan 19 20:15:47 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 1baff4399..a6fe86442 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:19 2011 PST by vadim +! Generated Wed Jan 19 20:15:48 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index b05d9b7e5..bb86fb2c6 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:20 2011 PST by vadim +! Generated Wed Jan 19 20:15:48 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported 
diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 15eb2310a..56ed7b2f1 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:20 2011 PST by vadim +! Generated Wed Jan 19 20:15:48 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index 5480113cf..0c798917a 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:21 2011 PST by vadim +! Generated Wed Jan 19 20:15:49 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index de5483550..c6d54e895 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:21 2011 PST by vadim +! Generated Wed Jan 19 20:15:49 2011 PST by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index de5ee837b..e8f633d8c 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:22 2011 PST by vadim +! Generated Wed Jan 19 20:21:33 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -89,20 +89,30 @@ parameters router-alert action clear +object service http.0 + service tcp destination eq 80 +quit + +object network hostA:eth0.0 + host 192.168.1.10 +quit + + !################ clear config access-list clear config object-group clear config icmp clear config telnet + ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp ! in one service-group ! -access-list inside_acl_in deny icmp any host 192.168.1.10 -access-list outside_acl_in deny icmp any host 192.168.1.10 -access-list inside_acl_in deny tcp any host 192.168.1.10 -access-list outside_acl_in deny tcp any host 192.168.1.10 +access-list inside_acl_in deny icmp any object hostA:eth0.0 +access-list outside_acl_in deny icmp any object hostA:eth0.0 +access-list inside_acl_in deny tcp any object hostA:eth0.0 +access-list outside_acl_in deny tcp any object hostA:eth0.0 ! ! Rule 1 (FastEthernet1) ! test rule using translated address in dst 
@@ -123,16 +133,16 @@ access-list outside_acl_in permit tcp any host 22.22.22.22 eq 80 ! Rule 4 (global) ! for #1942 ! using custom service -access-list inside_acl_in deny tcp any host 192.168.1.10 tcp destination neq 8080 -access-list outside_acl_in deny tcp any host 192.168.1.10 tcp destination neq 8080 +access-list inside_acl_in deny tcp any object hostA:eth0.0 neq 8080 +access-list outside_acl_in deny tcp any object hostA:eth0.0 neq 8080 ! ! Rule 5 (global) ! for #1942 ! using custom service -access-list inside_acl_in deny tcp any host 192.168.1.10 tcp destination neq 8080 -access-list outside_acl_in deny tcp any host 192.168.1.10 tcp destination neq 8080 -access-list inside_acl_in deny tcp any host 192.168.1.10 eq 3128 -access-list outside_acl_in deny tcp any host 192.168.1.10 eq 3128 +access-list inside_acl_in deny tcp any object hostA:eth0.0 neq 8080 +access-list outside_acl_in deny tcp any object hostA:eth0.0 neq 8080 +access-list inside_acl_in deny tcp any object hostA:eth0.0 eq 3128 +access-list outside_acl_in deny tcp any object hostA:eth0.0 eq 3128 ! ! Rule 6 (global) access-list inside_acl_in deny ip any any @@ -146,12 +156,6 @@ clear xlate clear config nat clear config object -object service http.0 - service tcp destination eq 80 -quit -object network hostA:eth0.0 - host 192.168.1.10 -quit ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)" diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index e6c379252..9201781e9 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:22 2011 PST by vadim +! Generated Wed Jan 19 20:15:50 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -89,20 +89,30 @@ parameters router-alert action clear +object service http.0 + service tcp destination eq 80 +quit + +object network hostA:eth0.0 + host 192.168.1.10 +quit + + !################ clear config access-list clear config object-group clear config icmp clear config telnet + ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp ! in one service-group ! -access-list inside_acl_in deny icmp any host 192.168.1.10 -access-list outside_acl_in deny icmp any host 192.168.1.10 -access-list inside_acl_in deny tcp any host 192.168.1.10 -access-list outside_acl_in deny tcp any host 192.168.1.10 +access-list inside_acl_in deny icmp any object hostA:eth0.0 +access-list outside_acl_in deny icmp any object hostA:eth0.0 +access-list inside_acl_in deny tcp any object hostA:eth0.0 +access-list outside_acl_in deny tcp any object hostA:eth0.0 ! ! Rule 1 (FastEthernet1) ! test rule using translated address in dst @@ -132,12 +142,6 @@ clear xlate clear config nat clear config object -object service http.0 - service tcp destination eq 80 -quit -object network hostA:eth0.0 - host 192.168.1.10 -quit ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 service http.0 http.0 description "0 (NAT)" diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 5ce8140ba..2ad2872e3 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:22 2011 PST by vadim +! Generated Wed Jan 19 20:15:51 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -87,20 +87,30 @@ parameters router-alert action clear +object service http.0 + service tcp destination eq 80 +quit + +object network hostA:eth0.0 + host 192.168.1.10 +quit + + !################ clear config access-list clear config object-group clear config icmp clear config telnet + ! ! Rule 0 (global) ! matching "any" icmp and "all" tcp ! in one service-group ! -access-list inside_acl_in deny icmp any host 192.168.1.10 -access-list outside_acl_in deny icmp any host 192.168.1.10 -access-list inside_acl_in deny tcp any host 192.168.1.10 -access-list outside_acl_in deny tcp any host 192.168.1.10 +access-list inside_acl_in deny icmp any object hostA:eth0.0 +access-list outside_acl_in deny icmp any object hostA:eth0.0 +access-list inside_acl_in deny tcp any object hostA:eth0.0 +access-list outside_acl_in deny tcp any object hostA:eth0.0 ! ! Rule 1 (FastEthernet1) ! test rule using translated address in dst @@ -127,12 +137,6 @@ clear xlate clear config nat clear config object -object network hostA:eth0.0 - host 192.168.1.10 -quit -object service http.0 - service tcp destination eq 80 -quit ! ! Rule 0 (NAT) nat (inside,outside) source static hostA:eth0.0 interface service http.0 http.0 description "0 (NAT)" diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index 003403d42..c42b4fae3 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:23 2011 PST by vadim +! Generated Wed Jan 19 20:15:51 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index 3fadd11ef..5cd75d601 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:23 2011 PST by vadim +! Generated Wed Jan 19 20:15:51 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -90,12 +90,90 @@ parameters router-alert action clear +object service http.0 + service tcp destination eq 80 +quit + +object service smtp.0 + service tcp destination eq 25 +quit + +object service smtps.0 + service tcp destination eq 465 +quit + +object service squid.0 + service tcp destination eq 3128 +quit + +object network spamhost1.0 + host 61.150.47.112 +quit + +object network external_gw_1.0 + host 22.22.22.254 +quit + +object network external_gw2.0 + host 22.22.22.100 +quit + +object network spamhost2.0 + host 61.150.47.113 +quit + +object network hostA:eth0.0 + host 192.168.1.10 +quit + +object network Internal_net.0 + subnet 192.168.1.0 255.255.255.0 +quit + +object network internal_subnet_1.0 + subnet 192.168.1.0 255.255.255.192 +quit + +object network internal_subnet_2.0 + subnet 192.168.1.64 255.255.255.192 +quit + +object network ext_subnet.0 + subnet 22.22.22.128 255.255.255.224 +quit + +object network ext_subnet-192.0 + subnet 22.22.22.128 255.255.255.192 +quit + +object network test_range_1.0 + range 192.168.1.11 192.168.1.15 +quit + +object network outside_range.0 + range 22.22.22.21 22.22.22.25 +quit + +object network outside_range-1.0 + range 22.22.22.30 22.22.22.40 +quit + +object network firewall90:FastEthernet1:ip.0 + host 22.22.22.22 +quit + +object network firewall90:FastEthernet1:ip-1.0 + host 22.22.22.23 +quit + + !################ clear config access-list clear config object-group clear config icmp clear config telnet + object-group network outside.id78630X30274.src.net.0 network-object 10.1.2.0 255.255.255.0 network-object 10.1.3.0 255.255.255.0 
@@ -107,16 +185,16 @@ access-list outside_acl_in deny ip object-group outside.id78630X30274.src.net. ! Rule 1 (global) ! for #1942 ! using custom service -access-list inside_acl_in deny tcp any host 192.168.1.10 tcp destination neq 8080 -access-list outside_acl_in deny tcp any host 192.168.1.10 tcp destination neq 8080 +access-list inside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080 +access-list outside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080 ! ! Rule 2 (global) ! for #1942 ! using custom service -access-list inside_acl_in deny tcp any host 192.168.1.10 tcp destination neq 8080 -access-list outside_acl_in deny tcp any host 192.168.1.10 tcp destination neq 8080 -access-list inside_acl_in deny tcp any host 192.168.1.10 eq 3128 -access-list outside_acl_in deny tcp any host 192.168.1.10 eq 3128 +access-list inside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080 +access-list outside_acl_in deny tcp any object hostA:eth0.0 tcp destination neq 8080 +access-list inside_acl_in deny tcp any object hostA:eth0.0 eq 3128 +access-list outside_acl_in deny tcp any object hostA:eth0.0 eq 3128 ! ! Rule 3 (global) access-list inside_acl_in deny ip any any 
@@ -130,63 +208,6 @@ clear xlate clear config nat clear config object -object network Internal_net.0 - subnet 192.168.1.0 255.255.255.0 -quit -object service http.0 - service tcp destination eq 80 -quit -object network hostA:eth0.0 - host 192.168.1.10 -quit -object network spamhost1.0 - host 61.150.47.112 -quit -object service smtp.0 - service tcp destination eq 25 -quit -object network firewall90:FastEthernet1:ip-1.0 - host 22.22.22.23 -quit -object network internal_subnet_1.0 - subnet 192.168.1.0 255.255.255.192 -quit -object network internal_subnet_2.0 - subnet 192.168.1.64 255.255.255.192 -quit -object network test_range_1.0 - range 192.168.1.11 192.168.1.15 -quit -object network external_gw_1.0 - host 22.22.22.254 -quit -object network outside_range.0 - range 22.22.22.21 22.22.22.25 -quit -object network firewall90:FastEthernet1:ip.0 - host 22.22.22.22 -quit -object network external_gw2.0 - host 22.22.22.100 -quit -object network ext_subnet.0 - subnet 22.22.22.128 255.255.255.224 -quit -object network outside_range-1.0 - range 22.22.22.30 22.22.22.40 -quit -object service squid.0 - service tcp destination eq 3128 -quit -object network spamhost2.0 - host 61.150.47.113 -quit -object service smtps.0 - service tcp destination eq 465 -quit -object network ext_subnet-192.0 - subnet 22.22.22.128 255.255.255.192 -quit object-group network outside.id178211X29963.osrc.net.0 network-object object internal_subnet_1.0 diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 5f6ad71a7..954d8c47f 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:23 2011 PST by vadim +! Generated Wed Jan 19 20:15:52 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
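Review bot: The context line `clear config object` that survives in this hunk (presumably test/pix/firewall90.fw.orig; its file header is outside the visible part) now runs after the `object network` / `object service` definitions, which the earlier `@@ -90,12 +90,90 @@` hunk moved to the top of the script. The line that follows it, `network-object object internal_subnet_1.0`, still refers to one of those objects, and so do the access-lists emitted earlier with `object hostA:eth0.0`. Depending on how the target handles the clear while ACLs hold references, the objects are either wiped before the NAT section uses them or the command is refused; this should be confirmed on a pix 8.3 device before the golden file is accepted. The expected output should instead have `clear config object` once, ahead of the first `object service http.0` definition, and not in the NAT block, which means changing the compiler that emits these files rather than the fixtures. The same ordering appears in the firewall91, firewall92 and firewall93 hunks (`@@ -110,30 +144,6 @@`, `@@ -105,30 +139,6 @@`, `@@ -88,18 +88,22 @@`), where the NAT rules reference `hostA:eth0.0` and `inside-range-1.0` directly after the clear.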
@@ -92,11 +92,45 @@ parameters router-alert action clear +object service http.0 + service tcp destination eq 80 +quit + +object service https.0 + service tcp destination eq 443 +quit + +object service squid.0 + service tcp destination eq 3128 +quit + +object network external_gw2.0 + host 22.22.22.100 +quit + +object network hostA:eth0.0 + host 192.168.1.10 +quit + +object network internal_subnet_1.0 + subnet 192.168.1.0 255.255.255.192 +quit + +object network test_range_1.0 + range 192.168.1.11 192.168.1.15 +quit + +object network outside_range.0 + range 22.22.22.21 22.22.22.25 +quit + + !################ clear config access-list clear config object-group clear config icmp clear config telnet + ! ! Rule 0 (global) access-list inside_acl_in deny ip any any @@ -110,30 +144,6 @@ clear xlate clear config nat clear config object -object network hostA:eth0.0 - host 192.168.1.10 -quit -object network external_gw2.0 - host 22.22.22.100 -quit -object service http.0 - service tcp destination eq 80 -quit -object service squid.0 - service tcp destination eq 3128 -quit -object service https.0 - service tcp destination eq 443 -quit -object network outside_range.0 - range 22.22.22.21 22.22.22.25 -quit -object network internal_subnet_1.0 - subnet 192.168.1.0 255.255.255.192 -quit -object network test_range_1.0 - range 192.168.1.11 192.168.1.15 -quit ! ! Rule 0 (NAT) nat (outside,inside) source static any any destination static interface hostA:eth0.0 description "0 (NAT)" diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index 2bdd3e46f..9da762b03 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:24 2011 PST by vadim +! Generated Wed Jan 19 20:15:52 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -87,11 +87,45 @@ parameters router-alert action clear +object service http.0 + service tcp destination eq 80 +quit + +object service smtp.0 + service tcp destination eq 25 +quit + +object network spamhost1.0 + host 61.150.47.112 +quit + +object network hostA:eth0.0 + host 192.168.1.10 +quit + +object network Internal_net.0 + subnet 192.168.1.0 255.255.255.0 +quit + +object network internal_subnet_1.0 + subnet 192.168.1.0 255.255.255.192 +quit + +object network internal_subnet_2.0 + subnet 192.168.1.64 255.255.255.192 +quit + +object network test_range_1.0 + range 192.168.1.11 192.168.1.15 +quit + + !################ clear config access-list clear config object-group clear config icmp clear config telnet + ! ! Rule 0 (global) access-list inside_acl_in deny ip any any @@ -105,30 +139,6 @@ clear xlate clear config nat clear config object -object network Internal_net.0 - subnet 192.168.1.0 255.255.255.0 -quit -object service http.0 - service tcp destination eq 80 -quit -object network hostA:eth0.0 - host 192.168.1.10 -quit -object service smtp.0 - service tcp destination eq 25 -quit -object network spamhost1.0 - host 61.150.47.112 -quit -object network internal_subnet_1.0 - subnet 192.168.1.0 255.255.255.192 -quit -object network internal_subnet_2.0 - subnet 192.168.1.64 255.255.255.192 -quit -object network test_range_1.0 - range 192.168.1.11 192.168.1.15 -quit object-group network outside.id20655X6113.osrc.net.0 network-object object internal_subnet_1.0 diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig index cbb1595c1..99e7af6eb 100755 --- a/test/pix/firewall93.fw.orig +++ b/test/pix/firewall93.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:24 2011 PST by vadim +! Generated Wed Jan 19 20:15:52 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported 
@@ -88,18 +88,22 @@ policy-map global_policy service-policy global_policy global + +object network dmz-range-1.0 + range 172.16.0.10 172.16.0.15 +quit + +object network inside-range-1.0 + range 10.0.0.1 10.0.0.5 +quit + + !################ clear xlate clear config nat clear config object -object network inside-range-1.0 - range 10.0.0.1 10.0.0.5 -quit -object network dmz-range-1.0 - range 172.16.0.10 172.16.0.15 -quit ! ! Rule 0 (NAT) nat (inside,outside) source dynamic inside-range-1.0 interface description "0 (NAT)" diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index 71ff33360..eb6987395 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:25 2011 PST by vadim +! Generated Wed Jan 19 20:15:53 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index 25c719547..d36231132 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:25 2011 PST by vadim +! Generated Wed Jan 19 20:15:53 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index 3c9cdd52d..64d2d5933 100644 --- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb @@ -17486,7 +17486,7 @@ no sysopt nodnsalias outbound - + @@ -17601,7 +17601,7 @@ no sysopt nodnsalias outbound - + @@ -17622,8 +17622,8 @@ no sysopt nodnsalias outbound - + diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index 31c231bcd..ad1d4f38e 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:26 2011 PST by vadim +! Generated Wed Jan 19 20:15:54 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 52a417131..8d9352041 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3439 ! -! Generated Wed Jan 19 18:23:26 2011 PST by vadim +! Generated Wed Jan 19 20:15:54 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported