mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 17:57:22 +01:00

fixes #1948 incorrect configuration created when a CustomService object is used in a policy rule for PIX/ASA v<8.3

Vadim Kurland 2011-01-17 14:35:55 -08:00
parent 8a91ae3882
commit ca475b24d7
46 changed files with 246 additions and 105 deletions


@ -1,5 +1,11 @@
2011-01-17 vadim <vadim@netcitadel.com>
* PolicyCompiler_pix.cpp (processNext): fixes #1948 "incorrect
configuration created when a CustomService object is used in a
policy rule for PIX/ASA v<8.3". Since we do not support custom
service objects in policy and nat rules for versions older than
8.3, added check to generate fatal error when such object is used.
* NamedObjectsAndGroupsSupport.cpp (init): fixes #1945
"object-group names include ever-growing suffix". Object-groups
created by the compiler for PIX/ASA had numerical suffix that was


@ -352,6 +352,7 @@ void NATCompiler_asa8::compile()
add( new VerifyValidityOfDNSOption(
"Check validity of 'translate dns' option"));
add( new SpecialServicesOSrv( "check for special services" ));
add( new CreateObjectGroupsForOSrc("create object groups for OSrc"));
add( new CreateObjectGroupsForODst("create object groups for ODst"));


@ -1728,6 +1728,8 @@ void NATCompiler_pix::compile()
if (fw->getOptionsObject()->getBool("pix_optimize_default_nat"))
add (new clearOSrc ("clear OSrc" ));
add( new SpecialServicesOSrv( "check for special services" ));
add( new createNATCmd ("create NAT commands" ));
add( new createStaticCmd ("create static commands" ));
add( new mergeNATCmd ("merge NAT commands" ));


@ -31,6 +31,7 @@
#include "Helper.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "splitByNetworkZonesForRE.h"
#include "specialServices.h"
#include <map>
#include <deque>
@ -278,6 +279,13 @@ namespace fwcompiler {
DECLARE_NAT_RULE_PROCESSOR( clearOSrc );
friend class NATCompiler_pix::clearOSrc;
class SpecialServicesOSrv : public SpecialServices
{
public:
SpecialServicesOSrv(const std::string &n):
SpecialServices(n, libfwbuilder::RuleElementOSrv::TYPENAME) {}
};
/**
* eliminates duplicate objects in SRC. Uses default comparison
* in eliminateDuplicatesInRE which compares IDs
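Review bot: Reusing `SpecialServices` for `OSrv` through `SpecialServicesOSrv` carries the policy-only branches of `processNext()` into NAT compilation. In a NAT compiler `dynamic_cast<PolicyCompiler_pix*>(compiler)` presumably yields null (the new `if (pix_comp)` guard in specialServices.cpp suggests as much), so for an IPService with `fragm` or `short_fragm` set the processor skips the `fragguard` assignment and still returns without queuing the rule, which removes the NAT rule from the output with no diagnostic. A firewall compiler should not produce a configuration that silently differs from the rule set; when `pix_comp` is null, reporting it with something like `compiler->abort(rule, "Fragment options are not supported in the service of a NAT rule");` would keep the failure visible. The nested class also has no comment; `/** runs the SpecialServices checks against OSrv of a NAT rule */` would do. The doc comment at the end of this section continues outside the hunk.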


@ -38,6 +38,7 @@
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Interface.h"
@ -251,46 +252,6 @@ bool PolicyCompiler_pix::checkVersionAndDynamicInterface::processNext()
return true;
}
bool PolicyCompiler_pix::SpecialServices::processNext()
{
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Service *s=compiler->getFirstSrv(rule);
if (IPService::cast(s)!=NULL) {
if (s->getBool("short_fragm") ||
s->getBool("fragm") ) {
pix_comp->fragguard=true;
return true; // do not copy the rule
}
if (s->getBool("rr") ||
s->getBool("ssrr") ||
s->getBool("ts") )
{
compiler->abort(
rule,
"PIX does not support checking for IP options in ACLs.");
return true;
}
}
if (TCPService::cast(s)!=NULL) {
if (s->getBool("ack_flag") ||
s->getBool("fin_flag") ||
s->getBool("rst_flag") ||
s->getBool("syn_flag") )
{
compiler->abort(
rule,
"PIX does not support checking for TCP options in ACLs.");
return true;
}
}
tmp_queue.push_back(rule);
return true;
}
/*
* if dst contains firewall, it must be a single object there.
*/
@ -651,7 +612,7 @@ void PolicyCompiler_pix::compile()
else
add( new pickACL_v6( "assign ACLs for v6" ));
add( new SpecialServices( "check for special services" ));
add( new SpecialServicesSrv( "check for special services" ));
add( new CheckForUnsupportedUserService("check for user service") );
add( new checkForZeroAddr( "check for zero addresses" ));
add( new checkVersionAndDynamicInterface(
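Review bot: The added `#include "fwbuilder/CustomService.h"` looks unused in this file. The only CustomService code in this commit lives in specialServices.cpp, which includes the header itself, and the only other change here is swapping `SpecialServices` for `SpecialServicesSrv` in `compile()`. Unless code outside the visible hunks needs it, drop the include. `compile()` starts and ends outside the hunk.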


@ -34,6 +34,7 @@
#include "Helper.h"
#include "ACL.h"
#include "PolicyCompiler_cisco.h"
#include "specialServices.h"
namespace libfwbuilder {
class IPService;
@ -149,19 +150,14 @@ namespace fwcompiler {
*************************************************************************
*/
/**
* this processor checks for the services which require
* special treatment. Some of these will be checking for
* source or destination object as well because special
* command may need to be generated in case source or
* destination is a firewall itself. Therefore this processor
* should be called after converting to atomic rules, but
* before interface addresses in source and destination are
* expanded.
*/
DECLARE_POLICY_RULE_PROCESSOR( SpecialServices );
friend class PolicyCompiler_pix::SpecialServices;
class SpecialServicesSrv : public SpecialServices
{
public:
SpecialServicesSrv(const std::string &n):
SpecialServices(n, libfwbuilder::RuleElementSrv::TYPENAME) {}
};
friend class SpecialServices;
/**
* sets boolean flag icmp_cmd to be able to generate command
* "icmp" instead of "access-list" later. Call this processor
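Review bot: `friend class SpecialServices;` opens every private and protected member of `PolicyCompiler_pix` to a processor that is now shared with the NAT compilers, while the only member `SpecialServices::processNext()` touches on this page is `fragguard`. A narrow setter would be enough; failing that, record the reason next to the declaration: `// SpecialServices::processNext() sets fragguard`. The comment block that described the processor was removed from this header, so a one-line `/** SpecialServices applied to Srv of a policy rule */` above `SpecialServicesSrv` would keep it readable. The enclosing class starts and ends outside the hunk.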


@ -10,6 +10,7 @@ SOURCES = PolicyCompiler_cisco.cpp \
RoutingCompiler_cisco.cpp \
RoutingCompiler_cisco_writers.cpp \
splitByNetworkZonesForRE.cpp \
specialServices.cpp \
ACL.cpp \
NamedObject.cpp \
ASA8TwiceNatLogic.cpp \
@ -54,6 +55,7 @@ SOURCES = PolicyCompiler_cisco.cpp \
HEADERS = ../../config.h \
splitByNetworkZonesForRE.h \
specialServices.h \
ACL.h \
Helper.h \
NamedObject.h \


@ -0,0 +1,93 @@
/*
Firewall Builder
Copyright (C) 2002-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "specialServices.h"
#include "PolicyCompiler_pix.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/CustomService.h"
#include "fwcompiler/Compiler.h"
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
bool SpecialServices::processNext()
{
PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
FWObject *obj = FWReference::getObject(re->front());
Service *s = Service::cast(obj);
string version = compiler->fw->getStr("version");
if (IPService::cast(s)!=NULL)
{
if (s->getBool("short_fragm") ||
s->getBool("fragm") )
{
if (pix_comp) pix_comp->fragguard = true;
return true; // do not copy the rule
}
if (s->getBool("rr") ||
s->getBool("ssrr") ||
s->getBool("ts") )
{
compiler->abort(
rule,
"PIX does not support checking for IP options in ACLs.");
return true;
}
}
if (TCPService::cast(s)!=NULL)
{
if (s->getBool("ack_flag") ||
s->getBool("fin_flag") ||
s->getBool("rst_flag") ||
s->getBool("syn_flag") )
{
compiler->abort(
rule,
"PIX does not support checking for TCP options in ACLs.");
return true;
}
}
if (CustomService::cast(s)!=NULL &&
XMLTools::version_compare(version, "8.3")<0)
{
compiler->abort(
rule,
"CustomService objects are only supported for ASA 8.3 and later");
return true;
}
tmp_queue.push_back(rule);
return true;
}
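Review bot: `re` and `re->front()` are used unchecked at the top of `processNext()`: if `rule->getFirstByType(re_type)` finds no element of that type the cast presumably yields null, and `front()` on an empty element is undefined, so an unexpected rule would crash the compiler instead of producing an error. A guard before the `FWReference::getObject` call, such as `if (re == NULL || re->empty()) { tmp_queue.push_back(rule); return true; }` (assuming `RuleElement` exposes `empty()` alongside the `front()` used here), keeps the processor safe. Only the first object of the element is inspected, so the CustomService gate depends on this processor running after services are split into atomic rules, as the class comment in specialServices.h asks; a CustomService in a later position would presumably pass unchecked otherwise. The two existing abort messages still say "in ACLs" although the processor now also runs on NAT rules.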


@ -0,0 +1,59 @@
/*
Firewall Builder
Copyright (C) 2002-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __SPECIALSERVICES_HH
#define __SPECIALSERVICES_HH
#include "fwbuilder/RuleElement.h"
#include "fwcompiler/RuleProcessor.h"
namespace libfwbuilder {
class Address;
class Rule;
};
namespace fwcompiler
{
/**
* this processor checks for the services which require
* special treatment. Some of these will be checking for
* source or destination object as well because special
* command may need to be generated in case source or
* destination is a firewall itself. Therefore this processor
* should be called after converting to atomic rules, but
* before interface addresses in source and destination are
* expanded.
*/
class SpecialServices : public BasicRuleProcessor
{
std::string re_type;
public:
SpecialServices(const std::string &name, const std::string &_type) :
BasicRuleProcessor(name) {re_type=_type; }
virtual bool processNext();
};
}
#endif
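Review bot: The class comment was moved here unchanged and no longer covers what the processor does. It does not say that `_type` selects which rule element is inspected (`RuleElementSrv::TYPENAME` for policy rules, `RuleElementOSrv::TYPENAME` for NAT rules), nor does it mention the new rejection of CustomService objects on versions older than 8.3. Add a sentence for each and a `@param _type` line on the constructor. The header also uses `std::string` without `#include <string>`, and the guard `__SPECIALSERVICES_HH` is a reserved identifier because of the double underscore; `SPECIALSERVICES_HH` avoids that.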


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:26 2011 PST by vadim
! Generated Mon Jan 17 14:35:09 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:26 2011 PST by vadim
! Generated Mon Jan 17 14:35:09 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:26 2011 PST by vadim
! Generated Mon Jan 17 14:35:09 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:26 2011 PST by vadim
! Generated Mon Jan 17 14:35:09 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:00 2011 PST by vadim
! Generated Mon Jan 17 14:34:43 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:01 2011 PST by vadim
! Generated Mon Jan 17 14:34:44 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:02 2011 PST by vadim
! Generated Mon Jan 17 14:34:44 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:03 2011 PST by vadim
! Generated Mon Jan 17 14:34:45 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:03 2011 PST by vadim
! Generated Mon Jan 17 14:34:46 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:04 2011 PST by vadim
! Generated Mon Jan 17 14:34:47 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:05 2011 PST by vadim
! Generated Mon Jan 17 14:34:47 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:05 2011 PST by vadim
! Generated Mon Jan 17 14:34:48 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:06 2011 PST by vadim
! Generated Mon Jan 17 14:34:49 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:07 2011 PST by vadim
! Generated Mon Jan 17 14:34:50 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:07 2011 PST by vadim
! Generated Mon Jan 17 14:34:49 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:08 2011 PST by vadim
! Generated Mon Jan 17 14:34:51 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:09 2011 PST by vadim
! Generated Mon Jan 17 14:34:52 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:10 2011 PST by vadim
! Generated Mon Jan 17 14:34:53 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:11 2011 PST by vadim
! Generated Mon Jan 17 14:34:54 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:11 2011 PST by vadim
! Generated Mon Jan 17 14:34:54 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:12 2011 PST by vadim
! Generated Mon Jan 17 14:34:55 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:13 2011 PST by vadim
! Generated Mon Jan 17 14:34:56 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:14 2011 PST by vadim
! Generated Mon Jan 17 14:34:57 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:15 2011 PST by vadim
! Generated Mon Jan 17 14:34:58 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported
@ -15,7 +15,12 @@
!
! testing rules with broadcasts
! C firewall80:Policy:: error: ASA8ObjectGroup: Unsupported object 'custom serv 1' found in object group
! C firewall80:Policy:9: error: CustomService objects are only supported for ASA 8.3 and later
! C firewall80:Policy:9: error: CustomService objects are only supported for ASA 8.3 and later
! C firewall80:Policy:10: error: CustomService objects are only supported for ASA 8.3 and later
! C firewall80:Policy:10: error: CustomService objects are only supported for ASA 8.3 and later
! N firewall80:NAT:0: error: CustomService objects are only supported for ASA 8.3 and later
!
! Prolog script:
@ -123,7 +128,6 @@ object-group service inside.id21447X11252.srv.mixed.0
service-object tcp eq 3128
exit
!
! Rule 0 (FastEthernet1)
ssh 0.0.0.0 0.0.0.0 inside
@ -171,18 +175,6 @@ icmp permit 192.168.1.0 255.255.255.192 3 inside
access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.192 host 192.168.1.1 object-group inside.id21447X11252.srv.icmp.0
access-list inside_acl_in permit 192.168.1.0 255.255.255.192 any object-group inside.id21447X11252.srv.mixed.0
!
! Rule 9 (global)
! for #1942
! using custom service
access-list outside_acl_in deny any any host 192.168.1.10
access-list inside_acl_in deny any any host 192.168.1.10
!
! Rule 10 (global)
! for #1942
! using custom service
access-list outside_acl_in deny any host 192.168.1.10 object-group outside.id79024X21575.srv.mixed.0
access-list inside_acl_in deny any host 192.168.1.10 object-group outside.id79024X21575.srv.mixed.0
!
! Rule 11 (global)
access-list outside_acl_in deny ip any any
access-list inside_acl_in deny ip any any


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:15 2011 PST by vadim
! Generated Mon Jan 17 14:34:58 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:16 2011 PST by vadim
! Generated Mon Jan 17 14:34:59 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:17 2011 PST by vadim
! Generated Mon Jan 17 14:35:00 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:17 2011 PST by vadim
! Generated Mon Jan 17 14:35:00 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:18 2011 PST by vadim
! Generated Mon Jan 17 14:35:01 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:19 2011 PST by vadim
! Generated Mon Jan 17 14:35:02 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:20 2011 PST by vadim
! Generated Mon Jan 17 14:35:03 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:20 2011 PST by vadim
! Generated Mon Jan 17 14:35:03 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:21 2011 PST by vadim
! Generated Mon Jan 17 14:35:04 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:22 2011 PST by vadim
! Generated Mon Jan 17 14:35:05 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported


@ -17021,8 +17021,29 @@ no sysopt nodnsalias outbound
</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295243635" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
<Firewall id="id18865X29796" host_OS="pix_os" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1295302047" platform="pix" version="8.2" name="firewall80" comment="testing rules with broadcasts" ro="False">
<NAT id="id18933X29796" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id70310X19497" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id86637X27607"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id21571X21575"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="host-hostA"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id18883X29796" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:23 2011 PST by vadim
! Generated Mon Jan 17 14:35:06 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Mon Jan 17 13:49:24 2011 PST by vadim
! Generated Mon Jan 17 14:35:07 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported