From ca475b24d70b7501d7edc316d25c18840638a7b5 Mon Sep 17 00:00:00 2001 
From: Vadim Kurland Date: Mon, 17 Jan 2011 14:35:55 -0800 Subject: [PATCH] fixes #1948 incorrect configuration created when a CustomService object is used in a policy rule for PIX/ASA v<8.3 --- doc/ChangeLog | 6 ++ src/cisco_lib/NATCompiler_asa8.cpp | 1 + src/cisco_lib/NATCompiler_pix.cpp | 2 + src/cisco_lib/NATCompiler_pix.h | 8 ++ src/cisco_lib/PolicyCompiler_pix.cpp | 43 +---------- src/cisco_lib/PolicyCompiler_pix.h | 22 +++--- src/cisco_lib/cisco_lib.pro | 2 + src/cisco_lib/specialServices.cpp | 93 +++++++++++++++++++++++ src/cisco_lib/specialServices.h | 59 ++++++++++++++ test/pix/cluster1-1_pix1.fw.orig | 2 +- test/pix/cluster1-1_pix2.fw.orig | 2 +- test/pix/cluster1_pix1.fw.orig | 2 +- test/pix/cluster1_pix2.fw.orig | 2 +- test/pix/firewall.fw.orig | 2 +- test/pix/firewall1.fw.orig | 2 +- test/pix/firewall10.fw.orig | 2 +- test/pix/firewall11.fw.orig | 2 +- test/pix/firewall12.fw.orig | 2 +- test/pix/firewall13.fw.orig | 2 +- test/pix/firewall14.fw.orig | 2 +- test/pix/firewall2.fw.orig | 2 +- test/pix/firewall20.fw.orig | 2 +- test/pix/firewall21-1.fw.orig | 2 +- test/pix/firewall21.fw.orig | 2 +- test/pix/firewall22.fw.orig | 2 +- test/pix/firewall3.fw.orig | 2 +- test/pix/firewall33.fw.orig | 2 +- test/pix/firewall34.fw.orig | 2 +- test/pix/firewall4.fw.orig | 2 +- test/pix/firewall50.fw.orig | 2 +- test/pix/firewall6.fw.orig | 2 +- test/pix/firewall8.fw.orig | 2 +- test/pix/firewall80.fw.orig | 22 ++---- test/pix/firewall81.fw.orig | 2 +- test/pix/firewall82.fw.orig | 2 +- test/pix/firewall83.fw.orig | 2 +- test/pix/firewall9.fw.orig | 2 +- test/pix/firewall90.fw.orig | 2 +- test/pix/firewall91.fw.orig | 2 +- test/pix/firewall92.fw.orig | 2 +- test/pix/firewall93.fw.orig | 2 +- test/pix/fwsm1.fw.orig | 2 +- test/pix/fwsm2.fw.orig | 2 +- test/pix/objects-for-regression-tests.fwb | 23 +++++- test/pix/pix515.fw.orig | 2 +- test/pix/real.fw.orig | 2 +- 46 files changed, 246 insertions(+), 105 deletions(-) create mode 100644 src/cisco_lib/specialServices.cpp 
create mode 100644 src/cisco_lib/specialServices.h diff --git a/doc/ChangeLog b/doc/ChangeLog index 30be8884f..505dc2b1b 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,5 +1,11 @@ 2011-01-17 vadim + * PolicyCompiler_pix.cpp (processNext): fixes #1948 "incorrect + configuration created when a CustomService object is used in a + policy rule for PIX/ASA v<8.3". Since we do not support custom + service objects in policy and nat rules for versions older than + 8.3, added check to generate fatal error when such object is used. + * NamedObjectsAndGroupsSupport.cpp (init): fixes #1945 "object-group names include ever-growing suffix". Object-groups created by the compiler for PIX/ASA had numerical suffix that was diff --git a/src/cisco_lib/NATCompiler_asa8.cpp b/src/cisco_lib/NATCompiler_asa8.cpp index a3a17e803..46d0ff0a6 100644 --- a/src/cisco_lib/NATCompiler_asa8.cpp +++ b/src/cisco_lib/NATCompiler_asa8.cpp @@ -352,6 +352,7 @@ void NATCompiler_asa8::compile() add( new VerifyValidityOfDNSOption( "Check validity of 'translate dns' option")); + add( new SpecialServicesOSrv( "check for special services" )); add( new CreateObjectGroupsForOSrc("create object groups for OSrc")); add( new CreateObjectGroupsForODst("create object groups for ODst")); diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp index b270ed93f..fbfef267a 100644 --- a/src/cisco_lib/NATCompiler_pix.cpp +++ b/src/cisco_lib/NATCompiler_pix.cpp @@ -1728,6 +1728,8 @@ void NATCompiler_pix::compile() if (fw->getOptionsObject()->getBool("pix_optimize_default_nat")) add (new clearOSrc ("clear OSrc" )); + add( new SpecialServicesOSrv( "check for special services" )); + add( new createNATCmd ("create NAT commands" )); add( new createStaticCmd ("create static commands" )); add( new mergeNATCmd ("merge NAT commands" )); diff --git a/src/cisco_lib/NATCompiler_pix.h b/src/cisco_lib/NATCompiler_pix.h index 44185fac0..e6549caec 100644 --- a/src/cisco_lib/NATCompiler_pix.h 
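Review bot: Adding SpecialServicesOSrv to NATCompiler_asa8::compile() here, and to NATCompiler_pix::compile() in the next hunk, runs SpecialServices::processNext with a NAT compiler as `compiler`, so its `dynamic_cast` to PolicyCompiler_pix yields NULL and a NAT rule whose OSrv is an IPService with `fragm`/`short_fragm` set is dropped by `return true; // do not copy the rule` without setting fragguard and without any diagnostic. Either that branch should abort with a message when there is no PIX policy compiler to record the flag, or the rule should be passed through for NAT. processNext also inspects only `re->front()`, so the OSrv element must already be reduced to a single object at this point in both pipelines; whether that holds for the chosen position (after clearOSrc, before createNATCmd) cannot be confirmed from these hunks. Both enclosing compile() bodies start and end outside the hunks.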
+++ b/src/cisco_lib/NATCompiler_pix.h @@ -31,6 +31,7 @@ #include "Helper.h" #include "NamedObjectsAndGroupsSupport.h" #include "splitByNetworkZonesForRE.h" +#include "specialServices.h" #include #include @@ -278,6 +279,13 @@ namespace fwcompiler { DECLARE_NAT_RULE_PROCESSOR( clearOSrc ); friend class NATCompiler_pix::clearOSrc; + class SpecialServicesOSrv : public SpecialServices + { + public: + SpecialServicesOSrv(const std::string &n): + SpecialServices(n, libfwbuilder::RuleElementOSrv::TYPENAME) {} + }; + /** * eliminates duplicate objects in SRC. Uses default comparison * in eliminateDuplicatesInRE which compares IDs diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp index 148f20caf..2a42b4a4c 100644 --- a/src/cisco_lib/PolicyCompiler_pix.cpp +++ b/src/cisco_lib/PolicyCompiler_pix.cpp @@ -38,6 +38,7 @@ #include "fwbuilder/ICMPService.h" #include "fwbuilder/TCPService.h" #include "fwbuilder/UDPService.h" +#include "fwbuilder/CustomService.h" #include "fwbuilder/Network.h" #include "fwbuilder/Policy.h" #include "fwbuilder/Interface.h" 
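Review bot: `SpecialServicesOSrv(const std::string &n)` is a single-argument constructor that is not `explicit`, so a std::string converts implicitly into a rule processor; the same applies to SpecialServicesSrv added to PolicyCompiler_pix.h. Write `explicit SpecialServicesOSrv(const std::string &n):` and give the nested wrapper a one-line comment such as `// Runs SpecialServices on the OSrv (original service) element of each NAT rule.` so a reader does not have to open specialServices.h to learn why two wrappers exist. The enclosing NATCompiler_pix class body starts and ends outside the hunk.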
@@ -251,46 +252,6 @@ bool PolicyCompiler_pix::checkVersionAndDynamicInterface::processNext() return true; } -bool PolicyCompiler_pix::SpecialServices::processNext() -{ - PolicyCompiler_pix *pix_comp=dynamic_cast(compiler); - PolicyRule *rule=getNext(); if (rule==NULL) return false; - Service *s=compiler->getFirstSrv(rule); - - if (IPService::cast(s)!=NULL) { - if (s->getBool("short_fragm") || - s->getBool("fragm") ) { - - pix_comp->fragguard=true; - return true; // do not copy the rule - } - if (s->getBool("rr") || - s->getBool("ssrr") || - s->getBool("ts") ) - { - compiler->abort( - rule, - "PIX does not support checking for IP options in ACLs."); - return true; - } - } - if (TCPService::cast(s)!=NULL) { - if (s->getBool("ack_flag") || - s->getBool("fin_flag") || - s->getBool("rst_flag") || - s->getBool("syn_flag") ) - { - compiler->abort( - rule, - "PIX does not support checking for TCP options in ACLs."); - return true; - } - } - - tmp_queue.push_back(rule); - return true; -} - /* * if dst contains firewall, it must be a single object there. */ @@ -651,7 +612,7 @@ void PolicyCompiler_pix::compile() else add( new pickACL_v6( "assign ACLs for v6" )); - add( new SpecialServices( "check for special services" )); + add( new SpecialServicesSrv( "check for special services" )); add( new CheckForUnsupportedUserService("check for user service") ); add( new checkForZeroAddr( "check for zero addresses" )); add( new checkVersionAndDynamicInterface( diff --git a/src/cisco_lib/PolicyCompiler_pix.h b/src/cisco_lib/PolicyCompiler_pix.h index 5c9c8ca76..e0fc1b425 100644 --- a/src/cisco_lib/PolicyCompiler_pix.h +++ b/src/cisco_lib/PolicyCompiler_pix.h @@ -34,6 +34,7 @@ #include "Helper.h" #include "ACL.h" #include "PolicyCompiler_cisco.h" +#include "specialServices.h" namespace libfwbuilder { class IPService; 
@@ -149,19 +150,14 @@ namespace fwcompiler { ************************************************************************* */ - /** - * this processor checks for the services which require - * special treatment. Some of these will be checking for - * source or destination object as well because special - * command may need to be generated in case source or - * destination is a firewall itself. Therefore this processor - * should be called after converting to atomic rules, but - * before interface addresses in source and destination are - * expanded. - */ - DECLARE_POLICY_RULE_PROCESSOR( SpecialServices ); - friend class PolicyCompiler_pix::SpecialServices; - + class SpecialServicesSrv : public SpecialServices + { + public: + SpecialServicesSrv(const std::string &n): + SpecialServices(n, libfwbuilder::RuleElementSrv::TYPENAME) {} + }; + friend class SpecialServices; + /** * sets boolean flag icmp_cmd to be able to generate command * "icmp" instead of "access-list" later. Call this processor diff --git a/src/cisco_lib/cisco_lib.pro b/src/cisco_lib/cisco_lib.pro index 621d8b7f4..4b7dcd7bc 100644 --- a/src/cisco_lib/cisco_lib.pro +++ b/src/cisco_lib/cisco_lib.pro @@ -10,6 +10,7 @@ SOURCES = PolicyCompiler_cisco.cpp \ RoutingCompiler_cisco.cpp \ RoutingCompiler_cisco_writers.cpp \ splitByNetworkZonesForRE.cpp \ + specialServices.cpp \ ACL.cpp \ NamedObject.cpp \ ASA8TwiceNatLogic.cpp \ @@ -54,6 +55,7 @@ SOURCES = PolicyCompiler_cisco.cpp \ HEADERS = ../../config.h \ splitByNetworkZonesForRE.h \ + specialServices.h \ ACL.h \ Helper.h \ NamedObject.h \ diff --git a/src/cisco_lib/specialServices.cpp b/src/cisco_lib/specialServices.cpp new file mode 100644 index 000000000..b54badfcf --- /dev/null +++ b/src/cisco_lib/specialServices.cpp 
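Review bot: `friend class SpecialServices;` gives fwcompiler::SpecialServices access to every private member of PolicyCompiler_pix, while the only member its processNext writes is `fragguard` (presumably non-public, which is why the friend declaration is needed). A narrower interface would be a small public setter, e.g. `void setFragguard(bool v) { fragguard = v; }`, which also removes the need for the processor to know the compiler's internals. The `public:` inside SpecialServicesSrv is dedented to the enclosing class's column; indent it to match the other nested processor declarations, and mark the single-argument constructor `explicit`. The enclosing PolicyCompiler_pix class continues outside the hunk.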
@@ -0,0 +1,93 @@ +/* + + Firewall Builder + + Copyright (C) 2002-2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + +#include "specialServices.h" +#include "PolicyCompiler_pix.h" + +#include "fwbuilder/IPService.h" +#include "fwbuilder/TCPService.h" +#include "fwbuilder/CustomService.h" +#include "fwcompiler/Compiler.h" + + +using namespace libfwbuilder; +using namespace fwcompiler; +using namespace std; + + +bool SpecialServices::processNext() +{ + PolicyCompiler_pix *pix_comp = dynamic_cast(compiler); + Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false; + RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type)); + FWObject *obj = FWReference::getObject(re->front()); + Service *s = Service::cast(obj); + + string version = compiler->fw->getStr("version"); + + if (IPService::cast(s)!=NULL) + { + if (s->getBool("short_fragm") || + s->getBool("fragm") ) + { + if (pix_comp) pix_comp->fragguard = true; + return true; // do not copy the rule + } + if (s->getBool("rr") || + s->getBool("ssrr") || + s->getBool("ts") ) + { + compiler->abort( + rule, + "PIX does not support checking for IP options in ACLs."); + return true; + } + } + + if (TCPService::cast(s)!=NULL) + { + if (s->getBool("ack_flag") || + s->getBool("fin_flag") || + 
s->getBool("rst_flag") || + s->getBool("syn_flag") ) + { + compiler->abort( + rule, + "PIX does not support checking for TCP options in ACLs."); + return true; + } + } + + if (CustomService::cast(s)!=NULL && + XMLTools::version_compare(version, "8.3")<0) + { + compiler->abort( + rule, + "CustomService objects are only supported for ASA 8.3 and later"); + return true; + } + + tmp_queue.push_back(rule); + return true; +} + diff --git a/src/cisco_lib/specialServices.h b/src/cisco_lib/specialServices.h new file mode 100644 index 000000000..4f3a9d81f --- /dev/null +++ b/src/cisco_lib/specialServices.h 
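Review bot: SpecialServices::processNext dereferences `re` and calls `re->front()` without checking that the rule actually has a `re_type` element or that it is non-empty, so a missing or empty service element reads past the end of the list; the removed PolicyCompiler_pix version went through `compiler->getFirstSrv(rule)` instead. Guard it and pass the rule through unchanged when there is nothing to inspect (sketched below; this assumes RuleElement exposes the list interface that `front()` implies). Separately, when the processor is run by a NAT compiler `pix_comp` is NULL and the `fragm`/`short_fragm` branch drops the rule silently; add `if (pix_comp == NULL) { compiler->abort(rule, "<message placeholder>"); return true; }` before the `fragguard` assignment, or push the rule to `tmp_queue` in that case. The CustomService check compares only `version`, not the platform, so FWSM builds (test/pix/fwsm*.fw.orig compile for fwsm 2.3 and 4.x) are also refused with a message that names ASA 8.3 — confirm that is intended. The duplicated `Policy:9`/`Policy:10` errors in firewall80.fw.orig suggest the processor sees rules already duplicated per interface; if one diagnostic per rule is wanted it has to run earlier in the pipeline.
```cpp
bool SpecialServices::processNext()
{
    PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
    Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
    RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
    // Nothing to inspect (element absent or empty): pass the rule on unchanged.
    if (re == NULL || re->empty())
    {
        tmp_queue.push_back(rule);
        return true;
    }
    FWObject *obj = FWReference::getObject(re->front());
    Service *s = Service::cast(obj);
    // … unchanged: version lookup, IPService/TCPService/CustomService checks …
```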
@@ -0,0 +1,59 @@ +/* + + Firewall Builder + + Copyright (C) 2002-2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + + +#ifndef __SPECIALSERVICES_HH +#define __SPECIALSERVICES_HH + +#include "fwbuilder/RuleElement.h" +#include "fwcompiler/RuleProcessor.h" + +namespace libfwbuilder { + class Address; + class Rule; +}; + +namespace fwcompiler +{ + + /** + * this processor checks for the services which require + * special treatment. Some of these will be checking for + * source or destination object as well because special + * command may need to be generated in case source or + * destination is a firewall itself. Therefore this processor + * should be called after converting to atomic rules, but + * before interface addresses in source and destination are + * expanded. + */ + class SpecialServices : public BasicRuleProcessor + { + std::string re_type; +public: + SpecialServices(const std::string &name, const std::string &_type) : + BasicRuleProcessor(name) {re_type=_type; } + virtual bool processNext(); + }; +} + +#endif diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index 02524df99..069412ac9 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig 
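Review bot: The class comment on SpecialServices is carried over from the old PolicyCompiler_pix processor and describes source/destination checks that processNext does not perform; it should instead say that the processor inspects the first object of the rule element named by `re_type` (Srv for policy rules, OSrv for NAT rules), drops fragment rules while setting the PIX policy compiler's fragguard flag, and aborts on IP options, TCP flags, and CustomService objects on versions older than 8.3. `re_type` itself deserves a one-line comment, e.g. `std::string re_type;  // TYPENAME of the rule element to inspect (RuleElementSrv or RuleElementOSrv)`, and can be set in the initializer list instead of the constructor body. Smaller points: the include guard `__SPECIALSERVICES_HH` is a reserved double-underscore identifier, the forward declarations of `Address` and `Rule` are unused in this header, `public:` sits at column 0 inside the class, and the `};` closing the libfwbuilder namespace carries a stray semicolon.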
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:26 2011 PST by vadim +! Generated Mon Jan 17 14:35:09 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index eed2594cd..99220f8ce 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:26 2011 PST by vadim +! Generated Mon Jan 17 14:35:09 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index 056810339..7ff894242 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:26 2011 PST by vadim +! Generated Mon Jan 17 14:35:09 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 70866455d..a2fe23290 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:26 2011 PST by vadim +! Generated Mon Jan 17 14:35:09 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index 9fa73c540..80b686e55 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:00 2011 PST by vadim +! Generated Mon Jan 17 14:34:43 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index 0ffcfcde6..37da55201 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:01 2011 PST by vadim +! Generated Mon Jan 17 14:34:44 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index c630cebcf..af11917cd 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:02 2011 PST by vadim +! Generated Mon Jan 17 14:34:44 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index cc7824512..7b0e7783d 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:03 2011 PST by vadim +! Generated Mon Jan 17 14:34:45 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index 763c60270..bcdbe7ecc 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:03 2011 PST by vadim +! Generated Mon Jan 17 14:34:46 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index 30ef5d38a..93e01b188 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:04 2011 PST by vadim +! Generated Mon Jan 17 14:34:47 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index bd5e85207..885d42e73 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:05 2011 PST by vadim +! Generated Mon Jan 17 14:34:47 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 40147399f..45cae7972 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:05 2011 PST by vadim +! Generated Mon Jan 17 14:34:48 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index 090ef69e3..14a3784b4 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:06 2011 PST by vadim +! Generated Mon Jan 17 14:34:49 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index 0c9ea3f18..e9563edb4 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:07 2011 PST by vadim +! Generated Mon Jan 17 14:34:50 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 626351f64..b98931f00 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:07 2011 PST by vadim +! Generated Mon Jan 17 14:34:49 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index ad802a63e..45af54791 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:08 2011 PST by vadim +! Generated Mon Jan 17 14:34:51 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index 8dabc13f1..747d14153 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:09 2011 PST by vadim +! Generated Mon Jan 17 14:34:52 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index 248e94ebe..f5508389e 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:10 2011 PST by vadim +! Generated Mon Jan 17 14:34:53 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index 32c505e26..f053a5f9a 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:11 2011 PST by vadim +! Generated Mon Jan 17 14:34:54 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index 40ff304ca..d4c11ce5e 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:11 2011 PST by vadim +! Generated Mon Jan 17 14:34:54 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index dd8d5d52f..2603f43fe 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:12 2011 PST by vadim +! Generated Mon Jan 17 14:34:55 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index 3439b522d..56ec6b655 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:13 2011 PST by vadim +! Generated Mon Jan 17 14:34:56 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index d162e4732..6a8bb1538 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:14 2011 PST by vadim +! Generated Mon Jan 17 14:34:57 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index 4588b54df..20be26cc1 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:15 2011 PST by vadim +! Generated Mon Jan 17 14:34:58 2011 PST by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported 
@@ -15,7 +15,12 @@ ! ! testing rules with broadcasts -! C firewall80:Policy:: error: ASA8ObjectGroup: Unsupported object 'custom serv 1' found in object group +! C firewall80:Policy:9: error: CustomService objects are only supported for ASA 8.3 and later +! C firewall80:Policy:9: error: CustomService objects are only supported for ASA 8.3 and later +! C firewall80:Policy:10: error: CustomService objects are only supported for ASA 8.3 and later +! C firewall80:Policy:10: error: CustomService objects are only supported for ASA 8.3 and later + +! N firewall80:NAT:0: error: CustomService objects are only supported for ASA 8.3 and later ! ! Prolog script: @@ -123,7 +128,6 @@ object-group service inside.id21447X11252.srv.mixed.0 service-object tcp eq 3128 exit - ! ! Rule 0 (FastEthernet1) ssh 0.0.0.0 0.0.0.0 inside @@ -171,18 +175,6 @@ icmp permit 192.168.1.0 255.255.255.192 3 inside access-list inside_acl_in permit icmp 192.168.1.0 255.255.255.192 host 192.168.1.1 object-group inside.id21447X11252.srv.icmp.0 access-list inside_acl_in permit 192.168.1.0 255.255.255.192 any object-group inside.id21447X11252.srv.mixed.0 ! -! Rule 9 (global) -! for #1942 -! using custom service -access-list outside_acl_in deny any any host 192.168.1.10 -access-list inside_acl_in deny any any host 192.168.1.10 -! -! Rule 10 (global) -! for #1942 -! using custom service -access-list outside_acl_in deny any host 192.168.1.10 object-group outside.id79024X21575.srv.mixed.0 -access-list inside_acl_in deny any host 192.168.1.10 object-group outside.id79024X21575.srv.mixed.0 -! ! Rule 11 (global) access-list outside_acl_in deny ip any any access-list inside_acl_in deny ip any any diff --git a/test/pix/firewall81.fw.orig b/test/pix/firewall81.fw.orig index 321d44723..5ad40fd47 100755 --- a/test/pix/firewall81.fw.orig +++ b/test/pix/firewall81.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:15 2011 PST by vadim +! Generated Mon Jan 17 14:34:58 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall82.fw.orig b/test/pix/firewall82.fw.orig index 9bb95dbf5..51cd69e0f 100755 --- a/test/pix/firewall82.fw.orig +++ b/test/pix/firewall82.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:16 2011 PST by vadim +! Generated Mon Jan 17 14:34:59 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall83.fw.orig b/test/pix/firewall83.fw.orig index 052ed0772..0fe194d25 100755 --- a/test/pix/firewall83.fw.orig +++ b/test/pix/firewall83.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:17 2011 PST by vadim +! Generated Mon Jan 17 14:35:00 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index bfe06d3e5..4658dd0d9 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:17 2011 PST by vadim +! Generated Mon Jan 17 14:35:00 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall90.fw.orig b/test/pix/firewall90.fw.orig index c1b4680f6..43d4536f2 100755 --- a/test/pix/firewall90.fw.orig +++ b/test/pix/firewall90.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:18 2011 PST by vadim +! Generated Mon Jan 17 14:35:01 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall91.fw.orig b/test/pix/firewall91.fw.orig index 6bdfb6ff2..c3ee79554 100755 --- a/test/pix/firewall91.fw.orig +++ b/test/pix/firewall91.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:19 2011 PST by vadim +! Generated Mon Jan 17 14:35:02 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall92.fw.orig b/test/pix/firewall92.fw.orig index ae16cc7ea..ded589db4 100755 --- a/test/pix/firewall92.fw.orig +++ b/test/pix/firewall92.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:20 2011 PST by vadim +! Generated Mon Jan 17 14:35:03 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/firewall93.fw.orig b/test/pix/firewall93.fw.orig index c9d53adb3..3ed8e9e10 100755 --- a/test/pix/firewall93.fw.orig +++ b/test/pix/firewall93.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:20 2011 PST by vadim +! Generated Mon Jan 17 14:35:03 2011 PST by vadim ! ! Compiled for pix 8.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index aed3ff0b7..7010e947e 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:21 2011 PST by vadim +! Generated Mon Jan 17 14:35:04 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index 6b79879dc..6fc321d88 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:22 2011 PST by vadim +! Generated Mon Jan 17 14:35:05 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/objects-for-regression-tests.fwb b/test/pix/objects-for-regression-tests.fwb index 557c978e7..eec2ecfc7 100644 --- a/test/pix/objects-for-regression-tests.fwb +++ b/test/pix/objects-for-regression-tests.fwb 
@@ -17021,8 +17021,29 @@ no sysopt nodnsalias outbound - + + + + + + + + + + + + + + + + + + + + + + diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index fceb06193..b52af4dee 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:23 2011 PST by vadim +! Generated Mon Jan 17 14:35:06 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index 0ed3f6e69..58666f39d 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3436 ! -! Generated Mon Jan 17 13:49:24 2011 PST by vadim +! Generated Mon Jan 17 14:35:07 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported