mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-22 03:07:20 +01:00

refs #1887 using real IPs in ACL instead of translated addresses in pix 8.3; refactored rule element that finds matching NAT rules and performs substitution for pix v<8.3

Vadim Kurland 2011-01-06 12:54:36 -08:00
parent 5b5edce615
commit d564fbb198
38 changed files with 473 additions and 222 deletions


@ -440,21 +440,3 @@ list<int> Helper::findInterfaceByNetzoneOrAll(RuleElement *re)
}
return intf_id_list;
}
string triplet::hash()
{
ostringstream ostr;
string dst_str;
string src_str;
Interface *intf = Interface::cast(src);
if (intf && intf->isDyn()) src_str = intf->getId();
else src_str = src->getAddressPtr()->toString();
intf = Interface::cast(dst);
if (intf && intf->isDyn()) dst_str = intf->getId();
else dst_str = dst->getAddressPtr()->toString();
ostr << src_str << "." << dst_str <<"." << srv->getId();
return ostr.str();
}


@ -78,19 +78,5 @@ namespace fwcompiler {
};
class triplet {
public:
libfwbuilder::Address *src;
libfwbuilder::Address *dst;
libfwbuilder::Service *srv;
triplet() {src=NULL; dst=NULL; srv=NULL;}
triplet(libfwbuilder::Address *s,
libfwbuilder::Address *d,
libfwbuilder::Service *v) {src=s; dst=d; srv=v;}
std::string hash();
};
#endif


@ -291,60 +291,6 @@ bool NATCompiler_pix::storeProcessedRules::processNext()
return true;
}
list<triplet> NATCompiler_pix::findDNATForAddress(Address *src,
Address *dst,
Service *srv)
{
list<triplet> res;
map<string,triplet> res_dict;
for (FWObject::iterator i=final_ruleset->begin();
i!=final_ruleset->end(); ++i)
{
NATRule *rule=NATRule::cast(*i);
if (rule == NULL) continue; // skip RuleSetOptions object
switch (rule->getRuleType())
{
case NATRule::DNAT:
{
Address *osrc=getFirstOSrc(rule); assert(osrc);
Address *odst=getFirstODst(rule); assert(odst);
Service *osrv=getFirstOSrv(rule); assert(osrv);
Address *tsrc=getFirstTSrc(rule); assert(tsrc);
Address *tdst=getFirstTDst(rule); assert(tdst);
Service *tsrv=getFirstTSrv(rule); assert(tsrv);
if (*(src->getAddressPtr()) == *(osrc->getAddressPtr()) &&
(osrv->isAny() || srv->getId()==tsrv->getId()) &&
*(dst->getAddressPtr()) == *(tdst->getAddressPtr()))
{
if (osrv->isAny())
{
triplet tr(src,odst,srv);
res_dict[tr.hash()] = tr;
}
else
{
triplet tr(src,odst,osrv);
res_dict[tr.hash()] = tr;
}
}
}
break;
default: ; // TODO: should actually be always_assert
}
}
for (map<string,triplet>::iterator i=res_dict.begin();
i!=res_dict.end(); ++i)
{
res.push_back(i->second);
}
return res;
}
bool NATCompiler_pix::VerifyRules::processNext()
{
NATRule *rule=getNext(); if (rule==NULL) return false;


@ -496,14 +496,17 @@ namespace fwcompiler {
/**
* scans all rules in combined_ruleset and finds rules (if
* any) that define DNAT translation for a combination of
* src,dst and srv (that is, src is equival OSrc, srv is equal
* OSrv and dst is equal TDst). If such rule could be found,
* returns a list of triplets (src,odst,osrv)
* src,dst and srv where src matches OSrc, srv matches OSrv
* and dst matches rule element defined by argument
* nat_re_type_to_match_dst. If such rules could be found, returns
* a list of triplets (src,odst,osrv)
*/
std::list<triplet> findDNATForAddress(
std::list<libfwbuilder::NATRule*> findMatchingDNATRules(
libfwbuilder::Address *src,
libfwbuilder::Address *dst,
libfwbuilder::Service *srv);
libfwbuilder::Service *srv,
const std::string &nat_re_type_to_match_dst);
// virtual string atomicRuleToString(libfwbuilder::Rule *r);
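Review bot: The updated doc comment still ends with "returns a list of triplets (src,odst,osrv)", but the declaration directly below it now returns `std::list<libfwbuilder::NATRule*>`, so the documented return value no longer matches the signature. The comment also says srv matches OSrv, while the implementation added in this commit compares `srv->getId()` with `tsrv->getId()` unless OSrv is any, and it names `combined_ruleset` where the implementation iterates `final_ruleset`. I would reword the last sentence to `If such rules are found, returns the list of matching DNAT rules.` and say which rule-element type names are expected in `nat_re_type_to_match_dst` (the callers in this commit pass `RuleElementTDst::TYPENAME` and `RuleElementODst::TYPENAME`). The enclosing class starts and ends outside this hunk.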


@ -0,0 +1,132 @@
/*
Firewall Builder
Copyright (C) 2002-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "NATCompiler_pix.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/InetAddr.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/RuleSet.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include <sstream>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
class triplet {
public:
libfwbuilder::Address *src;
libfwbuilder::Address *dst;
libfwbuilder::Service *srv;
triplet() {src=NULL; dst=NULL; srv=NULL;}
triplet(libfwbuilder::Address *s,
libfwbuilder::Address *d,
libfwbuilder::Service *v) {src=s; dst=d; srv=v;}
std::string hash();
};
std::string triplet::hash()
{
ostringstream ostr;
string dst_str;
string src_str;
Interface *intf = Interface::cast(src);
if (intf && intf->isDyn()) src_str = intf->getId();
else src_str = src->getAddressPtr()->toString();
intf = Interface::cast(dst);
if (intf && intf->isDyn()) dst_str = intf->getId();
else dst_str = dst->getAddressPtr()->toString();
ostr << src_str << "." << dst_str <<"." << srv->getId();
return ostr.str();
}
list<NATRule*> NATCompiler_pix::findMatchingDNATRules(
Address *src, Address *dst, Service *srv,
const string &nat_re_type_to_match_dst)
{
list<NATRule*> res;
map<string,NATRule*> res_dict;
for (FWObject::iterator i=final_ruleset->begin();
i!=final_ruleset->end(); ++i)
{
NATRule *rule = NATRule::cast(*i);
if (rule == NULL) continue; // skip RuleSetOptions object
switch (rule->getRuleType())
{
case NATRule::DNAT:
{
FWObject *re_to_compare =
rule->getFirstByType(nat_re_type_to_match_dst);
Address *dst_to_compare = Address::cast(
FWReference::getObject(re_to_compare->front()));
Address *osrc = getFirstOSrc(rule); assert(osrc);
Address *odst = getFirstODst(rule); assert(odst);
Service *osrv = getFirstOSrv(rule); assert(osrv);
Address *tsrc = getFirstTSrc(rule); assert(tsrc);
// Address *tdst = getFirstTDst(rule); assert(tdst);
Service *tsrv = getFirstTSrv(rule); assert(tsrv);
if (*(src->getAddressPtr()) == *(osrc->getAddressPtr()) &&
(osrv->isAny() || srv->getId()==tsrv->getId()) &&
*(dst->getAddressPtr()) == *(dst_to_compare->getAddressPtr()))
{
if (osrv->isAny())
{
triplet tr(src, odst, srv);
res_dict[tr.hash()] = rule;
}
else
{
triplet tr(src, odst, osrv);
res_dict[tr.hash()] = rule;
}
}
}
break;
default: ; // TODO: should actually be always_assert
}
}
for (map<string,NATRule*>::iterator i=res_dict.begin(); i!=res_dict.end(); ++i)
{
res.push_back(i->second);
}
return res;
}
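Review bot: In the `NATRule::DNAT` branch of `findMatchingDNATRules`, `re_to_compare` and `dst_to_compare` are dereferenced with no check at all: the lookup `rule->getFirstByType(nat_re_type_to_match_dst)` depends on a caller-supplied type name, and the result of `Address::cast(...)` goes straight into `dst_to_compare->getAddressPtr()`, unlike `osrc`, `odst` and the other elements, which at least get an `assert`. If either call can return NULL (not visible here, to be confirmed), the firewall compiler crashes on that rule, and the neighbouring asserts disappear in NDEBUG builds anyway. I would add `if (re_to_compare == NULL || re_to_compare->empty()) continue;` after the lookup and `if (dst_to_compare == NULL) continue;` after the cast. Separately, `res_dict` is keyed by the triplet hash but now stores the rule, so two DNAT rules that yield the same (src, odst, srv) key collapse to whichever was seen last; a comment stating that this is intended would help, and the file should include `<map>` and `<list>` itself rather than rely on other headers.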


@ -366,100 +366,6 @@ bool PolicyCompiler_pix::RejectAction::processNext()
return true;
}
bool PolicyCompiler_pix::replaceTranslatedAddresses::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
// string rule_iface_id=rule->getInterfaceId();
// Address *src=compiler->getFirstSrc(rule);
// Service *srv=compiler->getFirstSrv(rule);
RuleElementSrc *srcrel=rule->getSrc();
RuleElementDst *dstrel=rule->getDst();
RuleElementSrv *srvrel=rule->getSrv();
list<PolicyRule*> t_rules;
list<PolicyRule*> transformed_rules;
for (list<FWObject*>::iterator i1=srcrel->begin(); i1!=srcrel->end(); ++i1)
{
for (list<FWObject*>::iterator i2=dstrel->begin(); i2!=dstrel->end(); ++i2)
{
for (list<FWObject*>::iterator i3=srvrel->begin(); i3!=srvrel->end(); ++i3)
{
FWObject *o1 = *i1;
FWObject *o2 = *i2;
FWObject *o3 = *i3;
FWObject *obj1 = NULL;
FWObject *obj2 = NULL;
FWObject *obj3 = NULL;
if (FWReference::cast(o1)!=NULL)
obj1=FWReference::cast(o1)->getPointer();
Address *src=Address::cast(obj1);
assert(src!=NULL);
if (FWReference::cast(o2)!=NULL)
obj2=FWReference::cast(o2)->getPointer();
Address *dst=Address::cast(obj2);
assert(dst!=NULL);
if (FWReference::cast(o3)!=NULL)
obj3=FWReference::cast(o3)->getPointer();
Service *srv=Service::cast(obj3);
assert(srv!=NULL);
list<triplet> tl = pix_comp->natcmp->findDNATForAddress(
src,dst,srv);
for( list<triplet>::iterator t=tl.begin(); t!=tl.end(); ++t)
{
FWObject *p = t->dst->getParent();
if (t->dst->getId()==rule_iface->getId() ||
p->getId()==rule_iface->getId())
{
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
RuleElementSrc *nsrc=r->getSrc();
nsrc->clearChildren();
nsrc->addRef( src );
RuleElementDst *ndst=r->getDst();
ndst->clearChildren();
ndst->addRef( t->dst );
RuleElementSrv *nsrv=r->getSrv();
nsrv->clearChildren();
nsrv->addRef( t->srv );
t_rules.push_back(r);
}
}
}
}
}
/* list t_rules has all the atomic rules that have a
* matching NAT rule, with dst and srv already converted. We just add them to
* the policy on top of the original rule.
*/
for (list<PolicyRule*>::iterator i1=t_rules.begin(); i1!=t_rules.end(); ++i1)
{
PolicyRule *r=PolicyRule::cast( *i1 );
tmp_queue.push_back(r);
}
tmp_queue.push_back(rule);
return true;
}
/*
* processor splitIfDstMatchesFw should have made a firewall a single
* object in dst


@ -180,20 +180,77 @@ namespace fwcompiler {
DECLARE_POLICY_RULE_PROCESSOR( RejectAction );
friend class PolicyCompiler_pix::RejectAction;
/*
* Rule processors that inherit this class match objects used
* in policy rules to the nat rules and do something about
* them.
*/
class matchTranslatedAddresses : public PolicyRuleProcessor
{
protected:
std::list<libfwbuilder::PolicyRule*> transformed_rules;
public:
matchTranslatedAddresses(const std::string &n):PolicyRuleProcessor(n) {}
virtual bool processNext();
virtual std::list<libfwbuilder::NATRule*> findMatchingNATRules(
libfwbuilder::Address *src,
libfwbuilder::Address *dst,
libfwbuilder::Service *srv);
virtual void action(
libfwbuilder::PolicyRule* policy_rule,
libfwbuilder::NATRule* nat_rule,
libfwbuilder::Address *src,
libfwbuilder::Address *dst,
libfwbuilder::Service *srv);
};
/**
* this processor replaces objects in dst for which we have
* DNAT rule in a NAT policy. Call _after_ telnetToFirewall,
* sshToFirewall and PrepareForICMPCmd
*/
class replaceTranslatedAddresses : public PolicyRuleProcessor
class replaceTranslatedAddresses : public matchTranslatedAddresses
{
public:
replaceTranslatedAddresses(const std::string &n):PolicyRuleProcessor(n) {}
virtual bool processNext();
replaceTranslatedAddresses(const std::string &n) :
matchTranslatedAddresses(n) {}
virtual std::list<libfwbuilder::NATRule*> findMatchingNATRules(
libfwbuilder::Address *src,
libfwbuilder::Address *dst,
libfwbuilder::Service *srv);
virtual void action(
libfwbuilder::PolicyRule* policy_rule,
libfwbuilder::NATRule* nat_rule,
libfwbuilder::Address *src,
libfwbuilder::Address *dst,
libfwbuilder::Service *srv);
};
friend class PolicyCompiler_pix::replaceTranslatedAddresses;
/**
* this processor issues warning when translated addresses are
* used in policy rules. Use for PIX 8.3 and later.
*/
class warnWhenTranslatedAddressesAreUsed : public matchTranslatedAddresses
{
public:
warnWhenTranslatedAddressesAreUsed(const std::string &n) :
matchTranslatedAddresses(n) {}
virtual std::list<libfwbuilder::NATRule*> findMatchingNATRules(
libfwbuilder::Address *src,
libfwbuilder::Address *dst,
libfwbuilder::Service *srv);
virtual void action(
libfwbuilder::PolicyRule* policy_rule,
libfwbuilder::NATRule* nat_rule,
libfwbuilder::Address *src,
libfwbuilder::Address *dst,
libfwbuilder::Service *srv);
};
friend class PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed;
/**
* can not use object-group in "icmp", "telnet" and "ssh" commands
*/


@ -0,0 +1,236 @@
/*
Firewall Builder
Copyright (C) 2002-2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "Helper.h"
#include "PolicyCompiler_pix.h"
#include "NATCompiler_pix.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleSet.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include <QString>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
bool PolicyCompiler_pix::matchTranslatedAddresses::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
string version = compiler->fw->getStr("version");
bool v83_behavior = XMLTools::version_compare(version, "8.3")>=0;
transformed_rules.clear();
// string rule_iface_id=rule->getInterfaceId();
// Address *src=compiler->getFirstSrc(rule);
// Service *srv=compiler->getFirstSrv(rule);
RuleElementSrc *srcrel = rule->getSrc();
RuleElementDst *dstrel = rule->getDst();
RuleElementSrv *srvrel = rule->getSrv();
for (list<FWObject*>::iterator i1=srcrel->begin(); i1!=srcrel->end(); ++i1)
{
for (list<FWObject*>::iterator i2=dstrel->begin(); i2!=dstrel->end(); ++i2)
{
for (list<FWObject*>::iterator i3=srvrel->begin(); i3!=srvrel->end(); ++i3)
{
FWObject *o1 = *i1;
FWObject *o2 = *i2;
FWObject *o3 = *i3;
FWObject *obj1 = NULL;
FWObject *obj2 = NULL;
FWObject *obj3 = NULL;
obj1 = FWReference::getObject(o1);
Address *src = Address::cast(obj1);
assert(src!=NULL);
obj2 = FWReference::getObject(o2);
Address *dst = Address::cast(obj2);
assert(dst!=NULL);
obj3 = FWReference::getObject(o3);
Service *srv = Service::cast(obj3);
assert(srv!=NULL);
list<NATRule*> tl = findMatchingNATRules(src, dst, srv);
for( list<NATRule*>::iterator t=tl.begin(); t!=tl.end(); ++t)
action(rule, *t, src, dst, srv);
}
}
}
/*
*list transformed_rules has all the atomic rules that have a matching
* NAT rule, with dst and srv already converted. We just add them to
* the policy on top of the original rule.
*/
list<PolicyRule*>::iterator i1;
for (i1=transformed_rules.begin(); i1!=transformed_rules.end(); ++i1)
{
PolicyRule *r=PolicyRule::cast( *i1 );
tmp_queue.push_back(r);
}
tmp_queue.push_back(rule);
return true;
}
list<NATRule*> PolicyCompiler_pix::matchTranslatedAddresses::findMatchingNATRules(
Address*, Address*, Service*)
{
return list<NATRule*>();
}
void PolicyCompiler_pix::matchTranslatedAddresses::action(
PolicyRule* , NATRule* , Address*, Address*, Service*)
{
}
list<NATRule*> PolicyCompiler_pix::replaceTranslatedAddresses::findMatchingNATRules(
Address *src, Address *dst, Service *srv)
{
PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
return pix_comp->natcmp->findMatchingDNATRules(
src, dst, srv, RuleElementTDst::TYPENAME);
}
void PolicyCompiler_pix::replaceTranslatedAddresses::action(
PolicyRule* policy_rule,
NATRule* nat_rule, Address *src, Address*, Service *srv)
{
FWObject *rule_iface = compiler->dbcopy->findInIndex(
policy_rule->getInterfaceId());
RuleElement *re = nat_rule->getOSrc();
FWObject *o = FWReference::getObject(re->front());
Address *osrc = Address::cast(o); assert(osrc);
re = nat_rule->getODst();
o = FWReference::getObject(re->front());
Address *odst = Address::cast(o); assert(odst);
re = nat_rule->getOSrv();
o = FWReference::getObject(re->front());
Service *osrv = Service::cast(o); assert(osrv);
re = nat_rule->getTSrc();
o = FWReference::getObject(re->front());
Address *tsrc = Address::cast(o); assert(tsrc);
re = nat_rule->getTDst();
o = FWReference::getObject(re->front());
Address *tdst = Address::cast(o); assert(tdst);
re = nat_rule->getTSrv();
o = FWReference::getObject(re->front());
Service *tsrv = Service::cast(o); assert(tsrv);
FWObject *p = odst->getParent();
if (odst->getId() == rule_iface->getId() ||
p->getId() == rule_iface->getId())
{
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(policy_rule);
RuleElementSrc *nsrc = r->getSrc();
nsrc->clearChildren();
nsrc->addRef( src );
RuleElementDst *ndst = r->getDst();
ndst->clearChildren();
ndst->addRef( odst );
RuleElementSrv *nsrv = r->getSrv();
nsrv->clearChildren();
if (osrv->isAny())
nsrv->addRef( srv );
else
nsrv->addRef( osrv );
transformed_rules.push_back(r);
}
}
list<NATRule*> PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::findMatchingNATRules(
Address *src, Address *dst, Service *srv)
{
PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
return pix_comp->natcmp->findMatchingDNATRules(
src, dst, srv, RuleElementODst::TYPENAME);
}
void PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::action(
PolicyRule* policy_rule,
NATRule* nat_rule, Address*, Address *dst, Service*)
{
FWObject *rule_iface = compiler->dbcopy->findInIndex(
policy_rule->getInterfaceId());
string version = compiler->fw->getStr("version");
RuleElement *re;
FWObject *o;
re = nat_rule->getODst();
o = FWReference::getObject(re->front());
Address *odst = Address::cast(o); assert(odst);
FWObject *p = odst->getParent();
if (odst->getId() == rule_iface->getId() ||
p->getId() == rule_iface->getId())
{
QString err("Object %1 that represents translated address in a NAT rule %2 "
"is used in a policy rule of ASA v%3 firewall. "
"Starting with v8.3, ASA requires using real IP addresses "
"in the firewall policy rules. ");
compiler->warning(
policy_rule,
err.arg(QString::fromUtf8(dst->getName().c_str()))
.arg(nat_rule->getLabel().c_str())
.arg(version.c_str()).toStdString());
}
}
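Review bot: `version` and `v83_behavior` at the top of `matchTranslatedAddresses::processNext()` are computed and never read, so nothing in this file ties either subclass to the firewall version; if the choice between replacing and warning is made where the processors are registered (not visible on this page), drop the two lines, otherwise the flag should actually gate the behavior. In both `action()` overrides `rule_iface` (from `findInIndex()`) and `p` (from `odst->getParent()`) are dereferenced unchecked, and the `dynamic_cast<PolicyCompiler_pix*>(compiler)` result in the two `findMatchingNATRules()` overrides is used without a NULL test. I would guard with `if (rule_iface == NULL) return;` and test `(p != NULL && p->getId() == rule_iface->getId())` in the condition, so a rule without a resolvable interface is skipped instead of crashing the compiler. `replaceTranslatedAddresses::action()` also extracts `osrc`, `tsrc`, `tdst` and `tsrv` only to assert on them; a comment saying the asserts are the purpose, or removing the unused locals, would make that clear.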


@ -23,6 +23,7 @@ SOURCES = PolicyCompiler_cisco.cpp \
CompilerDriver_pix.cpp \
CompilerDriver_pix_run.cpp \
NATCompiler_pix.cpp \
NATCompiler_pix_find_translations.cpp \
NATCompiler_pix_writers.cpp \
OSConfigurator_pix_os.cpp \
OSConfigurator_pix_os_fixups.cpp \
@ -42,6 +43,7 @@ SOURCES = PolicyCompiler_cisco.cpp \
PolicyCompiler_pix.cpp \
PolicyCompiler_pix_writers.cpp \
PolicyCompiler_pix_v6_acls.cpp \
PolicyCompiler_pix_replace_translations.cpp \
RoutingCompiler_pix.cpp \
RoutingCompiler_pix_writers.cpp


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:48 2011 PST by vadim
! Generated Thu Jan 6 12:53:28 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:48 2011 PST by vadim
! Generated Thu Jan 6 12:53:28 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:48 2011 PST by vadim
! Generated Thu Jan 6 12:53:28 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:48 2011 PST by vadim
! Generated Thu Jan 6 12:53:28 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:30 2011 PST by vadim
! Generated Thu Jan 6 12:53:09 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:31 2011 PST by vadim
! Generated Thu Jan 6 12:53:10 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:31 2011 PST by vadim
! Generated Thu Jan 6 12:53:11 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:32 2011 PST by vadim
! Generated Thu Jan 6 12:53:11 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:32 2011 PST by vadim
! Generated Thu Jan 6 12:53:12 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:33 2011 PST by vadim
! Generated Thu Jan 6 12:53:13 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:34 2011 PST by vadim
! Generated Thu Jan 6 12:53:13 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:34 2011 PST by vadim
! Generated Thu Jan 6 12:53:14 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:35 2011 PST by vadim
! Generated Thu Jan 6 12:53:14 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:36 2011 PST by vadim
! Generated Thu Jan 6 12:53:16 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:36 2011 PST by vadim
! Generated Thu Jan 6 12:53:15 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:37 2011 PST by vadim
! Generated Thu Jan 6 12:53:16 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:37 2011 PST by vadim
! Generated Thu Jan 6 12:53:17 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:38 2011 PST by vadim
! Generated Thu Jan 6 12:53:18 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported
@ -74,10 +74,11 @@ object-group network outside.id43867C2418346.src.net.0
object-group network outside.id438728A918346.dst.net.0
network-object host 74.125.19.99
network-object host 74.125.19.103
network-object host 74.125.19.104
network-object host 74.125.19.147
network-object host 74.125.224.48
network-object host 74.125.224.49
network-object host 74.125.224.50
network-object host 74.125.224.51
network-object host 74.125.224.52
network-object host 157.166.224.25
network-object host 157.166.224.26
network-object host 157.166.226.25


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:39 2011 PST by vadim
! Generated Thu Jan 6 12:53:19 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:40 2011 PST by vadim
! Generated Thu Jan 6 12:53:19 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:40 2011 PST by vadim
! Generated Thu Jan 6 12:53:20 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:41 2011 PST by vadim
! Generated Thu Jan 6 12:53:21 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:42 2011 PST by vadim
! Generated Thu Jan 6 12:53:22 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:43 2011 PST by vadim
! Generated Thu Jan 6 12:53:22 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:43 2011 PST by vadim
! Generated Thu Jan 6 12:53:23 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:44 2011 PST by vadim
! Generated Thu Jan 6 12:53:24 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:45 2011 PST by vadim
! Generated Thu Jan 6 12:53:25 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:46 2011 PST by vadim
! Generated Thu Jan 6 12:53:26 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@ -3,7 +3,7 @@
!
! Firewall Builder fwb_pix v4.2.0.3425
!
! Generated Tue Jan 4 19:05:46 2011 PST by vadim
! Generated Thu Jan 6 12:53:26 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported