diff --git a/src/cisco_lib/Helper.cpp b/src/cisco_lib/Helper.cpp index 05d9a5a3f..2f62eb647 100644 --- a/src/cisco_lib/Helper.cpp +++ b/src/cisco_lib/Helper.cpp @@ -440,21 +440,3 @@ list Helper::findInterfaceByNetzoneOrAll(RuleElement *re) } return intf_id_list; } - -string triplet::hash() -{ - ostringstream ostr; - string dst_str; - string src_str; - - Interface *intf = Interface::cast(src); - if (intf && intf->isDyn()) src_str = intf->getId(); - else src_str = src->getAddressPtr()->toString(); - - intf = Interface::cast(dst); - if (intf && intf->isDyn()) dst_str = intf->getId(); - else dst_str = dst->getAddressPtr()->toString(); - - ostr << src_str << "." << dst_str <<"." << srv->getId(); - return ostr.str(); -} diff --git a/src/cisco_lib/Helper.h b/src/cisco_lib/Helper.h index d291ad647..f2bc58f2e 100644 --- a/src/cisco_lib/Helper.h +++ b/src/cisco_lib/Helper.h @@ -78,19 +78,5 @@ namespace fwcompiler { }; -class triplet { - public: - libfwbuilder::Address *src; - libfwbuilder::Address *dst; - libfwbuilder::Service *srv; - triplet() {src=NULL; dst=NULL; srv=NULL;} - triplet(libfwbuilder::Address *s, - libfwbuilder::Address *d, - libfwbuilder::Service *v) {src=s; dst=d; srv=v;} - - std::string hash(); -}; - - #endif diff --git a/src/cisco_lib/NATCompiler_pix.cpp b/src/cisco_lib/NATCompiler_pix.cpp index bc922a3ac..ca6576413 100644 --- a/src/cisco_lib/NATCompiler_pix.cpp +++ b/src/cisco_lib/NATCompiler_pix.cpp 
@@ -291,60 +291,6 @@ bool NATCompiler_pix::storeProcessedRules::processNext() return true; } -list NATCompiler_pix::findDNATForAddress(Address *src, - Address *dst, - Service *srv) -{ - list res; - map res_dict; - - for (FWObject::iterator i=final_ruleset->begin(); - i!=final_ruleset->end(); ++i) - { - NATRule *rule=NATRule::cast(*i); - if (rule == NULL) continue; // skip RuleSetOptions object - - switch (rule->getRuleType()) - { - case NATRule::DNAT: - { - Address *osrc=getFirstOSrc(rule); assert(osrc); - Address *odst=getFirstODst(rule); assert(odst); - Service *osrv=getFirstOSrv(rule); assert(osrv); - - Address *tsrc=getFirstTSrc(rule); assert(tsrc); - Address *tdst=getFirstTDst(rule); assert(tdst); - Service *tsrv=getFirstTSrv(rule); assert(tsrv); - - if (*(src->getAddressPtr()) == *(osrc->getAddressPtr()) && - (osrv->isAny() || srv->getId()==tsrv->getId()) && - *(dst->getAddressPtr()) == *(tdst->getAddressPtr())) - { - if (osrv->isAny()) - { - triplet tr(src,odst,srv); - res_dict[tr.hash()] = tr; - } - else - { - triplet tr(src,odst,osrv); - res_dict[tr.hash()] = tr; - } - } - } - break; - default: ; // TODO: should actually be always_assert - } - } - for (map::iterator i=res_dict.begin(); - i!=res_dict.end(); ++i) - { - res.push_back(i->second); - } - return res; -} - - bool NATCompiler_pix::VerifyRules::processNext() { NATRule *rule=getNext(); if (rule==NULL) return false; diff --git a/src/cisco_lib/NATCompiler_pix.h b/src/cisco_lib/NATCompiler_pix.h index 04093a2a2..0b125e977 100644 --- a/src/cisco_lib/NATCompiler_pix.h +++ b/src/cisco_lib/NATCompiler_pix.h 
@@ -496,14 +496,17 @@ namespace fwcompiler { /** * scans all rules in combined_ruleset and finds rules (if * any) that define DNAT translation for a combination of - * src,dst and srv (that is, src is equival OSrc, srv is equal - * OSrv and dst is equal TDst). If such rule could be found, - * returns a list of triplets (src,odst,osrv) + * src,dst and srv where src matches OSrc, srv matches OSrv + * and dst matches rule element defined by argument + * nat_re_type_to_match_dst. If such rules could be found, returns + * a list of triplets (src,odst,osrv) */ - std::list findDNATForAddress( + std::list findMatchingDNATRules( libfwbuilder::Address *src, libfwbuilder::Address *dst, - libfwbuilder::Service *srv); + libfwbuilder::Service *srv, + const std::string &nat_re_type_to_match_dst); + // virtual string atomicRuleToString(libfwbuilder::Rule *r); diff --git a/src/cisco_lib/NATCompiler_pix_find_translations.cpp b/src/cisco_lib/NATCompiler_pix_find_translations.cpp new file mode 100644 index 000000000..03429fc5e --- /dev/null +++ b/src/cisco_lib/NATCompiler_pix_find_translations.cpp 
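Review bot: The updated doc comment above `findMatchingDNATRules` still ends with "returns a list of triplets (src,odst,osrv)", but the implementation added in NATCompiler_pix_find_translations.cpp stores `rule` in `res_dict` and returns those values, so callers now get the matching NAT rules themselves. The list's element type is not visible on this page, so confirm it, then reword the last sentence to something like `returns the list of matching DNAT rules, one per distinct (src,odst,osrv) combination`. The comment also says `combined_ruleset` while the code iterates `final_ruleset`. It would help to state which values `nat_re_type_to_match_dst` is expected to take; the callers in this commit pass `RuleElementTDst::TYPENAME` and `RuleElementODst::TYPENAME`.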
@@ -0,0 +1,132 @@ +/* + + Firewall Builder + + Copyright (C) 2002-2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + +#include "NATCompiler_pix.h" + +#include "fwbuilder/Interface.h" +#include "fwbuilder/IPv4.h" +#include "fwbuilder/InetAddr.h" +#include "fwbuilder/Address.h" +#include "fwbuilder/RuleSet.h" +#include "fwbuilder/Rule.h" +#include "fwbuilder/RuleElement.h" + +#include + +using namespace libfwbuilder; +using namespace fwcompiler; +using namespace std; + + +class triplet { + public: + libfwbuilder::Address *src; + libfwbuilder::Address *dst; + libfwbuilder::Service *srv; + triplet() {src=NULL; dst=NULL; srv=NULL;} + triplet(libfwbuilder::Address *s, + libfwbuilder::Address *d, + libfwbuilder::Service *v) {src=s; dst=d; srv=v;} + + std::string hash(); +}; + + + +std::string triplet::hash() +{ + ostringstream ostr; + string dst_str; + string src_str; + + Interface *intf = Interface::cast(src); + if (intf && intf->isDyn()) src_str = intf->getId(); + else src_str = src->getAddressPtr()->toString(); + + intf = Interface::cast(dst); + if (intf && intf->isDyn()) dst_str = intf->getId(); + else dst_str = dst->getAddressPtr()->toString(); + + ostr << src_str << "." << dst_str <<"." 
<< srv->getId(); + return ostr.str(); +} + + +list NATCompiler_pix::findMatchingDNATRules( + Address *src, Address *dst, Service *srv, + const string &nat_re_type_to_match_dst) +{ + list res; + map res_dict; + + for (FWObject::iterator i=final_ruleset->begin(); + i!=final_ruleset->end(); ++i) + { + NATRule *rule = NATRule::cast(*i); + if (rule == NULL) continue; // skip RuleSetOptions object + + switch (rule->getRuleType()) + { + case NATRule::DNAT: + { + FWObject *re_to_compare = + rule->getFirstByType(nat_re_type_to_match_dst); + Address *dst_to_compare = Address::cast( + FWReference::getObject(re_to_compare->front())); + + Address *osrc = getFirstOSrc(rule); assert(osrc); + Address *odst = getFirstODst(rule); assert(odst); + Service *osrv = getFirstOSrv(rule); assert(osrv); + + Address *tsrc = getFirstTSrc(rule); assert(tsrc); + // Address *tdst = getFirstTDst(rule); assert(tdst); + Service *tsrv = getFirstTSrv(rule); assert(tsrv); + + if (*(src->getAddressPtr()) == *(osrc->getAddressPtr()) && + (osrv->isAny() || srv->getId()==tsrv->getId()) && + *(dst->getAddressPtr()) == *(dst_to_compare->getAddressPtr())) + { + if (osrv->isAny()) + { + triplet tr(src, odst, srv); + res_dict[tr.hash()] = rule; + } + else + { + triplet tr(src, odst, osrv); + res_dict[tr.hash()] = rule; + } + } + } + break; + default: ; // TODO: should actually be always_assert + } + } + for (map::iterator i=res_dict.begin(); i!=res_dict.end(); ++i) + { + res.push_back(i->second); + } + return res; +} + + diff --git a/src/cisco_lib/PolicyCompiler_pix.cpp b/src/cisco_lib/PolicyCompiler_pix.cpp index 6e314a13a..b682cd9d0 100644 --- a/src/cisco_lib/PolicyCompiler_pix.cpp +++ b/src/cisco_lib/PolicyCompiler_pix.cpp 
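Review bot: In the `NATRule::DNAT` case of `findMatchingDNATRules`, `re_to_compare` and `dst_to_compare` are dereferenced without the check that every other lookup in the same case gets (`osrc`, `odst`, `osrv`, `tsrc` and `tsrv` are all asserted). `nat_re_type_to_match_dst` is a free-form string, so a type name that is not a child of the rule, or a rule element whose first object is not an `Address`, would presumably yield a null pointer and crash the compiler at `re_to_compare->front()` or `dst_to_compare->getAddressPtr()`. Add `assert(re_to_compare);` after the `getFirstByType` call and `assert(dst_to_compare);` after the cast, to match the neighbouring lines. Because `assert` is compiled out under NDEBUG, an explicit `if (dst_to_compare == NULL) continue;` would be the safer form if release builds disable assertions. The commented-out `tdst` line can be deleted rather than kept.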
@@ -366,100 +366,6 @@ bool PolicyCompiler_pix::RejectAction::processNext() return true; } -bool PolicyCompiler_pix::replaceTranslatedAddresses::processNext() -{ - PolicyRule *rule=getNext(); if (rule==NULL) return false; - PolicyCompiler_pix *pix_comp=dynamic_cast(compiler); - FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId()); -// string rule_iface_id=rule->getInterfaceId(); - -// Address *src=compiler->getFirstSrc(rule); -// Service *srv=compiler->getFirstSrv(rule); - - RuleElementSrc *srcrel=rule->getSrc(); - RuleElementDst *dstrel=rule->getDst(); - RuleElementSrv *srvrel=rule->getSrv(); - - list t_rules; - list transformed_rules; - - for (list::iterator i1=srcrel->begin(); i1!=srcrel->end(); ++i1) - { - for (list::iterator i2=dstrel->begin(); i2!=dstrel->end(); ++i2) - { - for (list::iterator i3=srvrel->begin(); i3!=srvrel->end(); ++i3) - { - FWObject *o1 = *i1; - FWObject *o2 = *i2; - FWObject *o3 = *i3; - FWObject *obj1 = NULL; - FWObject *obj2 = NULL; - FWObject *obj3 = NULL; - - if (FWReference::cast(o1)!=NULL) - obj1=FWReference::cast(o1)->getPointer(); - Address *src=Address::cast(obj1); - assert(src!=NULL); - - if (FWReference::cast(o2)!=NULL) - obj2=FWReference::cast(o2)->getPointer(); - Address *dst=Address::cast(obj2); - assert(dst!=NULL); - - if (FWReference::cast(o3)!=NULL) - obj3=FWReference::cast(o3)->getPointer(); - Service *srv=Service::cast(obj3); - assert(srv!=NULL); - - list tl = pix_comp->natcmp->findDNATForAddress( - src,dst,srv); - - for( list::iterator t=tl.begin(); t!=tl.end(); ++t) - { - FWObject *p = t->dst->getParent(); - if (t->dst->getId()==rule_iface->getId() || - p->getId()==rule_iface->getId()) - { - PolicyRule *r = compiler->dbcopy->createPolicyRule(); - compiler->temp_ruleset->add(r); - r->duplicate(rule); - - RuleElementSrc *nsrc=r->getSrc(); - nsrc->clearChildren(); - nsrc->addRef( src ); - - RuleElementDst *ndst=r->getDst(); - ndst->clearChildren(); - ndst->addRef( t->dst ); - - RuleElementSrv 
*nsrv=r->getSrv(); - nsrv->clearChildren(); - nsrv->addRef( t->srv ); - - t_rules.push_back(r); - } - } - } - } - } -/* list t_rules has all the atomic rules that have a - * matching NAT rule, with dst and srv already converted. We just add them to - * the policy on top of the original rule. - */ - for (list::iterator i1=t_rules.begin(); i1!=t_rules.end(); ++i1) - { - PolicyRule *r=PolicyRule::cast( *i1 ); - tmp_queue.push_back(r); - } - - tmp_queue.push_back(rule); - - return true; -} - - - - /* * processor splitIfDstMatchesFw should have made a firewall a single * object in dst diff --git a/src/cisco_lib/PolicyCompiler_pix.h b/src/cisco_lib/PolicyCompiler_pix.h index 51982198a..5c9c8ca76 100644 --- a/src/cisco_lib/PolicyCompiler_pix.h +++ b/src/cisco_lib/PolicyCompiler_pix.h 
@@ -180,20 +180,77 @@ namespace fwcompiler { DECLARE_POLICY_RULE_PROCESSOR( RejectAction ); friend class PolicyCompiler_pix::RejectAction; - + + /* + * Rule processors that inherit this class match objects used + * in policy rules to the nat rules and do something about + * them. + */ + class matchTranslatedAddresses : public PolicyRuleProcessor + { + protected: + std::list transformed_rules; + public: + matchTranslatedAddresses(const std::string &n):PolicyRuleProcessor(n) {} + virtual bool processNext(); + virtual std::list findMatchingNATRules( + libfwbuilder::Address *src, + libfwbuilder::Address *dst, + libfwbuilder::Service *srv); + virtual void action( + libfwbuilder::PolicyRule* policy_rule, + libfwbuilder::NATRule* nat_rule, + libfwbuilder::Address *src, + libfwbuilder::Address *dst, + libfwbuilder::Service *srv); + }; + /** * this processor replaces objects in dst for which we have * DNAT rule in a NAT policy. Call _after_ telnetToFirewall, * sshToFirewall and PrepareForICMPCmd */ - class replaceTranslatedAddresses : public PolicyRuleProcessor + class replaceTranslatedAddresses : public matchTranslatedAddresses { public: - replaceTranslatedAddresses(const std::string &n):PolicyRuleProcessor(n) {} - virtual bool processNext(); + replaceTranslatedAddresses(const std::string &n) : + matchTranslatedAddresses(n) {} + virtual std::list findMatchingNATRules( + libfwbuilder::Address *src, + libfwbuilder::Address *dst, + libfwbuilder::Service *srv); + virtual void action( + libfwbuilder::PolicyRule* policy_rule, + libfwbuilder::NATRule* nat_rule, + libfwbuilder::Address *src, + libfwbuilder::Address *dst, + libfwbuilder::Service *srv); }; friend class PolicyCompiler_pix::replaceTranslatedAddresses; + /** + * this processor issues warning when translated addresses are + * used in policy rules. Use for PIX 8.3 and later. 
+ */ + class warnWhenTranslatedAddressesAreUsed : public matchTranslatedAddresses + { + public: + warnWhenTranslatedAddressesAreUsed(const std::string &n) : + matchTranslatedAddresses(n) {} + virtual std::list findMatchingNATRules( + libfwbuilder::Address *src, + libfwbuilder::Address *dst, + libfwbuilder::Service *srv); + virtual void action( + libfwbuilder::PolicyRule* policy_rule, + libfwbuilder::NATRule* nat_rule, + libfwbuilder::Address *src, + libfwbuilder::Address *dst, + libfwbuilder::Service *srv); + }; + friend class PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed; + + /** * can not use object-group in "icmp", "telnet" and "ssh" commands */ diff --git a/src/cisco_lib/PolicyCompiler_pix_replace_translations.cpp b/src/cisco_lib/PolicyCompiler_pix_replace_translations.cpp new file mode 100644 index 000000000..387420d39 --- /dev/null +++ b/src/cisco_lib/PolicyCompiler_pix_replace_translations.cpp 
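Review bot: The two virtual hooks on `matchTranslatedAddresses`, `findMatchingNATRules` and `action`, are declared without any comment, yet subclasses depend on a contract that is only visible in the .cpp file. There the base versions are no-ops (an empty list and an empty body), and `processNext` calls `action` once per returned NAT rule and then queues whatever is in `transformed_rules` ahead of the original rule. I would add `// returns NAT rules that match (src,dst,srv); base implementation returns an empty list` above `findMatchingNATRules`, and `// called for each matching NAT rule; append generated policy rules to transformed_rules` above `action`. The comment on `warnWhenTranslatedAddressesAreUsed` says "Use for PIX 8.3 and later", but nothing in this header enforces that, so say that the caller is responsible for the version check. For consistency with the two derived processors, consider adding a `friend class PolicyCompiler_pix::matchTranslatedAddresses;` line as well.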
@@ -0,0 +1,236 @@ +/* + + Firewall Builder + + Copyright (C) 2002-2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + +#include "config.h" + +#include "Helper.h" + +#include "PolicyCompiler_pix.h" +#include "NATCompiler_pix.h" + +#include "fwbuilder/FWObjectDatabase.h" +#include "fwbuilder/RuleSet.h" +#include "fwbuilder/Rule.h" +#include "fwbuilder/RuleElement.h" + +#include + +using namespace libfwbuilder; +using namespace fwcompiler; +using namespace std; + + +bool PolicyCompiler_pix::matchTranslatedAddresses::processNext() +{ + PolicyRule *rule = getNext(); if (rule==NULL) return false; + + string version = compiler->fw->getStr("version"); + bool v83_behavior = XMLTools::version_compare(version, "8.3")>=0; + + transformed_rules.clear(); + +// string rule_iface_id=rule->getInterfaceId(); + +// Address *src=compiler->getFirstSrc(rule); +// Service *srv=compiler->getFirstSrv(rule); + + RuleElementSrc *srcrel = rule->getSrc(); + RuleElementDst *dstrel = rule->getDst(); + RuleElementSrv *srvrel = rule->getSrv(); + + for (list::iterator i1=srcrel->begin(); i1!=srcrel->end(); ++i1) + { + for (list::iterator i2=dstrel->begin(); i2!=dstrel->end(); ++i2) + { + for (list::iterator i3=srvrel->begin(); i3!=srvrel->end(); ++i3) + { + FWObject *o1 = *i1; + FWObject *o2 = *i2; 
+ FWObject *o3 = *i3; + FWObject *obj1 = NULL; + FWObject *obj2 = NULL; + FWObject *obj3 = NULL; + + obj1 = FWReference::getObject(o1); + Address *src = Address::cast(obj1); + assert(src!=NULL); + + obj2 = FWReference::getObject(o2); + Address *dst = Address::cast(obj2); + assert(dst!=NULL); + + obj3 = FWReference::getObject(o3); + Service *srv = Service::cast(obj3); + assert(srv!=NULL); + + list tl = findMatchingNATRules(src, dst, srv); + + for( list::iterator t=tl.begin(); t!=tl.end(); ++t) + action(rule, *t, src, dst, srv); + + } + } + } +/* + *list transformed_rules has all the atomic rules that have a matching + * NAT rule, with dst and srv already converted. We just add them to + * the policy on top of the original rule. + */ + list::iterator i1; + for (i1=transformed_rules.begin(); i1!=transformed_rules.end(); ++i1) + { + PolicyRule *r=PolicyRule::cast( *i1 ); + tmp_queue.push_back(r); + } + + tmp_queue.push_back(rule); + + return true; +} + + +list PolicyCompiler_pix::matchTranslatedAddresses::findMatchingNATRules( + Address*, Address*, Service*) +{ + return list(); +} + +void PolicyCompiler_pix::matchTranslatedAddresses::action( + PolicyRule* , NATRule* , Address*, Address*, Service*) +{ +} + + +list PolicyCompiler_pix::replaceTranslatedAddresses::findMatchingNATRules( + Address *src, Address *dst, Service *srv) +{ + PolicyCompiler_pix *pix_comp = dynamic_cast(compiler); + return pix_comp->natcmp->findMatchingDNATRules( + src, dst, srv, RuleElementTDst::TYPENAME); +} + +void PolicyCompiler_pix::replaceTranslatedAddresses::action( + PolicyRule* policy_rule, + NATRule* nat_rule, Address *src, Address*, Service *srv) +{ + FWObject *rule_iface = compiler->dbcopy->findInIndex( + policy_rule->getInterfaceId()); + + RuleElement *re = nat_rule->getOSrc(); + FWObject *o = FWReference::getObject(re->front()); + Address *osrc = Address::cast(o); assert(osrc); + + re = nat_rule->getODst(); + o = FWReference::getObject(re->front()); + Address *odst = Address::cast(o); 
assert(odst); + + re = nat_rule->getOSrv(); + o = FWReference::getObject(re->front()); + Service *osrv = Service::cast(o); assert(osrv); + + re = nat_rule->getTSrc(); + o = FWReference::getObject(re->front()); + Address *tsrc = Address::cast(o); assert(tsrc); + + re = nat_rule->getTDst(); + o = FWReference::getObject(re->front()); + Address *tdst = Address::cast(o); assert(tdst); + + re = nat_rule->getTSrv(); + o = FWReference::getObject(re->front()); + Service *tsrv = Service::cast(o); assert(tsrv); + + + FWObject *p = odst->getParent(); + + if (odst->getId() == rule_iface->getId() || + p->getId() == rule_iface->getId()) + { + + PolicyRule *r = compiler->dbcopy->createPolicyRule(); + compiler->temp_ruleset->add(r); + r->duplicate(policy_rule); + + RuleElementSrc *nsrc = r->getSrc(); + nsrc->clearChildren(); + nsrc->addRef( src ); + + RuleElementDst *ndst = r->getDst(); + ndst->clearChildren(); + ndst->addRef( odst ); + + RuleElementSrv *nsrv = r->getSrv(); + nsrv->clearChildren(); + + if (osrv->isAny()) + nsrv->addRef( srv ); + else + nsrv->addRef( osrv ); + + transformed_rules.push_back(r); + } + +} + + +list PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::findMatchingNATRules( + Address *src, Address *dst, Service *srv) +{ + PolicyCompiler_pix *pix_comp = dynamic_cast(compiler); + return pix_comp->natcmp->findMatchingDNATRules( + src, dst, srv, RuleElementODst::TYPENAME); +} + +void PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::action( + PolicyRule* policy_rule, + NATRule* nat_rule, Address*, Address *dst, Service*) +{ + FWObject *rule_iface = compiler->dbcopy->findInIndex( + policy_rule->getInterfaceId()); + string version = compiler->fw->getStr("version"); + + RuleElement *re; + FWObject *o; + + re = nat_rule->getODst(); + o = FWReference::getObject(re->front()); + Address *odst = Address::cast(o); assert(odst); + + FWObject *p = odst->getParent(); + + if (odst->getId() == rule_iface->getId() || + p->getId() == rule_iface->getId()) + { + 
QString err("Object %1 that represents translated address in a NAT rule %2 " + "is used in a policy rule of ASA v%3 firewall. " + "Starting with v8.3, ASA requires using real IP addresses " + "in the firewall policy rules. "); + + compiler->warning( + policy_rule, + err.arg(QString::fromUtf8(dst->getName().c_str())) + .arg(nat_rule->getLabel().c_str()) + .arg(version.c_str()).toStdString()); + } +} + diff --git a/src/cisco_lib/cisco_lib.pro b/src/cisco_lib/cisco_lib.pro index 1cc1e9875..2a6e108c8 100644 --- a/src/cisco_lib/cisco_lib.pro +++ b/src/cisco_lib/cisco_lib.pro @@ -23,6 +23,7 @@ SOURCES = PolicyCompiler_cisco.cpp \ CompilerDriver_pix.cpp \ CompilerDriver_pix_run.cpp \ NATCompiler_pix.cpp \ + NATCompiler_pix_find_translations.cpp \ NATCompiler_pix_writers.cpp \ OSConfigurator_pix_os.cpp \ OSConfigurator_pix_os_fixups.cpp \ @@ -42,6 +43,7 @@ SOURCES = PolicyCompiler_cisco.cpp \ PolicyCompiler_pix.cpp \ PolicyCompiler_pix_writers.cpp \ PolicyCompiler_pix_v6_acls.cpp \ + PolicyCompiler_pix_replace_translations.cpp \ RoutingCompiler_pix.cpp \ RoutingCompiler_pix_writers.cpp diff --git a/test/pix/cluster1-1_pix1.fw.orig b/test/pix/cluster1-1_pix1.fw.orig index bdb68c52e..7dfc0e15f 100755 --- a/test/pix/cluster1-1_pix1.fw.orig +++ b/test/pix/cluster1-1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:48 2011 PST by vadim +! Generated Thu Jan 6 12:53:28 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1-1_pix2.fw.orig b/test/pix/cluster1-1_pix2.fw.orig index 167378768..2edd59fca 100755 --- a/test/pix/cluster1-1_pix2.fw.orig +++ b/test/pix/cluster1-1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:48 2011 PST by vadim +! Generated Thu Jan 6 12:53:28 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported 
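Review bot: Both `replaceTranslatedAddresses::action` and `warnWhenTranslatedAddressesAreUsed::action` dereference `rule_iface` and `p` without a check, although `findInIndex(policy_rule->getInterfaceId())` and `odst->getParent()` can presumably return null, for example for a rule with no interface set or an object with no parent. A guard such as `if (rule_iface == NULL) return;` plus `(p != NULL && p->getId() == rule_iface->getId())` in the condition would keep the compiler from crashing on such input. The same applies to the `dynamic_cast` result `pix_comp` and to `pix_comp->natcmp` in the two `findMatchingNATRules` overrides. Separately, `v83_behavior` in `processNext` is computed but never used, and `osrc`, `tsrc`, `tdst` and `tsrv` in `replaceTranslatedAddresses::action` are only asserted. Either wire the version check in, so that the 8.3 warning path is selected here, or drop the unused locals.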
diff --git a/test/pix/cluster1_pix1.fw.orig b/test/pix/cluster1_pix1.fw.orig index bfe12aea6..d1e5f7c1e 100755 --- a/test/pix/cluster1_pix1.fw.orig +++ b/test/pix/cluster1_pix1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:48 2011 PST by vadim +! Generated Thu Jan 6 12:53:28 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/cluster1_pix2.fw.orig b/test/pix/cluster1_pix2.fw.orig index 929f40851..481237d4a 100755 --- a/test/pix/cluster1_pix2.fw.orig +++ b/test/pix/cluster1_pix2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:48 2011 PST by vadim +! Generated Thu Jan 6 12:53:28 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall.fw.orig b/test/pix/firewall.fw.orig index 3a4021100..9fdac088d 100755 --- a/test/pix/firewall.fw.orig +++ b/test/pix/firewall.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:30 2011 PST by vadim +! Generated Thu Jan 6 12:53:09 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall1.fw.orig b/test/pix/firewall1.fw.orig index 3d965a368..6d0012bb5 100755 --- a/test/pix/firewall1.fw.orig +++ b/test/pix/firewall1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:31 2011 PST by vadim +! Generated Thu Jan 6 12:53:10 2011 PST by vadim ! ! Compiled for pix 6.1 ! Outbound ACLs: not supported diff --git a/test/pix/firewall10.fw.orig b/test/pix/firewall10.fw.orig index 0a32446cf..1f187aa3f 100755 --- a/test/pix/firewall10.fw.orig +++ b/test/pix/firewall10.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:31 2011 PST by vadim +! Generated Thu Jan 6 12:53:11 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall11.fw.orig b/test/pix/firewall11.fw.orig index c87c3f532..ea3d4ab0d 100755 --- a/test/pix/firewall11.fw.orig +++ b/test/pix/firewall11.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:32 2011 PST by vadim +! Generated Thu Jan 6 12:53:11 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall12.fw.orig b/test/pix/firewall12.fw.orig index d271817df..d9bfc8b6e 100755 --- a/test/pix/firewall12.fw.orig +++ b/test/pix/firewall12.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:32 2011 PST by vadim +! Generated Thu Jan 6 12:53:12 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall13.fw.orig b/test/pix/firewall13.fw.orig index cc17db0ae..dd7345aef 100755 --- a/test/pix/firewall13.fw.orig +++ b/test/pix/firewall13.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:33 2011 PST by vadim +! Generated Thu Jan 6 12:53:13 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall14.fw.orig b/test/pix/firewall14.fw.orig index e69c7719c..69e1ff68e 100755 --- a/test/pix/firewall14.fw.orig +++ b/test/pix/firewall14.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:34 2011 PST by vadim +! Generated Thu Jan 6 12:53:13 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall2.fw.orig b/test/pix/firewall2.fw.orig index 03a9b4de5..269f99d5e 100755 --- a/test/pix/firewall2.fw.orig +++ b/test/pix/firewall2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:34 2011 PST by vadim +! Generated Thu Jan 6 12:53:14 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall20.fw.orig b/test/pix/firewall20.fw.orig index e643dc137..063e2df22 100755 --- a/test/pix/firewall20.fw.orig +++ b/test/pix/firewall20.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:35 2011 PST by vadim +! Generated Thu Jan 6 12:53:14 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21-1.fw.orig b/test/pix/firewall21-1.fw.orig index f026bd253..844d917eb 100755 --- a/test/pix/firewall21-1.fw.orig +++ b/test/pix/firewall21-1.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:36 2011 PST by vadim +! Generated Thu Jan 6 12:53:16 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall21.fw.orig b/test/pix/firewall21.fw.orig index 04260847b..57af330ff 100755 --- a/test/pix/firewall21.fw.orig +++ b/test/pix/firewall21.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:36 2011 PST by vadim +! Generated Thu Jan 6 12:53:15 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall22.fw.orig b/test/pix/firewall22.fw.orig index ba7fb9fcc..4b22fd2a9 100755 --- a/test/pix/firewall22.fw.orig +++ b/test/pix/firewall22.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:37 2011 PST by vadim +! Generated Thu Jan 6 12:53:16 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall3.fw.orig b/test/pix/firewall3.fw.orig index 09292f1b4..64f54fa26 100755 --- a/test/pix/firewall3.fw.orig +++ b/test/pix/firewall3.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:37 2011 PST by vadim +! Generated Thu Jan 6 12:53:17 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported 
diff --git a/test/pix/firewall33.fw.orig b/test/pix/firewall33.fw.orig index d30e69302..b8a2dffe0 100755 --- a/test/pix/firewall33.fw.orig +++ b/test/pix/firewall33.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:38 2011 PST by vadim +! Generated Thu Jan 6 12:53:18 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported @@ -74,10 +74,11 @@ object-group network outside.id43867C2418346.src.net.0 object-group network outside.id438728A918346.dst.net.0 - network-object host 74.125.19.99 - network-object host 74.125.19.103 - network-object host 74.125.19.104 - network-object host 74.125.19.147 + network-object host 74.125.224.48 + network-object host 74.125.224.49 + network-object host 74.125.224.50 + network-object host 74.125.224.51 + network-object host 74.125.224.52 network-object host 157.166.224.25 network-object host 157.166.224.26 network-object host 157.166.226.25 diff --git a/test/pix/firewall34.fw.orig b/test/pix/firewall34.fw.orig index 138681d12..02d37b4f1 100755 --- a/test/pix/firewall34.fw.orig +++ b/test/pix/firewall34.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:39 2011 PST by vadim +! Generated Thu Jan 6 12:53:19 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/firewall4.fw.orig b/test/pix/firewall4.fw.orig index cd367fa42..2faa3f876 100755 --- a/test/pix/firewall4.fw.orig +++ b/test/pix/firewall4.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:40 2011 PST by vadim +! Generated Thu Jan 6 12:53:19 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall50.fw.orig b/test/pix/firewall50.fw.orig index 22d89a367..2157b6590 100755 --- a/test/pix/firewall50.fw.orig +++ b/test/pix/firewall50.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:40 2011 PST by vadim +! Generated Thu Jan 6 12:53:20 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/firewall6.fw.orig b/test/pix/firewall6.fw.orig index b3a2c96be..1bff9af9c 100755 --- a/test/pix/firewall6.fw.orig +++ b/test/pix/firewall6.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:41 2011 PST by vadim +! Generated Thu Jan 6 12:53:21 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall8.fw.orig b/test/pix/firewall8.fw.orig index b0cbcac97..32dcaef24 100755 --- a/test/pix/firewall8.fw.orig +++ b/test/pix/firewall8.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:42 2011 PST by vadim +! Generated Thu Jan 6 12:53:22 2011 PST by vadim ! ! Compiled for pix 6.2 ! Outbound ACLs: not supported diff --git a/test/pix/firewall80.fw.orig b/test/pix/firewall80.fw.orig index ca13eaccd..09da291b8 100755 --- a/test/pix/firewall80.fw.orig +++ b/test/pix/firewall80.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:43 2011 PST by vadim +! Generated Thu Jan 6 12:53:22 2011 PST by vadim ! ! Compiled for pix 8.2 ! Outbound ACLs: supported diff --git a/test/pix/firewall9.fw.orig b/test/pix/firewall9.fw.orig index 79b707940..650d08b18 100755 --- a/test/pix/firewall9.fw.orig +++ b/test/pix/firewall9.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:43 2011 PST by vadim +! Generated Thu Jan 6 12:53:23 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported diff --git a/test/pix/fwsm1.fw.orig b/test/pix/fwsm1.fw.orig index f69953bc2..7d2ccdff7 100755 --- a/test/pix/fwsm1.fw.orig +++ b/test/pix/fwsm1.fw.orig 
@@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:44 2011 PST by vadim +! Generated Thu Jan 6 12:53:24 2011 PST by vadim ! ! Compiled for fwsm 2.3 ! Outbound ACLs: supported diff --git a/test/pix/fwsm2.fw.orig b/test/pix/fwsm2.fw.orig index 53a5794b0..3ec8356c8 100755 --- a/test/pix/fwsm2.fw.orig +++ b/test/pix/fwsm2.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:45 2011 PST by vadim +! Generated Thu Jan 6 12:53:25 2011 PST by vadim ! ! Compiled for fwsm 4.x ! Outbound ACLs: supported diff --git a/test/pix/pix515.fw.orig b/test/pix/pix515.fw.orig index ffad3fbb7..07f3195ca 100755 --- a/test/pix/pix515.fw.orig +++ b/test/pix/pix515.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:46 2011 PST by vadim +! Generated Thu Jan 6 12:53:26 2011 PST by vadim ! ! Compiled for pix 7.0 ! Outbound ACLs: supported diff --git a/test/pix/real.fw.orig b/test/pix/real.fw.orig index cd08f8a28..68fd0872b 100755 --- a/test/pix/real.fw.orig +++ b/test/pix/real.fw.orig @@ -3,7 +3,7 @@ ! ! Firewall Builder fwb_pix v4.2.0.3425 ! -! Generated Tue Jan 4 19:05:46 2011 PST by vadim +! Generated Thu Jan 6 12:53:26 2011 PST by vadim ! ! Compiled for pix 6.3 ! Outbound ACLs: not supported