
merge from v3

This commit is contained in:
Vadim Kurland 2009-06-11 23:45:45 +00:00
commit d5b4cc92f1
22 changed files with 2931 additions and 490 deletions


@ -1 +1 @@
#define BUILD_NUM 1036
#define BUILD_NUM 1050


@ -437,6 +437,11 @@ AC_SUBST(ICONSDIR)
AC_PATH_PROG(CCACHE, ccache, , )
AC_SUBST(CCACHE)
if test -n "$CCACHE"
then
ccache -s
fi
dnl AC_CONFIG_FILES([ Main.make ])
AC_CONFIG_FILES([ qmake.inc ])
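Review bot: `ccache -s` at L25 runs a cache-statistics command as a side effect of ./configure; its output lands in the middle of the configure transcript and its exit status is ignored, so a present-but-unusable ccache is neither reported nor fatal. If the intent is only to confirm detection, `AC_MSG_NOTICE([using ccache: $CCACHE])` does that without invoking the tool; if the statistics are wanted, a build target is the place for them. The hunk shows detection only; whether $CCACHE is later wired into the compiler variables (presumably via qmake.inc at L28) is outside it.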


@ -1,3 +1,51 @@
2009-06-11 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printRule):
implemented feature request #1778536: "IOSACL - remark command".
This adds support for the "remark" command in generated IOS
ACL configuration. Controlled by the checkbox "Add ACL remarks"
in the "Script" tab of the firewall object settings dialog.
2009-06-09 vadim <vadim@vk.crocodile.org>
* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): fixed bug
#2803702 "NAT rule with source port range in TSrv is broken for
PF". NAT rules matching source port ranges and translating source
port ranges should be possible.
* NATCompiler.cpp (classifyNATRule::processNext): (change in
libfwbuilder) fixed bug #2803689 "NAT rule matching dport but
chaning sport is broken". NAT rules that match destination port
but translate source port should be possible (and the opposite
too).
2009-06-08 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (splitSDNATRule::processNext): Improved
support for NAT rules that translate both source and destination:
now a rule like this can translate both source and destination
addresses and at the same time source and destination port ranges.
Compiler generates two iptables commands, one with SNAT and
another with DNAT translation for a rule like this.
* PolicyCompiler_ipt.cpp (checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces):
Using Compiler::abort() instead of throwing exception on all error
conditions in the compiler.
* NATCompiler_PrintRule.cpp (PrintRule::processNext): Added
support for SNAT rules that translate only source port of udp or
tcp packets. This rule generate "-j SNAT --to-source :<port>"
with no address part.
2009-06-06 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): fixed
bug (no #): compiler for PF did not remove rules using IPv4
objects while compiling policy set to be "combined IPv4 and IPv6"
for IPv6 and vice versa. As the result, it used to double some
rules because the would appear both in IPv4 and IPv6 sections of
generated .conf file.
2009-06-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): fixed bug


@ -166,7 +166,7 @@ bool RCSFilePreview::showFileRLog( const QString &filename )
{
rcsComments[(*i).rev] = (*i).log;
RCSViewItem *itm;
RCSViewItem *itm = NULL;
if (st->getRCSFilePreviewStyle()==1)
{
// List style


@ -1404,11 +1404,10 @@ QRect RuleSetView::calculateCellSize( int row, int col )
if (ruleP==NULL)
break ;
QString ac = ruleP->getDirectionAsString().c_str();
// FWObjectPropertiesFactory::getRuleActionProperties(
// PolicyRule::cast(rule));
QRect br=p.boundingRect(QRect(0, 0, 1000, 1000),
Qt::AlignLeft|Qt::AlignVCenter, ac );
if (ac == "Undefined") ac = "Both";
QRect br = p.boundingRect(QRect(0, 0, 1000, 1000),
Qt::AlignLeft|Qt::AlignVCenter, ac );
hc = item_h;
wc = RuleElementSpacing/2 + pixmap_w + RuleElementSpacing + br.width();
break;
@ -1785,11 +1784,10 @@ void RuleSetView::paintCell(QPainter *pntr,
{
PolicyRule *rule = PolicyRule::cast( ruleIndex[row] );
if (rule==NULL) return;
string dir = rule->getDirectionAsString();
QString dir_ = rule->getDirectionAsString().c_str();
if (dir.empty())
dir = "Both";
if (dir.empty() || dir == "Undefined")
dir = "Both";
//dir="Both-tree";
QString icn = chooseIcon((":/Icons/" + dir).c_str());
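Review bot: `QString dir_` at L105 is built from the same `getDirectionAsString()` call as `dir` and is never read in the visible lines — the icon path at L111 is built from the std::string `dir` — so the line should go unless it is consumed further down in paintCell, which continues outside the hunk. The two hunks also disagree on the mapping: calculateCellSize at L94 turns only `"Undefined"` into `"Both"`, while paintCell at L108 does it for the empty string as well, so a rule with an empty direction is measured for `""` but painted as `"Both"`. A shared helper such as `static string directionOrBoth(PolicyRule *r)` used at both sites would keep the width calculation and the painting consistent.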


@ -258,6 +258,9 @@ iosaclAdvancedDialog::iosaclAdvancedDialog(QWidget *parent,FWObject *o)
data.registerOption( m_dialog->iosacl_include_comments, fwoptions,
"iosacl_include_comments" );
data.registerOption( m_dialog->iosacl_use_acl_remarks, fwoptions,
"iosacl_use_acl_remarks" );
data.registerOption( m_dialog->iosacl_regroup_commands, fwoptions,
"iosacl_regroup_commands" );


@ -22,7 +22,7 @@
<item row="0" column="0" >
<widget class="QTabWidget" name="tabWidget" >
<property name="currentIndex" >
<number>0</number>
<number>1</number>
</property>
<widget class="QWidget" name="compiler_tab" >
<attribute name="title" >
@ -228,10 +228,7 @@ workstation with this address:</string>
<property name="title" >
<string/>
</property>
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<layout class="QGridLayout" name="gridLayout_7" >
<item row="0" column="0" >
<widget class="QCheckBox" name="iosacl_include_comments" >
<property name="toolTip" >
@ -242,6 +239,16 @@ workstation with this address:</string>
</property>
</widget>
</item>
<item row="1" column="0" >
<widget class="QCheckBox" name="iosacl_use_acl_remarks" >
<property name="toolTip" >
<string>Insert comments into generated IOSACL configuration file</string>
</property>
<property name="text" >
<string>Use ACL remarks</string>
</property>
</widget>
</item>
<item row="2" column="0" >
<widget class="QCheckBox" name="iosacl_regroup_commands" >
<property name="toolTip" >
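Review bot: The `currentIndex` change from 0 to 1 at L129–L130 makes the dialog open on its second tab; this looks like Qt Designer saving whichever tab was selected while the checkbox was added rather than an intended default, and the other dialogs in this commit move the value back to 0. The tooltip at L153, "Insert comments into generated IOSACL configuration file", reads like the description of the existing iosacl_include_comments option rather than the new one; say what a remark is, e.g. `<string>Emit each rule's label as an IOS "remark" line inside the generated access list</string>`. The ChangeLog in this commit calls the checkbox "Add ACL remarks" while L156 says "Use ACL remarks"; pick one so the documentation matches the dialog.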


@ -86,8 +86,6 @@ ipfAdvancedDialog::ipfAdvancedDialog(QWidget *parent,FWObject *o)
data.registerOption( m_dialog->ipf_check_shadowing,fwopt, "check_shading" );
data.registerOption( m_dialog->ipf_eliminate_duplicates,fwopt, "eliminate_duplicates");
data.registerOption( m_dialog->ipf_accept_new_tcp_with_no_syn,fwopt, "accept_new_tcp_with_no_syn");
data.registerOption( m_dialog->ipf_in_out_code,fwopt, "in_out_code" );
data.registerOption( m_dialog->ipf_pass_all_out,fwopt, "pass_all_out" );
data.registerOption( m_dialog->ipf_ignore_empty_groups,fwopt, "ignore_empty_groups");
data.registerOption( m_dialog->ipf_return_icmp_as_dest,fwopt, "ipf_return_icmp_as_dest");
data.registerOption( m_dialog->ipf_nat_raudio_proxy,fwopt, "ipf_nat_raudio_proxy");


@ -6,7 +6,7 @@
<x>0</x>
<y>0</y>
<width>685</width>
<height>727</height>
<height>775</height>
</rect>
</property>
<property name="windowTitle" >
@ -71,8 +71,301 @@
<item row="0" column="0" >
<widget class="QTabWidget" name="tabWidget" >
<property name="currentIndex" >
<number>2</number>
<number>0</number>
</property>
<widget class="QWidget" name="tab1" >
<attribute name="title" >
<string>Compiler</string>
</attribute>
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<item row="0" column="0" colspan="2" >
<widget class="QLabel" name="compilerLabel" >
<property name="text" >
<string>Compiler:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="4" column="0" colspan="4" >
<widget class="QLabel" name="label571" >
<property name="text" >
<string>There are two ways compiler can generate code for rules in the Global Policy: it can either create two ipf rules to control both incoming and outgoing packets for each rule, or it can create only one ipf rule for incoming packets and permit all outgoing ones.You get more control over the packets crossing the firewall in the first mode, but generated script is going to be smaller if you choose the second.</string>
</property>
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="11" column="1" colspan="3" >
<widget class="QCheckBox" name="ipf_return_icmp_as_dest" >
<property name="text" >
<string>Masquerade returned icmp as being from original
packet's destination</string>
</property>
</widget>
</item>
<item row="6" column="1" colspan="3" >
<widget class="QCheckBox" name="ipf_accept_new_tcp_with_no_syn" >
<property name="text" >
<string>Accept TCP sessions opened prior to firewall restart</string>
</property>
</widget>
</item>
<item row="7" column="1" colspan="3" >
<widget class="QCheckBox" name="ipf_eliminate_duplicates" >
<property name="text" >
<string>Find and eliminate duplicate rules</string>
</property>
</widget>
</item>
<item row="8" column="1" colspan="3" >
<widget class="QCheckBox" name="ipf_check_shadowing" >
<property name="toolTip" >
<string>Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule.</string>
</property>
<property name="text" >
<string>Detect rule shadowing in policy</string>
</property>
</widget>
</item>
<item row="9" column="1" colspan="3" >
<widget class="QCheckBox" name="ipf_ignore_empty_groups" >
<property name="toolTip" >
<string>If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works!</string>
</property>
<property name="text" >
<string>Ignore empty groups in rules</string>
</property>
</widget>
</item>
<item row="13" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>30</height>
</size>
</property>
</spacer>
</item>
<item row="14" column="1" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>16</height>
</size>
</property>
</spacer>
</item>
<item row="13" column="1" colspan="2" >
<widget class="QCheckBox" name="mgmt_ssh" >
<property name="text" >
<string>Always permit ssh access from
the management workstation
with this address:</string>
</property>
</widget>
</item>
<item row="10" column="1" >
<widget class="QLabel" name="textLabel9" >
<property name="maximumSize" >
<size>
<width>400</width>
<height>32767</height>
</size>
</property>
<property name="text" >
<string>Default action on 'Reject':</string>
</property>
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="10" column="2" colspan="2" >
<widget class="QComboBox" name="actionOnReject" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximumSize" >
<size>
<width>400</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item row="12" column="0" colspan="4" >
<widget class="Line" name="line4" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="13" column="3" >
<widget class="QLineEdit" name="mgmt_addr" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximumSize" >
<size>
<width>32767</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item rowspan="5" row="7" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>130</height>
</size>
</property>
</spacer>
</item>
<item row="5" column="0" colspan="4" >
<widget class="Line" name="hseparator34" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="3" column="0" colspan="4" >
<widget class="Line" name="hseparator34_2" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2" >
<widget class="QLabel" name="compilerArgsLabel" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Command line options for the compiler:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2" >
<widget class="QLabel" name="textLabel1_5" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw")</string>
</property>
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="2" colspan="2" >
<widget class="QLineEdit" name="compiler" >
<property name="maximumSize" >
<size>
<width>32767</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item row="1" column="2" colspan="2" >
<widget class="QLineEdit" name="compilerArgs" >
<property name="maximumSize" >
<size>
<width>32767</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item row="2" column="2" colspan="2" >
<widget class="QLineEdit" name="outputFileName" >
<property name="maximumSize" >
<size>
<width>32767</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="tab0" >
<attribute name="title" >
<string>Protocol Helpers</string>
@ -213,341 +506,6 @@
</item>
</layout>
</widget>
<widget class="QWidget" name="tab1" >
<attribute name="title" >
<string>Compiler</string>
</attribute>
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<item row="0" column="0" colspan="2" >
<widget class="QLabel" name="compilerLabel" >
<property name="text" >
<string>Compiler:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="4" column="0" colspan="4" >
<widget class="QLabel" name="label571" >
<property name="text" >
<string>There are two ways compiler can generate code for rules in the Global Policy: it can either create two ipf rules to control both incoming and outgoing packets for each rule, or it can create only one ipf rule for incoming packets and permit all outgoing ones.You get more control over the packets crossing the firewall in the first mode, but generated script is going to be smaller if you choose the second.</string>
</property>
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="12" column="1" colspan="3" >
<widget class="QCheckBox" name="ipf_return_icmp_as_dest" >
<property name="text" >
<string>Masquerade returned icmp as being from original
packet's destination</string>
</property>
</widget>
</item>
<item row="5" column="1" colspan="3" >
<widget class="QGroupBox" name="buttonGroup1" >
<property name="title" >
<string/>
</property>
<layout class="QVBoxLayout" >
<property name="margin" >
<number>6</number>
</property>
<item>
<widget class="QRadioButton" name="ipf_in_out_code" >
<property name="text" >
<string>Generate both 'in' and 'out' rules</string>
</property>
</widget>
</item>
<item>
<widget class="QRadioButton" name="ipf_pass_all_out" >
<property name="text" >
<string>Pass all outgoing</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="7" column="1" colspan="3" >
<widget class="QCheckBox" name="ipf_accept_new_tcp_with_no_syn" >
<property name="text" >
<string>Accept TCP sessions opened prior to firewall restart</string>
</property>
</widget>
</item>
<item row="8" column="1" colspan="3" >
<widget class="QCheckBox" name="ipf_eliminate_duplicates" >
<property name="text" >
<string>Find and eliminate duplicate rules</string>
</property>
</widget>
</item>
<item row="9" column="1" colspan="3" >
<widget class="QCheckBox" name="ipf_check_shadowing" >
<property name="toolTip" >
<string>Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule.</string>
</property>
<property name="text" >
<string>Detect rule shadowing in policy</string>
</property>
</widget>
</item>
<item row="10" column="1" colspan="3" >
<widget class="QCheckBox" name="ipf_ignore_empty_groups" >
<property name="toolTip" >
<string>If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works!</string>
</property>
<property name="text" >
<string>Ignore empty groups in rules</string>
</property>
</widget>
</item>
<item row="5" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>30</height>
</size>
</property>
</spacer>
</item>
<item row="14" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>30</height>
</size>
</property>
</spacer>
</item>
<item row="15" column="1" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>16</height>
</size>
</property>
</spacer>
</item>
<item row="14" column="1" colspan="2" >
<widget class="QCheckBox" name="mgmt_ssh" >
<property name="text" >
<string>Always permit ssh access from
the management workstation
with this address:</string>
</property>
</widget>
</item>
<item row="11" column="1" >
<widget class="QLabel" name="textLabel9" >
<property name="maximumSize" >
<size>
<width>400</width>
<height>32767</height>
</size>
</property>
<property name="text" >
<string>Default action on 'Reject':</string>
</property>
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="11" column="2" colspan="2" >
<widget class="QComboBox" name="actionOnReject" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximumSize" >
<size>
<width>400</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item row="13" column="0" colspan="4" >
<widget class="Line" name="line4" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="14" column="3" >
<widget class="QLineEdit" name="mgmt_addr" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximumSize" >
<size>
<width>32767</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item rowspan="5" row="8" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType" >
<enum>QSizePolicy::Fixed</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>130</height>
</size>
</property>
</spacer>
</item>
<item row="6" column="0" colspan="4" >
<widget class="Line" name="hseparator34" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="3" column="0" colspan="4" >
<widget class="Line" name="hseparator34_2" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2" >
<widget class="QLabel" name="compilerArgsLabel" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Command line options for the compiler:</string>
</property>
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2" >
<widget class="QLabel" name="textLabel1_5" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text" >
<string>Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw")</string>
</property>
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="2" colspan="2" >
<widget class="QLineEdit" name="compiler" >
<property name="maximumSize" >
<size>
<width>32767</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item row="1" column="2" colspan="2" >
<widget class="QLineEdit" name="compilerArgs" >
<property name="maximumSize" >
<size>
<width>32767</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
<item row="2" column="2" colspan="2" >
<widget class="QLineEdit" name="outputFileName" >
<property name="maximumSize" >
<size>
<width>32767</width>
<height>32767</height>
</size>
</property>
</widget>
</item>
</layout>
</widget>
<widget class="QWidget" name="tab2" >
<attribute name="title" >
<string>Installer</string>
@ -1278,8 +1236,6 @@ with this address:</string>
<tabstop>compiler</tabstop>
<tabstop>compilerArgs</tabstop>
<tabstop>outputFileName</tabstop>
<tabstop>ipf_in_out_code</tabstop>
<tabstop>ipf_pass_all_out</tabstop>
<tabstop>ipf_accept_new_tcp_with_no_syn</tabstop>
<tabstop>ipf_eliminate_duplicates</tabstop>
<tabstop>ipf_check_shadowing</tabstop>
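Review bot: The explanatory label at L218 still describes the two code-generation modes ("two ipf rules ... or only one ipf rule for incoming packets and permit all outgoing ones") although the radio buttons that chose between them, `ipf_in_out_code` and `ipf_pass_all_out` (L536–L561), and their tabstops (L836–L837) are removed in this section; rewrite or drop the label. Removing the controls, together with their registerOption() calls in ipfAdvancedDialog.cpp, also means a firewall object that already has `in_out_code` or `pass_all_out` stored in its options keeps that value with no way to see or change it from the GUI; if the ipf compiler still reads those keys (outside this diff), such an object compiles differently from a freshly created one with identical visible settings, so either the compiler should stop consulting them or the keys should be cleared on load. The tab reorder and the `currentIndex` reset to 0 at L191–L192 look intentional and fine.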


@ -19,17 +19,8 @@
<property name="margin" >
<number>11</number>
</property>
<property name="spacing" >
<number>6</number>
</property>
<item row="1" column="0" >
<layout class="QHBoxLayout" >
<property name="spacing" >
<number>6</number>
</property>
<property name="margin" >
<number>0</number>
</property>
<item>
<spacer>
<property name="orientation" >
@ -80,7 +71,7 @@
<item row="0" column="0" >
<widget class="QTabWidget" name="tabWidget" >
<property name="currentIndex" >
<number>1</number>
<number>0</number>
</property>
<widget class="QWidget" name="tab" >
<attribute name="title" >
@ -394,12 +385,6 @@ with this address:</string>
</item>
<item row="4" column="0" colspan="2" >
<layout class="QHBoxLayout" >
<property name="spacing" >
<number>6</number>
</property>
<property name="margin" >
<number>0</number>
</property>
<item>
<widget class="QLabel" name="textLabel1_7" >
<property name="text" >
@ -574,9 +559,6 @@ with this address:</string>
<property name="margin" >
<number>6</number>
</property>
<property name="spacing" >
<number>6</number>
</property>
<item row="1" column="0" >
<widget class="QGroupBox" name="frame147" >
<property name="title" >
@ -586,9 +568,6 @@ with this address:</string>
<property name="margin" >
<number>6</number>
</property>
<property name="spacing" >
<number>6</number>
</property>
<item row="2" column="1" >
<widget class="QPushButton" name="edit_epilog_button" >
<property name="text" >
@ -640,9 +619,6 @@ with this address:</string>
<property name="margin" >
<number>6</number>
</property>
<property name="spacing" >
<number>6</number>
</property>
<item row="2" column="0" >
<spacer>
<property name="orientation" >
@ -695,9 +671,6 @@ with this address:</string>
<property name="margin" >
<number>6</number>
</property>
<property name="spacing" >
<number>6</number>
</property>
<item rowspan="3" row="2" column="0" >
<spacer>
<property name="orientation" >


@ -279,6 +279,9 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
// aclstr << endl;
if (compiler->fw->getOptionsObject()->getBool("iosacl_use_acl_remarks"))
ruleout << acl->addRemark( rule->getLabel() );
ruleout << acl->addLine(aclstr.str());
return ruleout.str();
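Review bot: `rule->getLabel()` at L930 is user-entered text that is now written into the generated IOS configuration as the argument of a `remark` line; unless `acl->addRemark()` already normalises it, a label containing a line break ends the remark early and the device parses the remainder as a separate configuration command, and an over-long label may be rejected by IOS, which takes the remark as a single line of limited length. I would strip CR/LF and other control characters and truncate the label before (or inside) addRemark and state that in its doc comment; addRemark is outside this hunk, so I can't tell whether it does so already. The rest of _printRule is also outside the hunk.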


@ -652,8 +652,10 @@ bool NATCompiler_ipt::PrintRule::processNext()
if (rule->getStr("ipt_target")=="SNAT")
{
cmdout << "--to-source ";
cmdout << _printAddr(tsrc,false,true);
string ports=_printSNATPorts(tsrv);
// if TSrc is "any" and this is SNAT rule, then this rule only
// translates source port. Skip address part.
if (!tsrc->isAny()) cmdout << _printAddr(tsrc, false, true);
string ports = _printSNATPorts(tsrv);
if (!ports.empty()) cmdout << ":" << ports;
}
break;
@ -667,8 +669,10 @@ bool NATCompiler_ipt::PrintRule::processNext()
if (rule->getStr("ipt_target")=="DNAT")
{
cmdout << "--to-destination ";
if (!tdst->isAny()) cmdout << _printAddr(tdst,false,true);
string ports=_printDNATPorts(tsrv);
// if TDst is "any" and this is DNAT rule, then this rule only
// translates source port. Skip address part.
if (!tdst->isAny()) cmdout << _printAddr(tdst, false, true);
string ports = _printDNATPorts(tsrv);
if (!ports.empty()) cmdout << ":" << ports;
}
break;
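Review bot: The comment at L955–L956 was copied from the SNAT branch and says the rule "only translates source port" although this is the DNAT branch, where an empty TDst means only the destination port is translated; change it to `// if TDst is "any" and this is DNAT rule, then this rule only` / `// translates destination port. Skip address part.` In both branches, when the address is skipped and `ports` is also empty, the command ends with a bare `--to-source ` (L939) or `--to-destination ` (L952) with no argument, which iptables will reject; if an earlier rule processor guarantees that combination cannot reach this point, an `assert(!ports.empty());` next to the `isAny()` check would document it. processNext() continues outside both hunks.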


@ -120,8 +120,8 @@ string NATCompiler_ipt::getAddressTableVarName(FWObject *at)
ostringstream ostr;
string name=at->getName();
string::size_type p1;
char *bad_shell_chars = " !#$&*()-+=\\|{}[]?<>,.";
for (char *cptr=bad_shell_chars; *cptr; cptr++)
const char *bad_shell_chars = " !#$&*()-+=\\|{}[]?<>,.";
for (const char *cptr=bad_shell_chars; *cptr; cptr++)
{
while ( (p1=name.find(*cptr))!=string::npos)
name=name.replace(p1,1,"_");
@ -201,7 +201,7 @@ int NATCompiler_ipt::prolog()
}
if (!found_ext)
throw FWException(_("At least one interface should be marked as external, can not configure NAT"));
abort(_("At least one interface should be marked as external, can not configure NAT"));
}
return n;
@ -386,10 +386,45 @@ bool NATCompiler_ipt::splitSDNATRule::processNext()
if ( ! rule->getTSrv()->isAny())
{
osrv=r->getOSrv();
osrv->clearChildren();
for (FWObject::iterator i=rule->getTSrv()->begin(); i!=rule->getTSrv()->end(); i++)
osrv->add( *i );
/*
* If the first rule in the pair translated service and
* changed destination port, we need to match it in the
* second rule to only trsnslate source in the packets
* that have been processed by the first rule. However
* this only applies to the case when destination port has
* been translated because the first rule uses DNAT which
* can only translate dest. port. So, if TSrv has zero
* dest. port range but non-zero source port range, we
* should not match it here because in this case no
* dest. port translation occurs. If TSrv translates both
* source and destination ports, we create new TCP(UDP)
* service object with only dest. port part and use it to
* match.
*/
Service *tsrv = compiler->getFirstTSrv(rule);
TCPUDPService *tu_tsrv = TCPUDPService::cast(tsrv);
if (tu_tsrv && tu_tsrv->getDstRangeStart() != 0)
{
TCPUDPService *match_service = NULL;
if (tu_tsrv->getSrcRangeStart() == 0)
{
// no source port tranlsation
match_service = tu_tsrv;
} else
{
// both source and dest port translation occurs
match_service = TCPUDPService::cast(
compiler->dbcopy->create(tsrv->getTypeName()));
match_service->setName(tsrv->getName() + "_dport");
compiler->dbcopy->add(match_service);
compiler->cacheObj(match_service); // to keep cache consistent
match_service->setDstRangeStart(tu_tsrv->getDstRangeStart());
match_service->setDstRangeEnd(tu_tsrv->getDstRangeEnd());
}
osrv = r->getOSrv();
osrv->clearChildren();
osrv->addRef(match_service);
}
}
tdst=r->getTDst();
@ -420,23 +455,23 @@ bool NATCompiler_ipt::VerifyRules::processNext()
RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv);
if (tsrc->getNeg())
throw FWException(_("Can not use negation in translated source. Rule ")+rule->getLabel());
compiler->abort(_("Can not use negation in translated source. Rule ")+rule->getLabel());
if (tdst->getNeg())
throw FWException(_("Can not use negation in translated destination. Rule ")+rule->getLabel());
compiler->abort(_("Can not use negation in translated destination. Rule ")+rule->getLabel());
if (tsrv->getNeg())
throw FWException(_("Can not use negation in translated service. Rule ")+rule->getLabel());
compiler->abort(_("Can not use negation in translated service. Rule ")+rule->getLabel());
if (tsrv->size()!=1)
throw FWException(_("Translated service should be 'Original' or should contain single object. Rule: ")+rule->getLabel());
compiler->abort(_("Translated service should be 'Original' or should contain single object. Rule: ")+rule->getLabel());
if ( Group::cast( compiler->getFirstTSrv(rule) )!=NULL)
throw FWException(_("Can not use group in translated service. Rule ")+rule->getLabel());
compiler->abort(_("Can not use group in translated service. Rule ")+rule->getLabel());
if (rule->getRuleType()==NATRule::LB)
throw FWException(_("Load balancing rules are not supported. Rule ")+rule->getLabel());
compiler->abort(_("Load balancing rules are not supported. Rule ")+rule->getLabel());
if (rule->getRuleType()==NATRule::DNAT)
@ -495,7 +530,7 @@ bool NATCompiler_ipt::VerifyRules::processNext()
Address* o1=compiler->getFirstTSrc(rule);
if ( ! tsrc->isAny() && Network::cast(o1)!=NULL)
throw FWException(_("Can not use network object in translated source. Rule ")+rule->getLabel());
compiler->abort(_("Can not use network object in translated source. Rule ")+rule->getLabel());
}
@ -505,7 +540,7 @@ bool NATCompiler_ipt::VerifyRules::processNext()
Network *a2=Network::cast(compiler->getFirstTSrc(rule));
if ( a1==NULL || a2==NULL ||
a1->getNetmaskPtr()->getLength() != a2->getNetmaskPtr()->getLength() )
throw FWException(_("Original and translated source should both be networks of the same size . Rule ")+rule->getLabel());
compiler->abort(_("Original and translated source should both be networks of the same size . Rule ")+rule->getLabel());
}
if (rule->getRuleType()==NATRule::DNetnat && !tsrc->isAny() )
@ -514,9 +549,12 @@ bool NATCompiler_ipt::VerifyRules::processNext()
Network *a2=Network::cast(compiler->getFirstTDst(rule));
if ( a1==NULL || a2==NULL ||
a1->getNetmaskPtr()->getLength() != a2->getNetmaskPtr()->getLength() )
throw FWException(_("Original and translated destination should both be networks of the same size . Rule ")+rule->getLabel());
compiler->abort(_("Original and translated destination should both be networks of the same size . Rule ")+rule->getLabel());
}
Service *osrv_obj = compiler->getFirstOSrv(rule);
Service *tsrv_obj = compiler->getFirstTSrv(rule);
return true;
}
@ -540,10 +578,10 @@ bool NATCompiler_ipt::VerifyRules2::processNext()
Service *s2=compiler->getFirstTSrv(rule);
if (osrv->isAny() && ! tsrv->isAny())
throw FWException(_("Can not use service object in Translated Service if Original Service is 'Any'. Rule ")+rule->getLabel());
compiler->abort(_("Can not use service object in Translated Service if Original Service is 'Any'. Rule ")+rule->getLabel());
if (!tsrv->isAny() && s1->getProtocolNumber()!=s2->getProtocolNumber())
throw FWException(_("Translated Service should be either 'Original' or should contain object of the same type as Original Service. Rule ")+rule->getLabel());
compiler->abort(_("Translated Service should be either 'Original' or should contain object of the same type as Original Service. Rule ")+rule->getLabel());
}
return true;
}
@ -1144,7 +1182,7 @@ void NATCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInterf
ifs->getParent()->getName().c_str(),
rule->getLabel().c_str() );
throw FWException(errstr);
compiler->abort(errstr);
}
}
}


@ -831,21 +831,25 @@ string PolicyCompiler_ipt::PrintRule::_printIP(IPService *srv, PolicyRule *rule)
str << " -m dscp --dscp " << dscp;
}
if (!ipt_comp->ipv6)
if (srv->getBool("lsrr") ||
srv->getBool("ssrr") ||
srv->getBool("rr") ||
srv->getBool("ts") )
{
if (srv->getBool("lsrr") ||
srv->getBool("ssrr") ||
srv->getBool("rr") ||
srv->getBool("ts") ) str << " -m ipv4options ";
if (srv->getBool("lsrr")) str << " --lsrr";
if (srv->getBool("ssrr")) str << " --ssrr";
if (srv->getBool("rr")) str << " --rr";
if (srv->getBool("ts")) str << " --ts";
} else
compiler->abort(
string("IP options match is not supported for IPv6. Rule ") +
rule->getLabel());
if (!ipt_comp->ipv6)
{
str << " -m ipv4options ";
if (srv->getBool("lsrr")) str << " --lsrr";
if (srv->getBool("ssrr")) str << " --ssrr";
if (srv->getBool("rr")) str << " --rr";
if (srv->getBool("ts")) str << " --ts";
} else
{
compiler->abort(
string("IP options match is not supported for IPv6. Rule ") +
rule->getLabel());
}
}
return str.str();
}
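Review bot: The four option flags are looked up twice, once in the new `srv->getBool("lsrr") || ...` guard and again in the per-flag `str << " --lsrr"` lines; reading them into named locals before the guard states the intent once and avoids re-querying `srv`. The restructured branch aborts only when an option is actually set on an IPv6 rule, which is the right scope, but if `compiler->abort()` can return rather than throw (NATCompiler_pf::NATRuleType::processNext in this commit follows its abort with `return false`, which suggests it may) `_printIP` would then return `str` without the `-m ipv4options` match and the generated rule would match more traffic than the service object describes. The same question applies to the checkSrcAndDst1/checkSrcAndDst2 hunks in PolicyCompiler_ipt.cpp and to VerifyRules in NATCompiler_pf.cpp, where processing continues past the abort call. `_printIP` starts before this hunk.
```cpp
    const bool lsrr = srv->getBool("lsrr");
    const bool ssrr = srv->getBool("ssrr");
    const bool rr = srv->getBool("rr");
    const bool ts = srv->getBool("ts");
    if (lsrr || ssrr || rr || ts)
    {
        if (!ipt_comp->ipv6)
        {
            str << " -m ipv4options ";
            if (lsrr) str << " --lsrr";
            if (ssrr) str << " --ssrr";
            if (rr) str << " --rr";
            if (ts) str << " --ts";
        } else
        // … unchanged: IPv6 abort branch …
```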


@ -206,8 +206,8 @@ string PolicyCompiler_ipt::getAddressTableVarName(FWObject *at)
ostringstream ostr;
string name=at->getName();
string::size_type p1;
char *bad_shell_chars = " !#$&*()-+=\\|{}[]?<>,.";
for (char *cptr=bad_shell_chars; *cptr; cptr++)
const char *bad_shell_chars = " !#$&*()-+=\\|{}[]?<>,.";
for (const char *cptr=bad_shell_chars; *cptr; cptr++)
{
while ( (p1=name.find(*cptr))!=string::npos)
name=name.replace(p1,1,"_");
@ -2432,7 +2432,7 @@ bool PolicyCompiler_ipt::checkSrcAndDst1::processNext()
if (src->getId()!=compiler->getFwId() &&
dst->getId()==compiler->getFwId() &&
rule->getDirection()==PolicyRule::Outbound )
throw FWException(_("direction can not be outbound when destination is firewall, in rule ")+rule->getLabel());
compiler->abort(_("direction can not be outbound when destination is firewall, in rule ")+rule->getLabel());
tmp_queue.push_back(rule);
return true;
@ -2450,7 +2450,7 @@ bool PolicyCompiler_ipt::checkSrcAndDst2::processNext()
if (src->getId()==compiler->getFwId() &&
dst->getId()!=compiler->getFwId() &&
rule->getDirection()==PolicyRule::Inbound )
throw FWException(_("direction can not be inbound when source is firewall, in rule ")+rule->getLabel());
compiler->abort(_("direction can not be inbound when source is firewall, in rule ")+rule->getLabel());
tmp_queue.push_back(rule);
return true;
@ -2621,7 +2621,7 @@ void PolicyCompiler_ipt::checkForDynamicInterfacesOfOtherObjects::findDynamicInt
ifs->getParent()->getName().c_str(),
rule->getLabel().c_str() );
throw FWException(errstr);
compiler->abort(errstr);
}
}
}
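Review bot: getAddressTableVarName sanitises the object name with a deny-list, and the list on the new `const char *bad_shell_chars` line does not contain quote characters, backtick, semicolon, slash, colon or tab/newline, so an object name carrying one of those reaches the generated variable name unchanged unless code after this hunk handles it. Given that the function's name and the `bad_shell_chars` label indicate the result is used as a shell variable name, an allow-list is easier to reason about than enumerating bad characters, e.g. replacing the outer loop with `for (string::size_type i = 0; i < name.size(); ++i) if (!std::isalnum(static_cast<unsigned char>(name[i]))) name[i] = '_';` (`std::isalnum` from `<cctype>`). The `const` added to the pointer and loop variable is the right fix for the string-literal conversion. The rest of the function's body is outside the hunk.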


@ -84,7 +84,7 @@ int NATCompiler_pf::prolog()
}
if (!found_ext)
throw FWException(
abort(
"At least one interface should be marked as external, "
"can not configure NAT");
}
@ -130,25 +130,60 @@ bool NATCompiler_pf::NATRuleType::processNext()
if (rule->getRuleType()!=NATRule::Unknown) return true;
RuleElementTDst *tdstre=rule->getTDst();
RuleElementTDst *tdstre = rule->getTDst();
//Address *osrc=compiler->getFirstOSrc(rule);
//Address *odst=compiler->getFirstODst(rule);
Service *osrv=compiler->getFirstOSrv(rule);
Address *tsrc=compiler->getFirstTSrc(rule);
Address *tdst=compiler->getFirstTDst(rule);
Address *tsrc = compiler->getFirstTSrc(rule);
Address *tdst = compiler->getFirstTDst(rule);
Service *tsrv=compiler->getFirstTSrv(rule);
if ( tsrc->isAny() && tdst->isAny() ) {
if (tsrc->isAny() && tdst->isAny() && tsrv->isAny())
{
rule->setRuleType(NATRule::NONAT);
return true;
}
if ( ! tsrc->isAny() && tdst->isAny() ) {
bool osrv_defines_src_port = false;
bool osrv_defines_dst_port = false;
bool tsrv_translates_src_port = false;
bool tsrv_translates_dst_port = false;
if (TCPUDPService::cast(osrv))
{
TCPUDPService *tu_osrv = TCPUDPService::cast(osrv);
osrv_defines_src_port = \
(tu_osrv->getSrcRangeStart() != 0 && tu_osrv->getDstRangeStart() == 0);
osrv_defines_dst_port = \
(tu_osrv->getSrcRangeStart() == 0 && tu_osrv->getDstRangeStart() != 0);
}
if (TCPUDPService::cast(tsrv))
{
TCPUDPService *tu_tsrv = TCPUDPService::cast(tsrv);
tsrv_translates_src_port = \
(tu_tsrv->getSrcRangeStart() != 0 && tu_tsrv->getDstRangeStart() == 0);
tsrv_translates_dst_port = \
(tu_tsrv->getSrcRangeStart() == 0 && tu_tsrv->getDstRangeStart() != 0);
}
if (
(! tsrc->isAny() && tdst->isAny()) ||
(tsrc->isAny() && tdst->isAny() && tsrv_translates_src_port)
)
{
rule->setRuleType(NATRule::SNAT);
return true;
}
if ( tsrc->isAny() && ! tdst->isAny() ) {
if (
(tsrc->isAny() && ! tdst->isAny()) ||
(tsrc->isAny() && tdst->isAny() && tsrv_translates_dst_port)
)
{
/* this is load balancing rule if there are multiple objects in TDst */
if ( tdstre->size()>1 ) rule->setRuleType(NATRule::LB);
else
@ -163,13 +198,17 @@ bool NATCompiler_pf::NATRuleType::processNext()
return true;
}
if ( ! tsrc->isAny() && ! tdst->isAny() )
if (
( ! tsrc->isAny() && ! tdst->isAny() ) ||
( ! tsrc->isAny() && tsrv_translates_dst_port) ||
( ! tdst->isAny() && tsrv_translates_src_port)
)
{
rule->setRuleType(NATRule::SDNAT);
return true;
}
throw FWException(_("Unsupported translation. Rule: ")+rule->getLabel());
compiler->abort(_("Unsupported translation. Rule: ")+rule->getLabel());
return false;
}
@ -223,10 +262,49 @@ bool NATCompiler_pf::splitSDNATRule::processNext()
if ( ! rule->getTSrv()->isAny())
{
osrv=r->getOSrv();
osrv->clearChildren();
for (FWObject::iterator i=rule->getTSrv()->begin(); i!=rule->getTSrv()->end(); i++)
osrv->add( *i );
/*
* See "pf flow diagram" at http://homepage.mac.com/quension/pf/flow.png
* rdr happens first, then nat. This means nat sees packet with
* translated destination address and port.
*
* If the first rule in the pair translated service and
* changed destination port, we need to match it in the
* second rule to only trsnslate source in the packets
* that have been processed by the first rule. However
* this only applies to the case when destination port has
* been translated because the first rule uses DNAT which
* can only translate dest. port. So, if TSrv has zero
* dest. port range but non-zero source port range, we
* should not match it here because in this case no
* dest. port translation occurs. If TSrv translates both
* source and destination ports, we create new TCP(UDP)
* service object with only dest. port part and use it to
* match.
*/
Service *tsrv = compiler->getFirstTSrv(rule);
TCPUDPService *tu_tsrv = TCPUDPService::cast(tsrv);
if (tu_tsrv && tu_tsrv->getDstRangeStart() != 0)
{
TCPUDPService *match_service = NULL;
if (tu_tsrv->getSrcRangeStart() == 0)
{
// no source port tranlsation
match_service = tu_tsrv;
} else
{
// both source and dest port translation occurs
match_service = TCPUDPService::cast(
compiler->dbcopy->create(tsrv->getTypeName()));
match_service->setName(tsrv->getName() + "_dport");
compiler->dbcopy->add(match_service);
compiler->cacheObj(match_service); // to keep cache consistent
match_service->setDstRangeStart(tu_tsrv->getDstRangeStart());
match_service->setDstRangeEnd(tu_tsrv->getDstRangeEnd());
}
osrv = r->getOSrv();
osrv->clearChildren();
osrv->addRef(match_service);
}
}
tdst=r->getTDst();
@ -256,62 +334,71 @@ bool NATCompiler_pf::VerifyRules::processNext()
RuleElementTSrv *tsrv=rule->getTSrv(); assert(tsrv);
// if (rule->getRuleType()==NATRule::LB)
// throw FWException(_("Load balancing rules are not supported. Rule ")+rule->getLabel());
// compiler->abort(_("Load balancing rules are not supported. Rule ")+rule->getLabel());
if (rule->getRuleType()==NATRule::DNAT && odst->size()!=1)
throw FWException(_("There should be no more than one object in original destination in the rule ")+rule->getLabel());
compiler->abort(_("There should be no more than one object in original destination in the rule ")+rule->getLabel());
// if (rule->getRuleType()==NATRule::SNAT && tsrc->size()!=1)
// throw FWException(_("There should be no more than one object in translated source in the rule ")+rule->getLabel());
// compiler->abort(_("There should be no more than one object in translated source in the rule ")+rule->getLabel());
if (osrv->getNeg())
throw FWException(_("Negation in original service is not supported. Rule ")+rule->getLabel());
compiler->abort(_("Negation in original service is not supported. Rule ")+rule->getLabel());
/* bug #1276083: "Destination NAT rules". this restriction is not
* true at least as of OpenBSD 3.5
*
if (rule->getRuleType()==NATRule::DNAT && osrv->isAny())
throw FWException(_("Service must be specified for destination translation rule. Rule ")+rule->getLabel());
compiler->abort(_("Service must be specified for destination translation rule. Rule ")+rule->getLabel());
*/
if (rule->getRuleType()==NATRule::DNAT && osrv->isAny() && !tsrv->isAny())
throw FWException(_("Can not translate 'any' into a specific service. Rule ")+rule->getLabel());
compiler->abort(_("Can not translate 'any' into a specific service. Rule ")+rule->getLabel());
if (tsrc->getNeg())
throw FWException(_("Can not use negation in translated source. Rule ")+rule->getLabel());
compiler->abort(_("Can not use negation in translated source. Rule ")+rule->getLabel());
if (tdst->getNeg())
throw FWException(_("Can not use negation in translated destination. Rule ")+rule->getLabel());
compiler->abort(_("Can not use negation in translated destination. Rule ")+rule->getLabel());
if (tsrv->getNeg())
throw FWException(_("Can not use negation in translated service. Rule ")+rule->getLabel());
compiler->abort(_("Can not use negation in translated service. Rule ")+rule->getLabel());
if (tsrv->size()!=1)
throw FWException(_("Translated service should be 'Original' or should contain single object. Rule: ")+rule->getLabel());
compiler->abort(_("Translated service should be 'Original' or should contain single object. Rule: ")+rule->getLabel());
FWObject *o=tsrv->front();
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
if ( Group::cast(o)!=NULL)
throw FWException(_("Can not use group in translated service. Rule ")+rule->getLabel());
compiler->abort(_("Can not use group in translated service. Rule ")+rule->getLabel());
#if 0
if (rule->getRuleType()==NATRule::SNAT )
{
Address* o1=compiler->getFirstTSrc(rule);
if ( Network::cast(o1)!=NULL || AddressRange::cast(o1)!=NULL )
throw FWException(_("Can not use network or address range object in translated source. Rule ")+rule->getLabel());
compiler->abort(_("Can not use network or address range object in translated source. Rule ")+rule->getLabel());
}
#endif
if (rule->getRuleType()==NATRule::SNAT )
{
if (tsrc->isAny())
compiler->abort("Source translation rule needs an address in Translated Source. Rule " + rule->getLabel());
}
if (rule->getRuleType()==NATRule::DNAT || rule->getRuleType()==NATRule::Redirect )
{
if (tdst->isAny())
compiler->abort("Destination translation rule needs an address in Translated Destination. Rule " + rule->getLabel());
if ( tdst->size()!=1)
throw FWException(_("There should be no more than one object in translated destination in the rule ")+rule->getLabel());
compiler->abort(_("There should be no more than one object in translated destination in the rule ")+rule->getLabel());
Address* o1=compiler->getFirstTDst(rule);
if ( Network::cast(o1)!=NULL || AddressRange::cast(o1)!=NULL )
throw FWException(_("Can not use network or address range object in translated destination. Rule ")+rule->getLabel());
compiler->abort(_("Can not use network or address range object in translated destination. Rule ")+rule->getLabel());
}
@ -321,7 +408,7 @@ bool NATCompiler_pf::VerifyRules::processNext()
Network *a2=Network::cast(compiler->getFirstTSrc(rule));
if ( a1==NULL || a2==NULL ||
a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() )
throw FWException(_("Original and translated source should both be networks of the same size . Rule ")+rule->getLabel());
compiler->abort(_("Original and translated source should both be networks of the same size . Rule ")+rule->getLabel());
}
if (rule->getRuleType()==NATRule::DNetnat && !tsrc->isAny() )
@ -330,7 +417,7 @@ bool NATCompiler_pf::VerifyRules::processNext()
Network *a2=Network::cast(compiler->getFirstTDst(rule));
if ( a1==NULL || a2==NULL ||
a1->getNetmaskPtr()->getLength()!=a2->getNetmaskPtr()->getLength() )
throw FWException(_("Original and translated destination should both be networks of the same size . Rule ")+rule->getLabel());
compiler->abort(_("Original and translated destination should both be networks of the same size . Rule ")+rule->getLabel());
}
return true;
@ -870,7 +957,7 @@ void NATCompiler_pf::checkForDynamicInterfacesOfOtherObjects::findDynamicInterfa
ifs->getParent()->getName().c_str(),
rule->getLabel().c_str() );
throw FWException(errstr);
compiler->abort(errstr);
}
}
}
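Review bot: `osrv_defines_src_port` and `osrv_defines_dst_port` in NATRuleType::processNext are assigned from the `TCPUDPService::cast(osrv)` block but never read anywhere in the function, so either the classification was meant to use them or the two locals and that block should be dropped. In VerifyRules the new code continues after `compiler->abort(...)`; if abort can return (processNext in this same file follows it with `return false`), then `FWObject *o=tsrv->front();` executes after the `tsrv->size()!=1` abort and calls `front()` on a possibly empty element, and the new SNAT/DNAT checks likewise fall through to `tdst->size()!=1` and `compiler->getFirstTDst(rule)`. Returning `false` after each abort call, or documenting on Compiler::abort that it never returns, would settle this. Also, the two new messages `"Source translation rule needs an address in Translated Source. Rule "` and `"Destination translation rule needs an address in Translated Destination. Rule "` are plain literals while every neighbouring message goes through `_()`, which looks like an oversight.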


@ -343,8 +343,8 @@ namespace fwcompiler {
std::string current_rule_label;
virtual void _printProtocol(libfwbuilder::Service *srv);
virtual void _printPort(libfwbuilder::Service *srv,
bool lhs);
virtual void _printPort(libfwbuilder::Service *srv, bool lhs);
virtual void _printSrcPort(libfwbuilder::Service *srv);
virtual void _printAddrList(libfwbuilder::FWObject *o,bool negflag);
virtual void _printREAddr(libfwbuilder::RuleElement *o);


@ -179,12 +179,14 @@ bool NATCompiler_pf::PrintRule::processNext()
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
_printSrcPort(osrv);
compiler->output << "to ";
_printREAddr( odstrel );
_printPort( osrv, true );
compiler->output << "-> ";
_printREAddr( tsrcrel );
_printSrcPort(tsrv);
_printNATRuleOptions(rule);
compiler->output << endl;
@ -197,6 +199,7 @@ bool NATCompiler_pf::PrintRule::processNext()
_printProtocol(osrv);
compiler->output << "from ";
_printREAddr( osrcrel );
_printSrcPort(osrv);
compiler->output << "to ";
_printREAddr( odstrel );
_printPort(osrv, true);
@ -260,7 +263,7 @@ void NATCompiler_pf::PrintRule::_printProtocol(Service *srv)
*/
void NATCompiler_pf::PrintRule::_printPort(Service *srv, bool lhs)
{
if (TCPService::isA(srv) || UDPService::isA(srv))
if (TCPUDPService::cast(srv))
{
int drs = TCPUDPService::cast(srv)->getDstRangeStart();
int dre = TCPUDPService::cast(srv)->getDstRangeEnd();
@ -285,6 +288,27 @@ void NATCompiler_pf::PrintRule::_printPort(Service *srv, bool lhs)
}
}
/*
* Print port range spec using source ports of the given service object
*/
void NATCompiler_pf::PrintRule::_printSrcPort(libfwbuilder::Service *srv)
{
if (TCPUDPService::cast(srv))
{
int srs = TCPUDPService::cast(srv)->getSrcRangeStart();
int sre = TCPUDPService::cast(srv)->getSrcRangeEnd();
if (srs!=0)
{
compiler->output << "port " << srs;
if (sre != 0 && sre != srs)
{
compiler->output << ":" << sre;
}
}
compiler->output << " ";
}
}
void NATCompiler_pf::PrintRule::_printNegation(RuleElement *rel)
{
if (rel->getNeg())
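Review bot: `_printSrcPort` calls `TCPUDPService::cast(srv)` three times; binding it once with `TCPUDPService *tu = TCPUDPService::cast(srv); if (!tu) return;` and reading `getSrcRangeStart()`/`getSrcRangeEnd()` from that pointer reads better and avoids the repeated cast. The doc comment above it could also state that nothing but the trailing space is printed when the source range start is 0, since that is what the `from`/`->` call sites in processNext get for services without a source port range. The processNext call sites start outside this hunk.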


@ -347,7 +347,7 @@ bool PolicyCompiler_pf::fillDirection::processNext()
* as long as it misses interface - we need to determine direction
* again anyway.
*/
if (rule->getDirectionAsString()=="") // || rule->getInterfaceId()==-1 )
if (rule->getDirection() == PolicyRule::Undefined) // || rule->getInterfaceId()==-1 )
rule->setDirection( PolicyRule::Both );
/*
@ -1088,6 +1088,11 @@ void PolicyCompiler_pf::compile()
add( new separateTagged("split on TagService"));
add( new separateTOS("split on IPService with TOS"));
if (ipv6)
add( new DropIPv4Rules("drop ipv4 rules"));
else
add( new DropIPv6Rules("drop ipv6 rules"));
add( new verifyCustomServices(
"verify custom services for this platform"));
// add( new ProcessScrubOption( "process 'scrub' option" ));
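Review bot: The new `if (rule->getDirection() == PolicyRule::Undefined)` line carries over the stale `// || rule->getInterfaceId()==-1 )` fragment from the replaced line; that commented-out condition no longer corresponds to any code and should be dropped so the line reads `if (rule->getDirection() == PolicyRule::Undefined)`. In compile(), the `DropIPv4Rules`/`DropIPv6Rules` selection is added without a comment; a one-liner above the `if (ipv6)` naming why rules of the other address family are silently dropped rather than reported would help the next reader. Both fillDirection::processNext and compile() extend beyond their hunks.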


@ -1556,7 +1556,7 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id464359FE16989" host_OS="ios" inactive="False" lastCompiled="1230880328" lastInstalled="0" lastModified="1236918502" platform="iosacl" version="12.x" name="c3620" comment="" ro="False">
<Firewall id="id464359FE16989" host_OS="ios" inactive="False" lastCompiled="1244751217" lastInstalled="0" lastModified="1244750432" platform="iosacl" version="12.x" name="c3620" comment="" ro="False">
<NAT id="id46435A0216989" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id46435A0116989" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id464D2B0E24319" disabled="False" log="False" position="0" action="Accept" direction="Inbound" comment="interface eth 1/1 has only&#10;inbound access list">
@ -1855,7 +1855,7 @@
<Interface id="id46435A0C16989" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="True" name="Serial1/0" comment="" ro="False">
<IPv4 id="id46435A0D16989" name="c3620:Serial1/0:ip" comment="" ro="False" address="0.0.0.0" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.171.2">
<Management address="10.3.14.201">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
@ -1884,15 +1884,16 @@
<Option name="iosacl_generate_logging_commands">True</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">True</Option>
<Option name="iosacl_logging_buffered_level">4</Option>
<Option name="iosacl_logging_buffered_level">5</Option>
<Option name="iosacl_logging_console">True</Option>
<Option name="iosacl_logging_console_level">4</Option>
<Option name="iosacl_logging_console_level">5</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">1</Option>
<Option name="iosacl_logging_trap_level">2</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_use_acl_remarks">True</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
@ -1927,6 +1928,7 @@
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>


@ -811,7 +811,6 @@
<IPv6 id="id197751X48026" name="firewall-ipv6-5:eth0:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
<IPv6 id="id178394X48026" name="firewall-ipv6-6:eth1:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
<IPv6 id="id42754X3791" name="ipv4-ipv6-host-1:eth0:ip6" comment="" ro="False" address="e80::21d:9ff:fe8b:8e94" netmask="64"/>
<ObjectRef ref="sysid0"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
@ -847,6 +846,10 @@
<IPv6 id="id48416A7216880" name="6bone.net" comment="" ro="False" address="2001:5c0:0:2::24" netmask="128"/>
<IPv4 id="id40860X98946" name="internal gw" comment="" ro="False" address="192.168.1.254" netmask="0.0.0.0"/>
<IPv4 id="id118625X9876" name="ext gateway" comment="" ro="False" address="192.0.2.100" netmask="0.0.0.0"/>
<IPv4 id="id45813X95438" name="h-10.3.14.40" comment="Imported from &quot;c3620&quot; 10.3.14.40/255.255.255.255" ro="False" address="10.3.14.40" netmask="255.255.255.255"/>
<IPv4 id="id45817X95438" name="h-192.168.171.2" comment="Imported from &quot;c3620&quot; 192.168.171.2/255.255.255.255" ro="False" address="192.168.171.2" netmask="255.255.255.255"/>
<IPv4 id="id45847X95438" name="h-10.3.14.201" comment="Imported from &quot;c3620&quot; 10.3.14.201/255.255.255.255" ro="False" address="10.3.14.201" netmask="255.255.255.255"/>
<IPv4 id="id46523X95438" name="a-192.168.1.10" comment="" ro="False" address="192.168.1.10" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
<ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
@ -1687,6 +1690,8 @@
<NetworkIPv6 id="id40507X82687" name="3ffff:ffff::/32" comment="" ro="False" address="3fff:ffff::" netmask="32"/>
<NetworkIPv6 id="id40508X82687" name="2001:db8::/32" comment="" ro="False" address="2001:db8::" netmask="32"/>
<NetworkIPv6 id="id169012X82687" name="3ffff:ffff::/16" comment="" ro="False" address="3fff:ffff::" netmask="16"/>
<Network id="id45876X95438" name="net-10.3.14.0/24" comment="Imported from &quot;c3620&quot; 10.3.14.0/255.255.255.0" ro="False" address="10.3.14.0" netmask="255.255.255.0"/>
<NetworkIPv6 id="id46155X95438" name="ipv6 net fe80::/64" comment="" ro="False" address="fe80::" netmask="64"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3CD8769F" name="test_range_1" comment="" ro="False" start_address="192.168.1.11" end_address="192.168.1.15"/>
@ -1819,6 +1824,7 @@
<IPService id="idAF4D18769" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="0x20" ts="False" name="tos 0x20" comment="" ro="False"/>
<IPService id="idAF4E18769" dscp="0x20" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="" ts="False" name="dscp 0x20" comment="" ro="False"/>
<IPService id="idAF4F18769" dscp="BE" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="" ts="False" name="dscp BE" comment="" ro="False"/>
<IPService id="id45790X95438" fragm="True" protocol_num="0" name="ip-0 fragm" comment="Imported from &quot;c3620&quot;&#10;protocol 0" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09_1" name="TCP" comment="" ro="False">
<TCPService id="id3C1A66EF" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="gopher" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="70" dst_range_end="70"/>
@ -1836,10 +1842,18 @@
<TCPService id="id3E3747AF" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="TCP no flags" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id40038E79" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="new AIM connection" comment="TCP packet with dest. port 5190 (AIM) and SYN flag set&#10;This is the opening of the new AIM session" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5190" dst_range_end="5190"/>
<TCPService id="id459E36F110170" ack_flag="True" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="ack" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id45821X95438" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0-0:22-22" comment="Imported from &quot;c3620&quot;&#10;0-0:22-22" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="id46355X95438" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="False" name="New TCP Service 1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1" dst_range_end="1"/>
</ServiceGroup>
<ServiceGroup id="stdid08_1" name="UDP" comment="" ro="False">
<UDPService id="id3ED59BF0" name="udp-src-6767" comment="" ro="False" src_range_start="6767" src_range_end="6767" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id3ED59BF1" name="udp-src-67" comment="" ro="False" src_range_start="67" src_range_end="67" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id46447X95438" name="sport123" comment="" ro="False" src_range_start="123" src_range_end="123" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id46457X95438" name="sport5050" comment="" ro="False" src_range_start="5050" src_range_end="5050" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id46482X95438" name="dport53" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="id46492X95438" name="dport1053" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1053" dst_range_end="1053"/>
<UDPService id="id46617X95438" name="sdport53" comment="" ro="False" src_range_start="1024" src_range_end="65535" dst_range_start="53" dst_range_end="53"/>
<UDPService id="id46627X95438" name="sdport1053" comment="" ro="False" src_range_start="32767" src_range_end="65535" dst_range_start="1053" dst_range_end="1053"/>
</ServiceGroup>
<ServiceGroup id="stdid13_1" name="Custom" comment="" ro="False">
<CustomService id="id3B64FE22" name="talk" comment="Talk support" ro="False" protocol="any" address_family="ipv4">
@ -11408,7 +11422,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3DDDE6C3" host_OS="linux24" lastCompiled="1215360875" lastInstalled="1142003872" lastModified="0" platform="iptables" name="firewall12" comment="This firewall does not do NAT for addresses, but translates port for a server&#10;" ro="False">
<Firewall id="id3DDDE6C3" host_OS="linux24" lastCompiled="1244480616" lastInstalled="1142003872" lastModified="1244582487" platform="iptables" name="firewall12" comment="This firewall does not do NAT for addresses, but translates port for a server&#10;" ro="False">
<NAT id="id3DDDE6C7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3DDDE6D6" disabled="False" position="0" comment="">
<OSrc neg="False">
@ -11557,7 +11571,7 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3ED59B00" disabled="False" position="7" comment="">
<NATRule id="id3ED59B00" disabled="False" position="7" comment="port-only translation">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -11599,7 +11613,28 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3ED59D48" disabled="False" position="9" comment="">
<NATRule id="id62195X80061" disabled="False" group="" position="9" comment="port-only translation">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id3DDDE4E4"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id3ED59D48" disabled="False" position="10" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -11620,6 +11655,132 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46723X95438" disabled="False" group="" position="11" comment="SDNAT ">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id45738X95438"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id45821X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id45738X95438"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id46523X95438"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46776X95438" disabled="False" group="" position="12" comment="SDNAT with source port">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id45738X95438"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id46447X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id45738X95438"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id46523X95438"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46457X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46829X95438" disabled="False" group="" position="13" comment="SDNAT with dest port">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id46482X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id45738X95438"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id46523X95438"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46492X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46882X95438" disabled="False" group="" position="14" comment="SDNAT&#10;translate src and dst addresses&#10;and src and dst ports">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id46617X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id45738X95438"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id46523X95438"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46627X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46935X95438" disabled="False" group="" position="15" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id46482X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46457X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46988X95438" disabled="False" group="" position="16" comment="invalid rule">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id45821X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46457X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id3DDDE6C6" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3DDDE701" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
@ -39767,6 +39928,804 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id45738X95438" host_OS="linux24" lastCompiled="1244482781" lastInstalled="0" lastModified="1244487383" platform="iptables" version="" name="fw1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id46392X95438" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id46393X95438" disabled="False" position="0" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False"/>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46425X95438" disabled="False" group="" position="1" comment="source port only">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id46447X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46457X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46460X95438" disabled="False" group="" position="2" comment="dest port only">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id46482X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46492X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46495X95438" disabled="False" group="" position="3" comment="SDNAT ">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id45738X95438"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id45821X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id45738X95438"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id46523X95438"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46529X95438" disabled="False" group="" position="4" comment="SDNAT with source port">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id45738X95438"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id46447X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id45738X95438"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id46523X95438"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46457X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46562X95438" disabled="False" group="" position="5" comment="SDNAT with dest port">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id46482X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id45738X95438"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id46523X95438"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46492X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46595X95438" disabled="False" group="" position="6" comment="SDNAT&#10;translate src and dst addresses&#10;and src and dst ports">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id46617X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id45738X95438"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id46523X95438"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46627X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46630X95438" disabled="False" group="" position="7" comment="invalid rule">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id46482X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46457X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id46663X95438" disabled="False" group="" position="8" comment="invalid rule">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id45821X95438"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id46457X95438"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id45744X95438" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id45745X95438" disabled="False" group="New Group" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id45738X95438"/>
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id46203X95438"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False"/>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46224X95438" disabled="False" group="New Group" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False"/>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46251X95438" disabled="False" group="New Group" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45738X95438"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46279X95438" disabled="False" group="New Group" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id45738X95438"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id46307X95438" disabled="False" group="New Group" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45738X95438"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46335X95438" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id46355X95438"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46364X95438" disabled="False" log="True" position="6" action="Reject" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id46696X95438" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id46697X95438" bridgeport="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id46698X95438" name="fw1:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id46699X95438" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id46700X95438" name="fw1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<IPv6 id="id46701X95438" name="fw1:eth1:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
</Interface>
<Interface id="id46702X95438" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id46703X95438" name="fw1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="check_shading">true</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="in_out_code">true</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_include_comments">true</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id45763X95438" host_OS="ios" inactive="False" lastCompiled="1221357477" lastInstalled="1223233524" lastModified="1243804646" platform="iosacl" version="12.x" name="c3620" comment="ff" ro="False">
<NAT id="id46197X95438" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id45769X95438" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id45770X95438" disabled="False" log="False" position="0" action="Deny" direction="Inbound" comment="Imported from e1_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45790X95438"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45799X95438" disabled="False" log="True" position="1" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="id45813X95438"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45817X95438"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45821X95438"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45830X95438" disabled="False" log="True" position="2" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="id45813X95438"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45847X95438"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45821X95438"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45859X95438" disabled="False" log="True" position="3" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45876X95438"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45888X95438" disabled="False" log="True" position="4" action="Deny" direction="Inbound" comment="Imported from e1_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45916X95438" disabled="False" log="True" position="5" action="Accept" direction="Outbound" comment="Imported from e1_0_acl_out&#10;">
<Src neg="False">
<ObjectRef ref="id45876X95438"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C08B5A</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45944X95438" disabled="False" log="True" position="6" action="Deny" direction="Outbound" comment="Imported from e1_0_acl_out&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id45972X95438" disabled="False" log="True" position="7" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="id45813X95438"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45817X95438"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45821X95438"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46000X95438" disabled="False" log="True" position="8" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="id45813X95438"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45847X95438"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45821X95438"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46028X95438" disabled="False" log="True" position="9" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="id45876X95438"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46056X95438" disabled="False" log="True" position="10" action="Deny" direction="Inbound" comment="Imported from fe0_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46084X95438" disabled="False" log="True" position="11" action="Accept" direction="Outbound" comment="Imported from fe0_0_acl_out&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id45876X95438"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id46112X95438" disabled="False" log="True" position="12" action="Deny" direction="Outbound" comment="Imported from fe0_0_acl_out&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id46140X95438" name="ipv6_rules" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
<PolicyRule id="id46141X95438" disabled="False" log="False" position="0" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id46155X95438"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id46170X95438" name="extra_acl" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id46171X95438" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False"/>
<Dst neg="False"/>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id46198X95438" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id46199X95438" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/0" comment="" ro="False">
<IPv4 id="id46200X95438" name="c3620:FastEthernet0/0:ip1" comment="" ro="False" address="192.168.100.100" netmask="255.255.255.0"/>
<IPv4 id="id46201X95438" name="c3620:FastEthernet0/0:ip2" comment="" ro="False" address="10.3.14.201" netmask="255.255.255.0"/>
<IPv6 id="id46202X95438" name="c3620:FastEthernet0/0:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
</Interface>
<Interface id="id46203X95438" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Ethernet1/0" comment="" ro="False">
<IPv4 id="id46204X95438" name="c3620:Ethernet1/0:ip" comment="" ro="False" address="192.168.171.2" netmask="255.255.255.0"/>
</Interface>
<Interface id="id46205X95438" bridgeport="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Serial1/0" comment="" ro="False"/>
<Interface id="id46206X95438" bridgeport="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet1/1" comment="" ro="False"/>
<Interface id="id46207X95438" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="Serial1/1" comment="" ro="False">
<IPv4 id="id46208X95438" name="c3620:Serial1/1:ip" comment="" ro="False" address="3.3.3.3" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.100.100">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">True</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level">0</Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level">0</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">0</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False">
<Interval id="id3D6864D0" days_of_week="0,1" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1" name="test time 1" comment="" ro="False"/>


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1239317986" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1244584290" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
<Library id="id40E233F3" color="#FFFFFF" name="West Coast" comment="" ro="False">
@ -406,6 +406,421 @@
<ObjectRef ref="host-hostB"/>
<ObjectRef ref="id3B022266"/>
<ObjectRef ref="id3B4572AF"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<ObjectRef ref="id79413X23273"/>
<Firewall id="id79413X23273" host_OS="linux24" lastCompiled="1244482781" lastInstalled="0" lastModified="1244584259" platform="iptables" version="" name="fw1" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id80067X23273" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id80068X23273" disabled="False" position="0" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80100X23273" disabled="False" group="" position="1" comment="source port only">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id80122X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80132X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80135X23273" disabled="False" group="" position="2" comment="dest port only">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id80157X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80167X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80170X23273" disabled="False" group="" position="3" comment="SDNAT ">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id79496X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id80198X23273"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80204X23273" disabled="False" group="" position="4" comment="SDNAT with source port">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id80122X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id80198X23273"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80132X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80237X23273" disabled="False" group="" position="5" comment="SDNAT with dest port">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id80157X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id80198X23273"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80167X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80270X23273" disabled="False" group="" position="6" comment="SDNAT&#10;translate src and dst addresses&#10;and src and dst ports">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id80292X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id80198X23273"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80302X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80305X23273" disabled="False" group="" position="7" comment="invalid rule">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id80157X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80132X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80338X23273" disabled="False" group="" position="8" comment="invalid rule">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id79496X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80132X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id79419X23273" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id79420X23273" disabled="False" group="New Group" log="True" position="0" action="Deny" direction="Inbound" comment="anti spoofing rule">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id79878X23273"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79899X23273" disabled="False" group="New Group" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79926X23273" disabled="False" group="New Group" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79954X23273" disabled="False" group="New Group" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id79982X23273" disabled="False" group="New Group" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id80010X23273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id80030X23273"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id80039X23273" disabled="False" log="True" position="6" action="Reject" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id80371X23273" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id80372X23273" bridgeport="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id80373X23273" name="fw1:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id80374X23273" bridgeport="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id80375X23273" name="fw1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<IPv6 id="id80376X23273" name="fw1:eth1:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
</Interface>
<Interface id="id80377X23273" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id80378X23273" name="fw1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="check_shading">true</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="in_out_code">true</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_include_comments">true</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
@ -423,6 +838,10 @@
<IPv4 id="id417B3641" name="net_address" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.255"/>
<IPv4 id="id20598X3490" name="routable server address 1" comment="" ro="False" address="222.222.222.22" netmask="0.0.0.0"/>
<IPv4 id="id20599X3490" name="routable server address 2" comment="" ro="False" address="222.222.222.23" netmask="0.0.0.0"/>
<IPv4 id="id79488X23273" name="h-10.3.14.40" comment="Imported from &quot;c3620&quot; 10.3.14.40/255.255.255.255" ro="False" address="10.3.14.40" netmask="255.255.255.255"/>
<IPv4 id="id79492X23273" name="h-192.168.171.2" comment="Imported from &quot;c3620&quot; 192.168.171.2/255.255.255.255" ro="False" address="192.168.171.2" netmask="255.255.255.255"/>
<IPv4 id="id79522X23273" name="h-10.3.14.201" comment="Imported from &quot;c3620&quot; 10.3.14.201/255.255.255.255" ro="False" address="10.3.14.201" netmask="255.255.255.255"/>
<IPv4 id="id80198X23273" name="a-192.168.1.10" comment="" ro="False" address="192.168.1.10" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
<ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
@ -524,6 +943,11 @@
<Interface id="id3AFADBF9-i" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3AFADBF9-i-ipv4" name="address" comment="" ro="False" address="22.22.22.23" netmask="255.255.255.255"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
</HostOptions>
@ -815,6 +1239,8 @@
<NetworkIPv6 id="id48416A7016880" name="DIGITAL-CA-DEC" comment="" ro="False" address="3ffe:1200:2000::" netmask="36"/>
<Network id="id3CEBFDFC" name="n-192.168.1.0" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id4733FFE419714" name="n-192.168.2.0" comment="" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
<Network id="id79551X23273" name="net-10.3.14.0/24" comment="Imported from &quot;c3620&quot; 10.3.14.0/255.255.255.0" ro="False" address="10.3.14.0" netmask="255.255.255.0"/>
<NetworkIPv6 id="id79830X23273" name="ipv6 net fe80::/64" comment="" ro="False" address="fe80::" netmask="64"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3CD8769F" name="test_range_1" comment="" ro="False" start_address="192.168.1.11" end_address="192.168.1.15"/>
@ -901,6 +1327,7 @@
<IPService id="id3C6820443" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="0x20" ts="False" name="tos 0x20" comment="" ro="False"/>
<IPService id="id3C6920443" dscp="0x20" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="" ts="False" name="dscp 0x20" comment="" ro="False"/>
<IPService id="idC5F120443" dscp="" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="False" ssrr="False" tos="0x10" ts="False" name="tos 0x10" comment="" ro="False"/>
<IPService id="id79465X23273" fragm="True" protocol_num="0" name="ip-0 fragm" comment="Imported from &quot;c3620&quot;&#10;protocol 0" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09_1" name="TCP" comment="" ro="False">
<TCPService id="tcp-IRC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="irc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
@ -909,8 +1336,20 @@
<TCPService id="id3B58E3F1" ack_flag="True" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="xmas-tree" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3C1A66EF" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="gopher" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="70" dst_range_end="70"/>
<TCPService id="id3E59AD29" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-1080" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1080" dst_range_end="1080"/>
<TCPService id="id78996X23273" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp-8080" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="8080" dst_range_end="8080"/>
<TCPService id="id79496X23273" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0-0:22-22" comment="Imported from &quot;c3620&quot;&#10;0-0:22-22" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="id80030X23273" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="False" name="New TCP Service 1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1" dst_range_end="1"/>
</ServiceGroup>
<ServiceGroup id="stdid08_1" name="UDP" comment="" ro="False">
<UDPService id="id78911X23273" name="udp-src-6767" comment="" ro="False" src_range_start="6767" src_range_end="6767" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id78921X23273" name="udp-src-67" comment="" ro="False" src_range_start="67" src_range_end="67" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id80122X23273" name="sport123" comment="" ro="False" src_range_start="123" src_range_end="123" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id80132X23273" name="sport5050" comment="" ro="False" src_range_start="5050" src_range_end="5050" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id80157X23273" name="dport53" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="id80167X23273" name="dport1053" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1053" dst_range_end="1053"/>
<UDPService id="id80292X23273" name="sdport53" comment="" ro="False" src_range_start="1024" src_range_end="65535" dst_range_start="53" dst_range_end="53"/>
<UDPService id="id80302X23273" name="sdport1053" comment="" ro="False" src_range_start="32767" src_range_end="65535" dst_range_start="1053" dst_range_end="1053"/>
</ServiceGroup>
<ServiceGroup id="stdid08_1" name="UDP" comment="" ro="False"/>
<ServiceGroup id="stdid13_1" name="Custom" comment="" ro="False">
<CustomService id="id3B64FE22" name="talk" comment="Talk support" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
@ -2828,7 +3267,7 @@
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3AFB66C6" host_OS="openbsd" inactive="False" lastCompiled="1230465811" lastInstalled="0" lastModified="1230466470" platform="pf" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
<Firewall id="id3AFB66C6" host_OS="openbsd" inactive="False" lastCompiled="1244583253" lastInstalled="0" lastModified="1244584206" platform="pf" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
<NAT id="id3AFB66C7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3AFB66C8" disabled="False" position="0" comment="">
<OSrc neg="False">
@ -13387,7 +13826,7 @@
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id33881X22329" host_OS="freebsd" inactive="False" lastCompiled="1228758356" lastInstalled="0" lastModified="1229404684" platform="pf" version="" name="firewall-ipv6-2" comment="Combined ipv4/ipv6 policy ruleset" ro="False">
<Firewall id="id33881X22329" host_OS="freebsd" inactive="False" lastCompiled="1228758356" lastInstalled="0" lastModified="1244319416" platform="pf" version="" name="firewall-ipv6-2" comment="Combined ipv4/ipv6 policy ruleset" ro="False">
<NAT id="id34057X22329" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id33912X22329" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
<PolicyRule id="id22170X16797" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
@ -13473,6 +13912,8 @@
<PolicyRule id="id22102X16797" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4834A2238571"/>
<ObjectRef ref="id20598X3490"/>
<ObjectRef ref="id20599X3490"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id34059X22329"/>
@ -13493,6 +13934,7 @@
<PolicyRule id="id22085X16797" disabled="False" group="" log="True" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4834A2278571"/>
<ObjectRef ref="id4387287918346"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id34059X22329"/>
@ -13630,6 +14072,27 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id16929X60595" disabled="False" group="" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="ipv6-icmp-ping_request"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id34058X22329" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id34059X22329" bridgeport="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
@ -13931,6 +14394,869 @@
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id78969X23273" host_OS="openbsd" inactive="False" lastCompiled="1244584306" lastInstalled="1142003872" lastModified="1244586784" platform="pf" version="4.x" name="firewall12" comment="This firewall does not do NAT for addresses, but translates port for a server&#10;" ro="False">
<NAT id="id79033X23273" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id79034X23273" disabled="True" position="0" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id78996X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id79067X23273" disabled="True" position="1" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id78996X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id79099X23273" disabled="True" position="2" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id78996X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id79131X23273" disabled="True" position="3" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id78969X23273"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id78996X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id79164X23273" disabled="False" position="4" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id78969X23273"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id78969X23273"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id78996X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id79197X23273" disabled="True" position="5" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id78969X23273"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id78996X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id79229X23273" disabled="True" position="6" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id78996X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id79295X23273" disabled="False" position="7" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id78911X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id78969X23273"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id78921X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id79328X23273" disabled="True" group="" position="8" comment="port-only translation">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id78996X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id79361X23273" disabled="False" position="9" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id78969X23273"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id78996X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id79394X23273" disabled="False" group="" position="10" comment="SDNAT ">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id78969X23273"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id79496X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id78969X23273"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id80198X23273"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80398X23273" disabled="False" group="" position="11" comment="SDNAT with source port">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id78969X23273"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id80122X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id78969X23273"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id80198X23273"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80132X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80431X23273" disabled="False" group="" position="12" comment="SDNAT with dest port">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id80157X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id78969X23273"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id80198X23273"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80167X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80464X23273" disabled="False" group="" position="13" comment="SDNAT&#10;translate src and dst addresses&#10;and src and dst ports">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id80292X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id78969X23273"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id80198X23273"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80302X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80497X23273" disabled="False" group="" position="14" comment="Matches destination port, translates source port">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id80157X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id78969X23273"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80132X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id80530X23273" disabled="True" group="" position="15" comment="invalid rule">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id79496X23273"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id80132X23273"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id78975X23273" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id78976X23273" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3AFADBF9"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id78996X23273"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id79005X23273" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id80563X23273" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id80564X23273" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id80565X23273" name="firewall12:en0:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface id="id80566X23273" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
<IPv4 id="id80567X23273" name="firewall12:en1:ip" comment="" ro="False" address="22.22.23.22" netmask="255.255.255.0"/>
</Interface>
<Interface id="id176032X23273" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
<IPv4 id="id176033X23273" name="firewall12:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="22.22.22.22">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"></Option>
<Option name="linux24_accept_source_route"></Option>
<Option name="linux24_icmp_echo_ignore_all"></Option>
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
<Option name="linux24_ip_dynaddr"></Option>
<Option name="linux24_ip_forward"></Option>
<Option name="linux24_log_martians"></Option>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_rp_filter"></Option>
<Option name="linux24_tcp_ecn"></Option>
<Option name="linux24_tcp_fack"></Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="linux24_tcp_sack"></Option>
<Option name="linux24_tcp_syncookies"></Option>
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="no_optimisation">False</Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id79438X23273" host_OS="ios" inactive="False" lastCompiled="1221357477" lastInstalled="1223233524" lastModified="1243804646" platform="iosacl" version="12.x" name="c3620" comment="ff" ro="False">
<NAT id="id79872X23273" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id79444X23273" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id79445X23273" disabled="False" log="False" position="0" action="Deny" direction="Inbound" comment="Imported from e1_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id79465X23273"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79474X23273" disabled="False" log="True" position="1" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="id79488X23273"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id79492X23273"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id79496X23273"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79505X23273" disabled="False" log="True" position="2" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="id79488X23273"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id79522X23273"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id79496X23273"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79534X23273" disabled="False" log="True" position="3" action="Accept" direction="Inbound" comment="Imported from e1_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id79551X23273"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79563X23273" disabled="False" log="True" position="4" action="Deny" direction="Inbound" comment="Imported from e1_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79591X23273" disabled="False" log="True" position="5" action="Accept" direction="Outbound" comment="Imported from e1_0_acl_out&#10;">
<Src neg="False">
<ObjectRef ref="id79551X23273"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C08B5A</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79619X23273" disabled="False" log="True" position="6" action="Deny" direction="Outbound" comment="Imported from e1_0_acl_out&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79647X23273" disabled="False" log="True" position="7" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="id79488X23273"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id79492X23273"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id79496X23273"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79675X23273" disabled="False" log="True" position="8" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="id79488X23273"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id79522X23273"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id79496X23273"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79703X23273" disabled="False" log="True" position="9" action="Accept" direction="Inbound" comment="Imported from fe0_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="id79551X23273"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79731X23273" disabled="False" log="True" position="10" action="Deny" direction="Inbound" comment="Imported from fe0_0_acl_in&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79759X23273" disabled="False" log="True" position="11" action="Accept" direction="Outbound" comment="Imported from fe0_0_acl_out&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id79551X23273"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id79787X23273" disabled="False" log="True" position="12" action="Deny" direction="Outbound" comment="Imported from fe0_0_acl_out&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id79815X23273" name="ipv6_rules" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
<PolicyRule id="id79816X23273" disabled="False" log="False" position="0" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id79830X23273"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id79845X23273" name="extra_acl" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id79846X23273" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id79873X23273" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id79874X23273" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="FastEthernet0/0" comment="" ro="False">
<IPv4 id="id79875X23273" name="c3620:FastEthernet0/0:ip1" comment="" ro="False" address="192.168.100.100" netmask="255.255.255.0"/>
<IPv4 id="id79876X23273" name="c3620:FastEthernet0/0:ip2" comment="" ro="False" address="10.3.14.201" netmask="255.255.255.0"/>
<IPv6 id="id79877X23273" name="c3620:FastEthernet0/0:ipv6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
</Interface>
<Interface id="id79878X23273" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Ethernet1/0" comment="" ro="False">
<IPv4 id="id79879X23273" name="c3620:Ethernet1/0:ip" comment="" ro="False" address="192.168.171.2" netmask="255.255.255.0"/>
</Interface>
<Interface id="id79880X23273" bridgeport="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Serial1/0" comment="" ro="False"/>
<Interface id="id79881X23273" bridgeport="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="Ethernet1/1" comment="" ro="False"/>
<Interface id="id79882X23273" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="Serial1/1" comment="" ro="False">
<IPv4 id="id79883X23273" name="c3620:Serial1/1:ip" comment="" ro="False" address="3.3.3.3" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.100.100">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">True</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level">0</Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level">0</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">0</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
<ObjectRef ref="id483F5B7623190"/>
@ -16033,16 +17359,16 @@
<ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP unreachables" comment="" ro="False"/>
<ICMPService id="icmp-ping_request" code="0" type="8" name="ping request" comment="" ro="False"/>
<ICMPService id="id3C20EEB5" code="-1" type="-1" name="any ICMP" comment="" ro="False"/>
<ICMP6Service id="ipv6-icmp-ping_request" code="0" type="128" name="ipv6 ping request" comment="IPv6 ping request" ro="False"/>
<ICMPService id="icmp-Time_exceeded" code="0" type="11" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" ro="False"/>
<ICMPService id="icmp-Time_exceeded_in_transit" code="1" type="11" name="time exceeded in transit" comment="" ro="False"/>
<ICMPService id="icmp-ping_reply" code="0" type="0" name="ping reply" comment="" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
<UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="udp-All_UDP" name="All UDP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
</ServiceGroup>
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP" comment="" ro="False">
<ServiceRef ref="icmp-Time_exceeded"/>
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
@ -16053,24 +17379,25 @@
<ServiceRef ref="id3CB12797"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
<ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
<UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="udp-All_UDP" name="All UDP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
</ServiceGroup>
</ServiceGroup>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
<IntervalGroup id="stdid11" name="Time" comment="" ro="False">
<Interval id="int-afterhours" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1" name="afterhours" comment="any day 6:00pm - 12:00am" ro="False"/>
<Interval id="id3C63479C" days_of_week="6" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1" name="Sat" comment="" ro="False"/>
<Interval id="id3C63479E" days_of_week="0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="Sun" comment="" ro="False"/>
</IntervalGroup>
<ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
<ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
</ObjectGroup>
</ObjectGroup>
<IntervalGroup id="stdid11" name="Time" comment="" ro="False">
<Interval id="int-afterhours" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1" name="afterhours" comment="any day 6:00pm - 12:00am" ro="False"/>
<Interval id="id3C63479C" days_of_week="6" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1" name="Sat" comment="" ro="False"/>
<Interval id="id3C63479E" days_of_week="0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="Sun" comment="" ro="False"/>
</IntervalGroup>
</Library>
</FWObjectDatabase>