Mirror of https://github.com/fwbuilder/fwbuilder, synced 2026-03-20 02:07:23 +01:00
updated unit test for iptables importer
commit d60b82b47b
parent f5e058fdd7
File diff suppressed because it is too large
@ -10,25 +10,30 @@ Warning: Line 9: Rule matches states 'RELATED,ESTABLISHED'. Consider using autom
Warning: Line 12: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
Warning: Line 13: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
Warning: Line 14: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
Network object: net-192.168.2.0/24
TCP Service object: tcp 22-22
Custom Service object: cust-0: iptables: -m state --state NEW,ESTABLISHED
Created branch INPUT_state_match_0
Warning: Line 18: Rule matches combination of states 'NEW,ESTABLISHED'. Iptables rules generated by fwbuilder can be stateless (match no state) or stateful (match state NEW). Fwbuilder also adds a rule at the top of the script to match states ESTABLISHED,RELATED. Combination of states 'NEW,ESTABLISHED' does not fit these standard cases and to match it, the program created new Custom Service object. This may require manual checking.
Address object: h-21.21.21.21
TCP Service object: tcp 22-22:
Created branch OUTPUT_established_0
Warning: Line 19: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
TCP Service object: tcp 23-23
Created branch OUTPUT_established_1
Warning: Line 24: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
Warning: Line 27: Using automatic rule controlled by option 'Drop packet that do not match any known connection' to match state INVALID
Warning: Line 30: Using automatic rule controlled by option 'Drop packet that do not match any known connection' to match state INVALID
Warning: Line 23: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
TCP Service object: tcp 23-23
Created branch OUTPUT_established_2
Warning: Line 28: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
Warning: Line 31: Using automatic rule controlled by option 'Drop packet that do not match any known connection' to match state INVALID
Warning: Line 34: Using automatic rule controlled by option 'Drop packet that do not match any known connection' to match state INVALID
New interface: lo
UDP Service object: udp 1604-1604
Created branch Policy_eth1
New interface: eth1
New interface: eth0
Warning: Line 38: Creating branch ruleset 'Policy_eth1' to match inbound and outbound interfaces -i eth0 -o eth1
Warning: Line 42: Creating branch ruleset 'Policy_eth1' to match inbound and outbound interfaces -i eth0 -o eth1
TCP Service object: tcp 0-8000
UDP Service object: udp 0-8000
Warning: Line 65: Unknown parameter of target REJECT: icmp-foo-prohibited.
Warning: Line 66: Unknown parameter of target REJECT: foo-prohib.
Warning: Line 69: Unknown parameter of target REJECT: icmp-foo-prohibited.
Warning: Line 70: Unknown parameter of target REJECT: foo-prohib.
AddressRange object: range-10.212.66.2-10.212.66.3
AddressRange object: range-192.11.1.11-192.11.1.63
Address object: h-10.212.66.2
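Review bot: the only genuinely new expectations in this hunk are the five lines from `Network object: net-192.168.2.0/24` to the `Warning: Line 18: Rule matches combination of states 'NEW,ESTABLISHED'` message; the rest (`OUTPUT_established_1` becoming `OUTPUT_established_2`, `Line 19/24/27/30` becoming `Line 23/28/31/34`) is renumbering caused by inserting the new rule mid-file, and the side-by-side rendering has dropped the +/- markers, which is why both the old and the new variant of each line appear. For the new case itself the file asserts only the importer's log (custom service `cust-0: iptables: -m state --state NEW,ESTABLISHED`, branch `INPUT_state_match_0`), not what ends up inside the branch, so a regression that still created the branch but lost `-s 192.168.2.0/24` or `--dport 22` from the rule in it would pass unnoticed; if the harness can also diff the generated rule set for this input, add that for this case.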
@ -39,12 +44,11 @@ ICMP Service object: icmp -1/-1
Address object: h-192.168.1.1
IP Service object: ip-47
Network object: net-1.1.0.0/16
Warning: Line 99: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
Warning: Line 103: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
Network object: net-192.168.19.0/24
TCP Service object: tcp 5432-5432
Address object: h-192.168.16.125
TCP Service object: tcp 873-873
TCP Service object: tcp 22-22
Address object: h-192.0.34.166
TCP Service object: tcp 137-139
TCP Service object: tcp 0-1023
@ -66,8 +70,8 @@ TCP Service object: tcp fsrpau/f
TCP Service object: tcp sr/sr
TCP Service object: tcp fs/fs
TCP Service object: tcp fsrpau/N
Parser error: Line 146: Port spec 'foo' unknown
Parser error: Line 146: Port spec 'foo' unknown
Parser error: Line 150: Port spec 'foo' unknown
Parser error: Line 150: Port spec 'foo' unknown
TCP Service object: tcp
TCP Service object: tcp 427-427
UDP Service object: udp 427-427
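Review bot: `Parser error: Line 150: Port spec 'foo' unknown` (like its old `Line 146` counterpart) is listed twice, so the expected output locks in a duplicated diagnostic for one bad port spec. If the importer really reports the same error twice for a single rule, that is an importer defect worth fixing before the expectation is updated; if the duplication is intentional (for instance two port specs on that input line), a comment in the test input saying so would stop the next person from "fixing" it.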
@ -85,15 +89,15 @@ TCP Service object: tcp 206-206:
TCP Service object: tcp 2222-2222:
ICMP Service object: icmp 3/-1
ICMP Service object: icmp 3/6
Custom Service object: cust-0: iptables: -m length --length 400:65535
Custom Service object: cust-1: iptables: -m recent --name badguy --rcheck --seconds 60
Custom Service object: cust-1: iptables: -m length --length 400:65535
Custom Service object: cust-2: iptables: -m recent --name badguy --rcheck --seconds 60
Created branch user_chain_42_mod_match
Custom Service object: cust-2: iptables: -m recent --name badguy --set
Custom Service object: cust-3: iptables: -m recent --name badguy --set
TCP Service object: tcp 5190-5190
Created branch user_chain_43_mod_match
Tag Service object: tag-0x11
Created branch user_chain_44_mod_match
Custom Service object: cust-3: iptables: -m length --length 400:1500
Custom Service object: cust-4: iptables: -m length --length 400:1500
Created branch user_chain_45_mod_match
Tag Service object: tag-0x1
TCP Service object: tcp fsrpau/s
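Review bot: every change in this hunk is `cust-N` becoming `cust-N+1` (the `-m length --length 400:65535`, `-m recent --rcheck`, `-m recent --set` and `-m length --length 400:1500` services) because the custom service created for the new `Line 18` rule took index 0; nothing here tests new behaviour. Since the custom-service index is a file-global counter, any future case inserted before these rules will rewrite this hunk again; appending new cases at the end of the input file, or giving the `-m length`/`-m recent` cases their own input file, would keep these expectations stable.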
@ -102,16 +106,16 @@ Tag Service object: tag-0x4
Created branch user_chain_47_mod_match
TCP Service object: tcp 53-53:
Created branch user_chain_48_mod_match
Parser error: Line 202: Original rule combines match of tcp/udp/icmp
Parser error: Line 206: Original rule combines match of tcp/udp/icmp
protocols with two or more module matches, such as
module 'mark', 'recent' or 'length'. Use additional
branches to implement this complex match.
Created branch user_chain_49_mod_match
Parser error: Line 203: Original rule combines match of tcp/udp/icmp
Parser error: Line 207: Original rule combines match of tcp/udp/icmp
protocols with two or more module matches, such as
module 'mark', 'recent' or 'length'. Use additional
branches to implement this complex match.
Custom Service object: cust-4: iptables: -m pkttype --pkt-type broadcast
Custom Service object: cust-5: iptables: -m pkttype --pkt-type broadcast
Ruleset: mangle / PREROUTING
Default action: Accept
Ruleset: mangle / INPUT
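Review bot: the `Original rule combines match of tcp/udp/icmp ...` diagnostic is spread over four expected-output lines, so renumbering `Line 202/203` to `Line 206/207` changes only the first line of each message and leaves the three continuation lines (`protocols with two or more module matches, such as` ... `branches to implement this complex match.`) dangling between the old and new variants; consider emitting each diagnostic on a single line (joining the continuation with spaces) so one message maps to one expected-output line and a diff stays readable. `cust-4` to `cust-5` for the `-m pkttype --pkt-type broadcast` service is only the global custom-service counter shifting.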
@ -126,9 +130,9 @@ Tag Service object: tag-16
TCP Service object: tcp 25-25
Tag Service object: tag-0xa
Tag Service object: tag-0xB
Warning: Line 231: Skip command with '-j CONNMARK --restore-mark' This rule is generated automatically.
Warning: Line 235: Skip command with '-j CONNMARK --restore-mark' This rule is generated automatically.
TCP Service object: tcp 25-25:
Warning: Line 235: Turned option on in previous rule with action Mark for '-j CONNMARK --save-mark'
Warning: Line 239: Turned option on in previous rule with action Mark for '-j CONNMARK --save-mark'
Tag Service object: tag-1
New interface: eth2
Tag Service object: tag-2
@ -140,23 +144,13 @@ Ruleset: nat / OUTPUT
Default action: Accept
Network object: net-192.168.1.0/24
Address object: h-222.222.222.222
Parser error: Line 253: Original rule defines outbound interface 'eth1'.
Replace address in TSrc with matching interface of the firewall.
Parser error: Line 254: Original rule defines outbound interface 'eth0'.
Replace address in TSrc with matching interface of the firewall.
Network object: net-192.168.1.32/27
Address object: h-222.222.222.100
Parser error: Line 255: Original rule defines outbound interface 'eth+'.
Replace address in TSrc with matching interface of the firewall.
AddressRange object: range-222.222.222.10-222.222.222.100
New interface: eth+
Address object: h-192.168.1.20
Parser error: Line 256: Original rule defines outbound interface 'eth+'.
Replace address in TSrc with matching interface of the firewall.
AddressRange object: range-192.168.1.1-192.168.1.10
Address object: h-192.168.1.10
Parser error: Line 257: Original rule defines outbound interface 'eth+'.
Replace address in TSrc with matching interface of the firewall.
TCP Service object: tcp 1000-1010:
Parser error: Line 258: Original rule defines outbound interface 'eth1'.
Replace address in TSrc with matching interface of the firewall.
Network object: net-222.222.222.0/24
TCP Service object: tcp 25-50
ICMP Service object: icmp 8/0
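Review bot: this hunk shrinks from 23 to 13 lines, and the only lines that can account for that are the six `Parser error: Line 253..258: Original rule defines outbound interface ...` / `Replace address in TSrc with matching interface of the firewall.` pairs, while `New interface: eth+` appears alongside them; in other words SNAT rules with `-o <iface>` are now imported instead of rejected. That is an importer behaviour change, not a test update, so the commit message should name the importer change this expectation reflects. Also, `eth+` is a prefix wildcard in iptables (it matches eth0, eth1, ...), so an interface object literally named `eth+` needs checking to confirm the generated rule comes back out as `-o eth+` and is not treated as one concrete interface; asserting on the generated rule for those input lines would catch that.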
@ -173,18 +167,15 @@ TCP Service object: tcp 13-13
TCP Service object: tcp 2105-2105
Address object: h-192.168.3.145
Address object: h-1.1.1.1
Parser error: Line 272: Original rule defines inbound interface 'eth0'.
Replace address in ODst with matching interface of the firewall.
Network object: net-192.168.2.0/24
Address object: h-192.168.1.22
Address object: h-192.168.2.10
Address object: h-22.22.22.23
ICMP Service object: icmp 11/0
Warning: Line 282: Added rule to reproduce default policy ACCEPT in filter/OUTPUT
Warning: Line 282: Can not reproduce default action in table 'mangle' chain 'FORWARD'.
Warning: Line 282: Added rule to reproduce default policy ACCEPT in mangle/FORWARD
Warning: Line 282: Can not reproduce default action in table 'mangle' chain 'INPUT'.
Warning: Line 282: Added rule to reproduce default policy ACCEPT in mangle/INPUT
Warning: Line 282: Added rule to reproduce default policy ACCEPT in mangle/OUTPUT
Warning: Line 282: Added rule to reproduce default policy ACCEPT in mangle/POSTROUTING
Warning: Line 282: Added rule to reproduce default policy ACCEPT in mangle/PREROUTING
Warning: Line 286: Added rule to reproduce default policy ACCEPT in filter/OUTPUT
Warning: Line 286: Can not reproduce default action in table 'mangle' chain 'FORWARD'.
Warning: Line 286: Added rule to reproduce default policy ACCEPT in mangle/FORWARD
Warning: Line 286: Can not reproduce default action in table 'mangle' chain 'INPUT'.
Warning: Line 286: Added rule to reproduce default policy ACCEPT in mangle/INPUT
Warning: Line 286: Added rule to reproduce default policy ACCEPT in mangle/OUTPUT
Warning: Line 286: Added rule to reproduce default policy ACCEPT in mangle/POSTROUTING
Warning: Line 286: Added rule to reproduce default policy ACCEPT in mangle/PREROUTING
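Review bot: `Warning: Line 286: Can not reproduce default action in table 'mangle' chain 'FORWARD'.` is immediately followed by `Warning: Line 286: Added rule to reproduce default policy ACCEPT in mangle/FORWARD` (and the same pair recurs for mangle/INPUT), and this update carries both forward unchanged; the two messages contradict each other, so either the "Can not reproduce" warning is stale and should go, or the added rule does not actually take effect and the second message is misleading. A default-policy mismatch in FORWARD is exactly the kind of thing that silently opens or blocks traffic after an import, so the test should pin down which of the two is true rather than asserting both. The dropped `Parser error: Line 272: Original rule defines inbound interface 'eth0'.` / `Replace address in ODst ...` pair is a second behaviour change (NAT rules with `-i` now imported) that the commit message should mention.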
@ -13,6 +13,10 @@
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# unusual combination of states, creates custom service object. Also, since the same rule
# matches tcp service and custom service, branch will be created
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# this creates a branch, matching service in the main policy and
# ESTABLISHED,RELATE states in the branch
#
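Review bot: the new rule sits directly after `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`, so its ESTABLISHED half can never match here (those packets were accepted one rule earlier) and its only reachable effect is accepting NEW tcp/22 from 192.168.2.0/24; that is fine for exercising the importer's object model, but the comment should say the redundancy is deliberate so nobody reads the test input as a sample policy. Two smaller points: `ESTABLISHED,RELATE` in the following context comment is missing its final `D`, and inserting the case here rather than at the end of the file shifts every later line number and object index, which is what most of the expected-output diff consists of.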