see #1983 "ASA multiple interfaces have the same security level". Algorithm that guesses security level recognizes interface labels that contain word "dmz". Interfaces that could not be recognized by their label and that have ip addresses not in RFC1918 ranges still get security level 0

2026-03-19 17:57:22 +01:00 · 2011-01-28 12:13:01 -08:00 · 2011-01-28 12:13:01 -08:00 · e66f654a8a
commit e66f654a8a
parent 5ec0e428dd
2 changed files with 20 additions and 15 deletions
--- a/src/libfwbuilder/src/fwbuilder/InterfaceData.cpp
+++ b/src/libfwbuilder/src/fwbuilder/InterfaceData.cpp
@ -158,22 +158,21 @@ void InterfaceData::guessSecurityLevel(const string&)
    for (string::size_type i=0; i<llbl.length(); i++)
        llbl[i] = tolower( llbl[i] );

-    if ( llbl=="outside" ||
-         llbl=="out" ||
-         llbl=="external" ||
-         llbl=="external net" ||
+    if ( llbl=="out" ||
         llbl=="ext" ||
         llbl=="internet" ||
         llbl=="wan" ||
         llbl=="dsl" ||
-         llbl=="cable") securityLevel = 0;
+         llbl=="cable" ||
+         llbl.find("outside")!=string::npos ||
+         llbl.find("external")!=string::npos) securityLevel = 0;

-    if ( llbl=="inside" ||
-         llbl=="lan" ||
+    if ( llbl=="lan" ||
         llbl=="in" ||
-         llbl=="internal" ||
-         llbl=="internal_net" ||
-         llbl=="internal net" ) securityLevel = 100;
+         llbl.find("inside")!=string::npos ||
+         llbl.find("internal")!=string::npos ) securityLevel = 100;
+
+    if ( llbl.find("dmz")!=string::npos ) securityLevel = 50;

    if ( (*(addr_mask.front()->getAddressPtr()))==InetAddr::getLoopbackAddr())
        securityLevel = 100; 
--- a/src/libgui/newFirewallDialog.cpp
+++ b/src/libgui/newFirewallDialog.cpp
@ -702,10 +702,14 @@ void newFirewallDialog::fillInterfaceSLList()
        {
            if (!gotIPv4) address = iface.addresses.values().first();
            if ( address.ipv4 )
-                iam = new InetAddrMask(InetAddr(address.address.toStdString()), InetAddr(address.netmask.toStdString()));
+                iam = new InetAddrMask(
+                    InetAddr(address.address.toStdString()),
+                    InetAddr(address.netmask.toStdString()));
            else
            {
-                iam = new InetAddrMask(InetAddr(AF_INET6, address.address.toStdString()), InetAddr(AF_INET6, address.netmask.toStdString()));
+                iam = new InetAddrMask(
+                    InetAddr(AF_INET6, address.address.toStdString()),
+                    InetAddr(AF_INET6, address.netmask.toStdString()));
            }
            idata.addr_mask.push_back(iam);
        }
@ -714,12 +718,14 @@ void newFirewallDialog::fillInterfaceSLList()
        {
            try
            {
-                idata.guessSecurityLevel( readPlatform(m_dialog->platform).toStdString() );
+                idata.guessSecurityLevel(
+                    readPlatform(m_dialog->platform).toStdString() );
            }
            catch (FWException &ex)
            {
-                QMessageBox::warning( this,"Firewall Builder", ex.toString().c_str(),
-                                      "&Continue", QString::null, QString::null, 0, 1 );
+                QMessageBox::warning(
+                    this,"Firewall Builder", ex.toString().c_str(),
+                    "&Continue", QString::null, QString::null, 0, 1 );
                showPage( 2 );
                return;
            }