
compilers for iptables and pf find branch rulesets even if they belong to a different fw

Vadim Kurland
2008-06-05 20:41:25 +00:00
parent c81ee87507
commit ece0df1e07
8 changed files with 2268 additions and 19627 deletions


@@ -1,5 +1,23 @@
2008-06-05 Vadim Kurland <vadim@vk.crocodile.org>
* IPv4Dialog, NetworkDialog, newHostDialog, newFirewallDialog:
netmask can be entered as bit length, in addition to the bit mask
format supported before. Both formats are recognized. FR #995452,
1617297, 1666016
* IPv6 suport implemented in the GUI and compilers for iptables
and pf: FR #1517015, 1705261, 1706246, 1826325
* Rules with action Tag reference TagService objects. User drags
and drops TagService object into a drop area in the rule action
dialog. FR #1696841: "Mark action and TagService"
2008-06-05 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp, pf.cpp: Compilers for iptables and pf recognize branch
rule sets that belong to different firewall objects. FR #737132:
"Linkable Rules", #1224898 "Rule Link"
* PolicyCompiler_ipt.cpp (dropTerminatingTargets::processNext):
bugfix in the shadowing detection for non-terminating rules in the
mangle table.
@@ -70,13 +88,13 @@
mangle table in addition to the filter table" and correctly places
referenced rule set in both filter and mangle tables.
* ObjectManipulator.cpp: Policy rules can now be arranged in
multiple rule sets with names. These rule sets are shown in the
tree under the firewall object (next to its interfaces). Each rule
set is independent from others, user can add as many as they
want. Rules with action "Branch" refer to existing rule sets, user
associates them by dragging rule set object into action parameters
dialog of the branching rule.
* ObjectManipulator.cpp: new feature v3: Policy rules can now be
arranged in multiple rule sets with names. These rule sets are
shown in the tree under the firewall object (next to its
interfaces). Each rule set is independent from others, user can
add as many as they want. Rules with action "Branch" refer to
existing rule sets, user associates them by dragging rule set
object into action parameters dialog of the branching rule.
2008-05-23 Vadim Kurland <vadim@vk.crocodile.org>
@@ -198,7 +216,15 @@
* v3 feature: Firewall Builder v3 GUI redesigned as MDI
interfaces. Several data files can be opened simultaneously and
objects dragged and dropped from one file to another.
objects dragged and dropped from one file to another. FR # 984979
"split window view of tabs".
* v3 feature: the GUI allows the user to change font used for the
UI, object tree and rules (separately). FR #1621799: "main window
font_size & column resizing" (although column width is not saved).
* v3 feature: The user can switch between icons 25x25 and 16x16 in
rules. FR #1844437 "25x25 Icons to 16x16"
2008-03-05 vadim <vadim@vk.crocodile.org>


@@ -124,7 +124,7 @@ void RuleSetDialog::validate(bool *res)
{
*res=false ;
QMessageBox::critical(this, "Firewall Builder",
tr("Not valid name '%1'. Only '[a-z][A-Z][0-9]_-+=@%^' characters.").arg( m_dialog->obj_name->text() ),
tr("Rule set name '%1' is invalid. Only '[a-z][A-Z][0-9]_-+=@%^' characters are allowed.").arg( m_dialog->obj_name->text() ),
tr("&Continue"), 0, 0,
0 );


@@ -2925,8 +2925,11 @@ bool PolicyCompiler_ipt::decideOnTarget::processNext()
case PolicyRule::Route: rule->setStr("ipt_target","ROUTE"); break;
case PolicyRule::Branch:
{
FWOptions *ropt = rule->getOptionsObject();
rule->setStr("ipt_target", ropt->getStr("branch_name"));
RuleSet *ruleset = rule->getBranch();
if (ruleset==NULL)
compiler->abort(string("Branching rule ") + rule->getLabel() +
" refers ruleset that does not exist");
rule->setStr("ipt_target", ruleset->getName());
break;
}
default: ;
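Review bot: `rule->setStr("ipt_target", ruleset->getName())` emits the branch rule set's name verbatim as the iptables chain name, and since this commit that rule set may live under another firewall object, so two rule sets with the same name in different firewalls (the test data in this commit already has a rule set named `Policy` in more than one firewall) resolve to one chain and their rules merge silently. The only check in the hunk is for a missing branch; nothing rejects a name that clashes with a chain already emitted for this firewall or that exceeds the iptables chain-name limit (about 28 characters), and the RuleSetDialog hunk in this commit whitelists characters but not length. A length check such as `if (ruleset->getName().length() > MAX_CHAIN_NAME_LEN) compiler->abort(string("Rule set name too long: ") + ruleset->getName());` (with the constant set to the iptables limit) fits next to the existing abort, and a uniqueness check over the names of all collected rule sets belongs where the imported rule sets are gathered. The `anchor` name written in the PolicyCompiler_pf.cpp hunk has the same collision problem. decideOnTarget::processNext starts and ends outside the hunk.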


@@ -188,6 +188,33 @@ void findBranchesInMangleTable(Firewall *fw, list<FWObject*> &all_policies)
}
}
/* Find rulesets that belong to other firewall objects but are
* referenced by rules of this firewall using action Branch
*/
void findImportedRuleSets(Firewall *fw, list<FWObject*> &all_policies)
{
list<FWObject*> imported_policies;
for (list<FWObject*>::iterator i=all_policies.begin();
i!=all_policies.end(); ++i)
{
for (list<FWObject*>::iterator r=(*i)->begin();
r!=(*i)->end(); ++r)
{
PolicyRule *rule = PolicyRule::cast(*r);
RuleSet *ruleset = NULL;
if (rule->getAction() == PolicyRule::Branch &&
(ruleset = rule->getBranch())!=NULL &&
!ruleset->isChildOf(fw))
{
imported_policies.push_back(ruleset);
}
}
}
if (imported_policies.size() > 0)
all_policies.insert(all_policies.end(),
imported_policies.begin(), imported_policies.end());
}
string dumpScript(bool nocomm, Firewall *fw,
const string& reset_script,
const string& nat_script,
@@ -528,6 +555,7 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
vector<bool> ipv4_6_runs;
string generated_script;
findImportedRuleSets(fw, all_policies);
findBranchesInMangleTable(fw, all_policies);
// command line options -4 and -6 control address family for which
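Review bot: findImportedRuleSets collects only rule sets referenced directly from this firewall's own rule sets: the loop runs over `all_policies` before the imported ones are appended, so a foreign rule set that itself branches to a further foreign rule set is never added and the generated script jumps to a chain that is never created. A rule set referenced by two branch rules is also pushed twice, so its chain would be emitted twice; the dereference of `PolicyRule::cast(*r)` is unguarded, which matters only if a rule set can hold children that are not policy rules (not verifiable from the hunk). A work queue that also scans each imported rule set, plus a membership test before `push_back`, covers both; `std::find` needs `<algorithm>` if ipt.cpp does not include it yet. The function added to pf.cpp in this commit is identical and has the same gaps. Logging which firewall each imported rule set comes from would also make the resulting script easier to audit.
```cpp
void findImportedRuleSets(Firewall *fw, list<FWObject*> &all_policies)
{
    list<FWObject*> imported_policies;
    // Work queue: starts with this firewall's own rule sets and grows with
    // every imported rule set, so branches taken from an imported rule set
    // are followed as well.
    list<FWObject*> pending(all_policies.begin(), all_policies.end());
    while (!pending.empty())
    {
        FWObject *policy = pending.front();
        pending.pop_front();
        for (list<FWObject*>::iterator r=policy->begin(); r!=policy->end(); ++r)
        {
            PolicyRule *rule = PolicyRule::cast(*r);
            if (rule==NULL || rule->getAction() != PolicyRule::Branch) continue;
            RuleSet *ruleset = rule->getBranch();
            if (ruleset==NULL || ruleset->isChildOf(fw)) continue;
            // each foreign rule set is emitted once, however many rules refer to it
            if (std::find(imported_policies.begin(), imported_policies.end(),
                          ruleset) != imported_policies.end()) continue;
            imported_policies.push_back(ruleset);
            pending.push_back(ruleset);
        }
    }
    all_policies.insert(all_policies.end(),
                        imported_policies.begin(), imported_policies.end());
}
```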


@@ -169,6 +169,36 @@ string getConfFileName(const string &ruleset_name,
return conf_file_name;
}
/* Find rulesets that belong to other firewall objects but are
* referenced by rules of this firewall using action Branch
*/
void findImportedRuleSets(Firewall *fw, list<FWObject*> &all_policies)
{
list<FWObject*> imported_policies;
for (list<FWObject*>::iterator i=all_policies.begin();
i!=all_policies.end(); ++i)
{
for (list<FWObject*>::iterator r=(*i)->begin();
r!=(*i)->end(); ++r)
{
PolicyRule *rule = PolicyRule::cast(*r);
RuleSet *ruleset = NULL;
if (rule->getAction() == PolicyRule::Branch &&
(ruleset = rule->getBranch())!=NULL &&
!ruleset->isChildOf(fw))
{
imported_policies.push_back(ruleset);
}
}
}
if (imported_policies.size() > 0)
all_policies.insert(all_policies.end(),
imported_policies.begin(), imported_policies.end());
}
void usage(const char *name)
{
cout << _("Firewall Builder: policy compiler for OpenBSD PF") << endl;
@@ -639,6 +669,8 @@ int main(int argc, char * const *argv)
list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);
list<FWObject*> all_nat = fw->getByType(NAT::TYPENAME);
findImportedRuleSets(fw, all_policies);
vector<bool> ipv4_6_runs;
bool have_nat = false;
bool have_pf = false;
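Review bot: findImportedRuleSets here is a byte-for-byte copy of the function added to ipt.cpp in this commit, and its call site in main mirrors the one there, so the two will drift the first time branch resolution changes. Moving the function into a helper shared by the two compilers and calling it from both main functions leaves one definition to maintain and one place to fix. main continues outside the hunk.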


@@ -117,8 +117,14 @@ void PolicyCompiler_pf::PrintRule::_printAction(PolicyRule *rule)
compiler->output << ruleopt->getStr("custom_str") << " ";
break;
case PolicyRule::Branch:
compiler->output << "anchor " << ruleopt->getStr("branch_name") << " ";
{
RuleSet *ruleset = rule->getBranch();
if (ruleset==NULL)
compiler->abort(string("Branching rule ") + rule->getLabel() +
" refers ruleset that does not exist");
compiler->output << "anchor " << ruleset->getName() << " ";
break;
}
default:
compiler->abort(
string("Unknown action '") + rule->getActionAsString()


@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="9" lastModified="1212620367" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="9" lastModified="1212696652" id="root">
<Library color="#d2ffd0" comment="User defined objects" id="syslib001" name="User">
<ObjectGroup id="stdid01_1" name="Objects">
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables">
@@ -25085,6 +25085,590 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot;&#10;" host_OS="linux24" id="id4848A4294626" inactive="False" lastCompiled="1188097225" lastInstalled="1142003872" lastModified="1212696562" name="firewall-base-rulesets" platform="iptables" ro="False" version="">
<NAT id="id4848A4304626" name="NAT"/>
<Policy id="id4848A42F4626" name="Policy"/>
<Policy comment="Basic rules for web servers.&#10;" id="id4848A4414626" name="web_server_inbound">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id4848A4424626" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id4848A44F4626" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy comment="Basic rules for mail servers" id="id48493B6E4626" name="mail_server_inbound">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id48493B6F4626" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SMTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id48493B7B4626" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy comment="Basic rules for mail servers" id="id484B0A134626" name="mail_server_outbound">
<PolicyRule action="Accept" direction="Outbound" disabled="False" id="id484B0A2D4626" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
<ServiceRef ref="tcp-SMTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Outbound" disabled="False" group="" id="id484B0A3A4626" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy comment="Basic rules for web servers.&#10;" id="id484B3D324626" name="web_server_outbound">
<PolicyRule action="Accept" direction="Outbound" disabled="False" id="id484B3D3F4626" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="icmp-Unreachables"/>
<ServiceRef ref="icmp-ping_request"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Outbound" disabled="False" id="id484B3D4C4626" log="False" position="1">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3F530CC8"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id4848A4314626" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id4848A4324626" label="" mgmt="False" name="eth0" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id4848A4344626" name="firewall-base-rulesets:eth0:ip" address="33.33.33.33" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4848A4354626" label="" mgmt="False" name="eth1" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4848A4374626" name="firewall-base-rulesets:eth1:ip" address="172.16.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4848A4384626" label="" mgmt="True" name="eth2" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id4848A43A4626" name="firewall-base-rulesets:eth2:ip" address="192.168.100.1" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.100.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP host prohibited</Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"></Option>
<Option name="linux24_accept_source_route"></Option>
<Option name="linux24_icmp_echo_ignore_all"></Option>
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
<Option name="linux24_ip_dynaddr"></Option>
<Option name="linux24_ip_forward"></Option>
<Option name="linux24_log_martians"></Option>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_rp_filter"></Option>
<Option name="linux24_tcp_ecn"></Option>
<Option name="linux24_tcp_fack"></Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="linux24_tcp_sack"></Option>
<Option name="linux24_tcp_syncookies"></Option>
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="no_optimisation">False</Option>
<Option name="script_env_path"></Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing branching rules that point&#10;at rule sets defined in object&#10;firewall-base-rulesets" host_OS="linux24" id="id484A05C44626" inactive="False" lastCompiled="1188097218" lastInstalled="1142003872" lastModified="1212694117" name="firewall51" platform="iptables" ro="False" version="">
<NAT id="id484A06174626" name="NAT"/>
<Policy id="id484A05CA4626" name="Policy">
<PolicyRule action="Branch" direction="Both" disabled="False" id="id484A05CB4626" log="False" position="0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostA"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id48493B6E4626</Option>
<Option name="branch_name">rule0_branch</Option>
<Option name="classify_str"></Option>
<Option name="color">#8BC065</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">False</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Branch" comment="" direction="Both" disabled="False" group="" id="id484B704C4626" log="False" position="1">
<Src neg="False">
<ObjectRef ref="host-hostA"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id484B0A134626</Option>
<Option name="branch_name">rule0_branch</Option>
<Option name="classify_str"></Option>
<Option name="color">#8BC065</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_reply_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">False</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_reply_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Branch" direction="Both" disabled="False" id="id484A05D84626" log="False" position="2">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="host-hostB"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id4848A4414626</Option>
<Option name="branch_name">rule1_branch</Option>
<Option name="classify_str"></Option>
<Option name="color">#8BC065</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">False</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Branch" comment="" direction="Both" disabled="False" group="" id="id484B705F4626" log="False" position="3">
<Src neg="False">
<ObjectRef ref="host-hostB"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id484B3D324626</Option>
<Option name="branch_name">rule1_branch</Option>
<Option name="classify_str"></Option>
<Option name="color">#8BC065</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_reply_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">False</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_reply_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Branch" direction="Both" disabled="False" id="id484A05E44626" log="False" position="4">
<Src neg="False">
<ObjectRef ref="id3CEBFDFC"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_name">rule2_branch</Option>
<Option name="color">#7694C0</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id484A06094626" name="rule2_branch">
<PolicyRule action="Deny" comment="" direction="Both" disabled="False" id="id484A060A4626" log="True" position="0">
<Src neg="True">
<ObjectRef ref="id3CEBFDFC"/>
<ObjectRef ref="id4733FFE419714"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id484A06184626" name="Routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id484A06194626" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id484A061B4626" name="firewall51:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id484A061C4626" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id484A061E4626" name="firewall51:eth1:ip" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id484A061F4626" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id484A06224626" name="firewall51:lo:ip1" address="127.0.0.1" netmask="255.0.0.0"/>
<IPv4 comment="" id="id484A06234626" name="firewall51:lo:ip2" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir"></Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"></Option>
<Option name="linux24_accept_source_route"></Option>
<Option name="linux24_icmp_echo_ignore_all"></Option>
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
<Option name="linux24_icmp_ignore_bogus_error_responses"></Option>
<Option name="linux24_ip_dynaddr"></Option>
<Option name="linux24_ip_forward"></Option>
<Option name="linux24_log_martians"></Option>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_rp_filter"></Option>
<Option name="linux24_tcp_ecn"></Option>
<Option name="linux24_tcp_fack"></Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="linux24_tcp_sack"></Option>
<Option name="linux24_tcp_syncookies"></Option>
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">False</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_all_dropped">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix"></Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">False</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="output_file"></Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="proxy_arp">False</Option>
<Option name="script_env_path"></Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_ip_tool">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time">
<Interval comment="" days_of_week="0,1" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" id="id3D6864D0" name="test time 1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1"/>
@@ -25675,6 +26259,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<IPv4 id="id46EFBE5531183" name="firewall42:eth3:ip" address="22.22.23.23" netmask="255.255.255.0"/>
</Interface>
<IPv4 id="id46EFBE4931183" name="firewall42:eth0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<Interface bridgeport="False" comment="" dyn="True" id="id4848A43B4626" label="" mgmt="False" name="ppp0" security_level="0" unnum="False" unprotected="False"/>
</Library>
<Library color="#FFFFFF" comment="" id="id4387B43718346" name="transfer" ro="False">
<ObjectGroup id="id4387B43818346" name="Objects">
@@ -25745,6 +26330,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<TCPService ack_flag="False" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="True" id="tcp-TCP-SYN" name="tcp-syn" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B4FF09A" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-All_TCP" name="All TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="53" dst_range_start="53" fin_flag="False" fin_flag_mask="False" id="tcp-DNS" name="domain" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP">
<UDPService comment="" dst_range_end="53" dst_range_start="53" id="udp-DNS" name="domain" src_range_end="0" src_range_start="0"/>
@@ -25768,6 +26354,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<ServiceRef ref="id3CB12797"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
<ServiceGroup id="id3F530CC8" name="DNS">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP">
<ICMPService code="0" comment="" id="icmp-ping_request" name="ping request" type="8"/>
