
see #1949 ASA NAT - split objects if OSrc contains objects that are in more than one network zone

This commit is contained in:
Vadim Kurland
2011-01-17 12:12:54 -08:00
parent 800205df51
commit f104cb6a11
46 changed files with 573 additions and 169 deletions


@@ -1,3 +1,9 @@
2011-01-17 vadim <vadim@netcitadel.com>
* NATCompiler_asa8.h (fwcompiler): see #1949 "ASA NAT - split
objects if OSrc contains objects that are in more than one network
zone".
2011-01-16 vadim <vadim@netcitadel.com>
* NamedObjectsAndGroupsSupport.cpp (processNext): Added support for


@@ -337,6 +337,8 @@ void NATCompiler_asa8::compile()
add( new checkForUnnumbered("check for unnumbered interfaces"));
add( new splitByNetworkZonesForOSrc("split by netzone for OSrc"));
add( new ConvertToAtomicForOSrv("convert to atomic for OSrv"));
add( new ConvertToAtomicForTDst("convert to atomic for TDst"));
add( new ConvertToAtomicForTSrv("convert to atomic for TSrv"));
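Review bot: splitByNetworkZonesForOSrc asserts that every OSrc child casts to Address, so its position in this chain matters: it must run after whatever expands groups and DNSName/AddressTable objects (VerifyValidityOfDNSOption in the same header suggests the latter can appear in ASA 8.3 NAT rules), and the hunk does not show where that expansion happens. A one-line comment above the new `add(...)` stating the ordering dependency, e.g. `// must run after OSrc groups are expanded: processNext asserts each child is an Address`, would keep a later reordering from silently breaking it. compile() starts and ends outside the hunk.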


@@ -64,6 +64,21 @@ namespace fwcompiler {
*/
DECLARE_NAT_RULE_PROCESSOR(VerifyValidityOfDNSOption);
/**
* Split rule to make sure objects in OSrc match network zones
* of interfaces. We only need to do this for ASA 8.3 where we
* support object-groups in "nat" rules. Older versions did
* not support groups and so required all nat rules to be
* atomic which achieved the same effect.
*/
class splitByNetworkZonesForOSrc : public splitByNetworkZonesForRE
{
public:
splitByNetworkZonesForOSrc(const std::string &n) :
splitByNetworkZonesForRE(n, libfwbuilder::RuleElementOSrc::TYPENAME)
{}
};
/**
* this processor accumulates all rules fed to it by previous
* processors, then prints PIX commands to clear
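Review bot: `splitByNetworkZonesForOSrc` has a single-argument constructor that is not `explicit`, so a `std::string` converts implicitly into a rule processor; write `explicit splitByNetworkZonesForOSrc(const std::string &n) :` to prevent that. The comment above the class could also state the precondition the base processor enforces with an assert, e.g. `// Precondition: groups in OSrc are already expanded; every child must cast to Address.`, since a caller reading only this header cannot see it.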


@@ -30,6 +30,7 @@
#include "Helper.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "splitByNetworkZonesForRE.h"
#include <map>
#include <deque>


@@ -662,87 +662,6 @@ bool PolicyCompiler_cisco::replaceFWinDSTPolicy::processNext()
return true;
}
void PolicyCompiler_cisco::splitByNetworkZonesForRE::AddToInterface(
int interface_id, Address *addr, PolicyRule *rule)
{
PolicyRule *new_rule;
RuleElement *new_re;
new_rule = rules[interface_id];
if (new_rule==NULL)
{
new_rule = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(new_rule);
new_rule->duplicate(rule);
rules[interface_id]=new_rule;
new_re=RuleElement::cast(new_rule->getFirstByType(re_type));
new_re->clearChildren();
new_re->setAnyElement();
}
new_re=RuleElement::cast(new_rule->getFirstByType(re_type));
new_re->addRef( addr );
}
bool PolicyCompiler_cisco::splitByNetworkZonesForRE::processNext()
{
Helper helper(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElement *re=RuleElement::cast(rule->getFirstByType(re_type));
if (re->size()==1)
{
tmp_queue.push_back(rule);
return true;
}
rules.clear();
std::list<FWObject*> cl;
for (list<FWObject*>::iterator i1=re->begin(); i1!=re->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = NULL;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Address *a=Address::cast(obj);
assert(a!=NULL);
// InetAddr obj_addr=a->getAddress();
try
{
int interface_id = helper.findInterfaceByNetzone(a);
AddToInterface(interface_id, a, rule);
} catch (string err)
{
// could not find interface with netzone to match address 'a'
// will assign rule to all interfaces. Act as if all interfaces
// had network zone 'any' and each matches this address.
// issue warning only if platform uses netwrk zones.
bool supports_network_zones =
Resources::getTargetCapabilityBool(
compiler->fw->getStr("platform"), "network_zones");
if (supports_network_zones)
compiler->warning(rule, err);
FWObjectTypedChildIterator i =
compiler->fw->findByType(Interface::TYPENAME);
for ( ; i!=i.end(); ++i)
{
Interface *ifs = Interface::cast(*i);
AddToInterface(ifs->getId(), a, rule);
}
}
}
for (std::map<int,PolicyRule*>::iterator i=rules.begin();
i!=rules.end(); ++i)
{
tmp_queue.push_back((*i).second);
}
return true;
}
bool PolicyCompiler_cisco::equalObjCISCO::operator()(FWObject *o)
{
if (ICMPService::cast(obj)!=NULL && ICMPService::cast(o)!=NULL)


@@ -35,6 +35,8 @@
#include "ACL.h"
#include "BaseObjectGroup.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "splitByNetworkZonesForRE.h"
namespace libfwbuilder {
class IPService;
@@ -331,24 +333,6 @@ protected:
DECLARE_POLICY_RULE_PROCESSOR( replaceFWinDSTPolicy );
/**
* this processor splits rules if objects in rule element
* re_type belong to different network zones
*/
class splitByNetworkZonesForRE : public PolicyRuleProcessor
{
std::string re_type;
std::map<int,libfwbuilder::PolicyRule*> rules;
void AddToInterface(int interface_id,
libfwbuilder::Address *addr,
libfwbuilder::PolicyRule *rule);
public:
splitByNetworkZonesForRE(const std::string &name,const std::string &_type) :
PolicyRuleProcessor(name) {re_type=_type; }
virtual bool processNext();
};
class splitByNetworkZonesForSrc : public splitByNetworkZonesForRE
{
public:


@@ -9,6 +9,7 @@ SOURCES = PolicyCompiler_cisco.cpp \
NamedObjectsAndGroupsSupport.cpp \
RoutingCompiler_cisco.cpp \
RoutingCompiler_cisco_writers.cpp \
splitByNetworkZonesForRE.cpp \
ACL.cpp \
NamedObject.cpp \
ASA8TwiceNatLogic.cpp \
@@ -52,6 +53,7 @@ SOURCES = PolicyCompiler_cisco.cpp \
RoutingCompiler_pix_writers.cpp
HEADERS = ../../config.h \
splitByNetworkZonesForRE.h \
ACL.h \
Helper.h \
NamedObject.h \


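--- /dev/null
+++ b/splitByNetworkZonesForRE.cpp
@@ -0,0 +1,121 @@
+/*
+Firewall Builder
+Copyright (C) 2002-2011 NetCitadel, LLC
+Author: Vadim Kurland vadim@fwbuilder.org
+This program is free software which we release under the GNU General Public
+License. You may redistribute and/or modify this program under the terms
+of that license as published by the Free Software Foundation; either
+version 2 of the License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+To get a copy of the GNU General Public License, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+#include "splitByNetworkZonesForRE.h"
+#include "Helper.h"
+#include "fwbuilder/Resources.h"
+#include "fwbuilder/FWObjectDatabase.h"
+#include "fwbuilder/RuleSet.h"
+#include "fwbuilder/Interface.h"
+#include "fwcompiler/Compiler.h"
+using namespace libfwbuilder;
+using namespace fwcompiler;
+using namespace std;
+/*
+* create new rule and associate it with given interface. If we
+* already have a rule associated with it, then just add Address to
+* the rule element of that existing rule.
+*/
+void splitByNetworkZonesForRE::AddToInterface(
+int interface_id, Address *addr, Rule *rule)
+{
+Rule *new_rule;
+RuleElement *new_re;
+new_rule = rules[interface_id];
+if (new_rule==NULL)
+{
+new_rule = Rule::cast(compiler->dbcopy->create(rule->getTypeName()));
+compiler->temp_ruleset->add(new_rule);
+new_rule->duplicate(rule);
+rules[interface_id] = new_rule;
+new_re = RuleElement::cast(new_rule->getFirstByType(re_type));
+new_re->clearChildren();
+new_re->setAnyElement();
+}
+new_re = RuleElement::cast(new_rule->getFirstByType(re_type));
+new_re->addRef( addr );
+}
+bool splitByNetworkZonesForRE::processNext()
+{
+Helper helper(compiler);
+Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
+RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
+if (re->size()==1)
+{
+tmp_queue.push_back(rule);
+return true;
+}
+rules.clear();
+std::list<FWObject*> cl;
+for (list<FWObject*>::iterator i1=re->begin(); i1!=re->end(); ++i1)
+{
+Address *a = Address::cast(FWReference::getObject(*i1));
+assert(a!=NULL);
+try
+{
+int interface_id = helper.findInterfaceByNetzone(a);
+AddToInterface(interface_id, a, rule);
+} catch (string err)
+{
+// could not find interface with netzone to match address 'a'
+// will assign rule to all interfaces. Act as if all interfaces
+// had network zone 'any' and each matches this address.
+// issue warning only if platform uses netwrk zones.
+bool supports_network_zones =
+Resources::getTargetCapabilityBool(
+compiler->fw->getStr("platform"), "network_zones");
+if (supports_network_zones)
+compiler->warning(rule, err);
+FWObjectTypedChildIterator i =
+compiler->fw->findByType(Interface::TYPENAME);
+for ( ; i!=i.end(); ++i)
+{
+Interface *ifs = Interface::cast(*i);
+AddToInterface(ifs->getId(), a, rule);
+}
+}
+}
+for (std::map<int,Rule*>::iterator i=rules.begin();
+i!=rules.end(); ++i)
+{
+tmp_queue.push_back((*i).second);
+}
+return true;
+}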
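Review bot: The catch block in processNext fails open: an address that matches no interface's network zone is added to a copy of the rule for every interface, and the only signal is `compiler->warning`, which is skipped entirely when the platform's `network_zones` capability is false. Now that this processor also feeds NAT rules, a translation the user scoped to one zone can be emitted for all interfaces with nothing stronger than a warning; consider turning this into a hard error when `supports_network_zones` is true (if Compiler offers an abort counterpart to warning), or at minimum say so above the loop: `// Fail-open: an address outside every network zone is replicated to ALL interfaces; the warning is the only signal.` Separately, `assert(a!=NULL)` is compiled out under NDEBUG so a non-Address child would reach findInterfaceByNetzone as NULL, and `catch (string err)` copies the exception object; an explicit NULL check that reports the rule, and `catch (const string &err)`, would be safer. The unused `std::list<FWObject*> cl;` can be dropped.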


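--- /dev/null
+++ b/splitByNetworkZonesForRE.h
@@ -0,0 +1,58 @@
+/*
+Firewall Builder
+Copyright (C) 2002-2011 NetCitadel, LLC
+Author: Vadim Kurland vadim@fwbuilder.org
+This program is free software which we release under the GNU General Public
+License. You may redistribute and/or modify this program under the terms
+of that license as published by the Free Software Foundation; either
+version 2 of the License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+To get a copy of the GNU General Public License, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+#ifndef __SPLIT_BY_NETWORK_ZONES_FOR_RE_HH
+#define __SPLIT_BY_NETWORK_ZONES_FOR_RE_HH
+#include "fwbuilder/RuleElement.h"
+#include "fwcompiler/RuleProcessor.h"
+namespace libfwbuilder {
+class Address;
+class Rule;
+};
+namespace fwcompiler
+{
+/**
+* this processor splits rules if objects in rule element
+* re_type belong to different network zones
+*/
+class splitByNetworkZonesForRE : public BasicRuleProcessor
+{
+std::string re_type;
+std::map<int,libfwbuilder::Rule*> rules;
+void AddToInterface(int interface_id,
+libfwbuilder::Address *addr,
+libfwbuilder::Rule *rule);
+public:
+splitByNetworkZonesForRE(const std::string &name,const std::string &_type) :
+BasicRuleProcessor(name) {re_type=_type; }
+virtual bool processNext();
+};
+}
+#endif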
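Review bot: The header uses `std::map` and `std::string` in the class body but includes neither `<map>` nor `<string>`, relying on `fwbuilder/RuleElement.h` or `fwcompiler/RuleProcessor.h` to pull them in transitively; add `#include <map>` and `#include <string>` after the include guard so the header stands on its own. The class comment should also say what the `rules` map holds, e.g. `// interface id -> copy of the current rule holding only the addresses in that interface's network zone`, since that is the contract AddToInterface and processNext share. The `};` closing `namespace libfwbuilder` carries a stray semicolon that can be dropped.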


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:33 2011 PST by vadim
! Generated Mon Jan 17 12:06:46 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:33 2011 PST by vadim
! Generated Mon Jan 17 12:06:46 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:32 2011 PST by vadim
! Generated Mon Jan 17 12:06:45 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:33 2011 PST by vadim
! Generated Mon Jan 17 12:06:45 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:07 2011 PST by vadim
! Generated Mon Jan 17 12:06:20 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:08 2011 PST by vadim
! Generated Mon Jan 17 12:06:20 2011 PST by vadim
!
! Compiled for pix 6.1
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:09 2011 PST by vadim
! Generated Mon Jan 17 12:06:21 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:10 2011 PST by vadim
! Generated Mon Jan 17 12:06:22 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:10 2011 PST by vadim
! Generated Mon Jan 17 12:06:23 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:11 2011 PST by vadim
! Generated Mon Jan 17 12:06:23 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:12 2011 PST by vadim
! Generated Mon Jan 17 12:06:24 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:12 2011 PST by vadim
! Generated Mon Jan 17 12:06:25 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:13 2011 PST by vadim
! Generated Mon Jan 17 12:06:25 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:15 2011 PST by vadim
! Generated Mon Jan 17 12:06:27 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:14 2011 PST by vadim
! Generated Mon Jan 17 12:06:26 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:15 2011 PST by vadim
! Generated Mon Jan 17 12:06:28 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:16 2011 PST by vadim
! Generated Mon Jan 17 12:06:28 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:17 2011 PST by vadim
! Generated Mon Jan 17 12:06:29 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:18 2011 PST by vadim
! Generated Mon Jan 17 12:06:30 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:19 2011 PST by vadim
! Generated Mon Jan 17 12:06:31 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:20 2011 PST by vadim
! Generated Mon Jan 17 12:06:32 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:20 2011 PST by vadim
! Generated Mon Jan 17 12:06:32 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:21 2011 PST by vadim
! Generated Mon Jan 17 12:06:33 2011 PST by vadim
!
! Compiled for pix 6.2
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:22 2011 PST by vadim
! Generated Mon Jan 17 12:06:34 2011 PST by vadim
!
! Compiled for pix 8.2
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:23 2011 PST by vadim
! Generated Mon Jan 17 12:06:35 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:23 2011 PST by vadim
! Generated Mon Jan 17 12:06:35 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:24 2011 PST by vadim
! Generated Mon Jan 17 12:06:36 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:25 2011 PST by vadim
! Generated Mon Jan 17 12:06:37 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:25 2011 PST by vadim
! Generated Mon Jan 17 12:06:38 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:26 2011 PST by vadim
! Generated Mon Jan 17 12:06:38 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:27 2011 PST by vadim
! Generated Mon Jan 17 12:06:39 2011 PST by vadim
!
! Compiled for pix 8.3
! Outbound ACLs: supported

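--- /dev/null
+++ b/test/pix/firewall93.fw.orig
@@ -0,0 +1,115 @@
+!
+! This is automatically generated file. DO NOT MODIFY !
+!
+! Firewall Builder fwb_pix v4.2.0.3436
+!
+! Generated Mon Jan 17 12:06:40 2011 PST by vadim
+!
+! Compiled for pix 8.3
+! Outbound ACLs: supported
+! Emulate outbound ACLs: yes
+! Generating outbound ACLs: no
+! Assume firewall is part of any: yes
+!
+!# files: * firewall93.fw
+!
+! test for #1949
+! split NAT rule by OSrc to make sure objects in OSrc match network zones of
+! inetrfaces
+!
+! Prolog script:
+!
+!
+! End of prolog script:
+!
+interface Ethernet0/0
+nameif outside
+security-level 0
+exit
+interface Ethernet0/1
+nameif inside
+security-level 100
+exit
+interface Ethernet0/2
+nameif dmz
+security-level 10
+exit
+no logging buffered
+no logging console
+no logging timestamp
+no logging on
+timeout xlate 0:0:0
+timeout conn 0:0:0
+timeout udp 0:0:0
+timeout sunrpc 0:0:0
+timeout h323 0:0:0
+timeout sip 0:0:0
+timeout sip_media 0:0:0
+timeout half-closed 0:0:0
+timeout uauth 0:0:0
+clear config ssh
+aaa authentication ssh console LOCAL
+clear config snmp-server
+no snmp-server enable traps
+clear config ntp
+no service resetinbound
+no service resetoutside
+no sysopt connection timewait
+no sysopt nodnsalias inbound
+no sysopt nodnsalias outbound
+class-map inspection_default
+match default-inspection-traffic
+policy-map global_policy
+class inspection_default
+service-policy global_policy global
+!################
+clear xlate
+clear config nat
+clear config object
+object network inside-range-1
+range 10.0.0.1 10.0.0.5
+quit
+object network dmz-range-1
+range 172.16.0.10 172.16.0.15
+quit
+!
+! Rule 0 (NAT)
+nat (inside,outside) source dynamic inside-range-1 interface description "0 (NAT)"
+nat (dmz,outside) source dynamic dmz-range-1 interface description "0 (NAT)"
+!
+! Epilog script:
+!
+! End of epilog script:
+!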


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:28 2011 PST by vadim
! Generated Mon Jan 17 12:06:41 2011 PST by vadim
!
! Compiled for fwsm 2.3
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:29 2011 PST by vadim
! Generated Mon Jan 17 12:06:41 2011 PST by vadim
!
! Compiled for fwsm 4.x
! Outbound ACLs: supported


@@ -546,6 +546,15 @@
<ObjectGroup id="id21304X4994" name="inside_group_2" comment="" ro="False">
<ObjectRef ref="net-Internal_net"/>
</ObjectGroup>
<ObjectGroup id="id26247X5313" name="inside-group-1" comment="" ro="False">
<ObjectRef ref="id26248X5313"/>
<ObjectRef ref="id26250X5313"/>
<ObjectRef ref="id26252X5313"/>
</ObjectGroup>
<ObjectGroup id="id26286X5313" name="dmz-and-inside-group" comment="" ro="False">
<ObjectRef ref="id26287X5313"/>
<ObjectRef ref="id26289X5313"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="stdid02_1" name="Hosts" comment="" ro="False">
<Host id="id3F8F9622" name="DMZhost1" comment="" ro="False">
@@ -1247,12 +1256,17 @@
<Network id="id178241X29963" name="internal_subnet_1" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.192"/>
<Network id="id178250X29963" name="internal_subnet_2" comment="" ro="False" address="192.168.1.64" netmask="255.255.255.192"/>
<Network id="id21130X3720" name="ext_subnet" comment="" ro="False" address="22.22.22.128" netmask="255.255.255.224"/>
<Network id="id26248X5313" name="Network-0" comment="" ro="False" address="10.0.0.0" netmask="255.255.255.0"/>
<Network id="id26250X5313" name="Network-1" comment="" ro="False" address="10.1.0.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3CD8769F" name="test_range_1" comment="" ro="False" start_address="192.168.1.11" end_address="192.168.1.15"/>
<AddressRange id="id3D0F7F89" name="test_range_2" comment="" ro="False" start_address="192.168.1.250" end_address="192.168.1.255"/>
<AddressRange id="id3D196750" name="outside_range" comment="" ro="False" start_address="22.22.22.21" end_address="22.22.22.25"/>
<AddressRange id="id622710X3710" name="outside_range-1" comment="" ro="False" start_address="22.22.22.30" end_address="22.22.22.40"/>
<AddressRange id="id26252X5313" name="inside-range-3" comment="" ro="False" start_address="172.16.0.1" end_address="172.16.0.2"/>
<AddressRange id="id26287X5313" name="dmz-range-1" comment="" ro="False" start_address="172.16.0.10" end_address="172.16.0.15"/>
<AddressRange id="id26289X5313" name="inside-range-1" comment="" ro="False" start_address="10.0.0.1" end_address="10.0.0.5"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05_1" name="Services" comment="" ro="False">
@@ -20114,6 +20128,173 @@ no sysopt nodnsalias outbound
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id26236X5313" host_OS="pix_os" inactive="False" lastCompiled="1294794902" lastInstalled="0" lastModified="1295294751" platform="pix" version="8.3" name="firewall93" comment="test for #1949&#10;split NAT rule by OSrc to make sure objects in OSrc match network zones of&#10;inetrfaces&#10;" ro="False">
<NAT id="id26268X5313" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id26270X5313" disabled="False" group="" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id26286X5313"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id26244X5313"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id26265X5313" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Policy>
<Routing id="id26309X5313" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id26244X5313" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
<IPv4 id="id26245X5313" name="firewall93:Ethernet0/0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id26254X5313" dedicated_failover="False" dyn="False" label="inside" mgmt="False" network_zone="id26247X5313" security_level="100" unnum="False" unprotected="False" name="Ethernet0/1" comment="" ro="False">
<IPv4 id="id26255X5313" name="firewall93:Ethernet0/1:ip" comment="" ro="False" address="10.0.0.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id26257X5313" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" network_zone="id3DC75CE7" security_level="10" unnum="False" unprotected="False" name="Ethernet0/2" comment="" ro="False">
<IPv4 id="id26258X5313" name="firewall93:Ethernet0/2:ip" comment="" ro="False" address="172.16.0.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="conn_hh">0</Option>
<Option name="conn_mm">0</Option>
<Option name="conn_ss">0</Option>
<Option name="ctiqbe_fixup">2 2748 0 nil 0</Option>
<Option name="dns_fixup">2 65535 0 nil 0</Option>
<Option name="espike_fixup">2 0 0 nil 0</Option>
<Option name="filesystem"></Option>
<Option name="firewall_dir"></Option>
<Option name="ftp_fixup">2 21 0 strict 0</Option>
<Option name="h323_h225_fixup">2 1720 1720 nil 0</Option>
<Option name="h323_hh">0</Option>
<Option name="h323_mm">0</Option>
<Option name="h323_ras_fixup">2 1718 1719 nil 0</Option>
<Option name="h323_ss">0</Option>
<Option name="half-closed_hh">0</Option>
<Option name="half-closed_mm">0</Option>
<Option name="half-closed_ss">0</Option>
<Option name="http_fixup">2 80 80 nil 0</Option>
<Option name="icmp_error_fixup">2 0 0 nil 0</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ils_fixup">2 389 389 nil 0</Option>
<Option name="ip_options_eool_fixup">2 0 0 nil 0</Option>
<Option name="ip_options_nop_fixup">2 0 0 nil 0</Option>
<Option name="ip_options_rtralt_fixup">2 0 0 nil 0</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="mgcp_fixup">2 2427 2727 nil 0</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="output_file"></Option>
<Option name="pix_acl_basic">True</Option>
<Option name="pix_acl_no_clear">False</Option>
<Option name="pix_acl_substitution">False</Option>
<Option name="pix_acl_temp_addr"></Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">True</Option>
<Option name="pix_check_duplicate_nat">False</Option>
<Option name="pix_check_overlapping_global_pools">False</Option>
<Option name="pix_check_overlapping_global_statics">False</Option>
<Option name="pix_check_overlapping_statics">False</Option>
<Option name="pix_connection_timewait">False</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emb_limit">0</Option>
<Option name="pix_emblem_log_format">False</Option>
<Option name="pix_emulate_out_acl">True</Option>
<Option name="pix_epilog_script"></Option>
<Option name="pix_floodguard">True</Option>
<Option name="pix_fragguard">False</Option>
<Option name="pix_generate_out_acl">False</Option>
<Option name="pix_include_comments">True</Option>
<Option name="pix_logging_buffered">False</Option>
<Option name="pix_logging_buffered_level">0</Option>
<Option name="pix_logging_console">False</Option>
<Option name="pix_logging_console_level">0</Option>
<Option name="pix_logging_timestamp">False</Option>
<Option name="pix_logging_trap_level">0</Option>
<Option name="pix_max_conns">0</Option>
<Option name="pix_nodnsalias_inbound">False</Option>
<Option name="pix_nodnsalias_outbound">False</Option>
<Option name="pix_optimize_default_nat">False</Option>
<Option name="pix_prolog_script"></Option>
<Option name="pix_regroup_commands">False</Option>
<Option name="pix_replace_natted_objects">False</Option>
<Option name="pix_resetinbound">False</Option>
<Option name="pix_resetoutside">False</Option>
<Option name="pix_route_dnat">False</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_ssh_timeout">0</Option>
<Option name="pix_syslog_device_id_opt"></Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_syslog_device_id_val"></Option>
<Option name="pix_syslog_facility"></Option>
<Option name="pix_syslog_host"></Option>
<Option name="pix_syslog_queue_size">0</Option>
<Option name="pix_telnet_timeout">0</Option>
<Option name="pix_use_acl_remarks">True</Option>
<Option name="pix_use_manual_commit">False</Option>
<Option name="pptp_fixup">2 1723 0 nil 0</Option>
<Option name="rpc_hh">0</Option>
<Option name="rpc_mm">0</Option>
<Option name="rpc_ss">0</Option>
<Option name="rsh_fixup">2 514 0 nil 0</Option>
<Option name="rtsp_fixup">2 554 0 nil 0</Option>
<Option name="scpArgs"></Option>
<Option name="short_script">False</Option>
<Option name="sip_fixup">2 5060 5060 nil 0</Option>
<Option name="sip_hh">0</Option>
<Option name="sip_media_hh">0</Option>
<Option name="sip_media_mm">0</Option>
<Option name="sip_media_ss">0</Option>
<Option name="sip_mm">0</Option>
<Option name="sip_ss">0</Option>
<Option name="sip_udp_fixup">2 5060 0 nil 0</Option>
<Option name="skinny_fixup">2 2000 2000 nil 0</Option>
<Option name="smtp_fixup">2 25 25 nil 0</Option>
<Option name="sqlnet_fixup">2 1521 1521 nil 0</Option>
<Option name="sshArgs"></Option>
<Option name="tftp_fixup">2 69 0 nil 0</Option>
<Option name="uauth_abs">False</Option>
<Option name="uauth_hh">0</Option>
<Option name="uauth_inact">False</Option>
<Option name="uauth_mm">0</Option>
<Option name="uauth_ss">0</Option>
<Option name="udp_hh">0</Option>
<Option name="udp_mm">0</Option>
<Option name="udp_ss">0</Option>
<Option name="use_scp">False</Option>
<Option name="xlate_hh">0</Option>
<Option name="xlate_mm">0</Option>
<Option name="xlate_ss">0</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"/>
</Library>


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:30 2011 PST by vadim
! Generated Mon Jan 17 12:06:43 2011 PST by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported


@@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3435
! Firewall Builder fwb_pix v4.2.0.3436
!
! Generated Sun Jan 16 22:59:31 2011 PST by vadim
! Generated Mon Jan 17 12:06:43 2011 PST by vadim
!
! Compiled for pix 6.3
! Outbound ACLs: not supported