mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-20 02:07:23 +01:00
merge -r62:HEAD from branch inet-addr-changes
This commit is contained in:
Vadim Kurland
parent
907e272926
commit
f5cebe98e2
@ -167,7 +167,9 @@ string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
|
||||
res_id=findInterfaceByAddress( addr );
|
||||
|
||||
if (res_id.empty())
|
||||
throw( string("Can not find interface with network zone that includes address ") + addr.toString());
|
||||
throw(
|
||||
string("Can not find interface with network zone that includes "
|
||||
"address ") + addr.toString());
|
||||
return res_id;
|
||||
}
|
||||
|
||||
@ -201,7 +203,11 @@ list<string> Helper::findInterfaceByNetzoneOrAll(RuleElement *re)
|
||||
if (a==NULL)
|
||||
{
|
||||
Rule *rule = Rule::cast(re->getParent());
|
||||
compiler->abort(string("findInterfaceByNetzoneOrAll failed to retrieve first object from the rule element; is argument not of the type RuleElementSrc or RuleElementDst ? Rule ") + rule->getLabel());
|
||||
compiler->abort(
|
||||
string("findInterfaceByNetzoneOrAll failed to retrieve first "
|
||||
"object from the rule element; is argument not of "
|
||||
"the type RuleElementSrc or RuleElementDst ? Rule ") +
|
||||
rule->getLabel());
|
||||
}
|
||||
try
|
||||
{
|
||||
@ -220,7 +226,8 @@ list<string> Helper::findInterfaceByNetzoneOrAll(RuleElement *re)
|
||||
|
||||
if (supports_network_zones) compiler->warning(err);
|
||||
|
||||
FWObjectTypedChildIterator i = compiler->fw->findByType(Interface::TYPENAME);
|
||||
FWObjectTypedChildIterator i = compiler->fw->findByType(
|
||||
Interface::TYPENAME);
|
||||
for ( ; i!=i.end(); ++i)
|
||||
{
|
||||
Interface *ifs = Interface::cast(*i);
|
||||
|
||||
@ -112,8 +112,11 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
|
||||
dbcopy->add(ssh,false);
|
||||
cacheObj(ssh); // to keep cache consistent
|
||||
|
||||
Network *mgmt_workstation = Network::cast(dbcopy->create(Network::TYPENAME));
|
||||
*mgmt_workstation = getCachedFwOpt()->getStr("mgmt_addr");
|
||||
Network *mgmt_workstation = Network::cast(
|
||||
dbcopy->create(Network::TYPENAME));
|
||||
mgmt_workstation->setAddressNetmask(
|
||||
getCachedFwOpt()->getStr("mgmt_addr"));
|
||||
|
||||
dbcopy->add(mgmt_workstation, false);
|
||||
cacheObj(mgmt_workstation); // to keep cache consistent
|
||||
|
||||
|
||||
@ -724,7 +724,7 @@ int main(int argc, char * const *argv)
|
||||
Network *o=Network::cast(nobj);
|
||||
o->setName(name);
|
||||
o->setAddress(InetAddr(addr1));
|
||||
o->setNetmask(InetNetmask(addr2));
|
||||
o->setNetmask(InetAddr(addr2));
|
||||
}
|
||||
else if (objtype==Firewall::TYPENAME)
|
||||
{
|
||||
|
||||
@ -24,8 +24,6 @@
|
||||
|
||||
*/
|
||||
|
||||
#include "fwbuilder_ph.h"
|
||||
|
||||
#include "config.h"
|
||||
#include "global.h"
|
||||
#include "utils.h"
|
||||
@ -935,7 +933,7 @@ void DiscoveryDruid::startSNMPScan()
|
||||
{
|
||||
InetAddrMask in(
|
||||
InetAddr(m_dialog->snmpinaddr->text().toLatin1().constData()),
|
||||
InetNetmask(m_dialog->snmpinmask->text().toLatin1().constData())
|
||||
InetAddr(m_dialog->snmpinmask->text().toLatin1().constData())
|
||||
);
|
||||
include_networks.push_back(in);
|
||||
}
|
||||
@ -1896,7 +1894,7 @@ void DiscoveryDruid::changedInclNet()
|
||||
{
|
||||
|
||||
InetAddr a(m_dialog->snmpinaddr->text().toLatin1().constData());
|
||||
InetNetmask n(m_dialog->snmpinmask->text().toLatin1().constData());
|
||||
InetAddr n(m_dialog->snmpinmask->text().toLatin1().constData());
|
||||
InetAddrMask(a,n);
|
||||
|
||||
m_dialog->confineerror_message->setText(" ");
|
||||
@ -2081,7 +2079,7 @@ void DiscoveryDruid::createRealObjects()
|
||||
assert(net!=NULL);
|
||||
net->setName(name);
|
||||
net->setAddress(InetAddr(a));
|
||||
net->setNetmask(InetNetmask(InetAddr(a)));
|
||||
net->setNetmask(InetAddr(InetAddr(a)));
|
||||
mw->moveObject(m_dialog->libs->currentText(), net);
|
||||
}
|
||||
}
|
||||
@ -2116,7 +2114,7 @@ void DiscoveryDruid::createRealObjects()
|
||||
|
||||
|
||||
ipv4->setAddress(InetAddr(a));
|
||||
ipv4->setNetmask(InetNetmask());
|
||||
ipv4->setNetmask(InetAddr());
|
||||
} else
|
||||
{
|
||||
map<int,Interface>::const_iterator i;
|
||||
@ -2164,7 +2162,7 @@ void DiscoveryDruid::createRealObjects()
|
||||
assert(net!=NULL);
|
||||
net->setName(name);
|
||||
net->setAddress(InetAddr(a));
|
||||
net->setNetmask(InetNetmask(InetAddr(a)));
|
||||
net->setNetmask(InetAddr(InetAddr(a)));
|
||||
mw->moveObject(m_dialog->libs->currentText(), net);
|
||||
}else if (type==IPv4::TYPENAME)
|
||||
{
|
||||
@ -2174,7 +2172,7 @@ void DiscoveryDruid::createRealObjects()
|
||||
assert(obj!=NULL);
|
||||
obj->setName(name);
|
||||
obj->setAddress(InetAddr(a));
|
||||
obj->setNetmask(InetNetmask(InetAddr::getAllOnes()));
|
||||
obj->setNetmask(InetAddr(InetAddr::getAllOnes()));
|
||||
mw->moveObject(m_dialog->libs->currentText(), obj);
|
||||
}
|
||||
}
|
||||
|
||||
@ -70,7 +70,7 @@ class ObjectDescriptor
|
||||
string MAC_addr ;
|
||||
libfwbuilder::HostEnt dns_info ;
|
||||
libfwbuilder::InetAddr addr ;
|
||||
libfwbuilder::InetNetmask netmask ;
|
||||
libfwbuilder::InetAddr netmask ;
|
||||
|
||||
|
||||
ObjectDescriptor();
|
||||
|
||||
@ -23,8 +23,6 @@
|
||||
|
||||
*/
|
||||
|
||||
#include "fwbuilder_ph.h"
|
||||
|
||||
#include "config.h"
|
||||
#include "global.h"
|
||||
#include "utils_no_qt.h"
|
||||
@ -88,13 +86,13 @@ QString FWObjectPropertiesFactory::getObjectProperties(FWObject *obj)
|
||||
QString res;
|
||||
QTextStream str(&res, QIODevice::WriteOnly);
|
||||
|
||||
try {
|
||||
|
||||
try
|
||||
{
|
||||
if (IPv4::isA(obj))
|
||||
{
|
||||
str << Address::cast(obj)->getAddress().toString().c_str();
|
||||
str << IPv4::cast(obj)->getAddress().toString().c_str();
|
||||
str << "/";
|
||||
str << Address::cast(obj)->getNetmask().toString().c_str();
|
||||
str << IPv4::cast(obj)->getNetmask().toString().c_str();
|
||||
|
||||
} else if (physAddress::isA(obj))
|
||||
{
|
||||
@ -163,12 +161,18 @@ QString FWObjectPropertiesFactory::getObjectProperties(FWObject *obj)
|
||||
|
||||
} else if (Interface::isA(obj))
|
||||
{
|
||||
physAddress *paddr=(Interface::cast(obj))->getPhysicalAddress();
|
||||
if (paddr!=NULL)
|
||||
Interface *intf = Interface::cast(obj);
|
||||
FWObjectTypedChildIterator j = obj->findByType(IPv4::TYPENAME);
|
||||
for ( ; j!=j.end(); ++j)
|
||||
{
|
||||
str << " ";
|
||||
str << paddr->getPhysAddress().c_str();
|
||||
IPv4 *intf = IPv4::cast(*j);
|
||||
str << getObjectProperties(*j);
|
||||
str << "<br>";
|
||||
}
|
||||
str << " MAC: ";
|
||||
physAddress *paddr = intf->getPhysicalAddress();
|
||||
if (paddr!=NULL)
|
||||
str << paddr->getPhysAddress().c_str();
|
||||
|
||||
} else if (IPService::isA(obj))
|
||||
{
|
||||
@ -257,14 +261,14 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
|
||||
if (accentName) str += "</font>";
|
||||
str += "<br>\n";
|
||||
|
||||
try {
|
||||
|
||||
try
|
||||
{
|
||||
if (IPv4::isA(obj))
|
||||
{
|
||||
if (showPath && !tooltip) str += "<b>Path: </b>" + path + "<br>\n";
|
||||
str += Address::cast(obj)->getAddress().toString().c_str();
|
||||
str += IPv4::cast(obj)->getAddress().toString().c_str();
|
||||
str += "/";
|
||||
str += Address::cast(obj)->getNetmask().toString().c_str();
|
||||
str += IPv4::cast(obj)->getNetmask().toString().c_str();
|
||||
|
||||
} else if (physAddress::isA(obj))
|
||||
{
|
||||
@ -297,16 +301,16 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
|
||||
{
|
||||
if (showPath && !tooltip) str += "<b>Path: </b>" + path + "<br>\n";
|
||||
|
||||
str += Address::cast(obj)->getAddress().toString().c_str() ;
|
||||
|
||||
FWObject *co=obj->getFirstByType("Interface");
|
||||
if (co!=NULL)
|
||||
FWObjectTypedChildIterator j = obj->findByType(
|
||||
Interface::TYPENAME);
|
||||
for ( ; j!=j.end(); ++j)
|
||||
{
|
||||
physAddress *paddr=(Interface::cast(co))->getPhysicalAddress();
|
||||
if (paddr!=NULL)
|
||||
str += QString(" ") + paddr->getPhysAddress().c_str() ;
|
||||
Interface *intf = Interface::cast(*j);
|
||||
str += (*j)->getName().c_str();
|
||||
str += ": ";
|
||||
str += getObjectProperties(*j);
|
||||
str += "<br>";
|
||||
}
|
||||
|
||||
} else if (Network::isA(obj))
|
||||
{
|
||||
if (showPath && !tooltip) str += "<b>Path: </b>" + path + "<br>\n";
|
||||
@ -385,6 +389,22 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
|
||||
} else if (Interface::isA(obj))
|
||||
{
|
||||
str += QObject::tr("<b>Path:</b> ")+ path +"<br>\n";
|
||||
|
||||
FWObjectTypedChildIterator j = obj->findByType(IPv4::TYPENAME);
|
||||
for ( ; j!=j.end(); ++j)
|
||||
{
|
||||
IPv4 *intf = IPv4::cast(*j);
|
||||
str += getObjectProperties(*j);
|
||||
str += "<br>";
|
||||
}
|
||||
physAddress *paddr=(Interface::cast(obj))->getPhysicalAddress();
|
||||
if (paddr!=NULL)
|
||||
{
|
||||
str += "MAC: ";
|
||||
str += paddr->getPhysAddress().c_str() ;
|
||||
str += "<br>";
|
||||
}
|
||||
|
||||
QString q;
|
||||
if (Interface::constcast(obj)->isDyn()) q=" dyn";
|
||||
if (Interface::constcast(obj)->isUnnumbered()) q=" unnum";
|
||||
@ -407,14 +427,6 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
|
||||
str += "<br>\n";
|
||||
if (showPath && !tooltip) str += "<b>Path: </b>" + path + "<br>\n";
|
||||
|
||||
physAddress *paddr=(Interface::cast(obj))->getPhysicalAddress();
|
||||
if (paddr!=NULL)
|
||||
{
|
||||
str += " ";
|
||||
str += paddr->getPhysAddress().c_str() ;
|
||||
}
|
||||
|
||||
|
||||
} else if (CustomService::isA(obj))
|
||||
{
|
||||
|
||||
|
||||
@ -169,7 +169,7 @@ void IPv4Dialog::validate(bool *res)
|
||||
{
|
||||
try
|
||||
{
|
||||
InetNetmask( m_dialog->netmask->text().toLatin1().constData() );
|
||||
InetAddr( m_dialog->netmask->text().toLatin1().constData() );
|
||||
} catch (FWException &ex)
|
||||
{
|
||||
*res=false;
|
||||
@ -212,10 +212,10 @@ void IPv4Dialog::applyChanges()
|
||||
try
|
||||
{
|
||||
s->setNetmask(
|
||||
InetNetmask(m_dialog->netmask->text().toLatin1().constData()) );
|
||||
InetAddr(m_dialog->netmask->text().toLatin1().constData()) );
|
||||
} catch (FWException &ex) { }
|
||||
} else
|
||||
s->setNetmask(InetNetmask());
|
||||
s->setNetmask(InetAddr());
|
||||
|
||||
mw->updateObjName(obj,QString::fromUtf8(oldname.c_str()));
|
||||
|
||||
|
||||
@ -247,7 +247,7 @@ void Importer::addInterfaceAddress(const std::string &a,
|
||||
aname);
|
||||
current_interface->setUnnumbered(false);
|
||||
IPv4::cast(nobj)->setAddress( InetAddr(a) );
|
||||
IPv4::cast(nobj)->setNetmask( InetNetmask(nm) );
|
||||
IPv4::cast(nobj)->setNetmask( InetAddr(nm) );
|
||||
|
||||
*logger << "Interface address: " << a << "/" << nm << "\n";
|
||||
}
|
||||
@ -826,7 +826,7 @@ FWObject* Importer::createAddress(const std::string &addr,
|
||||
std::string name = std::string("h-") + addr;
|
||||
a = Address::cast(createObject(IPv4::TYPENAME, name));
|
||||
a->setAddress(InetAddr(addr));
|
||||
a->setNetmask(InetNetmask(InetAddr::getAllOnes()));
|
||||
a->setNetmask(InetAddr(InetAddr::getAllOnes()));
|
||||
a->setComment(comment);
|
||||
all_objects[sig] = a;
|
||||
*logger << "Address object: " << name << "\n";
|
||||
@ -847,7 +847,7 @@ FWObject* Importer::createAddress(const std::string &addr,
|
||||
|
||||
try
|
||||
{
|
||||
net->setNetmask( InetNetmask(netmask) );
|
||||
net->setNetmask( InetAddr(netmask) );
|
||||
} catch (FWException &ex)
|
||||
{
|
||||
if (netmask.find('.')!=std::string::npos)
|
||||
@ -866,7 +866,7 @@ FWObject* Importer::createAddress(const std::string &addr,
|
||||
try
|
||||
{
|
||||
str >> nm_len;
|
||||
net->setNetmask( InetNetmask(nm_len) );
|
||||
net->setNetmask( InetAddr(nm_len) );
|
||||
} catch (std::exception& e)
|
||||
{
|
||||
// could not convert netmask as simple integer
|
||||
|
||||
@ -62,9 +62,9 @@ void InterfaceData::guessLabel(const string &platform)
|
||||
|
||||
void InterfaceData::guessSecurityLevel(const string &platform)
|
||||
{
|
||||
InetAddrMask n10(InetAddr("10.0.0.0"), InetNetmask("255.0.0.0"));
|
||||
InetAddrMask n172(InetAddr("172.16.0.0"), InetNetmask("255.240.0.0"));
|
||||
InetAddrMask n192(InetAddr("192.168.0.0"), InetNetmask("255.255.0.0"));
|
||||
InetAddrMask n10(InetAddr("10.0.0.0"), InetAddr("255.0.0.0"));
|
||||
InetAddrMask n172(InetAddr("172.16.0.0"), InetAddr("255.240.0.0"));
|
||||
InetAddrMask n192(InetAddr("192.168.0.0"), InetAddr("255.255.0.0"));
|
||||
|
||||
securityLevel=-1;
|
||||
|
||||
|
||||
@ -125,7 +125,7 @@ void NetworkDialog::validate(bool *res)
|
||||
}
|
||||
try
|
||||
{
|
||||
InetNetmask( m_dialog->netmask->text().toLatin1().constData() );
|
||||
InetAddr( m_dialog->netmask->text().toLatin1().constData() );
|
||||
} catch (FWException &ex)
|
||||
{
|
||||
*res=false;
|
||||
@ -159,7 +159,7 @@ void NetworkDialog::applyChanges()
|
||||
s->setAddress(
|
||||
InetAddr(m_dialog->address->text().toLatin1().constData()) );
|
||||
s->setNetmask(
|
||||
InetNetmask(m_dialog->netmask->text().toLatin1().constData()) );
|
||||
InetAddr(m_dialog->netmask->text().toLatin1().constData()) );
|
||||
} catch (FWException &ex)
|
||||
{
|
||||
/* exception thrown if user types illegal m_dialog->address or m_dialog->netmask */
|
||||
|
||||
@ -595,7 +595,7 @@ void newFirewallDialog::addInterface()
|
||||
try
|
||||
{
|
||||
InetAddr(addr.toLatin1().constData());
|
||||
InetNetmask(netm.toLatin1().constData());
|
||||
InetAddr(netm.toLatin1().constData());
|
||||
}
|
||||
catch (FWException &ex)
|
||||
{
|
||||
@ -812,7 +812,7 @@ void newFirewallDialog::finishClicked()
|
||||
QString addrname=QString("%1:%2:ip").arg(m_dialog->obj_name->text()).arg(name);
|
||||
IPv4 *oa = IPv4::cast(mw->createObject(oi, IPv4::TYPENAME,addrname));
|
||||
oa->setAddress( InetAddr(addr.toLatin1().constData()) );
|
||||
oa->setNetmask( InetNetmask(netmask.toLatin1().constData()) );
|
||||
oa->setNetmask( InetAddr(netmask.toLatin1().constData()) );
|
||||
}
|
||||
// updateObjName has a side effect: it causes redraw of the ruleset
|
||||
// views in the main window
|
||||
|
||||
@ -503,7 +503,7 @@ void newHostDialog::addInterface()
|
||||
try
|
||||
{
|
||||
InetAddr(addr.toLatin1().constData());
|
||||
InetNetmask(netm.toLatin1().constData());
|
||||
InetAddr(netm.toLatin1().constData());
|
||||
}
|
||||
catch (FWException &ex)
|
||||
{
|
||||
@ -632,7 +632,7 @@ void newHostDialog::finishClicked()
|
||||
mw->createObject(oi, IPv4::TYPENAME,addrname)
|
||||
);
|
||||
oa->setAddress( InetAddr(addr.toLatin1().constData()) );
|
||||
oa->setNetmask( InetNetmask(netmask.toLatin1().constData()) );
|
||||
oa->setNetmask( InetAddr(netmask.toLatin1().constData()) );
|
||||
}
|
||||
|
||||
mw->updateObjName(oi,"","",false);
|
||||
|
||||
@ -109,14 +109,14 @@ int PolicyCompiler_iosacl::prolog()
|
||||
{
|
||||
if (netmask.find(".")!=string::npos)
|
||||
{
|
||||
InetNetmask nm(netmask);
|
||||
InetAddr nm(netmask);
|
||||
nm.getLength(); // to avoid warning abt unused var
|
||||
} else
|
||||
{
|
||||
int nm_length;
|
||||
istringstream str(netmask);
|
||||
str >> nm_length;
|
||||
InetNetmask nm(nm_length);
|
||||
InetAddr nm(nm_length);
|
||||
netmask = nm.toString();
|
||||
}
|
||||
} catch(FWException &ex)
|
||||
@ -143,10 +143,10 @@ int PolicyCompiler_iosacl::prolog()
|
||||
|
||||
// cisco uses "wildcards" instead of netmasks
|
||||
|
||||
//long nm = InetNetmask(netmask).to32BitInt();
|
||||
//long nm = InetAddr(netmask).to32BitInt();
|
||||
//struct in_addr na;
|
||||
//na.s_addr = ~nm;
|
||||
InetAddr nnm( ~(InetNetmask(netmask)) );
|
||||
InetAddr nnm( ~(InetAddr(netmask)) );
|
||||
|
||||
output << clearACLcmd << " " << temp_acl << endl;
|
||||
output << "ip access-list extended " << temp_acl << endl;
|
||||
|
||||
@ -372,7 +372,7 @@ string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o)
|
||||
ostringstream str;
|
||||
|
||||
InetAddr srcaddr=o->getAddress();
|
||||
InetNetmask srcmask=o->getNetmask();
|
||||
InetAddr srcmask=o->getNetmask();
|
||||
|
||||
if (Interface::cast(o)!=NULL)
|
||||
{
|
||||
@ -382,11 +382,11 @@ string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o)
|
||||
return string("interface ") + interface_->getLabel() + " ";
|
||||
}
|
||||
|
||||
srcmask=InetNetmask(InetAddr::getAllOnes());
|
||||
srcmask=InetAddr(InetAddr::getAllOnes());
|
||||
}
|
||||
|
||||
if (IPv4::cast(o)!=NULL)
|
||||
srcmask=InetNetmask(InetAddr::getAllOnes());
|
||||
srcmask=InetAddr(InetAddr::getAllOnes());
|
||||
|
||||
|
||||
if (srcaddr.isAny() && srcmask.isAny())
|
||||
|
||||
@ -461,15 +461,10 @@ string NATCompiler_ipt::PrintRule::_printAddr(Address *o,bool print_mask,bool p
|
||||
} else
|
||||
{
|
||||
const InetAddr& addr = o->getAddress();
|
||||
const InetNetmask& mask=o->getNetmask();
|
||||
const InetAddr& mask = o->getNetmask();
|
||||
|
||||
if (addr == InetAddr::getAny() && mask == InetAddr::getAny())
|
||||
{
|
||||
ostr << "0/0";
|
||||
} else
|
||||
{
|
||||
Interface *iface;
|
||||
if ( (iface=Interface::cast(o))!=NULL )
|
||||
Interface *iface = Interface::cast(o);
|
||||
if (iface!=NULL)
|
||||
{
|
||||
if (iface->isDyn() && iface->getBool("use_var_address"))
|
||||
{
|
||||
@ -480,10 +475,15 @@ string NATCompiler_ipt::PrintRule::_printAddr(Address *o,bool print_mask,bool p
|
||||
return ostr.str();
|
||||
}
|
||||
|
||||
if (addr == InetAddr::getAny() && mask == InetAddr::getAny())
|
||||
{
|
||||
ostr << "0/0";
|
||||
} else
|
||||
{
|
||||
ostr << addr.toString();
|
||||
|
||||
if (print_mask &&
|
||||
dynamic_cast<InetAddrMask*>(o)->dimension()!=1 &&
|
||||
Address::cast(o)->dimension()!=1 &&
|
||||
!mask.isHostMask())
|
||||
{
|
||||
ostr << "/" << mask.getLength();
|
||||
|
||||
@ -189,7 +189,7 @@ void NATCompiler_ipt::_expandInterface(Interface *iface,
|
||||
{
|
||||
if (physAddress::cast(*j)!=NULL) continue;
|
||||
|
||||
InetAddrMask *ipv4 = dynamic_cast<InetAddrMask*>(*j);
|
||||
const InetAddrMask *ipv4 = Address::cast(*j)->getAddressObjectInetAddrMask();
|
||||
if (ipv4!=NULL && use_mac && pa!=NULL)
|
||||
{
|
||||
combinedAddress *ca=new combinedAddress(dbcopy,true);
|
||||
@ -234,7 +234,7 @@ bool NATCompiler_ipt::ConvertLoadBalancingRules::processNext()
|
||||
FWObject *obj = NULL;
|
||||
if (FWReference::cast(o)!=NULL)
|
||||
obj=FWReference::cast(o)->getPointer();
|
||||
InetAddrMask *a = dynamic_cast<InetAddrMask*>(obj);
|
||||
const InetAddrMask *a = Address::cast(obj)->getAddressObjectInetAddrMask();
|
||||
al.push_back( a->getAddressPtr() );
|
||||
}
|
||||
|
||||
|
||||
@ -261,7 +261,8 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr)
|
||||
Interface *iface = Interface::cast(vaddr->getParent());
|
||||
assert(iface!=NULL);
|
||||
|
||||
InetAddrMask *vaddr_addr = dynamic_cast<InetAddrMask*>(vaddr);
|
||||
const InetAddrMask *vaddr_addr = Address::cast(
|
||||
vaddr)->getAddressObjectInetAddrMask();
|
||||
assert(vaddr_addr!=NULL);
|
||||
|
||||
ostr << "add_addr " << addr->getAddress().toString() << " "
|
||||
@ -361,7 +362,7 @@ void OSConfigurator_linux24::configureInterfaces()
|
||||
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
|
||||
for ( ; j!=j.end(); ++j )
|
||||
{
|
||||
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
|
||||
const InetAddrMask *iaddr = Address::cast(*j)->getAddressObjectInetAddrMask();
|
||||
|
||||
output << "add_addr " << iaddr->getAddress().toString() << " "
|
||||
<< iaddr->getNetmask().getLength() << " "
|
||||
|
||||
@ -907,7 +907,7 @@ string PolicyCompiler_ipt::PrintRule::_printAddr(Address *o)
|
||||
}
|
||||
|
||||
const InetAddr& addr = o->getAddress();
|
||||
const InetNetmask& mask = o->getNetmask();
|
||||
const InetAddr& mask = o->getNetmask();
|
||||
|
||||
if (addr.isAny() && mask.isAny())
|
||||
{
|
||||
@ -917,7 +917,7 @@ string PolicyCompiler_ipt::PrintRule::_printAddr(Address *o)
|
||||
ostr << addr.toString();
|
||||
|
||||
if (Interface::cast(o)==NULL &&
|
||||
dynamic_cast<InetAddrMask*>(o)->dimension() > 1 &&
|
||||
Address::cast(o)->dimension() > 1 &&
|
||||
!mask.isHostMask())
|
||||
{
|
||||
ostr << "/" << mask.getLength();
|
||||
@ -1107,27 +1107,52 @@ string PolicyCompiler_ipt::PrintRule::PolicyRuleToString(PolicyRule *rule)
|
||||
command_line << _printMultiport(rule);
|
||||
|
||||
if (!src->isAny())
|
||||
{
|
||||
if (physAddress::isA(src) || combinedAddress::isA(src))
|
||||
{
|
||||
string physaddress = "";
|
||||
|
||||
if (physAddress::isA(src))
|
||||
{
|
||||
physaddress = physAddress::cast(src)->getPhysAddress();
|
||||
if (physaddress.empty())
|
||||
{
|
||||
compiler->warning("Empty MAC address in rule " +
|
||||
rule->getLabel());
|
||||
physaddress = "00:00:00:00:00:00";
|
||||
}
|
||||
}
|
||||
|
||||
if (combinedAddress::isA(src))
|
||||
physaddress = combinedAddress::cast(src)->getPhysAddress();
|
||||
|
||||
/* physAddress component of combinedAddress can be empty. For example
|
||||
* this happens when an object with both IP and MAC addresses is found
|
||||
* in "source" and rule is determined to go into OUTPUT chain. On the
|
||||
* other hand, if physAddress object has no MAC address, it is always
|
||||
* an error.
|
||||
*/
|
||||
if (!physaddress.empty())
|
||||
{
|
||||
command_line << " -m mac --mac-source " << _printSingleObjectNegation(srcrel);
|
||||
command_line << " -m mac --mac-source "
|
||||
<< _printSingleObjectNegation(srcrel);
|
||||
command_line << physaddress;
|
||||
}
|
||||
|
||||
/*
|
||||
* fool-proof: this is last resort check for situation when user created IPv4 object
|
||||
* for the interface but left it with empty address ( 0.0.0.0 ).
|
||||
* fool-proof: this is last resort check for situation when user
|
||||
* created IPv4 object for the interface but left it with empty
|
||||
* address ( 0.0.0.0 ).
|
||||
*
|
||||
* note that combinedAddress inherits IPv4 and therefore
|
||||
* combinedAddress::hasInetAddress returns true;
|
||||
*
|
||||
*/
|
||||
if ( ! physaddress.empty() && src->getAddress()==InetAddr())
|
||||
if (src->hasInetAddress() && !src->getAddress().isAny())
|
||||
{
|
||||
;
|
||||
command_line << " -s " << _printSingleObjectNegation(srcrel);
|
||||
command_line << _printAddr(src);
|
||||
}
|
||||
} else
|
||||
{
|
||||
command_line << " -s " << _printSingleObjectNegation(srcrel);
|
||||
|
||||
@ -229,7 +229,7 @@ void PolicyCompiler_ipt::_expandInterface(Interface *iface,
|
||||
std::list<FWObject*>::iterator j=lipaddr.begin();
|
||||
for ( ; j!=lipaddr.end(); j++)
|
||||
{
|
||||
InetAddrMask *ipv4 = dynamic_cast<InetAddrMask*>(*j);
|
||||
const InetAddrMask *ipv4 = Address::cast(*j)->getAddressObjectInetAddrMask();
|
||||
if (use_mac)
|
||||
{
|
||||
combinedAddress *ca = new combinedAddress();
|
||||
@ -239,6 +239,7 @@ void PolicyCompiler_ipt::_expandInterface(Interface *iface,
|
||||
ca->setAddress( ipv4->getAddress() );
|
||||
ca->setNetmask( ipv4->getNetmask() );
|
||||
ca->setPhysAddress( pa->getPhysAddress() );
|
||||
|
||||
ol.push_back(ca);
|
||||
} else
|
||||
ol.push_back(*j);
|
||||
@ -338,7 +339,7 @@ int PolicyCompiler_ipt::prolog()
|
||||
bcast255->setId(BCAST_255_OBJ_ID);
|
||||
bcast255->setName("Broadcast_addr");
|
||||
bcast255->setAddress(InetAddr::getAllOnes());
|
||||
bcast255->setNetmask(InetNetmask(InetAddr::getAllOnes()));
|
||||
bcast255->setNetmask(InetAddr(InetAddr::getAllOnes()));
|
||||
dbcopy->add(bcast255);
|
||||
cacheObj(bcast255);
|
||||
|
||||
@ -1722,7 +1723,7 @@ bool PolicyCompiler_ipt::bridgingFw::checkForMatchingBroadcastAndMulticast(
|
||||
FWObjectTypedChildIterator k = iface->findByType(IPv4::TYPENAME);
|
||||
for ( ; k!=k.end(); ++k )
|
||||
{
|
||||
InetAddrMask *ipv4 = dynamic_cast<InetAddrMask*>(*k);
|
||||
const InetAddrMask *ipv4 = Address::cast(*k)->getAddressObjectInetAddrMask();
|
||||
|
||||
/*
|
||||
* bug #780345: if interface has netmask 255.255.255.255, its own
|
||||
@ -2999,11 +3000,17 @@ bool PolicyCompiler_ipt::checkMACinOUTPUTChain::processNext()
|
||||
Address *src =compiler->getFirstSrc(rule); assert(src);
|
||||
|
||||
if (physAddress::isA(src))
|
||||
compiler->abort(_("Can not match on MAC address of the firewall in rule ")+rule->getLabel());
|
||||
compiler->abort("Can not match on MAC address of the firewall "
|
||||
"in rule " + rule->getLabel());
|
||||
|
||||
if (combinedAddress::isA(src))
|
||||
{
|
||||
compiler->warning("Can not match on MAC address of the firewall "
|
||||
"(chain OUTPUT) "
|
||||
"in rule " + rule->getLabel());
|
||||
combinedAddress::cast(src)->setPhysAddress("");
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -79,7 +79,7 @@ string RoutingCompiler_ipt::PrintRule::_printAddr(Address *o)
|
||||
}
|
||||
|
||||
InetAddr addr;
|
||||
InetNetmask mask;
|
||||
InetAddr mask;
|
||||
try {
|
||||
addr=o->getAddress();
|
||||
mask = o->getNetmask();
|
||||
@ -111,7 +111,7 @@ string RoutingCompiler_ipt::PrintRule::_printAddr(Address *o)
|
||||
ostr << addr.toString();
|
||||
|
||||
if (Interface::cast(o)==NULL &&
|
||||
dynamic_cast<InetAddrMask*>(o)->dimension() > 1 &&
|
||||
Address::cast(o)->dimension() > 1 &&
|
||||
!mask.isHostMask())
|
||||
{
|
||||
ostr << "/" << mask.getLength();
|
||||
|
||||
@ -23,6 +23,9 @@
|
||||
|
||||
*/
|
||||
|
||||
#include <assert.h>
|
||||
#include <iostream>
|
||||
|
||||
#include <fwbuilder/libfwbuilder-config.h>
|
||||
|
||||
#include <combinedAddress.h>
|
||||
@ -54,3 +57,10 @@ bool combinedAddress::isAny() const
|
||||
return (IPv4::isAny() && physAddress=="");
|
||||
}
|
||||
|
||||
FWObject& combinedAddress::shallowDuplicate(const FWObject *other,
|
||||
bool preserve_id) throw(FWException)
|
||||
{
|
||||
physAddress = dynamic_cast<const combinedAddress*>(other)->physAddress;
|
||||
return IPv4::shallowDuplicate(other, preserve_id);
|
||||
}
|
||||
|
||||
|
||||
@ -48,6 +48,10 @@ class combinedAddress : public IPv4
|
||||
combinedAddress(const FWObject *root,bool prepopulate);
|
||||
virtual ~combinedAddress();
|
||||
|
||||
virtual FWObject& shallowDuplicate(const FWObject *obj,
|
||||
bool preserve_id = true)
|
||||
throw(FWException);
|
||||
|
||||
std::string getPhysAddress() const;
|
||||
void setPhysAddress(const std::string &s);
|
||||
|
||||
|
||||
@ -360,7 +360,7 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
|
||||
|
||||
for (list<FWObject*>::iterator j=la.begin(); j!=la.end(); ++j)
|
||||
{
|
||||
InetAddrMask *ipv4 = dynamic_cast<InetAddrMask*>(*j);
|
||||
const InetAddrMask *ipv4 = IPv4::cast(*j)->getAddressObjectInetAddrMask();
|
||||
|
||||
if ( ipv4->getAddress().isAny())
|
||||
{
|
||||
|
||||
@ -313,20 +313,26 @@ int main(int argc, char * const *argv)
|
||||
if (l3.size()>0)
|
||||
{
|
||||
char errstr[256];
|
||||
for (list<FWObject*>::iterator j=l3.begin(); j!=l3.end(); ++j)
|
||||
for (list<FWObject*>::iterator j=l3.begin();
|
||||
j!=l3.end(); ++j)
|
||||
{
|
||||
if ( objdb->findAllReferences(*j).size()!=0 )
|
||||
{
|
||||
sprintf(errstr,
|
||||
_("Dynamic interface %s has an IP address that is used in the firewall policy rule.\n"),
|
||||
"Dynamic interface %s has an IP address that"
|
||||
"is used in the firewall policy rule.\n",
|
||||
iface->getName().c_str() );
|
||||
throw FWException(errstr);
|
||||
}
|
||||
|
||||
}
|
||||
sprintf(errstr,
|
||||
_("Dynamic interface %s should not have an IP address object attached to it. This IP address object will be ignored.\n"),
|
||||
"Dynamic interface %s should not have an IP address"
|
||||
" object attached to it. This IP address object "
|
||||
"will be ignored.\n",
|
||||
iface->getName().c_str() );
|
||||
cerr << errstr;
|
||||
for (list<FWObject*>::iterator j=l3.begin(); j!=l3.end(); ++j)
|
||||
for (list<FWObject*>::iterator j=l3.begin();
|
||||
j!=l3.end(); ++j)
|
||||
iface->remove(*j);
|
||||
}
|
||||
} else
|
||||
@ -357,9 +363,6 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
FWOptions* options = fw->getOptionsObject();
|
||||
string s;
|
||||
|
||||
@ -385,19 +388,24 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
|
||||
* Process firewall options, build OS network configuration script
|
||||
*/
|
||||
OSConfigurator *oscnf=NULL;
|
||||
string family=Resources::os_res[fw->getStr("host_OS")]->Resources::getResourceStr("/FWBuilderResources/Target/family");
|
||||
string family = Resources::os_res[fw->getStr("host_OS")
|
||||
]->Resources::getResourceStr("/FWBuilderResources/Target/family");
|
||||
|
||||
if (family=="solaris")
|
||||
oscnf=new OSConfigurator_solaris(objdb , fwobjectname);
|
||||
|
||||
if (family=="openbsd")
|
||||
{
|
||||
cerr << "Calling OSConfigurator_openbsd" << endl;
|
||||
oscnf=new OSConfigurator_openbsd(objdb , fwobjectname);
|
||||
}
|
||||
|
||||
if (family=="freebsd")
|
||||
oscnf=new OSConfigurator_freebsd(objdb , fwobjectname);
|
||||
|
||||
if (oscnf==NULL)
|
||||
throw FWException(_("Unrecognized host OS ")+fw->getStr("host_OS")+" (family "+family+")");
|
||||
throw FWException(_("Unrecognized host OS ") +
|
||||
fw->getStr("host_OS")+" (family "+family+")");
|
||||
|
||||
oscnf->prolog();
|
||||
|
||||
|
||||
@ -38,6 +38,7 @@
|
||||
#include "fwbuilder/Interface.h"
|
||||
#include "fwbuilder/IPv4.h"
|
||||
#include "fwbuilder/Firewall.h"
|
||||
#include "fwbuilder/DNSName.h"
|
||||
|
||||
|
||||
#include <iostream>
|
||||
@ -73,8 +74,24 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address *o, bool print_netmask)
|
||||
{
|
||||
FWOptions* options=compiler->fw->getOptionsObject();
|
||||
|
||||
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
|
||||
if (atrt!=NULL)
|
||||
{
|
||||
if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME)
|
||||
{
|
||||
compiler->output << atrt->getSourceName() << " ";
|
||||
return;
|
||||
}
|
||||
// at this time we only support two types of MultiAddress
|
||||
// objects: AddressTable and DNSName. Both should be converted
|
||||
// to MultiAddressRunTime at this point. If we get some other
|
||||
// kind of MultiAddressRunTime object, we do not know what to do
|
||||
// with it so we stop.
|
||||
assert(atrt==NULL);
|
||||
}
|
||||
|
||||
InetAddr addr=o->getAddress();
|
||||
InetNetmask mask=o->getNetmask();
|
||||
InetAddr mask=o->getNetmask();
|
||||
|
||||
if (Interface::cast(o)!=NULL && Interface::cast(o)->isDyn())
|
||||
{
|
||||
@ -87,10 +104,10 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address *o, bool print_netmask)
|
||||
}
|
||||
|
||||
if (Interface::cast(o)!=NULL && ! Interface::cast(o)->isDyn())
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
|
||||
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
if (o->dimension()==1)
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
|
||||
if (addr.isAny() && mask.isAny())
|
||||
{
|
||||
@ -109,13 +126,13 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address *o, bool print_netmask)
|
||||
void NATCompiler_ipf::PrintRule::_printAddr_R(Address *o, bool print_netmask)
|
||||
{
|
||||
InetAddr addr = o->getAddress();
|
||||
InetNetmask mask = o->getNetmask();
|
||||
InetAddr mask = o->getNetmask();
|
||||
|
||||
if (Interface::cast(o) != NULL)
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
|
||||
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
if (o->dimension()==1)
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
|
||||
if (addr.isAny() && print_netmask && mask.isHostMask())
|
||||
{
|
||||
|
||||
@ -97,8 +97,7 @@ int NATCompiler_pf::prolog()
|
||||
loopback_address->setName("__loopback_address__");
|
||||
loopback_address->setId("__loopback_address_id__");
|
||||
|
||||
dynamic_cast<InetAddrMask*>(loopback_address)->setAddress(
|
||||
InetAddr::getLoopbackAddr());
|
||||
IPv4::cast(loopback_address)->setAddress(InetAddr::getLoopbackAddr());
|
||||
|
||||
dbcopy->add(loopback_address,false);
|
||||
cacheObj(loopback_address);
|
||||
@ -390,8 +389,8 @@ bool NATCompiler_pf::addVirtualAddress::processNext()
|
||||
else return true;
|
||||
assert(a!=NULL);
|
||||
|
||||
if ( ! a->isAny() && a->getId()!=compiler->getFwId() ) {
|
||||
|
||||
if ( ! a->isAny() && a->getId()!=compiler->getFwId() )
|
||||
{
|
||||
list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
|
||||
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
|
||||
{
|
||||
@ -973,11 +972,11 @@ void NATCompiler_pf::compile()
|
||||
"replace references to the firewall in TSrc" ) );
|
||||
add( new ReplaceObjectsTDst( "replace objects in TDst" ) );
|
||||
|
||||
if ( manage_virtual_addr ) {
|
||||
add( new addVirtualAddress("add virtual addresses for NAT rules"));
|
||||
}
|
||||
|
||||
add( new ExpandMultipleAddresses( "expand multiple addresses" ) );
|
||||
|
||||
if ( manage_virtual_addr )
|
||||
add( new addVirtualAddress("add virtual addresses for NAT rules"));
|
||||
|
||||
add( new checkForUnnumbered("check for unnumbered interfaces" ) );
|
||||
add( new checkForDynamicInterfacesOfOtherObjects(
|
||||
"check for dynamic interfaces of other hosts and firewalls"));
|
||||
|
||||
@ -326,7 +326,7 @@ void NATCompiler_pf::PrintRule::_printAddr(FWObject *o)
|
||||
|
||||
Address *a = Address::cast(o);
|
||||
InetAddr addr=a->getAddress();
|
||||
InetNetmask mask=a->getNetmask();
|
||||
InetAddr mask=a->getNetmask();
|
||||
|
||||
if (Interface::cast(o)!=NULL)
|
||||
{
|
||||
@ -337,12 +337,12 @@ void NATCompiler_pf::PrintRule::_printAddr(FWObject *o)
|
||||
return;
|
||||
}
|
||||
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
}
|
||||
|
||||
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
|
||||
if (Address::cast(o)->dimension()==1)
|
||||
{
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
}
|
||||
|
||||
if (addr.isAny() && mask.isAny())
|
||||
|
||||
@ -90,7 +90,7 @@ void OSConfigurator_freebsd::addVirtualAddressForNAT(const Address *addr)
|
||||
FWObject *iaddr = findAddressFor(addr, fw );
|
||||
if (iaddr!=NULL)
|
||||
{
|
||||
InetAddrMask *iaddr_addr = dynamic_cast<InetAddrMask*>(iaddr);
|
||||
Address *iaddr_addr = Address::cast(iaddr);
|
||||
assert(iaddr_addr!=NULL);
|
||||
Interface *iface = Interface::cast(iaddr->getParent());
|
||||
assert(iface!=NULL);
|
||||
@ -241,7 +241,7 @@ void OSConfigurator_freebsd::configureInterfaces()
|
||||
FWObjectTypedChildIterator j = iface->findByType(IPv4::TYPENAME);
|
||||
for ( ; j!=j.end(); ++j )
|
||||
{
|
||||
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
|
||||
Address *iaddr = Address::cast(*j);
|
||||
output << "add_addr " << iaddr->getAddress().toString() << " "
|
||||
<< iaddr->getNetmask().toString() << " "
|
||||
<< iface->getName() << endl;
|
||||
|
||||
@ -84,7 +84,7 @@ void OSConfigurator_macosx::addVirtualAddressForNAT(const Address *addr)
|
||||
FWObject *iaddr = findAddressFor(addr, fw );
|
||||
if (iaddr!=NULL)
|
||||
{
|
||||
InetAddrMask *iaddr_addr = dynamic_cast<InetAddrMask*>(iaddr);
|
||||
Address *iaddr_addr = Address::cast(iaddr);
|
||||
assert(iaddr_addr!=NULL);
|
||||
Interface *iface = Interface::cast(iaddr->getParent());
|
||||
assert(iface!=NULL);
|
||||
@ -176,7 +176,7 @@ void OSConfigurator_macosx::configureInterfaces()
|
||||
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
|
||||
for ( ; j!=j.end(); ++j )
|
||||
{
|
||||
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
|
||||
Address *iaddr = Address::cast(*j);
|
||||
output << "add_addr " << iaddr->getAddress().toString() << " "
|
||||
<< iaddr->getNetmask().toString() << " "
|
||||
<< iface->getName() << endl;
|
||||
|
||||
@ -87,12 +87,14 @@ void OSConfigurator_openbsd::addVirtualAddressForNAT(const Network *nw)
|
||||
void OSConfigurator_openbsd::addVirtualAddressForNAT(const Address *addr)
|
||||
{
|
||||
if (virtual_addresses.empty() ||
|
||||
find(virtual_addresses.begin(),virtual_addresses.end(),addr->getAddress())==virtual_addresses.end())
|
||||
find(virtual_addresses.begin(),
|
||||
virtual_addresses.end(),
|
||||
addr->getAddress()) == virtual_addresses.end())
|
||||
{
|
||||
FWObject *iaddr = findAddressFor(addr, fw );
|
||||
if (iaddr!=NULL)
|
||||
{
|
||||
InetAddrMask *iaddr_addr = dynamic_cast<InetAddrMask*>(iaddr);
|
||||
Address *iaddr_addr = Address::cast(iaddr);
|
||||
assert(iaddr_addr!=NULL);
|
||||
Interface *iface = Interface::cast(iaddr->getParent());
|
||||
assert(iface!=NULL);
|
||||
@ -103,7 +105,8 @@ void OSConfigurator_openbsd::addVirtualAddressForNAT(const Address *addr)
|
||||
|
||||
virtual_addresses.push_back(addr->getAddress());
|
||||
} else
|
||||
warning(_("Can not add virtual address ") + addr->getAddress().toString() );
|
||||
warning(_("Can not add virtual address ") +
|
||||
addr->getAddress().toString() );
|
||||
}
|
||||
}
|
||||
|
||||
@ -119,7 +122,7 @@ void OSConfigurator_openbsd::addVirtualAddressForNAT(const Address *addr)
|
||||
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
|
||||
for ( ; j!=j.end(); ++j )
|
||||
{
|
||||
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
|
||||
Address *iaddr = Address::cast(*j);
|
||||
if ( ipv4->belongs( addr->getAddress() ) )
|
||||
{
|
||||
output << "ifconfig "
|
||||
@ -213,7 +216,7 @@ void OSConfigurator_openbsd::configureInterfaces()
|
||||
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
|
||||
for ( ; j!=j.end(); ++j )
|
||||
{
|
||||
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
|
||||
Address *iaddr = Address::cast(*j);
|
||||
output << "add_addr " << iaddr->getAddress().toString() << " "
|
||||
<< iaddr->getNetmask().toString() << " "
|
||||
<< iface->getName() << endl;
|
||||
|
||||
@ -101,7 +101,7 @@ void OSConfigurator_solaris::addVirtualAddressForNAT(const Address *addr)
|
||||
FWObject *iaddr = findAddressFor(addr, fw );
|
||||
if (iaddr!=NULL)
|
||||
{
|
||||
InetAddrMask *iaddr_addr = dynamic_cast<InetAddrMask*>(iaddr);
|
||||
Address *iaddr_addr = Address::cast(iaddr);
|
||||
assert(iaddr_addr!=NULL);
|
||||
Interface *iface=Interface::cast(iaddr->getParent());
|
||||
assert(iface!=NULL);
|
||||
@ -192,7 +192,7 @@ void OSConfigurator_solaris::configureInterfaces()
|
||||
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
|
||||
for ( ; j!=j.end(); ++j )
|
||||
{
|
||||
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
|
||||
Address *iaddr = Address::cast(*j);
|
||||
output << "add_addr " << iaddr->getAddress().toString() << " "
|
||||
<< iaddr->getNetmask().toString() << " "
|
||||
<< iface->getName() << endl;
|
||||
|
||||
@ -268,7 +268,7 @@ void PolicyCompiler_ipf::PrintRule::_printAddr(Address *o,bool neg)
|
||||
}
|
||||
|
||||
InetAddr addr=o->getAddress();
|
||||
InetNetmask mask=o->getNetmask();
|
||||
InetAddr mask=o->getNetmask();
|
||||
|
||||
if (options->getBool("dynAddr") &&
|
||||
Interface::cast(o)!=NULL && Interface::cast(o)->isDyn())
|
||||
@ -279,12 +279,12 @@ void PolicyCompiler_ipf::PrintRule::_printAddr(Address *o,bool neg)
|
||||
}
|
||||
|
||||
if (Interface::cast(o)!=NULL) {
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
}
|
||||
|
||||
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
|
||||
if (o->dimension()==1)
|
||||
{
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
}
|
||||
|
||||
if (addr.isAny() && mask.isAny())
|
||||
|
||||
@ -291,13 +291,13 @@ void PolicyCompiler_ipfw::PrintRule::_printAddr(Address *o,bool neg)
|
||||
}
|
||||
|
||||
InetAddr addr=o->getAddress();
|
||||
InetNetmask mask=o->getNetmask();
|
||||
InetAddr mask=o->getNetmask();
|
||||
|
||||
if (Interface::cast(o)!=NULL)
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
|
||||
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
if (o->dimension()==1)
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
|
||||
if (addr.isAny() && mask.isAny())
|
||||
{
|
||||
|
||||
@ -389,7 +389,7 @@ void PolicyCompiler_pf::addDefaultPolicyRule()
|
||||
|
||||
string mgmt_addr = getCachedFwOpt()->getStr("mgmt_addr");
|
||||
InetAddr addr;
|
||||
InetNetmask netmask(InetAddr::getAllOnes());
|
||||
InetAddr netmask(InetAddr::getAllOnes());
|
||||
try
|
||||
{
|
||||
addr = InetAddr(mgmt_addr);
|
||||
@ -401,11 +401,11 @@ void PolicyCompiler_pf::addDefaultPolicyRule()
|
||||
int o1,o2,o3,o4;
|
||||
if(sscanf(nm.c_str(), "%3u.%3u.%3u.%3u", &o1, &o2, &o3, &o4)==4)
|
||||
{
|
||||
netmask = InetNetmask(nm);
|
||||
netmask = InetAddr(nm);
|
||||
} else
|
||||
{
|
||||
sscanf(nm.c_str(),"%u",&o1);
|
||||
netmask = InetNetmask(o1);
|
||||
netmask = InetAddr(o1);
|
||||
}
|
||||
}
|
||||
} catch(FWException &ex)
|
||||
|
||||
@ -195,14 +195,14 @@ void PolicyCompiler_pf::PrintRule::_printRouteOptions(PolicyRule *rule)
|
||||
}
|
||||
try
|
||||
{
|
||||
InetNetmask roaddr_netmask;
|
||||
InetAddr roaddr_netmask;
|
||||
string n = roaddr.substr(sp+1);
|
||||
if (n.find('.')!=std::string::npos)
|
||||
{
|
||||
roaddr_netmask = InetNetmask(n);
|
||||
roaddr_netmask = InetAddr(n);
|
||||
} else
|
||||
{
|
||||
roaddr_netmask = InetNetmask(
|
||||
roaddr_netmask = InetAddr(
|
||||
atoi(n.c_str()));
|
||||
}
|
||||
if (roaddr_netmask.getLength()==32)
|
||||
@ -597,7 +597,7 @@ void PolicyCompiler_pf::PrintRule::_printAddr(Address *o,bool neg)
|
||||
}
|
||||
|
||||
InetAddr addr=o->getAddress();
|
||||
InetNetmask mask=o->getNetmask();
|
||||
InetAddr mask=o->getNetmask();
|
||||
|
||||
if (Interface::cast(o)!=NULL)
|
||||
{
|
||||
@ -608,12 +608,12 @@ void PolicyCompiler_pf::PrintRule::_printAddr(Address *o,bool neg)
|
||||
return;
|
||||
}
|
||||
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
}
|
||||
|
||||
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
|
||||
if (o->dimension()==1)
|
||||
{
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
}
|
||||
|
||||
if (addr.isAny() && mask.isAny())
|
||||
|
||||
@ -213,11 +213,11 @@ string TableFactory::PrintTables()
|
||||
throw(FWException("table object must be an address: '"+o->getTypeName()+"'"));
|
||||
|
||||
InetAddr addr=A->getAddress();
|
||||
InetNetmask mask=A->getNetmask();
|
||||
InetAddr mask=A->getNetmask();
|
||||
|
||||
if (dynamic_cast<InetAddrMask*>(A)->dimension()==1)
|
||||
if (A->dimension()==1)
|
||||
{
|
||||
mask = InetNetmask(InetAddr::getAllOnes());
|
||||
mask = InetAddr(InetAddr::getAllOnes());
|
||||
}
|
||||
|
||||
output << addr.toString();
|
||||
|
||||
@ -421,8 +421,8 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
|
||||
|
||||
if (Network::isA(odst) && Network::isA(tdst))
|
||||
{
|
||||
InetNetmask n1=(Interface::cast(odst))?InetNetmask(InetAddr::getAllOnes()):odst->getNetmask();
|
||||
InetNetmask n2=(Interface::cast(tdst))?InetNetmask(InetAddr::getAllOnes()):tdst->getNetmask();
|
||||
InetAddr n1=(Interface::cast(odst))?InetAddr(InetAddr::getAllOnes()):odst->getNetmask();
|
||||
InetAddr n2=(Interface::cast(tdst))?InetAddr(InetAddr::getAllOnes()):tdst->getNetmask();
|
||||
|
||||
if ( !(n1==n2) )
|
||||
compiler->abort(
|
||||
@ -1269,7 +1269,7 @@ bool NATCompiler_pix::DetectOverlappingGlobalPoolsAndStaticRules::processNext()
|
||||
|
||||
if (natcmd->type== INTERFACE)
|
||||
{
|
||||
addr.setNetmask(InetNetmask(InetAddr::getAllOnes()));
|
||||
addr.setNetmask(InetAddr(InetAddr::getAllOnes()));
|
||||
}
|
||||
|
||||
if ( checkOverlapping( addr, outa->getAddress()) ||
|
||||
@ -1313,8 +1313,8 @@ bool NATCompiler_pix::DetectDuplicateNAT::processNext()
|
||||
// InetAddr a1=natcmd->o_addr->getAddress();
|
||||
// InetAddr a2=nc->o_addr->getAddress();
|
||||
//
|
||||
// InetNetmask m1=natcmd->o_addr->getInetNetmask();
|
||||
// InetNetmask m2=nc->o_addr->getNetmask();
|
||||
// InetAddr m1=natcmd->o_addr->getInetAddr();
|
||||
// InetAddr m2=nc->o_addr->getNetmask();
|
||||
|
||||
if ( int1->getId()==int2->getId() &&
|
||||
natcmd->o_src==nc->o_src &&
|
||||
@ -1379,9 +1379,20 @@ bool NATCompiler_pix::DetectOverlappingStatics::processNext()
|
||||
{
|
||||
if ( *(sc->osrv) == *(scmd->osrv) &&
|
||||
*(sc->tsrv) == *(scmd->tsrv) &&
|
||||
*(sc->osrc) == *(scmd->osrc) &&
|
||||
( ! getOverlap(*(scmd->iaddr), *(sc->iaddr)).empty() ||
|
||||
! getOverlap(*(scmd->oaddr), *(sc->oaddr)).empty() ) )
|
||||
*(sc->osrc) == *(scmd->osrc))
|
||||
{
|
||||
const InetAddrMask *ia1 =
|
||||
scmd->iaddr->getAddressObjectInetAddrMask();
|
||||
const InetAddrMask *ia2 =
|
||||
sc->iaddr->getAddressObjectInetAddrMask();
|
||||
|
||||
const InetAddrMask *oa1 =
|
||||
scmd->oaddr->getAddressObjectInetAddrMask();
|
||||
const InetAddrMask *oa2 =
|
||||
sc->oaddr->getAddressObjectInetAddrMask();
|
||||
|
||||
if ( ! getOverlap(*(ia1), *(ia2)).empty() ||
|
||||
! getOverlap(*(oa1), *(oa2)).empty() )
|
||||
compiler->abort(
|
||||
"Static NAT rules overlap or are redundant: rules "+
|
||||
sc->rule+" and "+scmd->rule+" : "+
|
||||
@ -1394,6 +1405,7 @@ bool NATCompiler_pix::DetectOverlappingStatics::processNext()
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -420,7 +420,7 @@ namespace fwcompiler {
|
||||
typedef struct {
|
||||
std::string iface1, iface2;
|
||||
libfwbuilder::InetAddr addr;
|
||||
libfwbuilder::InetNetmask mask;
|
||||
libfwbuilder::InetAddr mask;
|
||||
} nonat_static_parameters;
|
||||
std::deque<nonat_static_parameters> all_nonat_statics;
|
||||
public:
|
||||
|
||||
@ -450,7 +450,7 @@ bool NATCompiler_pix::PrintRule::processNext()
|
||||
StaticCmd *scmd=pix_comp->static_commands[ rule->getInt("sc_cmd") ];
|
||||
|
||||
InetAddr outa=scmd->oaddr->getAddress();
|
||||
InetNetmask outm=scmd->oaddr->getNetmask();
|
||||
InetAddr outm=scmd->oaddr->getNetmask();
|
||||
InetAddr insa=scmd->iaddr->getAddress();
|
||||
/*
|
||||
* we verify that odst and tdst have the same size in verifyRuleElements,
|
||||
|
||||
@ -123,14 +123,14 @@ int PolicyCompiler_pix::prolog()
|
||||
{
|
||||
if (netmask.find(".")!=string::npos)
|
||||
{
|
||||
InetNetmask nm(netmask);
|
||||
InetAddr nm(netmask);
|
||||
nm.isAny(); // to avoid warning abt unused var
|
||||
} else
|
||||
{
|
||||
int nm_length;
|
||||
istringstream str(netmask);
|
||||
str >> nm_length;
|
||||
InetNetmask nm(nm_length);
|
||||
InetAddr nm(nm_length);
|
||||
netmask = nm.toString();
|
||||
}
|
||||
} catch(FWException &ex)
|
||||
|
||||
@ -164,7 +164,7 @@ bool PolicyCompiler_pix::PrintObjectGroupsAndClearCommands::processNext()
|
||||
InetAddr addr=a->getAddress();
|
||||
pix_comp->output << " network-object ";
|
||||
if (Network::cast(obj)!=NULL) {
|
||||
InetNetmask mask=a->getNetmask();
|
||||
InetAddr mask=a->getNetmask();
|
||||
pix_comp->output << addr.toString() << " ";
|
||||
pix_comp->output << mask.toString() << " ";
|
||||
} else {
|
||||
@ -353,7 +353,7 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o)
|
||||
ostringstream str;
|
||||
|
||||
InetAddr srcaddr=o->getAddress();
|
||||
InetNetmask srcmask=o->getNetmask();
|
||||
InetAddr srcmask=o->getNetmask();
|
||||
|
||||
if (Interface::cast(o)!=NULL)
|
||||
{
|
||||
@ -363,11 +363,11 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o)
|
||||
return string("interface ") + interface_->getLabel() + " ";
|
||||
}
|
||||
|
||||
srcmask=InetNetmask(InetAddr::getAllOnes());
|
||||
srcmask=InetAddr(InetAddr::getAllOnes());
|
||||
}
|
||||
|
||||
if (IPv4::cast(o)!=NULL)
|
||||
srcmask=InetNetmask(InetAddr::getAllOnes());
|
||||
srcmask=InetAddr(InetAddr::getAllOnes());
|
||||
|
||||
|
||||
if (srcaddr.isAny() && srcmask.isAny())
|
||||
|
||||
@ -1,17 +1,17 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" id="root">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" lastModified="1208635848" id="root">
|
||||
<Library color="#d2ffd0" id="id4511636323682" name="User">
|
||||
<ObjectGroup id="id4511636423682" name="Objects">
|
||||
<ObjectGroup id="id4511636523682" name="Addresses">
|
||||
<IPv4 address="10.3.14.10" id="id451164E423682" name="baby.vk.crocodile.org" netmask="255.255.255.255"/>
|
||||
<IPv4 address="10.3.14.102" id="id451164F923682" name="h-10.3.14.102" netmask="255.255.255.255"/>
|
||||
<IPv4 address="10.3.14.255" id="id451164FA23682" name="h-10.3.14.255" netmask="255.255.255.255"/>
|
||||
<IPv4 address="10.3.14.53" id="id451164FB23682" name="h-10.3.14.53" netmask="255.255.255.255"/>
|
||||
<IPv4 address="10.3.14.65" id="id451164FC23682" name="h-10.3.14.65" netmask="255.255.255.255"/>
|
||||
<IPv4 address="10.3.14.43" id="id451164FD23682" name="neo.vk.crocodile.org" netmask="255.255.255.255"/>
|
||||
<IPv4 address="10.3.14.30" id="id4511653423682" name="tower.vk.crocodile.org" netmask="255.255.255.255"/>
|
||||
<IPv4 address="10.3.14.41" id="id4511653523682" name="x1.vk.crocodile.org" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id451164E423682" name="baby.vk.crocodile.org" address="10.3.14.10" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id451164F923682" name="h-10.3.14.102" address="10.3.14.102" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id451164FA23682" name="h-10.3.14.255" address="10.3.14.255" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id451164FB23682" name="h-10.3.14.53" address="10.3.14.53" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id451164FC23682" name="h-10.3.14.65" address="10.3.14.65" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id451164FD23682" name="neo.vk.crocodile.org" address="10.3.14.43" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id4511653423682" name="tower.vk.crocodile.org" address="10.3.14.30" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id4511653523682" name="x1.vk.crocodile.org" address="10.3.14.41" netmask="255.255.255.255"/>
|
||||
</ObjectGroup>
|
||||
<ObjectGroup id="id4511636623682" name="DNS Names"/>
|
||||
<ObjectGroup id="id4511636723682" name="Address Tables"/>
|
||||
@ -30,11 +30,11 @@
|
||||
<ObjectGroup id="id4511636923682" name="Hosts">
|
||||
<Host id="id451164EB23682" name="beaver">
|
||||
<Interface bridgeport="False" dyn="False" id="id451164EF23682" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" id="id451164F023682" name="beaver:lo:ip" netmask="255.0.0.0"/>
|
||||
<IPv4 id="id451164F023682" name="beaver:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id451164F523682" name="eth0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="10.3.14.40" id="id451164F723682" name="beaver:eth0:ip1" netmask="255.255.255.0"/>
|
||||
<IPv4 address="192.168.123.123" id="id451164F823682" name="beaver:eth0:ip2" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id451164F723682" name="beaver:eth0:ip1" address="10.3.14.40" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id451164F823682" name="beaver:eth0:ip2" address="192.168.123.123" netmask="255.255.255.0"/>
|
||||
<physAddress address="00:30:48:20:16:10" id="id451164F623682" name="beaver:eth0:mac"/>
|
||||
</Interface>
|
||||
<HostOptions>
|
||||
@ -97,7 +97,7 @@
|
||||
<ServiceGroup id="id4511637323682" name="TagServices"/>
|
||||
</ServiceGroup>
|
||||
<ObjectGroup id="id4511637423682" name="Firewalls">
|
||||
<Firewall comment="" host_OS="ios" id="id46412B5226577" inactive="False" lastCompiled="1185060662" lastInstalled="0" lastModified="1178760458" name="testios1" platform="iosacl" ro="False" version="12.x">
|
||||
<Firewall comment="" host_OS="ios" id="id46412B5226577" inactive="False" lastCompiled="1185060662" lastInstalled="0" lastModified="1208635848" name="testios1" platform="iosacl" ro="False" version="12.x">
|
||||
<NAT id="id46412B5626577"/>
|
||||
<Policy id="id46412B5526577">
|
||||
<PolicyRule action="Deny" comment="anti-spoofing" direction="Inbound" disabled="False" id="id464154BB29061" log="True" position="0">
|
||||
@ -351,7 +351,7 @@
|
||||
<Option name="stateless">False</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id464147C929061" log="False" position="12">
|
||||
<PolicyRule action="Accept" comment="interface ethernet1 has address on network 10.10.10.0/24, therefore net-10.10.10 is behind the router and we do not need to put rules 12-18 in outbound acl of eth0" direction="Both" disabled="False" id="id464147C929061" log="False" position="12">
|
||||
<Src neg="False">
|
||||
<ObjectRef ref="id4641456629061"/>
|
||||
</Src>
|
||||
@ -521,13 +521,13 @@
|
||||
</Policy>
|
||||
<Routing id="id46412B5726577"/>
|
||||
<Interface bridgeport="False" dyn="False" id="id46412B5826577" label="" name="ethernet0" security_level="50" unnum="False" unprotected="False">
|
||||
<IPv4 address="1.1.1.1" id="id46412B5926577" name="testios1:ethernet0:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id46412B5926577" name="testios1:ethernet0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id46412B5A26577" label="" mgmt="False" name="ethernet1" security_level="100" unnum="False" unprotected="True">
|
||||
<IPv4 address="10.10.10.1" id="id46412B5B26577" name="testios1:ethernet1:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id46412B5B26577" name="testios1:ethernet1:ip" address="10.10.10.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4642828219184" label="" mgmt="False" name="ethernet2" security_level="100" unnum="False" unprotected="True">
|
||||
<IPv4 address="3.3.3.3" comment="" id="id4642828319184" name="testios1:ethernet2:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 comment="" id="id4642828319184" name="testios1:ethernet2:ip" address="3.3.3.3" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="10.10.10.1">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -538,9 +538,10 @@
|
||||
<Option name="accept_established">true</Option>
|
||||
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
||||
<Option name="add_check_state_rule">true</Option>
|
||||
<Option name="admUser"/>
|
||||
<Option name="altAddress"/>
|
||||
<Option name="admUser"></Option>
|
||||
<Option name="altAddress"></Option>
|
||||
<Option name="check_shading">False</Option>
|
||||
<Option name="compiler"></Option>
|
||||
<Option name="configure_interfaces">true</Option>
|
||||
<Option name="eliminate_duplicates">true</Option>
|
||||
<Option name="firewall_dir">/etc</Option>
|
||||
@ -553,21 +554,21 @@
|
||||
<Option name="iosacl_acl_basic">True</Option>
|
||||
<Option name="iosacl_acl_no_clear">False</Option>
|
||||
<Option name="iosacl_acl_substitution">False</Option>
|
||||
<Option name="iosacl_acl_temp_addr"/>
|
||||
<Option name="iosacl_acl_temp_addr"></Option>
|
||||
<Option name="iosacl_add_clear_statements">true</Option>
|
||||
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
||||
<Option name="iosacl_epilog_script"/>
|
||||
<Option name="iosacl_epilog_script"></Option>
|
||||
<Option name="iosacl_include_comments">True</Option>
|
||||
<Option name="iosacl_logging_buffered">False</Option>
|
||||
<Option name="iosacl_logging_buffered_level"/>
|
||||
<Option name="iosacl_logging_buffered_level"></Option>
|
||||
<Option name="iosacl_logging_console">False</Option>
|
||||
<Option name="iosacl_logging_console_level"/>
|
||||
<Option name="iosacl_logging_console_level"></Option>
|
||||
<Option name="iosacl_logging_timestamp">False</Option>
|
||||
<Option name="iosacl_logging_trap_level"/>
|
||||
<Option name="iosacl_prolog_script"/>
|
||||
<Option name="iosacl_logging_trap_level"></Option>
|
||||
<Option name="iosacl_prolog_script"></Option>
|
||||
<Option name="iosacl_regroup_commands">False</Option>
|
||||
<Option name="iosacl_syslog_facility"/>
|
||||
<Option name="iosacl_syslog_host"/>
|
||||
<Option name="iosacl_syslog_facility"></Option>
|
||||
<Option name="iosacl_syslog_host"></Option>
|
||||
<Option name="limit_value">0</Option>
|
||||
<Option name="linux24_ip_forward">1</Option>
|
||||
<Option name="load_modules">true</Option>
|
||||
@ -577,10 +578,10 @@
|
||||
<Option name="loopback_interface">lo0</Option>
|
||||
<Option name="macosx_ip_forward">1</Option>
|
||||
<Option name="manage_virtual_addr">true</Option>
|
||||
<Option name="mgmt_addr"/>
|
||||
<Option name="mgmt_addr"></Option>
|
||||
<Option name="mgmt_ssh">False</Option>
|
||||
<Option name="openbsd_ip_forward">1</Option>
|
||||
<Option name="output_file"/>
|
||||
<Option name="output_file"></Option>
|
||||
<Option name="pass_all_out">false</Option>
|
||||
<Option name="pf_limit_frags">5000</Option>
|
||||
<Option name="pf_limit_states">10000</Option>
|
||||
@ -602,7 +603,7 @@
|
||||
<Option name="prompt1">$ </Option>
|
||||
<Option name="prompt2"> # </Option>
|
||||
<Option name="solaris_ip_forward">1</Option>
|
||||
<Option name="sshArgs"/>
|
||||
<Option name="sshArgs"></Option>
|
||||
<Option name="ulog_nlgroup">1</Option>
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
@ -759,10 +760,10 @@
|
||||
</Policy>
|
||||
<Routing id="id4641321026611"/>
|
||||
<Interface bridgeport="False" dyn="False" id="id4641321126611" label="" name="ethernet0" security_level="50" unnum="False" unprotected="False">
|
||||
<IPv4 address="1.1.1.1" id="id4641321326611" name="testios20:ethernet0:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id4641321326611" name="testios20:ethernet0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4641321426611" label="" mgmt="False" name="ethernet1" network_zone="sysid0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="10.10.10.1" id="id4641321626611" name="testios20:ethernet1:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id4641321626611" name="testios20:ethernet1:ip" address="10.10.10.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="10.10.10.1">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -773,10 +774,10 @@
|
||||
<Option name="accept_established">true</Option>
|
||||
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
||||
<Option name="add_check_state_rule">true</Option>
|
||||
<Option name="admUser"/>
|
||||
<Option name="altAddress"/>
|
||||
<Option name="admUser"></Option>
|
||||
<Option name="altAddress"></Option>
|
||||
<Option name="check_shading">False</Option>
|
||||
<Option name="compiler"/>
|
||||
<Option name="compiler"></Option>
|
||||
<Option name="configure_interfaces">true</Option>
|
||||
<Option name="eliminate_duplicates">true</Option>
|
||||
<Option name="firewall_dir">/etc</Option>
|
||||
@ -789,21 +790,21 @@
|
||||
<Option name="iosacl_acl_basic">True</Option>
|
||||
<Option name="iosacl_acl_no_clear">False</Option>
|
||||
<Option name="iosacl_acl_substitution">False</Option>
|
||||
<Option name="iosacl_acl_temp_addr"/>
|
||||
<Option name="iosacl_acl_temp_addr"></Option>
|
||||
<Option name="iosacl_add_clear_statements">true</Option>
|
||||
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
||||
<Option name="iosacl_epilog_script"/>
|
||||
<Option name="iosacl_epilog_script"></Option>
|
||||
<Option name="iosacl_include_comments">True</Option>
|
||||
<Option name="iosacl_logging_buffered">False</Option>
|
||||
<Option name="iosacl_logging_buffered_level"/>
|
||||
<Option name="iosacl_logging_buffered_level"></Option>
|
||||
<Option name="iosacl_logging_console">False</Option>
|
||||
<Option name="iosacl_logging_console_level"/>
|
||||
<Option name="iosacl_logging_console_level"></Option>
|
||||
<Option name="iosacl_logging_timestamp">False</Option>
|
||||
<Option name="iosacl_logging_trap_level"/>
|
||||
<Option name="iosacl_prolog_script"/>
|
||||
<Option name="iosacl_logging_trap_level"></Option>
|
||||
<Option name="iosacl_prolog_script"></Option>
|
||||
<Option name="iosacl_regroup_commands">False</Option>
|
||||
<Option name="iosacl_syslog_facility"/>
|
||||
<Option name="iosacl_syslog_host"/>
|
||||
<Option name="iosacl_syslog_facility"></Option>
|
||||
<Option name="iosacl_syslog_host"></Option>
|
||||
<Option name="limit_value">0</Option>
|
||||
<Option name="linux24_ip_forward">1</Option>
|
||||
<Option name="load_modules">true</Option>
|
||||
@ -813,10 +814,10 @@
|
||||
<Option name="loopback_interface">lo0</Option>
|
||||
<Option name="macosx_ip_forward">1</Option>
|
||||
<Option name="manage_virtual_addr">true</Option>
|
||||
<Option name="mgmt_addr"/>
|
||||
<Option name="mgmt_addr"></Option>
|
||||
<Option name="mgmt_ssh">False</Option>
|
||||
<Option name="openbsd_ip_forward">1</Option>
|
||||
<Option name="output_file"/>
|
||||
<Option name="output_file"></Option>
|
||||
<Option name="pass_all_out">false</Option>
|
||||
<Option name="pf_limit_frags">5000</Option>
|
||||
<Option name="pf_limit_states">10000</Option>
|
||||
@ -838,7 +839,7 @@
|
||||
<Option name="prompt1">$ </Option>
|
||||
<Option name="prompt2"> # </Option>
|
||||
<Option name="solaris_ip_forward">1</Option>
|
||||
<Option name="sshArgs"/>
|
||||
<Option name="sshArgs"></Option>
|
||||
<Option name="ulog_nlgroup">1</Option>
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
@ -1267,10 +1268,10 @@
|
||||
</Policy>
|
||||
<Routing id="id464265C512807"/>
|
||||
<Interface bridgeport="False" dyn="False" id="id464265C612807" label="" name="ethernet0" security_level="50" unnum="False" unprotected="False">
|
||||
<IPv4 address="1.1.1.1" id="id464265C812807" name="testios2:ethernet0:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id464265C812807" name="testios2:ethernet0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id464265C912807" label="" mgmt="True" name="ethernet1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="10.10.10.1" id="id464265CB12807" name="testios2:ethernet1:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id464265CB12807" name="testios2:ethernet1:ip" address="10.10.10.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="10.10.10.1">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1281,8 +1282,8 @@
|
||||
<Option name="accept_established">true</Option>
|
||||
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
||||
<Option name="add_check_state_rule">true</Option>
|
||||
<Option name="admUser"/>
|
||||
<Option name="altAddress"/>
|
||||
<Option name="admUser"></Option>
|
||||
<Option name="altAddress"></Option>
|
||||
<Option name="check_shading">False</Option>
|
||||
<Option name="configure_interfaces">true</Option>
|
||||
<Option name="eliminate_duplicates">true</Option>
|
||||
@ -1299,18 +1300,18 @@
|
||||
<Option name="iosacl_acl_temp_addr">10.10.10.0/24</Option>
|
||||
<Option name="iosacl_add_clear_statements">true</Option>
|
||||
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
||||
<Option name="iosacl_epilog_script"/>
|
||||
<Option name="iosacl_epilog_script"></Option>
|
||||
<Option name="iosacl_include_comments">True</Option>
|
||||
<Option name="iosacl_logging_buffered">False</Option>
|
||||
<Option name="iosacl_logging_buffered_level"/>
|
||||
<Option name="iosacl_logging_buffered_level"></Option>
|
||||
<Option name="iosacl_logging_console">False</Option>
|
||||
<Option name="iosacl_logging_console_level"/>
|
||||
<Option name="iosacl_logging_console_level"></Option>
|
||||
<Option name="iosacl_logging_timestamp">False</Option>
|
||||
<Option name="iosacl_logging_trap_level"/>
|
||||
<Option name="iosacl_prolog_script"/>
|
||||
<Option name="iosacl_logging_trap_level"></Option>
|
||||
<Option name="iosacl_prolog_script"></Option>
|
||||
<Option name="iosacl_regroup_commands">False</Option>
|
||||
<Option name="iosacl_syslog_facility"/>
|
||||
<Option name="iosacl_syslog_host"/>
|
||||
<Option name="iosacl_syslog_facility"></Option>
|
||||
<Option name="iosacl_syslog_host"></Option>
|
||||
<Option name="limit_value">0</Option>
|
||||
<Option name="linux24_ip_forward">1</Option>
|
||||
<Option name="load_modules">true</Option>
|
||||
@ -1320,10 +1321,10 @@
|
||||
<Option name="loopback_interface">lo0</Option>
|
||||
<Option name="macosx_ip_forward">1</Option>
|
||||
<Option name="manage_virtual_addr">true</Option>
|
||||
<Option name="mgmt_addr"/>
|
||||
<Option name="mgmt_addr"></Option>
|
||||
<Option name="mgmt_ssh">False</Option>
|
||||
<Option name="openbsd_ip_forward">1</Option>
|
||||
<Option name="output_file"/>
|
||||
<Option name="output_file"></Option>
|
||||
<Option name="pass_all_out">false</Option>
|
||||
<Option name="pf_limit_frags">5000</Option>
|
||||
<Option name="pf_limit_states">10000</Option>
|
||||
@ -1345,7 +1346,7 @@
|
||||
<Option name="prompt1">$ </Option>
|
||||
<Option name="prompt2"> # </Option>
|
||||
<Option name="solaris_ip_forward">1</Option>
|
||||
<Option name="sshArgs"/>
|
||||
<Option name="sshArgs"></Option>
|
||||
<Option name="ulog_nlgroup">1</Option>
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
@ -1516,19 +1517,19 @@
|
||||
</Policy>
|
||||
<Routing id="id46435A0316989"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id46435A0416989" label="" mgmt="False" name="Ethernet1/0" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.171.2" id="id46435A0516989" name="c3620:Ethernet1/0:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id46435A0516989" name="c3620:Ethernet1/0:ip" address="192.168.171.2" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id46435A0616989" label="" mgmt="False" name="Ethernet1/1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="0.0.0.0" id="id46435A0716989" name="c3620:Ethernet1/1:ip" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id46435A0716989" name="c3620:Ethernet1/1:ip" address="0.0.0.0" netmask="255.255.255.255"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id46435A0816989" label="" mgmt="True" name="FastEthernet0/0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="10.3.14.201" id="id46435A0916989" name="c3620:FastEthernet0/0:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 id="id46435A0916989" name="c3620:FastEthernet0/0:ip" address="10.3.14.201" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id46435A0A16989" label="" mgmt="False" name="Null0" security_level="100" unnum="False" unprotected="True">
|
||||
<IPv4 address="0.0.0.0" id="id46435A0B16989" name="c3620:Null0:ip" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id46435A0B16989" name="c3620:Null0:ip" address="0.0.0.0" netmask="255.255.255.255"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id46435A0C16989" label="" mgmt="False" name="Serial1/0" security_level="100" unnum="False" unprotected="True">
|
||||
<IPv4 address="0.0.0.0" id="id46435A0D16989" name="c3620:Serial1/0:ip" netmask="255.255.255.255"/>
|
||||
<IPv4 id="id46435A0D16989" name="c3620:Serial1/0:ip" address="0.0.0.0" netmask="255.255.255.255"/>
|
||||
</Interface>
|
||||
<Management address="10.3.14.201">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1539,8 +1540,8 @@
|
||||
<Option name="accept_established">true</Option>
|
||||
<Option name="accept_new_tcp_with_no_syn">true</Option>
|
||||
<Option name="add_check_state_rule">true</Option>
|
||||
<Option name="admUser"/>
|
||||
<Option name="altAddress"/>
|
||||
<Option name="admUser"></Option>
|
||||
<Option name="altAddress"></Option>
|
||||
<Option name="check_shading">False</Option>
|
||||
<Option name="configure_interfaces">true</Option>
|
||||
<Option name="eliminate_duplicates">true</Option>
|
||||
@ -1552,21 +1553,21 @@
|
||||
<Option name="iosacl_acl_basic">True</Option>
|
||||
<Option name="iosacl_acl_no_clear">False</Option>
|
||||
<Option name="iosacl_acl_substitution">False</Option>
|
||||
<Option name="iosacl_acl_temp_addr"/>
|
||||
<Option name="iosacl_acl_temp_addr"></Option>
|
||||
<Option name="iosacl_add_clear_statements">true</Option>
|
||||
<Option name="iosacl_assume_fw_part_of_any">true</Option>
|
||||
<Option name="iosacl_epilog_script"/>
|
||||
<Option name="iosacl_epilog_script"></Option>
|
||||
<Option name="iosacl_include_comments">True</Option>
|
||||
<Option name="iosacl_logging_buffered">False</Option>
|
||||
<Option name="iosacl_logging_buffered_level"/>
|
||||
<Option name="iosacl_logging_buffered_level"></Option>
|
||||
<Option name="iosacl_logging_console">False</Option>
|
||||
<Option name="iosacl_logging_console_level"/>
|
||||
<Option name="iosacl_logging_console_level"></Option>
|
||||
<Option name="iosacl_logging_timestamp">False</Option>
|
||||
<Option name="iosacl_logging_trap_level"/>
|
||||
<Option name="iosacl_prolog_script"/>
|
||||
<Option name="iosacl_logging_trap_level"></Option>
|
||||
<Option name="iosacl_prolog_script"></Option>
|
||||
<Option name="iosacl_regroup_commands">False</Option>
|
||||
<Option name="iosacl_syslog_facility"/>
|
||||
<Option name="iosacl_syslog_host"/>
|
||||
<Option name="iosacl_syslog_facility"></Option>
|
||||
<Option name="iosacl_syslog_host"></Option>
|
||||
<Option name="limit_value">0</Option>
|
||||
<Option name="linux24_ip_forward">1</Option>
|
||||
<Option name="load_modules">true</Option>
|
||||
@ -1579,7 +1580,7 @@
|
||||
<Option name="mgmt_addr">10.3.14.40</Option>
|
||||
<Option name="mgmt_ssh">True</Option>
|
||||
<Option name="openbsd_ip_forward">1</Option>
|
||||
<Option name="output_file"/>
|
||||
<Option name="output_file"></Option>
|
||||
<Option name="pass_all_out">false</Option>
|
||||
<Option name="pf_limit_frags">5000</Option>
|
||||
<Option name="pf_limit_states">10000</Option>
|
||||
@ -1601,7 +1602,7 @@
|
||||
<Option name="prompt1">$ </Option>
|
||||
<Option name="prompt2"> # </Option>
|
||||
<Option name="solaris_ip_forward">1</Option>
|
||||
<Option name="sshArgs"/>
|
||||
<Option name="sshArgs"></Option>
|
||||
<Option name="ulog_nlgroup">1</Option>
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
@ -1611,7 +1612,7 @@
|
||||
</Library>
|
||||
<Library id="sysid99" name="Deleted Objects" ro="False">
|
||||
<ObjectRef ref="sysid0"/>
|
||||
<IPv4 address="10.10.10.1" comment="" id="id463FF31019380" name="test-ipt:eth0:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 comment="" id="id463FF31019380" name="test-ipt:eth0:ip" address="10.10.10.1" netmask="255.255.255.0"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4511651D23682" label="" mgmt="False" name="imq1" security_level="100" unnum="True" unprotected="False"/>
|
||||
<Firewall comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network. This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." host_OS="freebsd" id="id453D8A6D12118" lastCompiled="0" lastInstalled="0" lastModified="1178678949" name="ipf" platform="ipf" ro="False" version="">
|
||||
<NAT id="id453D8AE412118">
|
||||
@ -1694,27 +1695,27 @@
|
||||
<IntervalRef ref="sysid2"/>
|
||||
</When>
|
||||
<PolicyRuleOptions>
|
||||
<Option name="action_on_reject"/>
|
||||
<Option name="classify_str"/>
|
||||
<Option name="custom_str"/>
|
||||
<Option name="ipf_route_opt_addr"/>
|
||||
<Option name="action_on_reject"></Option>
|
||||
<Option name="classify_str"></Option>
|
||||
<Option name="custom_str"></Option>
|
||||
<Option name="ipf_route_opt_addr"></Option>
|
||||
<Option name="ipf_route_opt_if">le1</Option>
|
||||
<Option name="ipf_route_option">route_through</Option>
|
||||
<Option name="ipfw_classify_method">2</Option>
|
||||
<Option name="ipfw_pipe_port_num">0</Option>
|
||||
<Option name="ipfw_pipe_queue_num">0</Option>
|
||||
<Option name="ipt_continue">False</Option>
|
||||
<Option name="ipt_gw"/>
|
||||
<Option name="ipt_iif"/>
|
||||
<Option name="ipt_gw"></Option>
|
||||
<Option name="ipt_iif"></Option>
|
||||
<Option name="ipt_mark_connections">False</Option>
|
||||
<Option name="ipt_mark_prerouting">False</Option>
|
||||
<Option name="ipt_oif"/>
|
||||
<Option name="ipt_oif"></Option>
|
||||
<Option name="ipt_tee">False</Option>
|
||||
<Option name="pf_fastroute">False</Option>
|
||||
<Option name="pf_route_opt_addr"/>
|
||||
<Option name="pf_route_opt_if"/>
|
||||
<Option name="pf_route_opt_addr"></Option>
|
||||
<Option name="pf_route_opt_if"></Option>
|
||||
<Option name="pf_route_option">route_through</Option>
|
||||
<Option name="rule_name_accounting"/>
|
||||
<Option name="rule_name_accounting"></Option>
|
||||
<Option name="stateless">True</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
@ -1835,10 +1836,10 @@
|
||||
<Routing id="id453D8AF312118"/>
|
||||
<Interface bridgeport="False" comment="" dyn="True" id="id453D8AF412118" label="" mgmt="False" name="le0" security_level="0" unnum="False" unprotected="False"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id453D8AF512118" label="" mgmt="True" name="le1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id453D8AF712118" name="ipf:le1:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 comment="" id="id453D8AF712118" name="ipf:le1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id453D8AF812118" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" comment="" id="id453D8AFA12118" name="ipf:lo:ip" netmask="255.0.0.0"/>
|
||||
<IPv4 comment="" id="id453D8AFA12118" name="ipf:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Management address="0.0.0.0">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -1929,27 +1930,27 @@
|
||||
<IntervalRef ref="sysid2"/>
|
||||
</When>
|
||||
<PolicyRuleOptions>
|
||||
<Option name="action_on_reject"/>
|
||||
<Option name="classify_str"/>
|
||||
<Option name="custom_str"/>
|
||||
<Option name="ipf_route_opt_addr"/>
|
||||
<Option name="ipf_route_opt_if"/>
|
||||
<Option name="action_on_reject"></Option>
|
||||
<Option name="classify_str"></Option>
|
||||
<Option name="custom_str"></Option>
|
||||
<Option name="ipf_route_opt_addr"></Option>
|
||||
<Option name="ipf_route_opt_if"></Option>
|
||||
<Option name="ipf_route_option">Route through</Option>
|
||||
<Option name="ipfw_classify_method">2</Option>
|
||||
<Option name="ipfw_pipe_port_num">0</Option>
|
||||
<Option name="ipfw_pipe_queue_num">0</Option>
|
||||
<Option name="ipt_continue">False</Option>
|
||||
<Option name="ipt_gw"/>
|
||||
<Option name="ipt_iif"/>
|
||||
<Option name="ipt_gw"></Option>
|
||||
<Option name="ipt_iif"></Option>
|
||||
<Option name="ipt_mark_connections">False</Option>
|
||||
<Option name="ipt_mark_prerouting">False</Option>
|
||||
<Option name="ipt_oif">vlan1</Option>
|
||||
<Option name="ipt_tee">False</Option>
|
||||
<Option name="pf_fastroute">False</Option>
|
||||
<Option name="pf_route_opt_addr"/>
|
||||
<Option name="pf_route_opt_if"/>
|
||||
<Option name="pf_route_opt_addr"></Option>
|
||||
<Option name="pf_route_opt_if"></Option>
|
||||
<Option name="pf_route_option">Route through</Option>
|
||||
<Option name="rule_name_accounting"/>
|
||||
<Option name="rule_name_accounting"></Option>
|
||||
<Option name="stateless">True</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
@ -1970,27 +1971,27 @@
|
||||
<IntervalRef ref="sysid2"/>
|
||||
</When>
|
||||
<PolicyRuleOptions>
|
||||
<Option name="action_on_reject"/>
|
||||
<Option name="classify_str"/>
|
||||
<Option name="custom_str"/>
|
||||
<Option name="ipf_route_opt_addr"/>
|
||||
<Option name="ipf_route_opt_if"/>
|
||||
<Option name="action_on_reject"></Option>
|
||||
<Option name="classify_str"></Option>
|
||||
<Option name="custom_str"></Option>
|
||||
<Option name="ipf_route_opt_addr"></Option>
|
||||
<Option name="ipf_route_opt_if"></Option>
|
||||
<Option name="ipf_route_option">Route through</Option>
|
||||
<Option name="ipfw_classify_method">2</Option>
|
||||
<Option name="ipfw_pipe_port_num">0</Option>
|
||||
<Option name="ipfw_pipe_queue_num">0</Option>
|
||||
<Option name="ipt_continue">False</Option>
|
||||
<Option name="ipt_gw"/>
|
||||
<Option name="ipt_iif"/>
|
||||
<Option name="ipt_gw"></Option>
|
||||
<Option name="ipt_iif"></Option>
|
||||
<Option name="ipt_mark_connections">False</Option>
|
||||
<Option name="ipt_mark_prerouting">False</Option>
|
||||
<Option name="ipt_oif">eth1</Option>
|
||||
<Option name="ipt_tee">False</Option>
|
||||
<Option name="pf_fastroute">False</Option>
|
||||
<Option name="pf_route_opt_addr"/>
|
||||
<Option name="pf_route_opt_if"/>
|
||||
<Option name="pf_route_opt_addr"></Option>
|
||||
<Option name="pf_route_opt_if"></Option>
|
||||
<Option name="pf_route_option">Route through</Option>
|
||||
<Option name="rule_name_accounting"/>
|
||||
<Option name="rule_name_accounting"></Option>
|
||||
<Option name="stateless">True</Option>
|
||||
</PolicyRuleOptions>
|
||||
</PolicyRule>
|
||||
@ -2037,11 +2038,11 @@
|
||||
</Policy>
|
||||
<Routing id="id4511651323682"/>
|
||||
<Interface bridgeport="False" dyn="False" id="id4511651623682" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="127.0.0.1" id="id4511651723682" name="test-ipt:lo:ip" netmask="255.0.0.0"/>
|
||||
<IPv4 id="id4511651723682" name="test-ipt:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4511651923682" label="" mgmt="False" name="teql0" security_level="100" unnum="True" unprotected="False"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id4511651B23682" label="" mgmt="False" name="imq0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="192.168.1.1" comment="" id="id463FFA2619380" name="test-ipt:imq0:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 comment="" id="id463FFA2619380" name="test-ipt:imq0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" comment="" dyn="True" id="id4511652023682" label="" mgmt="False" name="eth0" security_level="100" unnum="False" unprotected="False">
|
||||
<physAddress address="00:12:17:03:B9:81" id="id4511652123682" name="test-ipt:eth0:mac"/>
|
||||
@ -2053,11 +2054,11 @@
|
||||
<physAddress address="00:12:17:03:B9:81" id="id4511652923682" name="test-ipt:vlan0:mac"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id4511652D23682" name="vlan1" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 address="24.6.139.57" id="id4511652F23682" name="test-ipt:vlan1:ip" netmask="255.255.248.0"/>
|
||||
<IPv4 id="id4511652F23682" name="test-ipt:vlan1:ip" address="24.6.139.57" netmask="255.255.248.0"/>
|
||||
<physAddress address="00:E0:18:A8:80:1E" id="id4511652E23682" name="test-ipt:vlan1:mac"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id4511653223682" name="br0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 address="10.10.10.2" comment="" id="id463FF31119380" name="test-ipt:br0:ip" netmask="255.255.255.0"/>
|
||||
<IPv4 comment="" id="id463FF31119380" name="test-ipt:br0:ip" address="10.10.10.2" netmask="255.255.255.0"/>
|
||||
<physAddress address="00:12:17:03:B9:81" id="id4511653323682" name="test-ipt:br0:mac"/>
|
||||
</Interface>
|
||||
<Management address="10.10.10.2">
|
||||
@ -2068,27 +2069,27 @@
|
||||
<FirewallOptions>
|
||||
<Option name="accept_established">True</Option>
|
||||
<Option name="accept_new_tcp_with_no_syn">True</Option>
|
||||
<Option name="action_on_reject"/>
|
||||
<Option name="activationCmd"/>
|
||||
<Option name="admUser"/>
|
||||
<Option name="altAddress"/>
|
||||
<Option name="action_on_reject"></Option>
|
||||
<Option name="activationCmd"></Option>
|
||||
<Option name="admUser"></Option>
|
||||
<Option name="altAddress"></Option>
|
||||
<Option name="bridging_fw">False</Option>
|
||||
<Option name="check_shading">False</Option>
|
||||
<Option name="clamp_mss_to_mtu">False</Option>
|
||||
<Option name="classify_mark_terminating">False</Option>
|
||||
<Option name="cmdline"/>
|
||||
<Option name="compiler"/>
|
||||
<Option name="cmdline"></Option>
|
||||
<Option name="compiler"></Option>
|
||||
<Option name="configure_interfaces">True</Option>
|
||||
<Option name="debug">False</Option>
|
||||
<Option name="drop_invalid">False</Option>
|
||||
<Option name="eliminate_duplicates">true</Option>
|
||||
<Option name="epilog_script"/>
|
||||
<Option name="epilog_script"></Option>
|
||||
<Option name="firewall_dir">/etc</Option>
|
||||
<Option name="firewall_is_part_of_any_and_networks">True</Option>
|
||||
<Option name="freebsd_ip_forward">1</Option>
|
||||
<Option name="ignore_empty_groups">False</Option>
|
||||
<Option name="in_out_code">true</Option>
|
||||
<Option name="limit_suffix"/>
|
||||
<Option name="limit_suffix"></Option>
|
||||
<Option name="limit_value">0</Option>
|
||||
<Option name="linux24_ip_forward">1</Option>
|
||||
<Option name="load_modules">True</Option>
|
||||
@ -2103,10 +2104,10 @@
|
||||
<Option name="loopback_interface">lo0</Option>
|
||||
<Option name="macosx_ip_forward">1</Option>
|
||||
<Option name="manage_virtual_addr">True</Option>
|
||||
<Option name="mgmt_addr"/>
|
||||
<Option name="mgmt_addr"></Option>
|
||||
<Option name="mgmt_ssh">False</Option>
|
||||
<Option name="openbsd_ip_forward">1</Option>
|
||||
<Option name="output_file"/>
|
||||
<Option name="output_file"></Option>
|
||||
<Option name="pass_all_out">false</Option>
|
||||
<Option name="pf_limit_frags">5000</Option>
|
||||
<Option name="pf_limit_states">10000</Option>
|
||||
@ -2126,14 +2127,14 @@
|
||||
<Option name="pix_syslog_device_id_supported">false</Option>
|
||||
<Option name="pix_use_acl_remarks">true</Option>
|
||||
<Option name="prolog_place">top</Option>
|
||||
<Option name="prolog_script"/>
|
||||
<Option name="prolog_script"></Option>
|
||||
<Option name="prompt1">$ </Option>
|
||||
<Option name="prompt2"> # </Option>
|
||||
<Option name="snmp_contact">root</Option>
|
||||
<Option name="snmp_description">Linux SVEASOFT 2.4.20 #2 Wed Nov 17 11:49:43 CET 2004 mips</Option>
|
||||
<Option name="snmp_location">Unknown</Option>
|
||||
<Option name="solaris_ip_forward">1</Option>
|
||||
<Option name="sshArgs"/>
|
||||
<Option name="sshArgs"></Option>
|
||||
<Option name="ulog_cprange">0</Option>
|
||||
<Option name="ulog_nlgroup">1</Option>
|
||||
<Option name="ulog_qthreshold">1</Option>
|
||||
|
||||
@ -7,7 +7,7 @@ if which opendiff > /dev/null 2>&1; then
|
||||
elif which tkdiff > /dev/null 2>&1; then
|
||||
TOOL="tkdiff -b -B "
|
||||
else
|
||||
TOOL="diff -b -B "
|
||||
TOOL="diff -U 8 -b -B "
|
||||
fi
|
||||
|
||||
${TOOL} firewall${N}.fw.orig firewall${N}.fw
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" lastModified="1206322269" id="root">
|
||||
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" lastModified="1208501354" id="root">
|
||||
<Library color="#d2ffd0" comment="User defined objects" id="syslib001" name="User">
|
||||
<ObjectGroup id="stdid01_1" name="Objects">
|
||||
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables">
|
||||
@ -324,8 +324,8 @@
|
||||
</HostOptions>
|
||||
</Host>
|
||||
<Host comment="" id="host-hostA" name="hostA">
|
||||
<Interface bridgeport="False" dyn="False" id="host-hostA-i" name="unknown" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="host-hostA-i-ipv4" name="address" address="192.168.1.10" netmask="255.255.255.255"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="host-hostA-i" label="" name="eth0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="host-hostA-i-ipv4" name="hostA:eth0:ip" address="192.168.1.10" netmask="255.255.255.255"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
||||
@ -668,9 +668,9 @@
|
||||
</HostOptions>
|
||||
</Host>
|
||||
<Host comment="this host has the same IP address as firewall 'firewall', plus it has MAC address. Testing for a combination of "--mac --source-mac" in the OUTPUT chain. " id="id3F14DFB8" name="fw-with-mac-1">
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id3F14DFB9" label="" mgmt="False" name="host-with-mac-1:1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 comment="" id="id3F14DFBA" name="host-with-mac-1/addr" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
<physAddress address="00:10:4b:de:e9:6f" id="id3F14DFBB" name="host-with-mac-1:1-pa"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id3F14DFB9" label="" mgmt="False" name="fw-with-mac-1:1" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 comment="" id="id3F14DFBA" name="fw-with-mac-1:fw-with-mac-1:1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
<physAddress address="00:10:4b:de:e9:6f" id="id3F14DFBB" name="fw-with-mac-1:fw-with-mac-1:1:mac"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.10">
|
||||
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
|
||||
@ -988,7 +988,7 @@
|
||||
</ServiceGroup>
|
||||
</ServiceGroup>
|
||||
<ObjectGroup id="stdid12_1" name="Firewalls">
|
||||
<Firewall comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule " host_OS="linux24" id="fw-firewall2" inactive="False" lastCompiled="1188096924" lastInstalled="1142003872" lastModified="1206322269" name="firewall" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule " host_OS="linux24" id="fw-firewall2" inactive="False" lastCompiled="1188096924" lastInstalled="1142003872" lastModified="1208501354" name="firewall" platform="iptables" ro="False" version="">
|
||||
<NAT id="nat-firewall2">
|
||||
<NATRule comment="" disabled="False" id="nat-firewall2-0" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -2732,7 +2732,7 @@
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="this object is used to test all kinds of negation in policy and NAT rules" host_OS="linux24" id="id3AF5AA0A" inactive="False" lastCompiled="1188096933" lastInstalled="1142003872" lastModified="1158818477" name="firewall1" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="this object is used to test all kinds of negation in policy and NAT rules" host_OS="linux24" id="id3AF5AA0A" inactive="False" lastCompiled="1188096933" lastInstalled="1142003872" lastModified="1208501354" name="firewall1" platform="iptables" ro="False" version="">
|
||||
<NAT id="id3AF5AA0D">
|
||||
<NATRule disabled="False" id="id3C98491C" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -4013,19 +4013,19 @@
|
||||
</Policy>
|
||||
<Routing id="id3AF5AA0A-routing"/>
|
||||
<Interface bridgeport="False" comment="" dyn="False" id="id3AF5AA96" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id3AF5AA96-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
<IPv4 comment="" id="id3AF5AA96-ipv4" name="eth0:address" address="192.168.1.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id3AF5AA99" name="eth1" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id3AF5AA99-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
|
||||
<IPv4 comment="" id="id3AF5AA99-ipv4" name="eth1:address" address="22.22.22.22" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id3B0B4BC8" name="eth2" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id3B0B4BC8-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
|
||||
<IPv4 comment="" id="id3B0B4BC8-ipv4" name="eth2:address" address="192.168.2.1" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id3B0B4D35" name="lo" security_level="100" unnum="False" unprotected="False">
|
||||
<IPv4 id="id3B0B4D35-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
<IPv4 comment="" id="id3B0B4D35-ipv4" name="lo:address" address="127.0.0.1" netmask="255.0.0.0"/>
|
||||
</Interface>
|
||||
<Interface bridgeport="False" dyn="False" id="id3B11F434" name="eth3" security_level="0" unnum="False" unprotected="False">
|
||||
<IPv4 id="id3B11F434-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
|
||||
<IPv4 comment="" id="id3B11F434-ipv4" name="eth3:address" address="22.22.23.23" netmask="255.255.255.0"/>
|
||||
</Interface>
|
||||
<Management address="192.168.1.1">
|
||||
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
|
||||
@ -4117,7 +4117,7 @@
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " host_OS="linux24" id="id3AFB66C6" inactive="False" lastCompiled="1188315148" lastInstalled="1142003872" lastModified="1197388709" name="firewall2" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " host_OS="linux24" id="id3AFB66C6" inactive="False" lastCompiled="1188315148" lastInstalled="1142003872" lastModified="1208501354" name="firewall2" platform="iptables" ro="False" version="">
|
||||
<NAT id="id3AFB66C7">
|
||||
<NATRule disabled="False" id="id3AFB66C8" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -5688,7 +5688,7 @@
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="this object is used to test negation in policy rules with "Assume firewall is part of 'Any'" turned OFF" host_OS="linux24" id="id3B0226B6" inactive="False" lastCompiled="1196093755" lastInstalled="1142003872" lastModified="1196093903" name="firewall3" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="this object is used to test negation in policy rules with "Assume firewall is part of 'Any'" turned OFF" host_OS="linux24" id="id3B0226B6" inactive="False" lastCompiled="1196093755" lastInstalled="1142003872" lastModified="1208501354" name="firewall3" platform="iptables" ro="False" version="">
|
||||
<NAT id="id3B0226B7">
|
||||
<NATRule disabled="False" id="id3B0226B8" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -6341,7 +6341,7 @@
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="this object is used to test a configuration where firewall has dynamic address " host_OS="linux24" id="id3B0C6380" inactive="False" lastCompiled="1188097179" lastInstalled="1142003872" lastModified="1184801731" name="firewall4" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="this object is used to test a configuration where firewall has dynamic address " host_OS="linux24" id="id3B0C6380" inactive="False" lastCompiled="1188097179" lastInstalled="1142003872" lastModified="1208501354" name="firewall4" platform="iptables" ro="False" version="">
|
||||
<NAT id="id3B0C6381">
|
||||
<NATRule disabled="False" id="id3B0C6382" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -7128,7 +7128,7 @@
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="testing firewall_is_part_of_any_and_networks also testing SNAT and DNAT rules when external interface has dynamic address dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning. " host_OS="linux24" id="id3B19BEE6" lastCompiled="1204560061" lastInstalled="1142003872" lastModified="1204560033" name="firewall5" platform="iptables" ro="False">
|
||||
<Firewall comment="testing firewall_is_part_of_any_and_networks also testing SNAT and DNAT rules when external interface has dynamic address dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning. " host_OS="linux24" id="id3B19BEE6" lastCompiled="1204560061" lastInstalled="1142003872" lastModified="1208501354" name="firewall5" platform="iptables" ro="False">
|
||||
<NAT id="id3B19BEE7">
|
||||
<NATRule disabled="False" id="id3CFD9EE2" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -9413,7 +9413,7 @@
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. This is BRIDGING FIREWALL Firewall is part of any is OFF Interfaces eth0 and eth1 are parts of the bridge; Interface eth2 is external interface (doing NAT and routing on this interface) Interface eth3 is connected to protected network and is used to manage firewall. This is rather realistic configuration for the bridging firewall " host_OS="linux24" id="id3D94D4F8" inactive="False" lastCompiled="1188096947" lastInstalled="1142003872" lastModified="1171611400" name="firewall11" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. This is BRIDGING FIREWALL Firewall is part of any is OFF Interfaces eth0 and eth1 are parts of the bridge; Interface eth2 is external interface (doing NAT and routing on this interface) Interface eth3 is connected to protected network and is used to manage firewall. This is rather realistic configuration for the bridging firewall " host_OS="linux24" id="id3D94D4F8" inactive="False" lastCompiled="1188096947" lastInstalled="1142003872" lastModified="1208501354" name="firewall11" platform="iptables" ro="False" version="">
|
||||
<NAT id="id3D94D4F9">
|
||||
<NATRule disabled="True" id="id3E854D22" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -10271,7 +10271,7 @@
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="Testing empty groups thing " host_OS="linux24" id="id3DE68A18" lastCompiled="1188096961" lastInstalled="1142003872" lastModified="0" name="firewall13" platform="iptables" ro="False">
|
||||
<Firewall comment="Testing empty groups thing " host_OS="linux24" id="id3DE68A18" lastCompiled="1188096961" lastInstalled="1142003872" lastModified="1208501354" name="firewall13" platform="iptables" ro="False">
|
||||
<NAT id="id3DE68A19">
|
||||
<NATRule disabled="False" id="id3DE68AFA" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -10787,7 +10787,7 @@
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="testing translation from outside to the web server on DMZ, need to see what happens if clients on internal net connect to the NATted address of this server. This is a kind of "NAT back to the same subnet" with a twist. This firewall also has option "local NAT" enabled. NAT rules 0,2-7 should generate code in the OUTPUT and POSTROUTING chains. " host_OS="linux24" id="id3E189481" lastCompiled="1188096980" lastInstalled="1142003872" lastModified="0" name="firewall16" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="testing translation from outside to the web server on DMZ, need to see what happens if clients on internal net connect to the NATted address of this server. This is a kind of "NAT back to the same subnet" with a twist. This firewall also has option "local NAT" enabled. NAT rules 0,2-7 should generate code in the OUTPUT and POSTROUTING chains. " host_OS="linux24" id="id3E189481" lastCompiled="1188096980" lastInstalled="1142003872" lastModified="1208501354" name="firewall16" platform="iptables" ro="False" version="">
|
||||
<NAT id="id3E189482">
|
||||
<NATRule comment="should generate code in both PREROUTING and OUTPUT chain because option "local NAT" is enabled" disabled="False" id="id3E189483" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -12225,7 +12225,7 @@
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="testing firewall_is_part_of_any_and_networks also testing SNAT and DNAT rules when external interface has dynamic address dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning. " host_OS="linux24" id="id3EFBC648" lastCompiled="1188097016" lastInstalled="1142003872" lastModified="1142003913" name="firewall20" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="testing firewall_is_part_of_any_and_networks also testing SNAT and DNAT rules when external interface has dynamic address dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning. " host_OS="linux24" id="id3EFBC648" lastCompiled="1188097016" lastInstalled="1142003872" lastModified="1208501354" name="firewall20" platform="iptables" ro="False" version="">
|
||||
<NAT id="id3EFBC649">
|
||||
<NATRule disabled="False" id="id3EFBC64A" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -12764,7 +12764,7 @@
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="two dynamic interfaces in the same policy or NAT rule " host_OS="linux24" id="id3F29FAAD" lastCompiled="1188097023" lastInstalled="1142003872" lastModified="0" name="firewall21" platform="iptables" ro="False">
|
||||
<Firewall comment="two dynamic interfaces in the same policy or NAT rule " host_OS="linux24" id="id3F29FAAD" lastCompiled="1188097023" lastInstalled="1142003872" lastModified="1208501354" name="firewall21" platform="iptables" ro="False">
|
||||
<NAT id="id3F29FAAE">
|
||||
<NATRule disabled="False" id="id3F2A008C" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -12953,7 +12953,7 @@
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="testing NAT rules using custom services " host_OS="linux24" id="id3FADB89A" lastCompiled="1188097029" lastInstalled="1142003872" lastModified="1142003913" name="firewall22" platform="iptables" ro="False" version="1.2.9">
|
||||
<Firewall comment="testing NAT rules using custom services " host_OS="linux24" id="id3FADB89A" lastCompiled="1188097029" lastInstalled="1142003872" lastModified="1208501354" name="firewall22" platform="iptables" ro="False" version="1.2.9">
|
||||
<NAT id="id3FADB89B">
|
||||
<NATRule disabled="False" id="id3FADBAA3" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -13149,7 +13149,7 @@
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment=" This is BRIDGING FIREWALL " host_OS="linux24" id="id3FB32E8E" lastCompiled="1188097036" lastInstalled="1142003872" lastModified="1142003859" name="firewall23" platform="iptables" ro="False">
|
||||
<Firewall comment=" This is BRIDGING FIREWALL " host_OS="linux24" id="id3FB32E8E" lastCompiled="1188097036" lastInstalled="1142003872" lastModified="1208501354" name="firewall23" platform="iptables" ro="False">
|
||||
<NAT id="id3FB32E8F"/>
|
||||
<Policy id="id3FB32EAC">
|
||||
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3FB33184" log="False" position="0">
|
||||
@ -13547,7 +13547,7 @@
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="testing rules on unnumbered interface tun* " host_OS="linux24" id="id402B23A8" lastCompiled="1188097050" lastInstalled="1142003872" lastModified="0" name="firewall24" platform="iptables" ro="False">
|
||||
<Firewall comment="testing rules on unnumbered interface tun* " host_OS="linux24" id="id402B23A8" lastCompiled="1188097050" lastInstalled="1142003872" lastModified="1208501354" name="firewall24" platform="iptables" ro="False">
|
||||
<NAT id="id402B23A9"/>
|
||||
<Policy id="id402B23AA">
|
||||
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id402B2413" log="False" position="0">
|
||||
@ -14229,7 +14229,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="this firewall uses iptables-restore format. Firewall has wildcard interface ppp*; script is generated dynamically and then piped to iptables-restore " host_OS="linux24" id="id417C680B" lastCompiled="1188097057" lastInstalled="1142003872" lastModified="1142003913" name="firewall25" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="this firewall uses iptables-restore format. Firewall has wildcard interface ppp*; script is generated dynamically and then piped to iptables-restore " host_OS="linux24" id="id417C680B" lastCompiled="1188097057" lastInstalled="1142003872" lastModified="1208501354" name="firewall25" platform="iptables" ro="False" version="">
|
||||
<NAT id="id417C688D">
|
||||
<NATRule disabled="False" id="id417C688E" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -14762,7 +14762,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="this firewall uses iptables-restore format One interface has dynamic address, script uses echo to generated iptables commands and then pipes them to iptables-restore" host_OS="linux24" id="id418C4609" lastCompiled="1188097064" lastInstalled="1142003872" lastModified="1142003913" name="firewall26" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="this firewall uses iptables-restore format One interface has dynamic address, script uses echo to generated iptables commands and then pipes them to iptables-restore" host_OS="linux24" id="id418C4609" lastCompiled="1188097064" lastInstalled="1142003872" lastModified="1208501354" name="firewall26" platform="iptables" ro="False" version="">
|
||||
<NAT id="id418C468B">
|
||||
<NATRule disabled="False" id="id418C468C" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -15293,7 +15293,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="this firewall uses iptables-restore format all interfaces have static addresses, script pipes iptables commands straight to iptables-restore" host_OS="linux24" id="id4183D041" inactive="False" lastCompiled="1197477543" lastInstalled="1142003872" lastModified="1197477519" name="firewall27" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="this firewall uses iptables-restore format all interfaces have static addresses, script pipes iptables commands straight to iptables-restore" host_OS="linux24" id="id4183D041" inactive="False" lastCompiled="1197477543" lastInstalled="1142003872" lastModified="1208501354" name="firewall27" platform="iptables" ro="False" version="">
|
||||
<NAT id="id4183D0C3">
|
||||
<NATRule disabled="False" id="id4183D0C4" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -16012,7 +16012,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="two dynamic interfaces in the same policy or NAT rule. Interfaces have a dot in their names " host_OS="linux24" id="id41D2945B" lastCompiled="1188097084" lastInstalled="1142003872" lastModified="0" name="firewall29" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="two dynamic interfaces in the same policy or NAT rule. Interfaces have a dot in their names " host_OS="linux24" id="id41D2945B" lastCompiled="1188097084" lastInstalled="1142003872" lastModified="1208501354" name="firewall29" platform="iptables" ro="False" version="">
|
||||
<NAT id="id41D29482">
|
||||
<NATRule disabled="False" id="id41D29483" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -16570,7 +16570,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="testing AddressTable" host_OS="linux24" id="id43868A331434" lastCompiled="1188097112" lastInstalled="1142003872" lastModified="1205611789" name="firewall32" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="testing AddressTable" host_OS="linux24" id="id43868A331434" lastCompiled="1188097112" lastInstalled="1142003872" lastModified="1208501354" name="firewall32" platform="iptables" ro="False" version="">
|
||||
<NAT id="id43868A6D1434">
|
||||
<NATRule disabled="False" id="id43868A6E1434" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -16771,7 +16771,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="testing DNSName object" host_OS="linux24" id="id43867C1018346" lastCompiled="1188097121" lastInstalled="1142003872" lastModified="1205119254" name="firewall33" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="testing DNSName object" host_OS="linux24" id="id43867C1018346" lastCompiled="1188097121" lastInstalled="1142003872" lastModified="1208501354" name="firewall33" platform="iptables" ro="False" version="">
|
||||
<NAT id="id43867C4818346">
|
||||
<NATRule disabled="False" id="id43867C4918346" position="0">
|
||||
<OSrc neg="False">
|
||||
@ -20013,7 +20013,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
||||
<Option name="verify_interfaces">False</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment=" This is BRIDGING FIREWALL Testing module physdev " host_OS="linux24" id="id440C055614846" lastCompiled="1188097043" lastInstalled="1142003872" lastModified="1163136879" name="firewall23-1" platform="iptables" ro="False" version="1.3.0">
|
||||
<Firewall comment=" This is BRIDGING FIREWALL Testing module physdev " host_OS="linux24" id="id440C055614846" lastCompiled="1188097043" lastInstalled="1142003872" lastModified="1208501354" name="firewall23-1" platform="iptables" ro="False" version="1.3.0">
|
||||
<NAT id="id440C062B14846"/>
|
||||
<Policy id="id440C055C14846">
|
||||
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id440C055D14846" log="False" position="0">
|
||||
@ -22086,7 +22086,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
||||
<Option name="verify_interfaces">true</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="testing shadowing detection compiler runs with -xt flag firewall is assumed to be part of any" host_OS="linux24" id="id4513DEA62143" inactive="False" lastCompiled="1188097253" lastInstalled="0" lastModified="1158818614" name="test-shadowing-1" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="testing shadowing detection compiler runs with -xt flag firewall is assumed to be part of any" host_OS="linux24" id="id4513DEA62143" inactive="False" lastCompiled="1188097253" lastInstalled="0" lastModified="1208501354" name="test-shadowing-1" platform="iptables" ro="False" version="">
|
||||
<NAT id="id4513DEAA2143"/>
|
||||
<Policy id="id4513DEA92143">
|
||||
<PolicyRule action="Accept" comment="shades rule below" direction="Outbound" disabled="False" id="id4513DECC2143" log="False" position="0">
|
||||
@ -22369,7 +22369,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
|
||||
<Option name="verify_interfaces">True</Option>
|
||||
</FirewallOptions>
|
||||
</Firewall>
|
||||
<Firewall comment="testing shadowing detection compiler runs with -xt flag firewall is NOT assumed to be part of any" host_OS="linux24" id="id451488C42143" inactive="False" lastCompiled="1188097259" lastInstalled="0" lastModified="1158818614" name="test-shadowing-2" platform="iptables" ro="False" version="">
|
||||
<Firewall comment="testing shadowing detection compiler runs with -xt flag firewall is NOT assumed to be part of any" host_OS="linux24" id="id451488C42143" inactive="False" lastCompiled="1188097259" lastInstalled="0" lastModified="1208501354" name="test-shadowing-2" platform="iptables" ro="False" version="">
|
||||
<NAT id="id451489072143"/>
|
||||
<Policy id="id451488CA2143">
|
||||
<PolicyRule action="Accept" comment="shades rule below" direction="Outbound" disabled="False" id="id451488CB2143" log="False" position="0">
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user