onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 01:37:17 +01:00
Code Issues Releases Wiki Activity
4,007 Commits 3 Branches 3 Tags
Commit Graph

66 Commits

Author SHA1 Message Date
Vadim Kurland
126b561e32 * PolicyCompiler_cisco.cpp (processNext): see #2308 "ASA rules 
with service set to "http" and destination set to asa firewall
object should generate different command syntax". Policy rules
that have firewall object in Destination and http object in
Service now generate "http" commands. This is similar to how
fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
corresponding services to the firewall itself.
 2011-04-08 18:08:56 -07:00
Vadim Kurland
4d6302a4cc * CompilerDriver_pix_run.cpp (pixNetworkZoneChecks): see SF bug 
3213019 "FWSM Network zone and IPv6". Currently we do not support
ipv6 with PIX/ASA and FWSM. If user creates a group to be used as
network zone object and places ipv6 address in it, this address
should be ignored while compiling the policy but this should not
be an error.
 2011-04-07 11:05:46 -07:00
Vadim Kurland
0e3bf10cb9 see #2252 compilers for iosacl and pix automatically increment/decrement port range boundaries to make tcp/udp port ranges defined in tcp/udp service objects inclusive 2011-03-21 12:56:37 -07:00
Vadim Kurland
0aa3eac4d4 * Compiler.cpp (expandGroupsInRuleElement): sorting objects in the 
rule element by name after group is expanded, this helps ensure
stable ordering of objects in generated configuration.

* Compiler.cpp (replaceClusterInterfaceInItfRE::processNext):
sorting objects in rule element after cluster interfaces have been
replaced, this helps ensure stable ordering of objects in generated
configuration.

* FWObject.h (FWObjectNameCmpPredicate): moved this class from
gui-specific module to libfwbuilder as it is universally useful.
It can compare FWObject objects by name and can optionally can
follow references; it can be used with std::sort() to sort lists
of FWObject pointers or directly sort rule elements.
 2011-03-12 19:50:24 -08:00
Vadim Kurland
fcd7c7920b re-ran tests for pix 2011-03-12 15:13:57 -08:00
Vadim Kurland
247d4efd61 commiting merge 2011-03-12 14:53:12 -08:00
Vadim Kurland
d3bf44b4d5 re-ran tests for pix 2011-03-12 14:44:47 -08:00
Vadim Kurland
1638eb4bd1 see #2207 finished fixes in all compilerts to enforce changes per #2209; regression tests for all platforms pass 2011-03-11 12:22:11 -08:00
Vadim Kurland
56f81407f1 fixes #2124 some error messages get multiplied when compiler splits rules 2011-02-20 21:32:58 -08:00
Vadim Kurland
e9e7f89cf2 see #1920 Setting host interface to unnumbered after it has been assigned IP address doesnt have desired effect 2011-02-20 18:03:21 -08:00
Vadim Kurland
37ab989922 see #1877 added test case for this 2011-02-20 17:45:46 -08:00
Vadim Kurland
4136d63957 see #2098 support for interfaces in PIX/ASA NAT rules; see #153 deprecating Rule::getInterfaceStr() 2011-02-19 19:13:01 -08:00
Vadim Kurland
04ef96c5fa see #2060 using correct syntax for commands to clear objects and object-groups on PIX 6.3 and other versions 2011-02-10 15:08:32 -08:00
Vadim Kurland
424b6d0604 re-ran tests 2011-02-03 10:07:55 -08:00
Vadim Kurland
78e177f759 see #1890 re-ran tests 2011-01-31 18:38:08 -08:00
Vadim Kurland
2c85c952bf see #1986 Cisco ASA remarks should be truncated to 100 characters or less; truncated remark lines 2011-01-25 11:25:20 -08:00
Vadim Kurland
7c1108204e see #1958 consistently use "exit" to get out of nested context in pix config 2011-01-24 16:41:34 -08:00
Vadim Kurland
5961400eb4 see #1981 ASA / FWSM Policy - Generate warning message if rule will not generate config data 2011-01-24 11:53:22 -08:00
Vadim Kurland
555e9425eb see #1968, #1972 object group deduplication finally works 2011-01-22 10:18:19 -08:00
Vadim Kurland
12d93a54c0 fixes #1963 move printing of object-group definitions to 
NamedObjectManager::getNamedObjectsDefinitions(); also refactoring of the code that generates "clear" commands
 2011-01-20 17:25:09 -08:00
Vadim Kurland
34630953cc see #1959 ASA Policy - ranges are broken into composite network instead of using range command. I now create named objects to represent address ranges and put them into object-group, whcih I can then use in access-list commands 2011-01-20 14:34:00 -08:00
Vadim Kurland
7058a72f3e see #1965 ASA Policy - PIX 6.1 configurations use object groups 2011-01-20 10:10:10 -08:00
Vadim Kurland
ea2caa4413 see #1951 simplify object-group names 2011-01-20 09:54:08 -08:00
Vadim Kurland
c34a758430 see #1959 ASA Policy - ranges are broken into composite network instead of using range command 2011-01-19 20:27:47 -08:00
Vadim Kurland
ca4c132e2b see #1954 "ASA NAT - generate warning if nat rule is split and one of the resulting nat rules have the same real interface and mapped interface". 2011-01-19 18:26:08 -08:00
Vadim Kurland
1b7a761d27 see #1916 nat rule must be "static" when subnet is present in TSrc 2011-01-17 17:54:47 -08:00
Vadim Kurland
bbb36271a6 see #1942 fixed test cases 2011-01-17 17:46:26 -08:00
Vadim Kurland
ca475b24d7 fixes #1948 incorrect configuration created when a CustomService object is used in a policy rule for PIX/ASA v<8.3 2011-01-17 14:35:55 -08:00
Vadim Kurland
8a91ae3882 fixes #1945 object-group names include ever-growing suffix 2011-01-17 13:52:00 -08:00
Vadim Kurland
b6b548f88f see #1944 ASA Policy - duplicate network object groups created for mixed service group with TCP dst and TCP src port range objects; FIXED 2011-01-17 13:20:38 -08:00
Vadim Kurland
bfce60d98d see #1943 ASA Policy - mixed service group with TCP destination port range and standard TCP object generates invalid config; protocol word "tcp" was missing after "deny". Generated configuration still does not load! 2011-01-17 13:04:02 -08:00
Vadim Kurland
f104cb6a11 see #1949 ASA NAT - split objects if OSrc contains objects that are in more than one network zone 2011-01-17 12:12:54 -08:00
Vadim Kurland
139d5ce2de * NamedObjectsAndGroupsSupport.cpp (processNext): Added support for 
CustomService objects in policy and nat rules for asa 8.3 using
named objects and object-groups.
 -- see #1942 "ASA NAT - if custom service is included in service
group incorrect config generated"
 -- see #1929 "move map named_objects inside class NamedObjectManager"
 -- see #1946 "restrict generation of the named objects by
PolicyCompiler_pix to ASA 8"
 -- see #1885 "named network and service objects in pix8"
 2011-01-16 23:02:49 -08:00
Vadim Kurland
e2c2725e6b see #1941 ASA NAT - compiler complains about range in original destination 2011-01-16 20:19:43 -08:00
Vadim Kurland
77690478f4 see #1940 ASA NAT - fwbuilder host objects interface ip is reserved keyword 2011-01-16 16:42:29 -08:00
Vadim Kurland
3e603c1375 see #1938 "icmp" commands were not properly generated for ASA 8.x policy rules 2011-01-16 16:09:29 -08:00
Vadim Kurland
f74713b2fa see #1927 added check to prohibit nat rule that translates destination but has ODst "any" 2011-01-16 15:12:17 -08:00
Vadim Kurland
86584b6aac fixes #1932 Add description field to generated NAT rules for ASA 2011-01-14 18:50:46 -08:00
Vadim Kurland
25b7da796e fixes #1934 and SF bug 3156376 "Can 
not find interface with network zone that includes address range"
 2011-01-14 18:41:50 -08:00
Vadim Kurland
99d0aba102 refs #1928 Support for object-group in OSrc 2011-01-13 19:05:58 -08:00
Vadim Kurland
0f99325869 test case, refs #1928 2011-01-13 18:03:54 -08:00
Vadim Kurland
64772160ac fixes #1917 Duplicate objects are not detected 2011-01-13 13:29:58 -08:00
Vadim Kurland
63257170e8 refs #1885 using named objects and object groups when multiple objects are found in TSrc; this fixes issue with address ranges 2011-01-13 12:49:25 -08:00
Vadim Kurland
59a90aabb1 fixes #1921 add rule processor to check correctness of TSrc after object-groups have been created 2011-01-13 10:34:36 -08:00
Vadim Kurland
f684d791c6 refs #1919 Fixed: do not put interface objects inside object-group for TSrc 2011-01-13 10:11:30 -08:00
Vadim Kurland
353ba61b7d refs #1907 ASA NAT - fwbuilder doesnt support multiple translated sources in a single NAT rule 2011-01-12 17:46:11 -08:00
Vadim Kurland
c9d0505af1 fixes #1912 Compiler error for ASA 8+ firewalls that have multiple networks in Policy rule and no network matches network zone 2011-01-12 16:03:06 -08:00
Vadim Kurland
77ae2185f2 refs #1908 "ASA NAT - cannot configure static NAT translations with (inside,outside)". Added radio buttons 2011-01-12 15:03:57 -08:00
Vadim Kurland
c6abdb0fc6 refs #1908 : added nat rule option to force the rule to be "static"; new build number 2011-01-11 18:32:54 -08:00
Vadim Kurland
d4f9c04aeb refs #1902 Add NAT rule option "translate dns" for PIX 2011-01-11 10:55:53 -08:00