tentative fix for SF bug 3169045 "Batch installer lists IPv4
address as management address". Built-in installer wanted to use
management interface address in batch mode even when alternative
address or putty session name was provided. This happens only in
batch mode install.
compiling single rule with IPv6 destination and IPv4 gateway or
interface". Routing compiler for iptables does not support ipv6 at
this time and will issue a warning when user tries to place ipv6
address or network in a routing rule. The warning does not appear
when ipv6 address is a member of a group used in the rule. Also
see #1575.
move up the "access-list mode auto-commit" command". Command that
configures access list commit mode should be issued before any
commands that clear and configure access lists. Also in this
change moving commands that set up temporary access list to the
top of the script.
object created on import". Iptables rules in the table mangle
will be imported in the dedicated Policy rule set with name
"Mangle". Rules that use chains FORWARD and POSTROUTING in table
mangle can not be reproduced and will be marked as "bad" (color
red and corresponding comment).
rule action for Continue". Rules with action "Continue" should
translate into iptables commands without "-j TARGET" parameter. If
such rule also has logging enabled, it should use target "-j LOG"
instead of generating additional chain.
MAC-matching rules not generated properly". Iptables NAT rules
matching a group of host objects with both IP and MAC addresses each
in "Original Source" were not generated properly.
3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are
added automatically to ipv6 Linux firewall to permit neighbor discovery
packets should be also added to the FORWARD chain if the firewall is
a bridge.
see #2323
interfaces with the name vlan<xx> dont show as Bridge Port
Interfaces". This actually applies to all OS where we support vlan
and bridge interfaces. Fwbuilder GUI should allow the user to set
subinterface type to both "ethernet" and "vlan" when its parent
interface has type "bridge". Setting subinterface type to
"ethernet" makes it bridge port, while setting the type to "vlan"
signals policy compiler that it should generate code to configure
real vlan interface. If the name of the subinterface does not
include the name of the parent, such as "vlan101", or when the
name does not match vlan ID, such as "vlan8101", global
preferences option "Verify interface names and autoconfigure their
parameters..." should turned off. The option is located in the
Preferences dialog, tab "Objects".
router firewalls". Added support for basic IOS router clusters.
No failover protocol support at this time, but the cluster can be
configured with protocol "None" and fwbuilder will do address
substitutions at compile time.
with service set to "http" and destination set to asa firewall
object should generate different command syntax". Policy rules
that have firewall object in Destination and http object in
Service now generate "http" commands. This is similar to how
fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
corresponding services to the firewall itself.
files upon closing editor panel". If user opened two data files in
the GUI and was in the process of editing objects in one of them,
the GUI would flip to the other file under certin circumstances.
see #2265 "ASA 8.3 acl import: access-list commands using two
named objects or object-groups", see #2290 "Access lists that
include mix of service objects and inline service definitions are
not properly imported". To import access-list command that matches
both source and destination tcp/udp ports and uses object-group in
either match I should create a new service group with a collection
of TCP or UDP service objects matching all combinations of source
and destination port ranges defined by the rule. This should work
when one or both matches use object-group in combination with
inline port match.
importer enounters access-list command that matches tcp or udp
ports with "neq" port operators in both source and
destination. This configuration is not supported by import at this
time.
3213019 "FWSM Network zone and IPv6". Currently we do not support
ipv6 with PIX/ASA and FWSM. If user creates a group to be used as
network zone object and places ipv6 address in it, this address
should be ignored while compiling the policy but this should not
be an error.
access-list destination address and original service not set".
"Nat" and "static" commands that use access-list should import all
components of the access-list command (source, destination and
service/protocol).
nat rule has wrong interface defined". Importer mixed up inbound
and outbound interfaces in NAT commands created from combination
of "global" and "nat" PIX/ASA commands.
ends up with rules being created with duplicate rule
numbers". Also see #2172 "Crash when deleting rule - related to
#2171". When user deleted the last rule in a rule set, then used
Undo to restore it, the program lost track of rules in the rule
set and became unstable.
same service object-group that matches some tcp or udp ports can
be used to match both source and destination ports in an
access-list command. Importer should recognize when such group
is used to match source ports and create mirrored group with
potentially mirrored service objects. This should work when group
includes other groups.
test cases in asa8.3-acl.test
