MAC-matching rules not generated properly". Iptables NAT rules
matching a group of host objects with both IP and MAC addresses each
in "Original Source" were not generated properly.
3178186 "Add ND/NS allow rules for the FORWARD chain". Rules that are
added automatically to ipv6 Linux firewall to permit neighbor discovery
packets should be also added to the FORWARD chain if the firewall is
a bridge.
see #2323
interfaces with the name vlan<xx> dont show as Bridge Port
Interfaces". This actually applies to all OS where we support vlan
and bridge interfaces. Fwbuilder GUI should allow the user to set
subinterface type to both "ethernet" and "vlan" when its parent
interface has type "bridge". Setting subinterface type to
"ethernet" makes it bridge port, while setting the type to "vlan"
signals policy compiler that it should generate code to configure
real vlan interface. If the name of the subinterface does not
include the name of the parent, such as "vlan101", or when the
name does not match vlan ID, such as "vlan8101", global
preferences option "Verify interface names and autoconfigure their
parameters..." should turned off. The option is located in the
Preferences dialog, tab "Objects".
router firewalls". Added support for basic IOS router clusters.
No failover protocol support at this time, but the cluster can be
configured with protocol "None" and fwbuilder will do address
substitutions at compile time.
with service set to "http" and destination set to asa firewall
object should generate different command syntax". Policy rules
that have firewall object in Destination and http object in
Service now generate "http" commands. This is similar to how
fwbuilder generates "ssh", "telnet" and "icmp" commands to permit
corresponding services to the firewall itself.
files upon closing editor panel". If user opened two data files in
the GUI and was in the process of editing objects in one of them,
the GUI would flip to the other file under certin circumstances.
see #2265 "ASA 8.3 acl import: access-list commands using two
named objects or object-groups", see #2290 "Access lists that
include mix of service objects and inline service definitions are
not properly imported". To import access-list command that matches
both source and destination tcp/udp ports and uses object-group in
either match I should create a new service group with a collection
of TCP or UDP service objects matching all combinations of source
and destination port ranges defined by the rule. This should work
when one or both matches use object-group in combination with
inline port match.
importer enounters access-list command that matches tcp or udp
ports with "neq" port operators in both source and
destination. This configuration is not supported by import at this
time.
3213019 "FWSM Network zone and IPv6". Currently we do not support
ipv6 with PIX/ASA and FWSM. If user creates a group to be used as
network zone object and places ipv6 address in it, this address
should be ignored while compiling the policy but this should not
be an error.
access-list destination address and original service not set".
"Nat" and "static" commands that use access-list should import all
components of the access-list command (source, destination and
service/protocol).
nat rule has wrong interface defined". Importer mixed up inbound
and outbound interfaces in NAT commands created from combination
of "global" and "nat" PIX/ASA commands.
ends up with rules being created with duplicate rule
numbers". Also see #2172 "Crash when deleting rule - related to
#2171". When user deleted the last rule in a rule set, then used
Undo to restore it, the program lost track of rules in the rule
set and became unstable.
same service object-group that matches some tcp or udp ports can
be used to match both source and destination ports in an
access-list command. Importer should recognize when such group
is used to match source ports and create mirrored group with
potentially mirrored service objects. This should work when group
includes other groups.
test cases in asa8.3-acl.test
and udp port names are recognized on import; also since PIX/ASA
converts udp port numbersin "show run" output to the same names
as if they were tcp, using the same name mapping table.
ASA access-lists that are not applied in an access-group". Policy
rule set will be created and populated with rules found in the
corresponding access-list even if this access-list is not applied
to an interface with access-group command.
the parser for PIX/ASA configs to make it recognize object-group
and named object names used to define source port, destination
address or destination port in "access-list ... tcp|udp" rules,
including ambiguous situation when an object-group appears after
source address specification because this group can define either
source port or destination address.
support for import of object-group and service-object statements
of type "tcp-udp" (these get imported as service group object with
two tcp and udp service objects).
