CustomService objects in policy and nat rules for asa 8.3 using
named objects and object-groups.
-- see #1942 "ASA NAT - if custom service is included in service
group incorrect config generated"
-- see #1929 "move map named_objects inside class NamedObjectManager"
-- see #1946 "restrict generation of the named objects by
PolicyCompiler_pix to ASA 8"
-- see #1885 "named network and service objects in pix8"
service objects in pix8". So far, these objects are only used
for nat configuration.
* NATCompiler_asa8_writers.cpp (processNext): fixes#1903 "correct
order of clear commands for ASA 8.3"
* NATCompiler_asa8_writers.cpp (printSDNAT): refs #1886 "new nat
configuration in pix 8.3". Initial support for new style nat
configuation.
"policy-map type inspect ip-options" command in PIX v8.2 and later.
At this time, of all possible types of "policy-map type inspect"
command only "ip-options" is implemented.
"policy-map type inspect ip-options" command in PIX v8.2 and later.
At this time, of all possible types of "policy-map type inspect"
command only "ip-options" is implemented.
and possibly other embedded Linux systems". Generated script does not
use modprobe utility when host OS is set to "DD-WRT" or "OpenWRT" and
should not try to find this utility on the system. This is also
related to the SourceForge bug 3032293
cluster". Since the order in which I copy rule sets is
undefined and because they may have references to each other via
branching rules, I need to fix references after I create all
of them.
create redirect rule in cluster firewall object". Iptables nat
rule with target REDIRECT could not be built in a cluster
configuration. It should be possible to do this by putting cluster
object in Translated Destination.
addresses of vlan interfaces". This function used to take into
account only interfaces that were direct children objects of the
firewall. Since vlan interfaces are children of the corresponding
physical interface, they were not included.
"generated script gets .fw suffix even when user set output file
name". Suffix .fw should not be appended to the name entered by
the user in the "output file name" input field in the firewall
settings dialog.
"installer hangs and fails after activation of ipfw policy". As
soon as .fw script swapped ipfw sets usig command "ipfw sawp" and
deleted temporary set 1, ssh session would hang and eventually
break. We optionally add ipfw rules to permit ssh session used to
manage the firewall, as well as a rule to permit reply packets but
the latter rule was not built correctly. It should match source
and destination reversed, as well as match keyword "established"
and recreate state with "keep-state". This rule automatically
recreates state for the established ssh session over which
firewall policy is being managed. Also added a comment to the
firewall settings dialog for ipfw to remind the user that address
or subnet they use with this automatic rule should be as narrow as
possible.
wants to use putty session, show session name instead of the ip
address in the "Address that will be used to communicate with the
firewall" input field in the installer options dialog.
matching algorithm that determins which interface a rule should be
associated with for Cisco IOS ACLs. Previously compiler did not
compare subnets properly and because of that it interpreted some
configurations incorrectly. For example in the case with a network
object 10.0.0.0/8 in "source" and an interface with address
10.0.0.1/24 (network should not be considered matching) compiler
considered this interface matching and assigned the rule to the
interface only with direction "inbound".
pscp.exe supports putty session in place of the target name but
not if argument "-load session_name" is also present. Plink.exe
does the same. We can not use fwb_session_with_keepalive if user
wants to use putty session.
behavior is for the compiler to create files in the directory
specified by the argument of the "-d" command line flag. If
flag "-d" is not provided, files should be created in the current
directory.
fixed SF bug 3094273 "no state needed for ipv6-icmp in
ip6tables". Rules that match ICMPv6 objects should be
stateless. Compiler will check for this and reset "stateful" flag
of a rule and issue warning if the rule was built stateful in the
GUI.
problem" (type 4, any code) per SF feature request 3094743. Also
added service group object "ipv6 unreachable messages" that
includes ICMPv6 messages "destination unreachable", "packet too
big", "parameter problem" and "time exceeded" per SF feature
request 3094758
