mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-19 09:47:20 +01:00
12d93a54c0
NamedObjectManager::getNamedObjectsDefinitions(); also refactoring of the code that generates "clear" commands
388 lines
13 KiB
Plaintext
Executable File
388 lines
13 KiB
Plaintext
Executable File
!
|
|
! This is automatically generated file. DO NOT MODIFY !
|
|
!
|
|
! Firewall Builder fwb_iosacl v4.2.0.3440
|
|
!
|
|
! Generated Thu Jan 20 16:31:22 2011 PST by vadim
|
|
!
|
|
! Compiled for iosacl 12.1
|
|
!
|
|
!# files: * testios2.fw
|
|
!
|
|
|
|
! testios2:Routing:0: error: Object "test-addr-1" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall
|
|
! testios2:Routing:1: error: Can not use both gateway address and interface in IOS routing rule
|
|
! testios2:Routing:0: error: MultiPath routing not supported by platform
|
|
! testios2:Routing:1: error: MultiPath routing not supported by platform
|
|
|
|
!
|
|
! Prolog script:
|
|
!
|
|
|
|
!
|
|
! End of prolog script:
|
|
!
|
|
|
|
hostname testios2
|
|
|
|
! temporary access list for "safety net install"
|
|
no ip access-list extended tmp_acl
|
|
ip access-list extended tmp_acl
|
|
permit ip 10.10.10.0 0.0.0.255 any
|
|
deny ip any any
|
|
exit
|
|
interface ethernet1
|
|
no ip access-group in
|
|
no ip access-group out
|
|
ip access-group tmp_acl in
|
|
exit
|
|
no ip access-list extended e0_in
|
|
no ip access-list extended e0_out
|
|
no ip access-list extended e1_in
|
|
no ip access-list extended e1_out
|
|
|
|
! ================ IPv4
|
|
|
|
|
|
ip access-list extended e0_in
|
|
!
|
|
! Rule -1 backup ssh access rule (automatic)
|
|
permit tcp 10.10.10.0 0.0.0.255 host 1.1.1.1 eq 22
|
|
permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
|
|
!
|
|
! Rule 0 (ethernet0)
|
|
! anti-spoofing
|
|
deny ip 10.10.10.0 0.0.0.255 any log
|
|
deny ip 10.10.11.0 0.0.0.255 any log
|
|
deny ip 10.10.12.0 0.0.0.255 any log
|
|
!
|
|
! Rule 1 (global)
|
|
deny ip any any log fragments
|
|
!
|
|
! Rule 2 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 3 (ethernet0,ethernet1)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 5 (ethernet0)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 6 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 8 (ethernet0)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 9 (global)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 11 (ethernet0)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 12 (global)
|
|
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
!
|
|
! Rule 13 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
|
|
!
|
|
! Rule 14 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
|
|
!
|
|
! Rule 15 (global)
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
|
|
!
|
|
! Rule 16 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
|
|
!
|
|
! Rule 17 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
|
|
!
|
|
! Rule 18 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
|
|
!
|
|
! Rule 19 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended e0_out
|
|
!
|
|
! Rule -2 backup ssh access rule (out) (automatic)
|
|
permit tcp host 1.1.1.1 eq 22 10.10.10.0 0.0.0.255
|
|
permit tcp host 10.10.10.1 eq 22 10.10.10.0 0.0.0.255
|
|
!
|
|
! Rule 1 (global)
|
|
deny ip any any log fragments
|
|
!
|
|
! Rule 3 (ethernet0,ethernet1)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 5 (ethernet0)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 11 (ethernet0)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 19 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended e1_in
|
|
!
|
|
! Rule -1 backup ssh access rule (automatic)
|
|
permit tcp 10.10.10.0 0.0.0.255 host 1.1.1.1 eq 22
|
|
permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
|
|
!
|
|
! Rule 1 (global)
|
|
deny ip any any log fragments
|
|
!
|
|
! Rule 2 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 3 (ethernet0,ethernet1)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 4 (ethernet1)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 6 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 7 (ethernet1)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 9 (global)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 10 (ethernet1)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 12 (global)
|
|
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
!
|
|
! Rule 13 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
|
|
!
|
|
! Rule 14 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
|
|
!
|
|
! Rule 15 (global)
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
|
|
!
|
|
! Rule 16 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
|
|
!
|
|
! Rule 17 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
|
|
!
|
|
! Rule 18 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
|
|
!
|
|
! Rule 19 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended e1_out
|
|
!
|
|
! Rule -2 backup ssh access rule (out) (automatic)
|
|
permit tcp host 1.1.1.1 eq 22 10.10.10.0 0.0.0.255
|
|
permit tcp host 10.10.10.1 eq 22 10.10.10.0 0.0.0.255
|
|
!
|
|
! Rule 1 (global)
|
|
deny ip any any log fragments
|
|
!
|
|
! Rule 2 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 3 (ethernet0,ethernet1)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 4 (ethernet1)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 9 (global)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 10 (ethernet1)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
!
|
|
! Rule 12 (global)
|
|
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
!
|
|
! Rule 13 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
|
|
!
|
|
! Rule 14 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
|
|
!
|
|
! Rule 15 (global)
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
|
|
!
|
|
! Rule 16 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
|
|
!
|
|
! Rule 17 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
|
|
!
|
|
! Rule 18 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
|
|
!
|
|
! Rule 19 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
|
|
interface ethernet0
|
|
ip access-group e0_in in
|
|
exit
|
|
interface ethernet0
|
|
ip access-group e0_out out
|
|
exit
|
|
interface ethernet1
|
|
ip access-group e1_in in
|
|
exit
|
|
interface ethernet1
|
|
ip access-group e1_out out
|
|
exit
|
|
|
|
|
|
|
|
!
|
|
! Rule 0 (main)
|
|
!
|
|
! "Routing rule 0 (main)"
|
|
!
|
|
# testios2:Routing:0: error: Object "test-addr-1" used as gateway in the routing rule 0 (main) is not reachable because it is not in any local network of the firewall
|
|
!
|
|
! Rule 1 (main)
|
|
!
|
|
! "Routing rule 1 (main)"
|
|
!
|
|
# testios2:Routing:1: error: Can not use both gateway address and interface in IOS routing rule
|
|
|
|
!
|
|
! Epilog script:
|
|
!
|
|
|
|
! End of epilog script:
|
|
!
|