onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-18 09:18:23 +01:00
Code Issues Releases Wiki Activity
fwbuilder/doc/README.iosacl
Vadim Kurland fcfedad398 Initial import into v3 branch
2007-12-25 22:25:59 +00:00

76 lines
3.5 KiB
Plaintext
Raw Blame History

Policy compiler for Cisco IOS Access lists has been implemented as
part of the Firewall Builder GUI as of version 2.1.12. The first
functional build were importer worked on all supported OS was build
270 (May 22, 2007)
Support for Cisco IOS access lists in Firewall Builder v2.1.12, build 270:
----------------------------------------------------------------
Features implemented in this version:
- The compiler generates extended ACLs using "ip access-list
extended" command. ACL names are automatically generated using
abbreviated interface names and direction symbols to make it easy
to figure out which ACL is which. Compiler uses rather minimal set
of options of the "ip access-list" command and should generate code
that will work for IOS 12.x. I did not test with 11.x but I am
pretty sure it will work, at least with the latest versions of
11.x.
- Compiler can also add commands to configure logging.
- The GUI includes built-in installer for routers which works just
like installer for PIX. Both installers were updated however to
improve support for the automatic roll-back feature in case you
lose connect with the firewall or the router because of an error in
the policy. Now you can make installer schedule reboot in a few
minutes, then upload new policy or ACLs and then cancel reboot if
upload was successful. While before auto-rollback option was only
available if you installed in the test mode, now you can always use
it. Test mode means that installer does not save configuration in
the permanent memory, as before.
- All three installation methods that were available for PIX are now
available for routers: you can make it clear all access lists and
then load new ones or just update access lists without
clearing. The last method (the "safety net" method) creates
temporary acl to permit communication with the management station,
assigns it to the interface marked as management interface, then
clears all access lists and loads new ones and in the end swaps
proper list on the management interface. This helps prevent
locking yourself out of the router in the middle of the
installation process in case of an error in the ACL and at the same
time does not leave the router with no acls for the time it takes
to install new policy. In combination with automatic roll-back,
installation process is pretty reliable.
- New option has been added to the interface object, called
"unprotected". This allows you to mark some interfaces to be
skipped by the compiler when it picks interfaces for ACL
rules. This should be useful when you have routers with many
interfaces and only want to add ACLs to some of them. Also, you can
explicitly put interface objects into policy rules and specify
direction if you want to do this manually.
- Since router ACLs have no state, all rules should be created in the
policy pretty much like you do it on the router, including rules
that permit reply packets. New option has been added to the TCP
Service object, called "established". This makes compiler use
option "established" in rules it generates if it is supported by
the firewall platform. Compilers for iptables, ipfilter, pf and PIX
can not use objects with this option and treat it as an error
because corresponding platforms do not support it. IPFW, on the
other hand, supports it so compiler fwb_ipfw can use it.
Shortcomings of this version:
- "tos", "precedence" and "time-range" options are not supported
- "igmp" access lists can no be generated
Reference in New Issue View Git Blame Copy Permalink