mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-19 17:57:22 +01:00
315 lines
17 KiB
Plaintext
315 lines
17 KiB
Plaintext
Firewall Builder for PIX
|
|
|
|
Version 3.0.0
|
|
|
|
Summary of Features
|
|
|
|
Usage:
|
|
|
|
Like all Firewall Builder policy compilers, policy compiler for PIX has
|
|
the following command line options:
|
|
|
|
fwb_pix [-vV] [-d wdir] -f data_file.xml object_name
|
|
|
|
+------------------------------------------------------------------------+
|
|
| -f FILE | Specify the name of the data file to be processed. |
|
|
|---------+--------------------------------------------------------------|
|
|
| -d wdir | Specify working directory. Compiler creates file with PIX |
|
|
| | configuration in this directory. If this parameter is |
|
|
| | missing, then PIX configuration will be placed in the |
|
|
| | current working directory. |
|
|
|---------+--------------------------------------------------------------|
|
|
| -v | Be verbose: compiler prints diagnostic messages while it |
|
|
| | works. |
|
|
|---------+--------------------------------------------------------------|
|
|
| -V | Print version number and quit. |
|
|
+------------------------------------------------------------------------+
|
|
|
|
Compiler reads objects definitions and firewall description from the data
|
|
file specified with '-f' option and generates resultant Cisco PIX
|
|
configuration file. The configuration is written to the file with the name
|
|
the same as the name of the firewall object, plus extension '.fw'.
|
|
|
|
Normally you won't have to call policy compiler on the command line
|
|
because Firewall Builder GUI does it automatically when you use main menu
|
|
item 'Rules/Compile'. The GUI calls compiler with options -f and -d (if
|
|
working directory is specificed in the GUI Options dialog). Option '-v'
|
|
can be added in the 'Compile/Install' tab of the firewall object dialog.
|
|
|
|
Network Zones
|
|
|
|
In order to be able to assign generated access lists to interfaces of the
|
|
firewall, policy compiler needs information about network topology. This
|
|
information is relayed to it through the special parameter on firewall's
|
|
interface called Network Zone. Network Zone is a network object or a group
|
|
of objects that reflect all networks that are located 'behind' given
|
|
interface. In other words, it is assumed that only packets with source
|
|
addresses belonging to the Network Zone can enter this interface. See
|
|
Users Guide for more detailed explanation of this concept.
|
|
|
|
Policy:
|
|
|
|
When rule includes services 'telnet' or 'ssh' and destination is firewall
|
|
itself or one of its interfaces, compiler generates commands 'telnet' or
|
|
'ssh'.
|
|
|
|
When rule includes any ICMP service and destination is firewall or one of
|
|
its interfaces, compiler generates command 'icmp'
|
|
|
|
In all other cases compiler generates 'access-list' and attaches it to one
|
|
or several interfaces.
|
|
|
|
Compiler can emulate outbound ACL. We do not use commands 'outbound/apply'
|
|
since they are deprecated and Cisco recommends using access lists.
|
|
|
|
Compiler supports address range objects; it expands them to the set of
|
|
individual addresses.
|
|
|
|
Since PIX does not support checking for IP options, rules that use IP
|
|
Service objects with any options will cause compiler to stop processing of
|
|
the policy and print error message. The same goes for checking TCP options
|
|
and flags. There is one exception though: for IP object with options 'all
|
|
fragments' or "'short' fragments" compiler generates command 'sysopt
|
|
security fragguard'
|
|
|
|
Where possible, compiler creates and uses object-groups. In this version
|
|
different object-groups may contain the same objects, this will be fixed
|
|
in the future releases.
|
|
|
|
Policy compiler can perform check for shadowing rules, this is controlled
|
|
by an option in the GUI.
|
|
|
|
NAT
|
|
|
|
Compiler supports global pools; for rules that use network or address
|
|
range objects in Translated Source, compiler creates global pools with
|
|
appropriate addresses.
|
|
|
|
Dynamic translation rules where Translated Source is a firewall or one of
|
|
its interfaces generate global pool with option 'interface'
|
|
|
|
Dynamic translation rules that create translation going from lower
|
|
security level interface to the one with higher security level generate
|
|
command 'nat ... outside'
|
|
|
|
Compiler generates 'nat 0 ' commands for rules that require no translation
|
|
|
|
NAT compiler can perform the following checks for rule consistency and
|
|
correctness:
|
|
|
|
* check for duplicate 'nat' rules
|
|
* check for overlapping global pools
|
|
* check for overlapping 'static' rules
|
|
* check for 'static' rules overlapping with global pools
|
|
|
|
'timeout' commands
|
|
|
|
User can configure 'timeout' commands using 'Advanced' dialog in the
|
|
Firewall tab of the firewall object dialog. Firewall Builder has
|
|
information about default values of all parameters for 'timeout' commands
|
|
for PIX v6.1 and 6.2. All configured timeout commands can be reset to
|
|
their default values with a button 'Set all to defaults'.
|
|
|
|
'fixup' commands
|
|
|
|
User can configure 'fixup' commands using 'Advanced' dialog in the
|
|
Firewall tab of the firewall object dialog. Firewall Builder has
|
|
information about default values for all parameters for 'fixup' commands
|
|
for PIX v 6.1 and 6.2. All configured fixup commands can be reset to their
|
|
default values with a button 'Set all to defaults'.
|
|
|
|
'logging' commands
|
|
|
|
Policy compiler can generate 'logging' commands for syslog, internal
|
|
buffer and console logging. For syslog user can specify server name or
|
|
address, syslog message queue size, facility and level. For internal
|
|
buffer and console logging the level can be specified. User can also
|
|
enable logging timestamps for syslog logging. All logging parameters are
|
|
located in the 'Advanced' dialog in the Firewall tab of the firewall
|
|
object dialog.
|
|
|
|
'ntp' commands
|
|
|
|
Policy compiler can generate commands to configure NTP protocol. Up to
|
|
three NTP servers can be spcified, one of which can be marked as
|
|
preferred.
|
|
|
|
'snmp' commands
|
|
|
|
Policy compiler can generate commands to configure SNMP agent. SNMP
|
|
communities can be specified in the GUI. SNMP 'sysinfo' data, such as
|
|
location and contact can also be defined in the GUI. Two SNMP servers can
|
|
be configured, each of them can be configured for polling, traps or both.
|
|
Compiler can also generate command 'snmp-server enable traps' to send log
|
|
messages as SNMP trap notifications.
|
|
|
|
'sysopt' and 'floodguard' commands
|
|
|
|
Policy compiler can use the following 'sysopt' commands which are
|
|
controlled by the GUI elements in the 'Advanced' dialog in the Firewall
|
|
tab of the firewall object dialog:
|
|
|
|
* sysopt connection tcpmss
|
|
* sysopt connection timewait
|
|
* sysopt security fragguard
|
|
* sysopt nodnsalias inbound
|
|
* sysopt nodnsalias outbound
|
|
* sysopt route dnat
|
|
|
|
Compiler can also generate command 'floodguard enable/disable'.
|
|
|
|
Options found in the "Firewall" tab of the firewall dialog and their meaning:
|
|
|
|
+------------------------------------------------------------------------+
|
|
| Version: | PIX OS version, choices are 6.1 and 6.2 |
|
|
|----------------+-------------------------------------------------------|
|
|
| Prolog Script: | this is a list of any PIX configuration commands that |
|
|
| | will be included on top of generated configuration |
|
|
| | file. No syntax or other checks are done on commands |
|
|
| | in this list. |
|
|
|----------------+-------------------------------------------------------|
|
|
| Epilog Script: | this is a list of any PIX configuration commands that |
|
|
| | will be appended at the end of generated |
|
|
| | configuration file. No syntax or other checks are |
|
|
| | done on commands in this list. |
|
|
+------------------------------------------------------------------------+
|
|
|
|
Policy Compiler Options:
|
|
|
|
+------------------------------------------------------------------------+
|
|
| Assume firewall | For all rules where source or destination is 'any', |
|
|
| is part of Any | compiler generates PIX commands as if there was one |
|
|
| | more rule with firewall objects in the same rule |
|
|
| | element. In the case of PIX there is a difference |
|
|
| | only if service in the rule uses objects |
|
|
| | representing ssh, telnet and any icmp protocols, in |
|
|
| | which case it generates commands "ssh", "telnet" or |
|
|
| | "icmp" in addition to the regular access list |
|
|
| | command. |
|
|
|------------------+-----------------------------------------------------|
|
|
| Replace NAT'ed | PIX inspects packet with access lists before it |
|
|
| objects with | performs address translation. Many other firewall |
|
|
| their | platforms do it the other way around. This option |
|
|
| translations in | turns on emulation of the firewall that does NAT |
|
|
| policy rules | first. |
|
|
|------------------+-----------------------------------------------------|
|
|
| Emulate outbound | Normally PIX does not support outbound access |
|
|
| ACLs | lists.This option turns on amulation of outbound |
|
|
| | ACLs. |
|
|
|------------------+-----------------------------------------------------|
|
|
| Generate 'clear' | If this option is ON, compiler generates 'clear' |
|
|
| commands | commands to reset any pre-existing access lists, |
|
|
| | object-group, nat, global, static, telnet, ssh and |
|
|
| | other commands. |
|
|
|------------------+-----------------------------------------------------|
|
|
| Optimize | simplifies nat rules if object in Original Source |
|
|
| 'default nat' | is the same as the Network zone of one of the |
|
|
| rules | interfaces. Network zone of the interfaces defines |
|
|
| | all networks that are located "behind" this |
|
|
| | interface. This means that packets entering the |
|
|
| | interface may have source address only belonging to |
|
|
| | the Network zone of this interface. Since policy |
|
|
| | compiler can correctly assign nat rule to the |
|
|
| | interface using information about its Network Zone, |
|
|
| | explicit specification of the source address can be |
|
|
| | omitted. |
|
|
|------------------+-----------------------------------------------------|
|
|
| Ignore empty | Policy compiler can find and eliminate empty groups |
|
|
| groups in rules | if they are used in the policy rules. If this |
|
|
| | option is OFF, compiler treats empty groups as an |
|
|
| | error and aborts compilation. If it is ON, then it |
|
|
| | removes empty groups from rule elements. If rule |
|
|
| | element becomes empty (that is, becomes 'any') |
|
|
| | after the last empty group has been removed, then |
|
|
| | the whole rule is ignored. This may be useful if |
|
|
| | you need to control access to or from flexible |
|
|
| | group of hosts and do not want to make changes to |
|
|
| | the firewall policy rules. In this case you can |
|
|
| | create a group of hosts or networks and use it in |
|
|
| | the rule. Any changes to the set of hosts that need |
|
|
| | control can now be made in the group, with the rule |
|
|
| | staying intact. If for some reason the group |
|
|
| | becomes empty because all hosts have been removed, |
|
|
| | compiler will ignore the rule instead of treating |
|
|
| | empty group as 'any'. |
|
|
+------------------------------------------------------------------------+
|
|
|
|
Script formatting:
|
|
|
|
+------------------------------------------------------------------------+
|
|
| Comment the code | If this option is activated, compiler adds comments |
|
|
| | to the configuration file |
|
|
|------------------+-----------------------------------------------------|
|
|
| Group similar | If this option is activated, compiler groups |
|
|
| commands | similar commands next to each other, just like PIX |
|
|
| together | device does it in the output of "show config" |
|
|
| | command. Otherwise commands are grouped logically: |
|
|
| | first go all object-group commands, then all |
|
|
| | access-lists, then all nat, global and static |
|
|
| | commands. Commands access-list, nat, global and |
|
|
| | static are grouped by the rules they were generated |
|
|
| | for, as they appear in the GUI. If one rule |
|
|
| | requires several access-list commands assigned to |
|
|
| | different interfaces, these commands are grouped |
|
|
| | together. Command "show conf" groups access-list |
|
|
| | commands by their interface. |
|
|
+------------------------------------------------------------------------+
|
|
|
|
Verification of Policy Rules:
|
|
|
|
+------------------------------------------------------------------------+
|
|
| Detect rule | Shadowing happens because a rule is a superset of a |
|
|
| shadowing in the | subsequent rule and any packets potentially matched |
|
|
| policy | by a subsequent rule have already been matched by a |
|
|
| | prior rule. If this option is activated, compiler |
|
|
| | detects this situation and abort compilation with |
|
|
| | an error message. |
|
|
+------------------------------------------------------------------------+
|
|
|
|
Verification of NAT rules:
|
|
|
|
+------------------------------------------------------------------------+
|
|
| Check for | If this option is activated, compiler checks |
|
|
| duplicate nat | generated configuration for duplicate 'nat' |
|
|
| rules | commands |
|
|
|------------------+-----------------------------------------------------|
|
|
| Check for | If this option is activated, compiler checks |
|
|
| overlapping | generated configuration for overlapping 'global' |
|
|
| global pools | address pools |
|
|
|------------------+-----------------------------------------------------|
|
|
| Check for | If this option is activated, compiler checks |
|
|
| overlapping | generated configuration for 'static' commands that |
|
|
| statics | use overlapping address ranges. |
|
|
|------------------+-----------------------------------------------------|
|
|
| Check for | If this option is activated, compiler checks |
|
|
| overlapping | generated configuration for 'global' and 'static |
|
|
| global pools and | commands using overlapping address ranges. |
|
|
| statics | |
|
|
+------------------------------------------------------------------------+
|
|
|
|
Caveats:
|
|
|
|
PIX does not support filtering by MAC address. Although GUI provides entry
|
|
field for the MAC address, it is ignored by PIX policy compiler.
|
|
|
|
static translation (DNAT) rules create in fact bidirectional translation
|
|
(not only translation from outside to inside, but also in the opposite
|
|
direction using the same addresses). This is caused by the behavior of PIX
|
|
command 'static' and can't be easily fixed.
|
|
|
|
GUI option Logging is ignored because PIX can not turn logging on and off,
|
|
it always logs blocked packets.
|
|
|
|
There are no rule options available as of yet.
|
|
|
|
Unlike in Linux/iptables and other firewall platforms, PIX inspects packet
|
|
before it does NAT. Therefore policy rules that control access to NAT'ted
|
|
hosts should use objects, representing translated addresses instead of
|
|
objects representing real hosts. Firewall Builder provides an emulation
|
|
for the mode where NAT happens before the policy (ACL) inspection. Use
|
|
checkbox "Replace NAT'ed objects with their translations in policy rules"
|
|
to turn on this emulation. You can use objects representing real servers
|
|
in the policy rules if this option is on.
|
|
|
|
Version 3.0 does not support IPSEC configuration.
|