onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 17:57:22 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/pix/firewall50.fw.orig
Vadim Kurland 59f40e5d71 * PolicyCompiler_pix.cpp (printPreambleCommands): see #2347 "FWSM 
move up the "access-list mode auto-commit" command". Command that
configures access list commit mode should be issued before any
commands that clear and configure access lists. Also in this
change moving commands that set up temporary access list to the
top of the script.
2011-04-14 12:11:15 -07:00

479 lines
15 KiB
Plaintext
Executable File
Raw Blame History

!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_pix v4.2.0.3526
!
! Generated Thu Apr 14 12:07:19 2011 PDT by vadim
!
! Compiled for pix 7.0
! Outbound ACLs: supported
! Emulate outbound ACLs: yes
! Generating outbound ACLs: no
! Assume firewall is part of any: yes
!
!# files: * firewall50.fw
!
! this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule. PIX 7.0
! C firewall50:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings
! C firewall50:Policy:9: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings
! C firewall50:Policy:15: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule
! C firewall50:Policy:29: error: PIX does not support checking for IP options in ACLs.
!
! Prolog script:
!
!
! End of prolog script:
!
hostname firewall50
interface ethernet1
nameif outside
security-level 0
exit
interface ethernet0
nameif inside
security-level 100
exit
interface ethernet2
nameif dmz
security-level 50
exit
logging host inside 192.168.1.30
logging queue 512
logging facility 16
logging trap 0
no logging buffered
no logging console
no logging timestamp
logging on
timeout xlate 3:0:0
timeout conn 1:0:0
timeout udp 0:2:0
timeout sunrpc 0:10:0
timeout h323 0:5:0
timeout sip 0:30:0
timeout sip_media 0:0:0
timeout half-closed 0:0:0
timeout uauth 2:0:0 absolute
telnet timeout 5
clear config ssh
aaa authentication ssh console LOCAL
ssh timeout 5
clear config snmp-server
snmp-server community public
snmp-server enable traps
snmp-server host inside 192.168.1.20 poll
snmp-server host inside 192.168.1.22 trap
clear config ntp
ntp server 192.168.1.20 source inside prefer
no service resetinbound
no service resetoutside
sysopt connection tcpmss 1380
sysopt connection timewait
sysopt nodnsalias inbound
sysopt nodnsalias outbound
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
service-policy global_policy global
!################
clear config access-list tmp_acl
access-list tmp_acl permit ip 192.168.1.0 255.255.255.0 any
access-list tmp_acl deny ip any any
access-group tmp_acl in interface outside
access-group tmp_acl in interface inside
clear xlate
clear config static
clear config global
clear config nat
clear config access-list dmz_acl_in
clear config access-list inside_acl_in
clear config access-list outside_acl_in
clear config icmp
clear config telnet
clear config object-group
clear config object
object-group network id45142FA628543.dst.net.0
network-object host 211.11.11.11
network-object host 211.22.22.22
exit
object-group service id45142FA628543.srv.tcp.0 tcp
port-object eq 113
port-object eq 80
port-object eq 443
port-object eq 143
port-object eq 25
port-object eq 22
port-object eq 540
exit
object-group icmp-type id45142FCB28543.srv.icmp.0
icmp-object 3
icmp-object 0
icmp-object 11
exit
object-group service id45142FD728543.srv.tcp.0 tcp
port-object eq 70
port-object eq 6667
port-object eq 3128
port-object eq 23
exit
object-group service id45142FD728543.srv.udp.0 udp
port-object eq 53
port-object eq 161
exit
object-group network id45142FFC28543.dst.net.0
network-object host 192.168.1.10
network-object host 192.168.1.20
exit
object-group network id4514300A28543.dst.net.0
network-object 192.168.1.250 255.255.255.254
network-object 192.168.1.252 255.255.255.252
exit
object-group network id4514301628543.dst.net.0
network-object 192.168.1.250 255.255.255.254
network-object 192.168.1.252 255.255.255.252
exit
object-group network id4514302F28543.dst.net.0
network-object host 192.168.1.11
network-object host 192.168.1.12
network-object host 192.168.1.13
network-object host 192.168.1.14
network-object host 192.168.1.15
exit
object-group service id4514302F28543.srv.tcp.0 tcp
port-object eq 113
port-object eq 80
port-object eq 443
port-object eq 143
port-object eq 25
port-object eq 3128
port-object eq 22
port-object eq 540
exit
object-group network id4514303C28543.dst.net.0
network-object 192.168.1.11 255.255.255.255
network-object 192.168.1.12 255.255.255.252
exit
object-group service id4514304928543.srv.tcp.0 tcp
port-object eq 113
port-object eq 13
port-object eq 53
port-object eq 2105
port-object eq 21
port-object eq 70
port-object eq 80
port-object eq 443
port-object eq 143
port-object eq 993
port-object eq 6667
port-object eq 6667
port-object eq 543
port-object eq 544
port-object eq 389
port-object eq 98
port-object eq 3306
port-object eq 2049
port-object eq 119
port-object eq 110
port-object eq 5432
port-object eq 515
port-object eq 26000
port-object eq 512
port-object eq 513
port-object eq 514
port-object eq 4321
port-object eq 25
port-object eq 465
port-object eq 1080
port-object eq 3128
port-object eq 22
port-object eq 111
port-object eq 23
port-object range 10000 11000
port-object eq 540
port-object eq 7100
exit
!
! Rule 2 (ethernet1)
icmp permit any 3 outside
access-list outside_acl_in permit icmp any host 22.22.22.22 3
access-list outside_acl_in permit icmp any any 3
!
! Rule 3 (ethernet1)
! anti-spoofing rule
! firewall50:Policy:3: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any log 0 interval 300
!
! Rule 4 (ethernet0)
ssh 192.168.1.0 255.255.255.0 inside
!
! Rule 5 (ethernet0)
access-list inside_acl_in permit tcp any object-group id45142FA628543.dst.net.0 object-group id45142FA628543.srv.tcp.0
access-list inside_acl_in permit tcp any object-group id45142FA628543.dst.net.0 object-group id45142FA628543.srv.tcp.0
access-list dmz_acl_in permit tcp any object-group id45142FA628543.dst.net.0 object-group id45142FA628543.srv.tcp.0
!
! Rule 6 (ethernet0)
access-list inside_acl_in deny ip any host 192.168.1.255
!
! Rule 8 (global)
access-list dmz_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22
!
! Rule 9 (ethernet2,ethernet0)
! firewall50:Policy:9: warning: Rule with direction 'Outbound' was suppressed because generation of outbound access lists is turned off in firewall object settings
access-list inside_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22
access-list dmz_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22
access-list dmz_acl_in permit tcp host 192.168.2.10 host 192.168.1.10 eq 22
!
! Rule 10 (global)
access-list outside_acl_in permit icmp any host 192.168.1.10 object-group id45142FCB28543.srv.icmp.0
access-list inside_acl_in permit icmp any host 192.168.1.10 object-group id45142FCB28543.srv.icmp.0
access-list dmz_acl_in permit icmp any host 192.168.1.10 object-group id45142FCB28543.srv.icmp.0
!
! Rule 11 (global)
access-list outside_acl_in permit icmp any host 192.168.1.10
access-list inside_acl_in permit icmp any host 192.168.1.10
access-list dmz_acl_in permit icmp any host 192.168.1.10
access-list outside_acl_in permit tcp any host 192.168.1.10 object-group id45142FD728543.srv.tcp.0
access-list inside_acl_in permit tcp any host 192.168.1.10 object-group id45142FD728543.srv.tcp.0
access-list dmz_acl_in permit tcp any host 192.168.1.10 object-group id45142FD728543.srv.tcp.0
access-list outside_acl_in permit udp any host 192.168.1.10 object-group id45142FD728543.srv.udp.0
access-list inside_acl_in permit udp any host 192.168.1.10 object-group id45142FD728543.srv.udp.0
access-list dmz_acl_in permit udp any host 192.168.1.10 object-group id45142FD728543.srv.udp.0
access-list outside_acl_in permit 47 any host 192.168.1.10
access-list inside_acl_in permit 47 any host 192.168.1.10
access-list dmz_acl_in permit 47 any host 192.168.1.10
!
! Rule 12 (global)
access-list outside_acl_in permit icmp any host 22.22.22.22 3 log 0 interval 300
icmp permit any 3 inside
access-list inside_acl_in permit icmp any host 192.168.1.1 3 log 0 interval 300
icmp permit any 3 dmz
access-list dmz_acl_in permit icmp any host 192.168.2.1 3 log 0 interval 300
access-list outside_acl_in permit icmp any any 3 log 0 interval 300
access-list inside_acl_in permit icmp any any 3 log 0 interval 300
access-list dmz_acl_in permit icmp any any 3 log 0 interval 300
access-list outside_acl_in permit 47 any any log 0 interval 300
access-list inside_acl_in permit 47 any any log 0 interval 300
access-list dmz_acl_in permit 47 any any log 0 interval 300
access-list outside_acl_in permit 50 any any log 0 interval 300
access-list inside_acl_in permit 50 any any log 0 interval 300
access-list dmz_acl_in permit 50 any any log 0 interval 300
!
! Rule 14 (global)
access-list outside_acl_in permit ip object-group id45142FA628543.dst.net.0 object-group id45142FFC28543.dst.net.0
!
! Rule 15 (global)
! firewall50:Policy:15: warning: MAC address matching is not supported. One or several MAC addresses removed from source in the rule
access-list inside_acl_in permit tcp host 192.168.1.10 object-group id4514300A28543.dst.net.0 eq 3128
!
! Rule 16 (global)
access-list outside_acl_in permit tcp any object-group id4514301628543.dst.net.0 eq 3128
access-list inside_acl_in permit tcp any object-group id4514301628543.dst.net.0 eq 3128
access-list dmz_acl_in permit tcp any object-group id4514301628543.dst.net.0 eq 3128
!
! Rule 17 (global)
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 dmz
access-list outside_acl_in permit icmp any host 22.22.22.22 3
access-list inside_acl_in permit icmp any host 192.168.1.1 3
access-list dmz_acl_in permit icmp any host 192.168.2.1 3
!
! Rule 18 (global)
access-list outside_acl_in permit tcp any object-group id4514302F28543.dst.net.0 object-group id4514302F28543.srv.tcp.0
access-list inside_acl_in permit tcp any object-group id4514302F28543.dst.net.0 object-group id4514302F28543.srv.tcp.0
access-list dmz_acl_in permit tcp any object-group id4514302F28543.dst.net.0 object-group id4514302F28543.srv.tcp.0
!
! Rule 19 (global)
access-list outside_acl_in permit tcp any object-group id4514303C28543.dst.net.0 object-group id4514302F28543.srv.tcp.0
access-list inside_acl_in permit tcp any object-group id4514303C28543.dst.net.0 object-group id4514302F28543.srv.tcp.0
access-list dmz_acl_in permit tcp any object-group id4514303C28543.dst.net.0 object-group id4514302F28543.srv.tcp.0
!
! Rule 20 (global)
access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id4514304928543.srv.tcp.0
access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id4514304928543.srv.tcp.0
access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 object-group id4514304928543.srv.tcp.0
!
! Rule 21 (global)
! objects hostA and hostB are
! redundant and should be removed by
! removeRedundantAddressesFromDst
access-list outside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494
access-list inside_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494
access-list dmz_acl_in permit tcp any 192.168.1.0 255.255.255.0 eq 1494
!
! Rule 22 (global)
access-list outside_acl_in permit udp any range 10000 10010 host 192.168.1.10
access-list inside_acl_in permit udp any range 10000 10010 host 192.168.1.10
access-list dmz_acl_in permit udp any range 10000 10010 host 192.168.1.10
access-list outside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80
access-list inside_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80
access-list dmz_acl_in permit tcp any gt 1023 host 192.168.1.10 eq 80
access-list outside_acl_in permit tcp any range 20000 20020 host 192.168.1.10
access-list inside_acl_in permit tcp any range 20000 20020 host 192.168.1.10
access-list dmz_acl_in permit tcp any range 20000 20020 host 192.168.1.10
!
! Rule 25 (global)
access-list outside_acl_in permit ip host 22.22.22.22 host 22.22.22.22 log 0 interval 300
access-list inside_acl_in permit ip host 192.168.1.1 host 192.168.1.1 log 0 interval 300
access-list dmz_acl_in permit ip host 192.168.2.1 host 192.168.2.1 log 0 interval 300
!
! Rule 26 (global)
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
!
! Rule 27 (global)
access-list outside_acl_in permit ip host 22.22.22.22 any
access-list inside_acl_in permit ip host 192.168.1.1 any
access-list dmz_acl_in permit ip host 192.168.2.1 any
access-list inside_acl_in permit ip 192.168.1.0 255.255.255.0 any
!
! Rule 28 (global)
access-list outside_acl_in deny ip any any log 0 interval 300
access-list inside_acl_in deny ip any any log 0 interval 300
access-list dmz_acl_in deny ip any any log 0 interval 300
access-group dmz_acl_in in interface dmz
access-group inside_acl_in in interface inside
access-group outside_acl_in in interface outside
!
! Rule 0 (NAT)
global (outside) 1 interface
clear config access-list id451430AE28543.0
access-list id451430AE28543.0 permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 1 access-list id451430AE28543.0 tcp 0 0
global (dmz) 1 interface
!
!
! Rule 1 (NAT)
nat (dmz) 1 0.0.0.0 0.0.0.0 tcp 0 0
!
! Rule 2 (NAT)
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 0
!
!
! Rule 3 (NAT)
global (outside) 1 22.22.22.0 netmask 255.255.255.0
!
!
! Rule 4 (NAT)
global (outside) 1 22.22.22.21-22.22.22.25 netmask 255.255.255.0
!
!
! Rule 5 (NAT)
clear config access-list id451430F428543.0
access-list id451430F428543.0 permit tcp host 192.168.1.10 eq 25 any
static (inside,outside) tcp interface 25 access-list id451430F428543.0 tcp 0 0
!
! Rule 6 (NAT)
clear config access-list id47B71DF021818.0
access-list id47B71DF021818.0 permit tcp host 192.168.1.10 eq 25 any
!
! Rule 7 (NAT)
access-list id47B71DF021818.0 permit tcp host 192.168.1.10 eq 25 any
!
! Rule 8 (NAT)
access-list id47B71DF021818.0 permit tcp host 192.168.1.10 eq 25 any
static (inside,outside) tcp interface 2525 access-list id47B71DF021818.0 tcp 0 0
!
! Rule 9 (NAT)
global (inside) 8 interface
clear config access-list id4514310228543.0
access-list id4514310228543.0 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 8 access-list id4514310228543.0 outside
!
! Rule 10 (NAT)
clear config access-list nat0.inside
access-list nat0.inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nat0.inside
!
! Rule 11 (NAT)
access-list nat0.inside permit ip host 192.168.1.11 192.168.2.0 255.255.255.0
access-list nat0.inside permit ip host 192.168.1.12 192.168.2.0 255.255.255.0
access-list nat0.inside permit ip host 192.168.1.13 192.168.2.0 255.255.255.0
access-list nat0.inside permit ip host 192.168.1.14 192.168.2.0 255.255.255.0
access-list nat0.inside permit ip host 192.168.1.15 192.168.2.0 255.255.255.0
!
! Rule 12 (NAT)
nat (dmz) 0 0 0
!
! Rule 13 (NAT)
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Rule 14 (NAT)
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
!
! Epilog script:
!
! End of epilog script:
!
Reference in New Issue View Git Blame Copy Permalink