
This queue is for tickets about the PIX-Walker CPAN distribution.

Report information
The Basics
Id: 30246
Status: rejected
Priority: 0/
Queue: PIX-Walker

People
Owner: Nobody in particular
Requestors: peiffer [...] umn.edu
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



CC: "Andrew D. Clark" <adc [...] umn.edu>, Scott Bertilson <scott [...] nts.umn.edu>
Subject: inconsistent use of 'protocol' method in PIX::Accesslist and PIX::Object
Date: Wed, 24 Oct 2007 10:59:48 -0500
To: bug-PIX-Walker [...] rt.cpan.org
From: Tim Peiffer <peiffer [...] umn.edu>
Bug Report: There is an inconsistent use of 'protocol' method in PIX::Accesslist and PIX::Object

Distribution: PIX-Walker-1.03
Perl Version: 5.8.8
Operating Systems: RedHat EL4.0 2.6.9-55.0.9.ELsmp and also Fedora Core5 kernel 2.6.20-1.2320.fc5

The man page example for PIX::Walker indicates that the way to match is using the 'protocol' attribute.

    foreach my $line ($acl->lines) {
        if ($line->match(
            source   => '10.0.1.100',
            dest     => '192.168.1.3',
            port     => '80',
            protocol => 'tcp')) {
            print "Matched ACL $acl->name ($acl->elements ACE)\n" if !$matched++;
            print $line->print, "\n";
        }
    }

The module lib/PIX/Accesslist/Line.pm new() references 'proto' in the constructor, while lib/PIX/Object/protocols.pm references 'protocols' in each of the methods.

With an object group and acl for ICMP defined similar to below, your example matches the ICMP filter (in error).

    object-group icmp-type G_ICMP_ANY-IP
     description ## Global Namespace * Permit ICMP Protocol Types From/To "Any IPv4" To/From "Inside Vlan" ##
     icmp-object echo-reply
     icmp-object unreachable
     icmp-object echo
     icmp-object time-exceeded

    access-list OUTSIDE_TO_INSIDE extended permit icmp object-group ANY object-group ANY object-group G_ICMP_ANY-IP

Tim Peiffer
Network Support Engineer
Networking and Telecommunications Services
University of Minnesota / NorthernLights GigaPOP
The parameter 'protocol' in the $line->match() example was wrong and should have been 'proto'. The documentation will be updated.

However, the inconsistency you mention is not correct. PIX::Accesslist protocols are different from PIX::Object protocols and thus are not related.

I will look into the icmp_type error; I never tested that object-group type since we've never used that type in our firewalls before.

On Wed Oct 24 12:04:28 2007, peiffer@umn.edu wrote:
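The practical lesson of this ticket is that an ACL-walking tool which silently treats an unrecognised match() key as "don't care" will over-report: with the documented 'protocol' key ignored, the ICMP entry matched a TCP/80 query. The following is an added illustration, written for this page and not PIX::Walker's own code, of a minimal access-list entry matcher whose match() refuses unknown keys instead of widening the match. The package name ACE, the methods parse/match and the helpers _addr/_addr_ok are assumptions; the parser only handles the 'any' and 'host X' address forms, and the sample entries are constructed from the ticket's ICMP line (with the address object-groups replaced by 'any') plus a TCP/80 line so the two can be told apart.

```perl
package ACE;
use strict;
use warnings;
use Carp qw(croak);

# Keys match() accepts; anything else is a caller error, never a wildcard.
my %ALLOWED = map { $_ => 1 } qw(source dest port proto);

# Parse "access-list NAME extended ACTION PROTO SRC DST [eq PORT | object-group GRP]".
# Only the 'any' and 'host X' address forms are handled (constructed subset).
sub parse {
    my ($class, $text) = @_;
    my @tok = split ' ', $text;
    (shift(@tok) || '') eq 'access-list' or croak "not an access-list entry: $text";
    my $name = shift @tok;
    (shift(@tok) || '') eq 'extended' or croak "only extended entries are handled: $text";
    my ($action, $proto) = (shift @tok, shift @tok);
    my $src = _addr(\@tok, $text);
    my $dst = _addr(\@tok, $text);
    my %extra;
    my $kw = shift @tok;
    if    (defined $kw && $kw eq 'eq')           { $extra{port}  = shift @tok }
    elsif (defined $kw && $kw eq 'object-group') { $extra{group} = shift @tok }
    return bless { name => $name, action => $action, proto => $proto,
                   src => $src, dst => $dst, text => $text, %extra }, $class;
}

# Consume one address specification from the token list.
sub _addr {
    my ($tok, $text) = @_;
    my $t = shift @$tok;
    return 'any'      if defined $t && $t eq 'any';
    return shift @$tok if defined $t && $t eq 'host';
    croak "unsupported address form in: $text";
}

# Returns 1 if the query flow is covered by this entry, 0 otherwise.
# Unknown keys and a missing proto are refused with croak.
sub match {
    my ($self, %q) = @_;
    for my $k (sort keys %q) {
        croak "unknown match() parameter '$k' (accepted: "
            . join(', ', sort keys %ALLOWED) . ")" unless $ALLOWED{$k};
    }
    defined $q{proto} or croak "match() needs proto";
    return 0 unless $self->{proto} eq 'ip' || $self->{proto} eq $q{proto};
    return 0 unless _addr_ok($self->{src}, $q{source});
    return 0 unless _addr_ok($self->{dst}, $q{dest});
    if (defined $self->{port}) {
        return 0 unless defined $q{port} && $self->{port} eq $q{port};
    }
    return 1;
}

sub _addr_ok {
    my ($rule, $ip) = @_;
    return 1 if $rule eq 'any';
    return (defined $ip && $rule eq $ip) ? 1 : 0;
}

package main;
use strict;
use warnings;

# Constructed sample entries (see lead-in).
my @acl = map { ACE->parse($_) } (
    'access-list OUTSIDE_TO_INSIDE extended permit icmp any any object-group G_ICMP_ANY-IP',
    'access-list OUTSIDE_TO_INSIDE extended permit tcp any host 192.168.1.3 eq 80',
);

# The query from the man page example, with the correct 'proto' key:
# only the TCP/80 entry is reported, the ICMP entry is not.
my %query = (source => '10.0.1.100', dest => '192.168.1.3', port => '80', proto => 'tcp');
for my $line (@acl) {
    printf "%-5s %s\n", ($line->match(%query) ? 'MATCH' : '-'), $line->{text};
}

# The documented-but-wrong key 'protocol' is refused instead of being ignored.
my %typo = %query;
$typo{protocol} = delete $typo{proto};
eval { $acl[0]->match(%typo) };
print "refused: $@" if $@;
```

Running it prints a dash for the ICMP entry, MATCH for the TCP/80 entry, and then the croak message for the 'protocol' query. The point is the strict key check in match(): an audit script fed a misspelled key should fail loudly rather than return a false positive that suggests an ICMP entry permits a TCP flow.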