WYAE - FWTOOLS Mailing List Archive
| Empty services section makes FWdoc_to_* scripts to fail
|
| From: | "Marchand, Vincent" |
| Date: | Fri, 29 May 2009 09:56:44 +0000
|
Hi there,
I am a happy user of this very useful FWdoc tools suite.
I recently came across a slight problem with a policy file, where every Fwdoc_to_* conversion script would fail.
I found out that the actual issue would lie with an empty services section in one of the access rules:
,{
    "number": "722",
    "enabled": "no",
    "from": [
        {"object": "gr_GROUP" }
    ],
    "from_inverted": "no",
    "to": [
        "host.domain.tld"
    ],
    "to_inverted": "no",
    "services": [
    ],
    "services_inverted": "no",
    "action": "accept",
    "action_qualifier": "",
    "log": "Log",
    "time": "Any",
    "install_on": [
        {
            "firewall": "gr_FW1",
            "interface": [ "Any" ],
            "method": "fw1"
        }
    ],
    "comment": "Name:, Comment: "
}
Checking further, it appears the root cause of the issue seems to be with the fw1r65_to_fwdoc.pl script, as the policy file itself has something defined in the relevant access rule definition:
:services (
    :AdminInfo (
        :chkpf_uid ("{2D1D597E-0174-4BD8-A8FB-1FD2D6091F6B}")
        :ClassName (rule_services)
    )
    :compound (
        : ("MS_CIFS_TCP_445->CIFS-host"
            :AdminInfo (
                :chkpf_uid ("{BE553357-7810-4EF3-B136-FE6684B5E8B2}")
                :ClassName (rule_services_compound_element)
            )
            :color (black)
            :resource CIFS-host
            :service MS_CIFS_TCP_445
            :type (Tcp)
        )
    )
    :op ()
)
My guess is this is related to the fact a resource is defined here - but Perl being a kind of "black box" for me at this stage, I am not able to confirm this suspicion, and am hence relying on the knowledgeable guys out there :o)
Thanks in advance,
Vincent
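
A pre-flight check for the condition described in this message, as an added example (not part of the original post and not FWTOOLS code): it walks an FWdoc JSON document and lists access rules whose "from", "to" or "services" list is missing or empty, so those rules can be compared with the source policy before any conversion script runs. The top-level "rules" key and rule 721 in the sample are constructed assumptions; only the field names of rule 722 come from the post.

```python
import json

# Constructed sample: rule 722 as shown in the post (shortened) plus one
# healthy rule, wrapped in a hypothetical top-level layout ("rules" is assumed).
SAMPLE = """
{"rules": [
  {"number": "721", "enabled": "yes",
   "from": ["Any"], "to": ["host.domain.tld"],
   "services": ["https"], "action": "accept"},
  {"number": "722", "enabled": "no",
   "from": [{"object": "gr_GROUP"}], "to": ["host.domain.tld"],
   "services": [], "action": "accept"}
]}
"""

RULE_LISTS = ("from", "to", "services")


def iter_rules(node):
    """Yield every dict that looks like an access rule, at any nesting depth."""
    if isinstance(node, dict):
        if "number" in node and "action" in node:
            yield node
        for value in node.values():
            yield from iter_rules(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_rules(item)


def empty_sections(doc):
    """Return (rule number, field, enabled) for each missing or empty list."""
    findings = []
    for rule in iter_rules(doc):
        for field in RULE_LISTS:
            value = rule.get(field)
            if not isinstance(value, list) or len(value) == 0:
                findings.append((rule["number"], field, rule.get("enabled", "?")))
    return findings


def check(text):
    """Parse FWdoc JSON text and report rules with empty sections."""
    return empty_sections(json.loads(text))


if __name__ == "__main__":
    for number, field, enabled in check(SAMPLE):
        print(f"rule {number} (enabled={enabled}): empty '{field}' section")
```

A rule flagged here while the source policy still lists a service for it points at the converter output rather than at the policy itself.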