FirewallBuilder

Figure 5.55. The Network Object

The network object describes an IP network or subnet. Use main menu Net Object / New Network item to create objects of this type. The Network object dialog object provides the following entry fields:

Let's use the network object shown above in a policy rule compiled for different target platforms.

Figure 5.56. IPv4 Network Object Used in a Rule

Here is what we get for iptables:

$IPTABLES -A FORWARD -p tcp -m tcp  -s 172.16.22.0/24  --dport 80  -m state \
--state NEW  -j ACCEPT 

Here is the output produced for PF:

pass in   quick inet proto tcp  from 172.16.22.0/24  to any port 80 keep state
pass out  quick inet proto tcp  from 172.16.22.0/24  to any port 80 keep state

Here is how the output looks like when the rule is compiled into Cisco IOS access lists. (This is one of the generated access lists.)

ip access-list extended outside_out
  permit tcp 172.16.22.0 0.0.0.255 any  eq 80 
exit
          

Here is what we get when the rule is compiled into Cisco ASA (PIX) configuration. Note how the compiler uses netmask 255.255.255.0 for PIX, while for IOS it was converted to 0.0.0.255. Also, the interface "inside" was configured with network zone 172.16.0.0/12, which matched network object used in the source element of the rule. Because of that, the compiler put the rule only into the access list attached to interface "inside."

access-list inside_acl_in permit tcp 172.16.22.0 255.255.255.0 any eq 80 
access-group inside_acl_in in interface inside