Policy compiler for Cisco IOS Access lists has been implemented as
part of the Firewall Builder GUI as of version 2.1.12. The first
functional build were importer worked on all supported OS was build
270 (May 22, 2007)


Support for Cisco IOS access lists in Firewall Builder v2.1.12, build 270:
----------------------------------------------------------------

Features implemented in this version:

 - The compiler generates extended ACLs using "ip access-list
   extended" command. ACL names are automatically generated using
   abbreviated interface names and direction symbols to make it easy
   to figure out which ACL is which. Compiler uses rather minimal set
   of options of the "ip access-list" command and should generate code
   that will work for IOS 12.x. I did not test with 11.x but I am
   pretty sure it will work, at least with the latest versions of
   11.x.

 - Compiler can also add commands to configure logging.

 - The GUI includes built-in installer for routers which works just
   like installer for PIX. Both installers were updated however to
   improve support for the automatic roll-back feature in case you
   lose connect with the firewall or the router because of an error in
   the policy. Now you can make installer schedule reboot in a few
   minutes, then upload new policy or ACLs and then cancel reboot if
   upload was successful. While before auto-rollback option was only
   available if you installed in the test mode, now you can always use
   it. Test mode means that installer does not save configuration in
   the permanent memory, as before.

 - All three installation methods that were available for PIX are now
   available for routers: you can make it clear all access lists and
   then load new ones or just update access lists without
   clearing. The last method (the "safety net" method) creates
   temporary acl to permit communication with the management station,
   assigns it to the interface marked as management interface, then
   clears all access lists and loads new ones and in the end swaps
   proper list on the management interface.  This helps prevent
   locking yourself out of the router in the middle of the
   installation process in case of an error in the ACL and at the same
   time does not leave the router with no acls for the time it takes
   to install new policy. In combination with automatic roll-back,
   installation process is pretty reliable.

 - New option has been added to the interface object, called
   "unprotected". This allows you to mark some interfaces to be
   skipped by the compiler when it picks interfaces for ACL
   rules. This should be useful when you have routers with many
   interfaces and only want to add ACLs to some of them. Also, you can
   explicitly put interface objects into policy rules and specify
   direction if you want to do this manually.

 - Since router ACLs have no state, all rules should be created in the
   policy pretty much like you do it on the router, including rules
   that permit reply packets.  New option has been added to the TCP
   Service object, called "established". This makes compiler use
   option "established" in rules it generates if it is supported by
   the firewall platform. Compilers for iptables, ipfilter, pf and PIX
   can not use objects with this option and treat it as an error
   because corresponding platforms do not support it. IPFW, on the
   other hand, supports it so compiler fwb_ipfw can use it.


Shortcomings of this version:

 - "tos", "precedence" and "time-range" options are not supported

 - "igmp" access lists can no be generated