- goes through a repository of configs and puts all the firewall rules into a spreadsheet, with one tab per firewall
- for each rule, it expands every object group and shows the hostnames and IPs of each group member, rather than just the group name
- for service groups, it looks up the service name in /etc/services instead of just listing the port number
- the description of each group goes into a cell comment, so you can hover over a cell to see the details
- disabled (inactive) rules are grayed out
- it actually works (unlike other CPAN modules I tried to use to parse PIX)
This program I actually like because it does a whole lot in a fairly easy to understand way. There is potential here beyond writing a spreadsheet: all of the rules are broken out into a decent data structure, so it would be simple to use this as a starting point for a script that converts your ruleset to Netscreen or something else. The spreadsheet output requires the Spreadsheet::WriteExcel module, but if you just want to parse PIX configs it is plain old Perl.
As a quick offshoot of this script I made a second script that uses List::Compare to show the differences between the firewalls at two sites. It also lists unused names and unused object groups for cleanup purposes.
A feature that I started implementing was rule shadowing detection. Say rule one is deny any any and rule two is permit any any: rule one makes rule two, and every rule after it, useless and misleading, because no packet can ever reach them. Check Point and fwbuilder folks have had this for a long time, but as far as I know there is no such function in the PIX and Netscreen world. Alas, I never finished that part.
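To make the data structure and the shadowing idea concrete, here is an added example, written for this page and not taken from the post's Perl script: a small Python parser that reads name lines, object-groups and access-list entries from a constructed PIX config, expands groups to their members (with hostnames shown next to IPs, and service names resolved through /etc/services via socket.getservbyname), tracks group descriptions and inactive rules, lists unreferenced groups, and flags any active rule that is fully covered by an earlier active rule in the same access-list. The sample config, its hostnames, addresses and group names are invented for the example.

```python
"""Added example (not the original post's code): parse PIX object-groups and access-lists,
expand groups, report unused groups, and detect shadowed rules."""
import ipaddress
import socket

ALL_PORTS = (0, 65535)
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample config; hostnames, addresses and group names are invented.
SAMPLE_CONFIG = """\
name 10.1.1.5 web1 description Public web server
object-group network WEB_SERVERS
 description Hosts reachable from the Internet
 network-object host web1
 network-object 10.1.2.0 255.255.255.0
object-group service WEB_PORTS tcp
 description Standard web ports
 port-object eq 80
 port-object range 443 443
object-group network UNUSED_GROUP
 network-object host 192.0.2.9
access-list outside_in remark Allow web traffic in
access-list outside_in extended permit tcp any object-group WEB_SERVERS object-group WEB_PORTS
access-list outside_in extended deny ip any any
access-list outside_in extended permit tcp any host web1 eq 80
access-list outside_in extended permit tcp any host 10.1.2.7 eq 8080 inactive
"""


def port_num(tok):
    """Numeric port, or a service name resolved through /etc/services."""
    return int(tok) if tok.isdigit() else socket.getservbyname(tok)


class PixConfig:
    def __init__(self, text):
        self.names, self.groups, self.rules, self.referenced = {}, {}, [], set()
        current = None  # object-group currently being filled by indented lines
        for line in text.splitlines():
            toks = line.split()
            if not toks:
                continue
            if toks[0] == "name":  # name <ip> <hostname> [description ...]
                self.names[toks[2]] = toks[1]
            elif toks[0] == "object-group":  # object-group network|service <name> [proto]
                current = self.groups.setdefault(toks[2], {"kind": toks[1], "description": "", "members": []})
            elif line.startswith(" ") and current is not None:
                if toks[0] == "description":
                    current["description"] = " ".join(toks[1:])
                elif toks[0] == "network-object":
                    current["members"] += self.take_addr(toks, 1)[0]
                elif toks[0] == "port-object":
                    current["members"] += self.take_ports(toks, 1)[0]
                elif toks[0] == "group-object":  # nested group: flatten its members
                    self.referenced.add(toks[1])
                    current["members"] += self.groups[toks[1]]["members"]
            elif toks[0] == "access-list":
                current = None
                rule = self.parse_ace(toks)
                if rule:
                    self.rules.append(rule)

    def take_addr(self, toks, i):
        """Consume one address spec at toks[i]; return (list of ip_network, next index)."""
        t = toks[i]
        if t == "any":
            return [ANY], i + 1
        if t == "host":
            return [ipaddress.ip_network(self.names.get(toks[i + 1], toks[i + 1]))], i + 2
        if t == "object-group":
            self.referenced.add(toks[i + 1])
            return list(self.groups[toks[i + 1]]["members"]), i + 2
        addr = self.names.get(t, t)  # "<addr|name> <mask>" form
        return [ipaddress.ip_network(f"{addr}/{toks[i + 1]}", strict=False)], i + 2

    def take_ports(self, toks, i):
        """Consume an optional port spec; return (list of (lo, hi) ranges, next index)."""
        t = toks[i] if i < len(toks) else ""
        if t == "eq":
            p = port_num(toks[i + 1])
            return [(p, p)], i + 2
        if t == "range":
            return [(port_num(toks[i + 1]), port_num(toks[i + 2]))], i + 3
        if t == "gt":
            return [(port_num(toks[i + 1]) + 1, 65535)], i + 2
        if t == "lt":
            return [(0, port_num(toks[i + 1]) - 1)], i + 2
        if t == "object-group" and self.groups.get(toks[i + 1], {}).get("kind") == "service":
            self.referenced.add(toks[i + 1])
            return list(self.groups[toks[i + 1]]["members"]), i + 2
        return [ALL_PORTS], i  # no port spec means every port

    def parse_ace(self, toks):
        """access-list <acl> [extended] permit|deny <proto> <src> [sports] <dst> [dports] [inactive]"""
        i = 3 if toks[2] == "extended" else 2
        if toks[i] == "remark":
            return None
        rule = {"acl": toks[1], "action": toks[i], "proto": toks[i + 1], "line": " ".join(toks)}
        i += 2
        rule["src"], i = self.take_addr(toks, i)
        rule["sports"], i = self.take_ports(toks, i)
        rule["dst"], i = self.take_addr(toks, i)
        rule["dports"], i = self.take_ports(toks, i)
        rule["disabled"] = "inactive" in toks[i:]
        return rule

    def labels(self, nets):
        """Members with the hostname from 'name' lines shown next to the IP."""
        rev = {ip: host for host, ip in self.names.items()}
        out = []
        for n in nets:
            ip = str(n.network_address)
            out.append(f"{rev[ip]} ({ip})" if n.prefixlen == 32 and ip in rev else str(n))
        return out

    def unused_groups(self):
        return sorted(g for g in self.groups if g not in self.referenced)


def covers(a, b):
    """True if every packet matching rule b would already have matched rule a."""
    nets_ok = lambda outer, inner: all(any(n.subnet_of(o) for o in outer) for n in inner)
    ports_ok = lambda outer, inner: all(any(o[0] <= lo and hi <= o[1] for o in outer) for lo, hi in inner)
    return (a["acl"] == b["acl"] and a["proto"] in ("ip", b["proto"])
            and nets_ok(a["src"], b["src"]) and ports_ok(a["sports"], b["sports"])
            and nets_ok(a["dst"], b["dst"]) and ports_ok(a["dports"], b["dports"]))


def find_shadowed(rules):
    """[(shadowed index, shadowing index)] for active rules fully covered by an earlier active rule."""
    hits = []
    for j, r in enumerate(rules):
        if r["disabled"]:
            continue
        for i in range(j):
            if not rules[i]["disabled"] and covers(rules[i], r):
                hits.append((j, i))
                break
    return hits


if __name__ == "__main__":
    cfg = PixConfig(SAMPLE_CONFIG)
    for j, i in find_shadowed(cfg.rules):
        print(f"shadowed: {cfg.rules[j]['line']}\n      by: {cfg.rules[i]['line']}")
    print("unused groups:", cfg.unused_groups())
```

The coverage test ignores the action on purpose: a later rule is dead whether the earlier one permits or denies, which is exactly the deny-any-any case above. Real configs also carry protocol and icmp-type groups, source-port groups and log options, so treat this as the skeleton of the check rather than a finished tool.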
If you use this, please drop a comment and let me know.