Firewall Wizards mailing list archives
RE: Firewall-1 diff?
From: Vargas Miguel <mvargas () tnsi com>
Date: Wed, 21 Mar 2001 14:32:09 -0500
I like this idea a lot. One possible suggestion: do a diff on 'arp -a' and 'netstat -rn'. This would show if there has been a change to static routes and ARPs (for NATs). I had a similar idea. My idea was to use CVS to somehow replace the 'fw load' and 'fw fetch' commands so that they would first 'check out' and then 'check in' the rules and object files. CVS would then allow you to roll back changes, in case you screwed up your files.
-----Original Message-----
From: Dawes, Rogan (ZA - Johannesburg) [SMTP:rdawes () deloitte co za]
Sent: Tuesday, March 20, 2001 8:15 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Firewall-1 diff?

Hi folks,

I am working on writing a Firewall-1 "diff" script, that will be able to highlight changes from one snapshot to the next. The main use that I see for it is for a computer audit department to observe and monitor changes on firewalls that are not operated by themselves.

The snapshot can be taken at whatever intervals desired, most likely daily, and would comprise MD5 sums of the system INSPECT scripts, and copies of objects.C and rulebases.fws (I think. I've been working with the local GUI so much I may be confused ATM). The MD5 sum is simply a "poor man's Tripwire", as the INSPECT is not generally modified, and is not worth writing specific code to handle.

The script parses objects and rules, to be able to give appropriate granularity to a "diff". One option would just be to use diff, with some context, and hope that it includes the object name, and sufficient details to be useful. I think this is a bit difficult to get right, given the possible size of an object definition, e.g. a firewall with 16 interfaces, and the last one changes IP address.

My solution is to parse the file, then do a recursive diff into each object, noting any changes found, and recording them on the way out, together with the values that have changed. Simple output looks like:

$ ./fwdiff2.pl
The following elements have changed :
firewall1\if-0\ipaddr was 'xxx.xxx.102.19', is now 'xxx.xxx.102.18'
firewall1\if-0\spoof\color was 'Navy Blue', is now 'Green'

Rules that have changed
The following elements have changed :
rule001\dst\members was 'intdns00, CA-Unicenter', is now 'intdns00'
rule002\services\members was 'rdd, rm_xtar, rm_kill, rm_mount, rsh-out-going', is now 'rdd, rm_xtar, rm_kill, rm_mount'

This can be formatted nicely, including the rest of the rule, i.e. was this an "accept" or "deny" rule, etc.

Has anybody done something like this before, or am I the only person who sees a need for a tool that does this? I am also hoping to get input from people regarding desired features, things to watch out for, etc.

Eventually, I hope to release this to the world, for general consumption. This will obviously depend on the client that I will be writing this for.

Comments, suggestions, pointers, insults all welcome.

Rogan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
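The recursive snapshot diff that Rogan describes (parse both snapshots, descend into each object, record the path and the before/after values on the way out, plus an MD5 manifest of the INSPECT files as the "poor man's Tripwire"), written out as an added example in Python. This is not fwdiff2.pl or any Check Point code, and it is not a reply from the thread. The parser accepts an assumed, simplified form of the objects.C / rulebases.fws syntax (nested `( :key (value) )` groups, anonymous `: (...)` list entries); real exports carry more constructs, so the grammar would need extending before trusting its output. The object, rulebase and INSPECT snapshots are constructed sample data that mimic the post's output, not real firewall data. The manifest uses MD5 to match the post; a script written today should use SHA-256, and in either case the snapshots belong on the audit host, not the firewall, so a compromised gateway cannot rewrite its own baseline.

```python
"""Recursive snapshot diff for Firewall-1-style objects/rulebase files (added example,
not the post's fwdiff2.pl). The grammar is an assumed, simplified take on objects.C /
rulebases.fws: node := '(' [bare words] (':' key node)* ')'; key := ident | '' (anonymous)."""
import hashlib
import re

TOKEN = re.compile(r'\(|\)|:[A-Za-z0-9_\-]*|[^\s()]+')

def parse(text):
    """Parse the simplified syntax into nested dicts, lists and strings."""
    toks, pos = TOKEN.findall(text), 0
    def node():
        nonlocal pos
        if toks[pos] != '(':
            raise ValueError(f"expected '(' at token {pos}, got {toks[pos]!r}")
        pos += 1
        words = []                      # bare words: object name or scalar value
        while toks[pos] not in ('(', ')') and not toks[pos].startswith(':'):
            words.append(toks[pos])
            pos += 1
        head = ' '.join(words) if words else None
        entries = []
        while toks[pos] != ')':
            key = toks[pos]
            if not key.startswith(':'):
                raise ValueError(f"expected ':key' at token {pos}, got {key!r}")
            pos += 1
            entries.append((key[1:], node()))
        pos += 1                        # consume ')'
        if not entries:
            return head                 # scalar leaf, e.g. (192.168.102.19)
        if all(k == '' and isinstance(v, str) for k, v in entries):
            return [v for _, v in entries]   # member list: ( : (a) : (b) )
        result = {'_name': head} if head is not None else {}
        for index, (key, value) in enumerate(entries):
            if key == '':               # anonymous: key by object name, else by position
                key = value['_name'] if isinstance(value, dict) and '_name' in value else str(index)
            result[key] = value
        return result
    tree = node()                       # IndexError here means unbalanced parentheses
    if pos != len(toks):
        raise ValueError('trailing tokens after the top-level node')
    return tree

def fmt(value):
    if isinstance(value, list):         # member list -> 'a, b, c', as in the post's output
        return ', '.join(value)
    if isinstance(value, dict):         # whole object added or removed: name it
        return 'object ' + value.get('_name', '(anonymous)')
    return value

def diff(old, new, path=''):
    """Return (path, before, after) per differing leaf; None marks added/removed outright."""
    changes = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = f'{path}\\{key}' if path else key
            if key not in old:
                changes.append((sub, None, fmt(new[key])))
            elif key not in new:
                changes.append((sub, fmt(old[key]), None))
            else:
                changes.extend(diff(old[key], new[key], sub))
    elif old != new:
        changes.append((path, fmt(old), fmt(new)))
    return changes

def report(changes):                    # the post's "X was '...', is now '...'" style
    return [f"{p} was absent, is now '{a}'" if b is None else
            f"{p} was '{b}', is now removed" if a is None else
            f"{p} was '{b}', is now '{a}'" for p, b, a in changes]

def config_diff(old_text, new_text):
    return report(diff(parse(old_text), parse(new_text)))

def md5_manifest(files):
    """'Poor man's Tripwire': name -> MD5 of content (MD5 as in the post; prefer SHA-256 now)."""
    return {name: hashlib.md5(data).hexdigest() for name, data in files.items()}

def inspect_diff(old_files, new_files):
    return report(diff(md5_manifest(old_files), md5_manifest(new_files)))

# Constructed snapshots (not real firewall data) in the simplified syntax above.
OLD_OBJECTS = """( :netobj (
  : (firewall1 :type (gateway) :interfaces ( : ( :ifname (le0) :ipaddr (192.168.102.19)
      :netmask (255.255.255.0) :spoof ( :color (Navy Blue) ) ) ) )
  : (intdns00 :type (host) :ipaddr (192.168.10.5) ) ) )"""
NEW_OBJECTS = OLD_OBJECTS.replace('192.168.102.19', '192.168.102.18').replace('Navy Blue', 'Green')
RULES = """( :rules (
  : (rule001 :src ( : (Any) ) :dst ( :members ( : (intdns00) : (CA-Unicenter) ) )
             :services ( :members ( : (domain-udp) ) ) :action (accept) )
  : (rule002 :src ( : (admin-net) ) :dst ( : (firewall1) ) :action (accept)
             :services ( :members ( : (rdd) : (rm_xtar) : (rm_kill) : (rm_mount) : (rsh-out-going) ) ) )"""
OLD_RULES = RULES + ' ) )'              # close :rules and the root
NEW_RULES = (RULES.replace(' : (CA-Unicenter)', '').replace(' : (rsh-out-going)', '')
             + '\n  : (rule003 :src ( : (Any) ) :dst ( : (Any) ) :services ( : (Any) ) :action (accept) ) ) )')
OLD_INSPECT = {'base.def': b'// base definitions\n', 'fwui_head.def': b'// gui header\n'}
NEW_INSPECT = {'base.def': b'// base definitions\n// edited\n', 'fwui_head.def': b'// gui header\n'}
```

`config_diff(OLD_OBJECTS, NEW_OBJECTS)` yields the two interface changes in the post's format (`netobj\firewall1\interfaces\0\ipaddr was '192.168.102.19', is now '192.168.102.18'` and the spoof colour), `config_diff(OLD_RULES, NEW_RULES)` reports the two member-list changes plus the added rule003, and `inspect_diff` flags base.def as modified. Two points an auditor cares about fall out of the design: an object or rule that appears or disappears is reported as a whole (the constructed rule003 is an any/any accept, which is exactly the kind of addition a daily diff exists to catch), and because `diff()` only needs dict/list/string trees, the same routine works unchanged over any other snapshot you can turn into key/value pairs, such as a parsed `netstat -rn` or `arp -a` listing as suggested in the reply above.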