RE: Firewall-1 diff?

[Vargas Miguel <mvargas () tnsi com>]

I like this idea a lot.  One possible suggestion: do a diff on 'arp -a' and
'netstat -rn'.  This would show if there has been a change to static routes
and arps (for NATs).

I had a similar idea.  My idea was to use CVS to somehow replace the 'fw
load' and 'fw fetch' commands so that they would first 'check out' and then
'check in' the rules and object files.  CVS would then allow you to rollback
changes, in case you screwed up your files.

> -----Original Message-----
> From: Dawes, Rogan (ZA - Johannesburg) [SMTP:rdawes () deloitte co za]
> Sent: Tuesday, March 20, 2001 8:15 AM
> To:   firewall-wizards () nfr com
> Subject:      [fw-wiz] Firewall-1 diff?
>
> Hi folks,
>
> I am working on writing a Firewall-1 "diff" script, that will be able to
> highlight changes from one snapshot to the next.
>
> The main use that I see for it is for a computer audit department to
> observe
> and monitor changes on firewalls, that are not operated by themselves. The
> snapshot can be taken at whatever intervals desired, most likely daily,
> and
> would comprise MD5 sums of the system INSPECT scripts, and copies of
> objects.C and rulebases.fws (I think. I've been working with the local GUI
> so much I may be confused ATM). The MD5 sum is simply a "poor man's
> Tripwire", as the INSPECT is not generally modified, and is not worth
> writing specific code to handle.
>
> The script parses objects and rules, to be able to give appropriate
> granularity to a "diff". One option would just be to use diff, with some
> context, and hope that it includes the object name, and sufficient details
> to be useful.  I think this is a bit difficult to get right, given the
> possible size of an object definition, e.g. a firewall with 16 interfaces,
> and the last one changes IP address.
>
> My solution is to parse the file, then do a recursive diff into each
> object,
> noting any changes found, and recording them on the way out, together with
> the values that have changed.
>
> Simple output looks like:
>
> $ ./fwdiff2.pl
> The following elements have changed :
> firewall1\if-0\ipaddr was 'xxx.xxx.102.19', is now 'xxx.xxx.102.18'
> firewall1\if-0\spoof\color was 'Navy Blue', is now 'Green'
>
> Rules that have changed
> The following elements have changed :
> rule001\dst\members was 'intdns00, CA-Unicenter', is now 'intdns00'
> rule002\services\members was 'rdd, rm_xtar, rm_kill, rm_mount,
> rsh-out-going', is now 'rdd, rm_xtar, rm_kill, rm_mount'
>
> This can be formatted nicely, including the rest of the rule, i.e. was
> this
> an "accept" or "deny" rule, etc.
>
> Has anybody done something like this before, or am I the only person who
> sees a need for a tool that does this?
>
> I am also hoping to get input from people regarding desired features,
> things
> to watch out for, etc.
>
> Eventually, I hope to release this to the world, for general consumption.
> This will obviously depend on the client that I will be writing this for.
>
> Comments, suggestions, pointers, insults all welcome.
>
> Rogan
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards