From: Christian V. <vi...@op...> - 2008-11-27 14:40:36

Hi all,

my officemate asked me recently, if there is any tool available to analyze the shorewall policies and rules to get a "picture" of the allowed connections, or to get a list of allowed connections for a given IP.

Since firewall rules tend to get more complex and confusing over the time :-) I don't think it's a dumb question, especially if the main work is done by one person and the other person is only involved in holiday times, like it often is practice in small businesses.

There are a few projects out there which try to analyze the output of iptables, but I didn't find anything really useful.

So, before I try to develop something by myself, just the question: Does anybody here know of a working tool for analyzing or visualizing the firewall ruleset (based on the shorewall configuration or output of iptables)? Has anybody here developed some scripts I could take as base, so I don't need to invent the wheel a second time?

Thanks for any hints,
Christian
From: Tom A. <to...@ta...> - 2008-11-29 23:45:53

Karsten Bräckelmann wrote:
> On Thu, 2008-11-27 at 15:27 +0100, Christian Vieser wrote:
>> my officemate asked me recently, if there is any tool available to analyze the shorewall policies and rules to get a "picture" of the allowed connections, or to get a list of allowed connections for a given IP.
>>
>> Since firewall rules tend to get more complex and confusing over the time :-)
> [...]
>
>> There are a few projects out there which try to analyze the output of iptables,
>
> Got to admit, I'm slightly confused by the question. I've always seen shorewall to be pretty much exactly that. A tool to define policies and rules ("allowed connections" as you put it) for my network, in a structured, comprehensible and easy to define way. If I can define my rules, I can read and interpret them just the same. :)
>
> To put it in other words: Isn't the shorewall configuration sufficient to get a picture of allowed traffic?
>
> Since you specifically mentioned "small businesses", how large and complicated are your policies and rules?

I think he's looking for an independent third part.

The cheap answer -- have someone run nmap against your firewall.
From: Karsten B. <kb...@sh...> - 2008-11-28 19:06:48

On Thu, 2008-11-27 at 15:27 +0100, Christian Vieser wrote:
> my officemate asked me recently, if there is any tool available to analyze the shorewall policies and rules to get a "picture" of the allowed connections, or to get a list of allowed connections for a given IP.
>
> Since firewall rules tend to get more complex and confusing over the time :-)
[...]
> There are a few projects out there which try to analyze the output of iptables,

Got to admit, I'm slightly confused by the question. I've always seen shorewall to be pretty much exactly that. A tool to define policies and rules ("allowed connections" as you put it) for my network, in a structured, comprehensible and easy to define way. If I can define my rules, I can read and interpret them just the same. :)

To put it in other words: Isn't the shorewall configuration sufficient to get a picture of allowed traffic?

Since you specifically mentioned "small businesses", how large and complicated are your policies and rules?

-- 
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
From: Christian V. <vi...@op...> - 2008-12-01 13:23:16

Ok, just putting a few answers together.

Karsten Bräckelmann wrote:
> To put it in other words: Isn't the shorewall configuration sufficient to get a picture of allowed traffic?
>
> Since you specifically mentioned "small businesses", how large and complicated are your policies and rules?

The rules file has nearly 1000 lines (a third of them are comments or blank lines), we have about twenty zones and interfaces defined (and yes, we really need them). Of course the shorewall configuration is pretty much readable, but you have to arrange your rules in one or the other way. And there are rules applying to groups of destinations. So it's nearly impossible to arrange the rules in such a manner that all lines affecting a distinct host or zone are grouped together.

Shorewall Geek wrote:
> The output of 'shorewall dump' tells you everything you ever need to know about your Shorewall configuration. Of course, you have to understand IP networking, Linux Networking and Netfilter in order to interpret the output.

And this is the point. Not all employees are at the same high skill level. So there is the wish to have a little command line tool (perhaps it could even be embedded in an apache service), where you put in a host name or ip address, and you get out a compact listing of allowed connections to/from this host.

I don't think that it's very much work to write such a tool. I just wondered, if or how someone else solved this problem. Perhaps there are other ways to enable a compact view on the firewall rules I don't think of.

Thank you for your attention,
Christian
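A minimal version of the per-host lookup Christian describes, written as an added example for this thread (it is not code from the list or from the Shorewall project). It assumes `iptables-save` output as input rather than `shorewall dump`, handles plain filter rules only (NAT, packet marks, interfaces and policy routing are ignored), and lists, for one IP address, every rule whose address match admits it, in ruleset order, because iptables takes the first match:

```python
import ipaddress
import shlex
# Constructed sample in iptables-save format (not a ruleset from the thread).
SAMPLE_DUMP = """\
-A FORWARD -s 10.0.1.0/24 -d 192.168.5.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -d 192.168.5.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD ! -s 192.168.0.0/16 -d 192.168.5.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.1.7/32 -j DROP
-A FORWARD -j DROP
COMMIT
"""
# iptables-save writes the short option forms; any other option is skipped.
OPTS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "target"}
def parse_rule(line):
    """One '-A CHAIN ...' line -> dict with src/dst as (network, negated); other lines -> None."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = {"chain": tok[1], "src": None, "dst": None, "proto": "all", "dport": "any", "target": "(none)"}
    i, negate = 2, False
    while i < len(tok):
        if tok[i] == "!":                 # negation; honoured for -s/-d only
            negate, i = True, i + 1
        elif tok[i] in OPTS:
            key, arg = OPTS[tok[i]], tok[i + 1]
            rule[key] = (ipaddress.ip_network(arg, strict=False), negate) if key in ("src", "dst") else arg
            negate, i = False, i + 2
        else:                             # "-m tcp", "-i eth0", ...: skip one token at a time
            negate, i = False, i + 1
    return rule

def _passes(addr, spec):                  # spec is None (any address) or (network, negated)
    return spec is None or (addr in spec[0]) != spec[1]

def _show(spec):
    return "any" if spec is None else ("!" if spec[1] else "") + str(spec[0])

def rules_for_host(dump, host):
    """Rules that can match traffic from or to host, in ruleset order (iptables takes
    the first match), as (chain, direction, src, dst, proto, dport, target) tuples."""
    addr = ipaddress.ip_address(host)
    hits = []
    for r in filter(None, map(parse_rule, dump.splitlines())):
        as_src, as_dst = _passes(addr, r["src"]), _passes(addr, r["dst"])
        if as_src or as_dst:
            direction = "both" if as_src and as_dst else "from host" if as_src else "to host"
            hits.append((r["chain"], direction, _show(r["src"]), _show(r["dst"]),
                         r["proto"], r["dport"], r["target"]))
    return hits
```

Rules without a `-s` or `-d` apply to every host and are therefore listed for every host, which is exactly the catch-all behaviour that makes such rulesets hard to read by eye.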
From: Shorewall G. <sho...@co...> - 2008-12-01 15:53:11

Christian Vieser wrote:
> Shorewall Geek wrote:
>
>> The output of 'shorewall dump' tells you everything you ever need to know about your Shorewall configuration. Of course, you have to understand IP networking, Linux Networking and Netfilter in order to interpret the output.
>
> And this is the point. Not all employees are at the same high skill level.

But your goal should be to get them to that skill level, right?

> So there is the wish to have a little command line tool (perhaps it could even be embedded in an apache service), where you put in a host name or ip address, and you get out a compact listing of allowed connections to/from this host.
>
> I don't think that it's very much work to write such a tool.

I disagree. If you try to account for policy routing (multi-ISP), packet marking, NAT, Proxy ARP, ... the tool will be quite complex.
From: Karsten B. <kb...@sh...> - 2008-11-30 02:31:39

On Sat, 2008-11-29 at 18:21 -0500, Tom Allison wrote:
> Karsten Bräckelmann wrote:
> > On Thu, 2008-11-27 at 15:27 +0100, Christian Vieser wrote:

> > To put it in other words: Isn't the shorewall configuration sufficient to get a picture of allowed traffic?

> I think he's looking for an independent third part.

Maybe. Honestly, I don't think so, though, given in his original post Christian asked for a

> > > tool for analyzing or visualizing the firewall ruleset (based on the shorewall configuration or output of iptables)

So he would be happy with something visualizing his shorewall conf.

> The cheap answer -- have someone run nmap against your firewall.

That will only show a tiny window, even of a rather trivial network.
From: Shorewall G. <sho...@co...> - 2008-11-30 02:45:52

Karsten Bräckelmann wrote:
> On Sat, 2008-11-29 at 18:21 -0500, Tom Allison wrote:
>> Karsten Bräckelmann wrote:
>>> On Thu, 2008-11-27 at 15:27 +0100, Christian Vieser wrote:
>
>>> To put it in other words: Isn't the shorewall configuration sufficient to get a picture of allowed traffic?
>
>> I think he's looking for an independent third part.
>
> Maybe. Honestly, I don't think so, though, given in his original post Christian asked for a
>
>>>> tool for analyzing or visualizing the firewall ruleset (based on the shorewall configuration or output of iptables)
>
> So he would be happy with something visualizing his shorewall conf.
>
>> The cheap answer -- have someone run nmap against your firewall.
>
> That will only show a tiny window, even of a rather trivial network.

The output of 'shorewall dump' tells you everything you ever need to know about your Shorewall configuration. Of course, you have to understand IP networking, Linux Networking and Netfilter in order to interpret the output. But you don't have to know anything about Shorewall! So I think that qualifies as "independent".
From: Don D. <sho...@an...> - 2008-12-01 22:54:03

This is an excellent question, and has relevance beyond just troubleshooting and maintenance. I don't know how many times an auditor has asked the pointed audit question, "What controls (tools and processes) do you use to verify the technology in place is configured correctly to support policy...". The fact that the Shorewall config files are further "compiled", before loading to firewall, really says that unless you are reviewing the output from iptables directly, you really have no good answer to that question.

You may have already found this, but take a look at ITVal on Sourceforge (http://sourceforge.net/projects/itval/). It doesn't give you a "picture" of the firewall, but probably better, it lets you formulate queries against the table rules. I have been playing with it a bit (mostly reading docs) and it is something I plan on looking into deeper at later date. I liked what I have seen so far, especially that you can create scripts so that testing runs are repeatable, and can be built to answer specific questions.

Don
From: Christian V. <vi...@op...> - 2008-12-02 14:37:39

Don Drohman wrote:
> This is an excellent question, and has relevance beyond just troubleshooting and maintenance. I don't know how many times an auditor has asked the pointed audit question, "What controls (tools and processes) do you use to verify the technology in place is configured correctly to support policy...". The fact that the Shorewall config files are further "compiled", before loading to firewall, really says that unless you are reviewing the output from iptables directly, you really have no good answer to that question.

Don, thank you for strengthening this point. This is indeed an aspect in firewall operations often overseen.

> You may have already found this, but take a look at ITVal on Sourceforge (http://sourceforge.net/projects/itval/). It doesn't give you a "picture" of the firewall, but probably better, it lets you formulate queries against the table rules.

Interesting tool. Unfortunately it crashes when fed with my firewall config (but it runs with the smaller ruleset of a second firewall). If I get it working (and manage to understand the query syntax) this would definitely meet my needs.

Regards,
Christian