fw1rules.pl: Analyze and print a report of Firewall-1 rules and objects

Copyright (C) 2000-2008 Volker Tanger

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
http://www.gnu.org/copyleft/gpl.html

HISTORY

Previous versions (before 7.x) of this program were based on earlier work by an anonymous programmer who posted it to the FireWall-1 mailing list. Stephan Moser and Sean O'Neill modified the program considerably and put it under the GPL. You will find these programs in the archive file FWRulesArchive.zip on the WYAE webserver.

The old codebase (pre-7.0 era) suffered quite heavily from patchwork bloat, peaking in a number of mutually incompatible patches sent to me. After a number of unsuccessful attempts to include patches (or to program the features myself) for implicit NAT, encryption and security servers, the code had finally become too tangled, so I set out to start from a new, clean base. To mark the difference from the old codebase and to enable forking (which already seems to have happened) I slightly changed the name from fwrules to fw1rules.

The new version (7.x) separates the work into two steps: first the config file(s) are read into a (well documented) internal "database", and then, in the second step, all output is generated from that database. Nice side effect: all information (services, objects, rules, etc.) can additionally be dumped into separate text or CSV files. This came out "for free" from the debugging aids written for the first step. Adding other output formats will be simple this way; LaTeX (and resulting PDF) is already on my wish-list...

For bug reports and suggestions, or if you just want to talk to me, please contact me at volker.tanger@wyae.de

Updates will be available at http://www.wyae.de/software/fw1rules/ - please check there for updates prior to submitting patches!
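The two-step design described above (read everything into an internal database first, then produce each output from that database), as an added example that is not fw1rules' own code: a minimal Python reader for a constructed, simplified Check Point-style parenthesized object file, followed by two independent outputs from the same database, a TSV dump and an unused-object list driven by a constructed rule table. The parenthesized syntax, the object names, the addresses and the rule tuples are all constructed for illustration and are assumptions, not the real objects.C or *.W format; the tokenizer also treats CR+LF the same as LF, which covers the MS-DOS style files mentioned later in the history.

```python
"""Two-stage layout: stage 1 parses into a database, stage 2 renders outputs."""
import csv
import io
import re

# Constructed sample in a simplified Check Point-style parenthesized syntax.
# This is NOT a real objects.C file; only the nesting style is modelled on it.
SAMPLE_OBJECTS = """
(
  :network_objects (
    : (web1
      :type (host)
      :ipaddr (192.0.2.10)
      :comments ("constructed web server")
    )
    : (lan
      :type (network)
      :ipaddr (192.0.2.0)
      :netmask (255.255.255.0)
    )
    : (orphan
      :type (host)
      :ipaddr (192.0.2.99)
    )
  )
)
"""

# Constructed access rules as (source, destination, service, action) tuples.
SAMPLE_RULES = [
    ("lan", "web1", "http", "accept"),
    ("Any", "lan", "Any", "drop"),
]

# Tokens: parentheses, quoted strings, or runs of non-space non-paren characters.
# \s covers \r as well, so CR+LF (MS-DOS style) files tokenize like LF files.
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')


def parse(tokens, pos=0):
    """Parse one form at tokens[pos]; return (node, next_pos).

    A form is a bare atom, a list of atoms (collapsed to one atom when it has a
    single element), or a dict of ':key value' attributes. An anonymous ':' key
    appends its value to '_members'; a leading bare atom inside an attribute
    list is stored under '_name'.
    """
    tok = tokens[pos]
    if tok != "(":
        return tok.strip('"'), pos + 1
    pos += 1
    positional, attrs = [], {}
    while tokens[pos] != ")":
        if tokens[pos].startswith(":"):
            key = tokens[pos][1:]
            value, pos = parse(tokens, pos + 1)
            if key == "":
                attrs.setdefault("_members", []).append(value)
            else:
                attrs[key] = value
        else:
            positional.append(tokens[pos].strip('"'))
            pos += 1
    pos += 1  # consume the closing ')'
    if not attrs:
        return (positional[0] if len(positional) == 1 else positional), pos
    if positional:
        attrs["_name"] = positional[0]
    return attrs, pos


def load_objects(text):
    """Stage 1: read the config text into a database keyed by object name."""
    tree, _ = parse(TOKEN.findall(text))
    members = tree["network_objects"]["_members"]
    return {m["_name"]: {k: v for k, v in m.items() if k != "_name"} for m in members}


def mark_used(objects, rules):
    """Tag each object with whether any rule names it as source or destination."""
    referenced = {col for src, dst, _svc, _act in rules for col in (src, dst)}
    for name, attrs in objects.items():
        attrs["used"] = name in referenced
    return objects


def unused_objects(objects, rules):
    """Stage 2, output A: names no rule refers to (the --unused_objects idea)."""
    mark_used(objects, rules)
    return sorted(n for n, a in objects.items() if not a["used"])


def dump_objects_tsv(objects, rules):
    """Stage 2, output B: a TSV dump of the same database, sorted case-insensitively."""
    mark_used(objects, rules)
    out = io.StringIO()
    w = csv.writer(out, delimiter="\t", lineterminator="\n")
    w.writerow(["name", "type", "ipaddr", "netmask", "used", "comments"])
    for name in sorted(objects, key=str.lower):
        a = objects[name]
        w.writerow([name, a.get("type", ""), a.get("ipaddr", ""),
                    a.get("netmask", ""), "yes" if a["used"] else "no",
                    a.get("comments", "")])
    return out.getvalue()


if __name__ == "__main__":
    db = load_objects(SAMPLE_OBJECTS)
    print(dump_objects_tsv(db, SAMPLE_RULES))
    print("unused:", unused_objects(db, SAMPLE_RULES))
```

Both outputs are computed from the dict that `load_objects` returns, so a new format (HTML, SQL, LaTeX) is one more function over that dict rather than another pass over the config file; the unused-object list is the kind of report a rulebase review wants, since stale objects tend to accumulate as unnoticed exposure.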
------------------------------------------------------------------------
May 2008 v7.3.43 to v7.3.44

* Stefan Brunner
  - fix for implicit NAT rules
  - custom timeout values
  - ICMP type/code values
  - SUN-RPC program IDs
  - MS-RPC UUIDs
  - fix for name/comment handling in R65
* Kevin Steves
  - support for host objects with multiple interfaces

------------------------------------------------------------------------
March 2008 v7.3.42 to v7.3.43

* Jacob Jacobson
  - added patches for R65 compatibility

------------------------------------------------------------------------
November 2004 v7.3.41 to v7.3.42

* Kevin Steves
  - found duplicate line in DumpNatTSV function

------------------------------------------------------------------------
October 2004 v7.3.40 to v7.3.41

* Don Wood
  - added fix for services with a single port
* Volker Tanger
  - removed bug in FWS reading routine (line 3959) that failed reading one-word comments, as reported in a thorough bug report by Daniel Wisniewski
  - corrected README (which still listed --dump... options)

------------------------------------------------------------------------
March 2004 v7.3.39 to v7.3.40

* "Francesco Vigo"
  - fixed bug in template processing for source ports (line 3571/2572)
  - ditto for implicit rules, line 3228

------------------------------------------------------------------------
March 2004 v7.3.38 to v7.3.39

* Volker Tanger
  - added --merge_AI option (just a copy of --merge_SP3) as lots of people keep asking...
  - I'm no longer actively searching for a new maintainer but will stay coordinator
* Heinz Peterhans
  - bugfix for "Sections Title", which were sometimes missed...
------------------------------------------------------------------------
February 2004 v7.3.37 to v7.3.38

* Bernd Rudack
  - added a commonly asked-for feature: expansion of object and service groups (plus a few flags for detailed expansion control)
* Volker Tanger
  - removed experimental CIS-FAST routines

------------------------------------------------------------------------
November 2003 v7.3.36 to v7.3.37

* Edda Hochstrate
  - corrected off-by-one error for interface output
* Heinz Peterhans
  - corrected anti-spoofing for NG AI - it now distinguishes between "Any" and "This Net"
* Paul Ewing Jr.
  - patch: now displays the :EXP part of the "other" service type as DST-port (formerly titled "ICMP extension")
* Hiroyuki Kimura
  - provided patch to support User ClientAuth
* Volker Tanger
  - services used only in implicit rules are now tagged as used and listed accordingly. Thanks for the bug report go to David Pascoe

------------------------------------------------------------------------
June 2003 v7.3.35 to v7.3.36

* Brian Pothier
  - corrected code to include the section titles

------------------------------------------------------------------------
June 2003 v7.3.34 to v7.3.35

* Mark Hurst
  - provided patch for groups with a large number of members (line truncation in HTML for lines > 4000 chars)
* Fabrice Gonton
  - found bug in the (still incomplete) &ReadResources() procedure which led to listing of empty services
------------------------------------------------------------------------
March 2003 v7.3.33 to v7.3.34

* Brian Pothier
  - provided tool MAKE_MHT to create an MS-IE web archive file
  - provided hack to include the section titles

------------------------------------------------------------------------
March 2003 v7.3.32 to v7.3.33

* Volker Tanger
  - corrected header confusion in OBJECTS.CSV template as noted by Christian Labreche

------------------------------------------------------------------------
March 2003 v7.3.31 to v7.3.32

* Volker Tanger
  - fixed bug in --with_interfaces read-in routine that marked all objects as "used". The problem was multiple use of the one-time-read-only positional variable "$1" - bug noticed by Peter-Paul Worm
  - added missing icons back from the old images (missing noted by Brian Pothier)

------------------------------------------------------------------------
March 2003 v7.3.30 to v7.3.31

* Hiroyuki Kimura
  - fixed buglet, now removing all quotes from user rules

------------------------------------------------------------------------
March 2003 v7.3.29 to v7.3.30

* Volker Tanger
  - bug when using resource services with nonstandard names (see below) solved a bit more nicely
  - first explicit NAT rule was missed for NG config files, as reported by Keith Smith; solved
  - removed Gerhard's tool "wXfws.pl" from CONTRIB due to the below
* Gerhard Thiele
  - include comments that are missing in NG-SP3 config files
  - includes advanced pattern matching logic

------------------------------------------------------------------------
February 2003 v7.3.28 to v7.3.29

* Volker Tanger
  - bug when using resource services with nonstandard names (i.e. other than http/smtp/ftp) as noted by Alexandr S Purtov. Corrected.
  - Gerhard Thiele added tool wXfws.pl to include comments that are missing in NG-SP3 config files. See CONTRIB directory.
------------------------------------------------------------------------
January 2003 v7.3.27 to v7.3.28

* Volker Tanger
  - removed bug in template processing reported by Florian Leibenzeder - only used objects were printed regardless of the --all_objects option. Corrected.

------------------------------------------------------------------------
January 2003 v7.3.26 to v7.3.27

* Volker Tanger
  - completed --link_to option (was not really implemented)
* Hiroyuki Kimura
  - added printing out the details of 'group_with_exclusion' objects
  - printing out anti-spoofing settings
* Fabien Martinet/Julien Lefebvre
  - updated colour information to reflect new NG colours
  - quite a number of optimizations for icon handling. Not all made it into this release (yet?) because they are a major change in an older version - fitting the old diff to the new source is quite time consuming.

WARNING! Only the NG icons are working properly now. The 4.1 icons (partially wrongly named) are removed and available as a separate archive.

------------------------------------------------------------------------
January 2003 v7.3.25 to v7.3.26

* Hiroyuki Kimura
  - added printing out members of gateway clusters
  - corrected gateway interface behaviour for NG

------------------------------------------------------------------------

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Feature Freeze announced !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

January 2003 v7.3.24 to v7.3.25

* Kevin Steves
  - corrected typos in README
  - corrected template special character (as ) handling
* Fabien Martinet/Julien Lefebvre
  - provided new, coloured NG icons

------------------------------------------------------------------------
December 2002 (same day) v7.3.23 to v7.3.24

* Volker Tanger
  - major bug found thanks to reports by Thomas Munn - line reading (esp. for Microsoft based systems) was handled incorrectly, resulting (for now) in missing icons in NAT rules and objects not marked as used. My mistake - incorrect parameter return. Fixed globally now.
------------------------------------------------------------------------
December 2002 v7.3.22 to v7.3.23

* Volker Tanger
  - changed --title= option behaviour as suggested by Darren Beatty
  - corrected colouring scheme upon suggestion/bug report of Fabien Martinet
  - changed properties background in CSS as suggested by Hans Maurer - writing on and copying printouts is better that way.

------------------------------------------------------------------------
December 2002 v7.3.21 to v7.3.22

* Volker Tanger
  - corrected a bug introduced with objects file reading in 7.3.6: Micro$oft-based config files were not read, as reported by Hans Maurer

------------------------------------------------------------------------
December 2002 v7.3.20 to v7.3.21

* Volker Tanger
  - changed rules reading to enable reading multiple *.W files for (more) complete --unused-objects output
  - renamed NG icons - quite a number are missing, though...

------------------------------------------------------------------------
December 2002 v7.3.19 to v7.3.20

* Volker Tanger
  - changed TEMPLATE format for better international support and easier reading
  - nicer output of settings (simply added where useful)

------------------------------------------------------------------------
December 2002 v7.3.18 to v7.3.19

* Volker Tanger
  - changed graphic format from GIF to PNG
  - added TXT templates
  - included warnings on the --dump options, which will be dumped with one of the next (major) releases. Better start early...

------------------------------------------------------------------------
December 2002 v7.3.17 to v7.3.18

* Volker Tanger
  - corrected USAGE text (which still showed some USER parameters) and explained the dropped userDB support at more length in the error message displayed
  - corrected usergroup output (wrong due to dropped user support) as noted by Richard Lucassen
  - corrected packing mechanism to include the NG icons, too...
------------------------------------------------------------------------
November 2002 v7.3.16 to v7.3.17

* Volker Tanger
  - corrected an off-by-one error when processing interface information as noted by Bill Powell
* Kevin Steves
  - corrected port limit handling in services (including another off-by-one and missing handling of "less-than")

------------------------------------------------------------------------
November 2002 v7.3.15 to v7.3.16

* Sharon Besser
  - provided NG icons (from CheckPoint's WebVisualization Tool)
* Kevin Steves
  - fixed bug in DumpRulesTSV (tab missing)
  - fixed missing ICMP translation table
* Daniel Wisniewski
  - added "Tacacs" icon

------------------------------------------------------------------------
November 2002 v7.3.14 to v7.3.15

* Volker Tanger
  - corrected another error in RULES.SQL template as noted by Daniel Wisniewski - field/value mix-up
  - parameter parsing error: "--version" did not work, as noted by Rikard Stemland Skjelsvik. A simple addition solved that problem.
  - just was told: TIME objects are not working at all. So did an unclean workaround to display at least the proper icon.

------------------------------------------------------------------------
November 2002 v7.3.13 to v7.3.14

* Volker Tanger
  - corrected error in RULES.SQL template as noted by Daniel Wisniewski - in the first (untested) versions I used reserved words. Bad boy me.
  - completed --include_template= option

------------------------------------------------------------------------
October 2002 v7.3.12 to v7.3.13

* Volker Tanger
  - corrected typo in RULES.SQL template as noted by Daniel Wisniewski - which resulted in invalid "to" entries being entered into the database
  - clarified USAGE a tiny bit (for templates)

------------------------------------------------------------------------
October 2002 v7.3.11 to v7.3.12

* Ian Genge
  - bug in user rules fixed - forgot to eliminate double quotes
  - added border around tables; though it looks nicer on the screen without, reading printouts is easier that way
  - corrected typo
* Volker Tanger
  - implicit rules were printed ALWAYS regardless of the flag, and its USAGE text was wrong/outdated, as noted by Daniel Wisniewski - corrected

------------------------------------------------------------------------
October 2002 v7.3.10 to v7.3.11

* Volker Tanger
  - user rules (e.g. for client-encrypt) were not read correctly, as reported by Dan Golden; fixed now - even if not too cleanly (see source in routine ReadAccessRules)

------------------------------------------------------------------------
October 2002 v7.3.9 to v7.3.10

* Ian Genge
  - provided more icons (dns-server, CA, ldap, exclusion_group)
  - fixed (another) bug in the servers reading subroutine

------------------------------------------------------------------------
October 2002 v7.3.8 to v7.3.9

* Peter van Eynde
  - corrected more endless loops when reading NG (ReferenceObject)
* Volker Tanger
  - fixed "--debug" option (missing in parameter definition)
  - removed complaint when omitting "--no_users"

------------------------------------------------------------------------
October 2002 v7.3.7 to v7.3.8

* Peter van Eynde
  - corrected endless loops when reading NG (line 651)

------------------------------------------------------------------------
October 2002 v7.3.6 to v7.3.7

* Volker Tanger
  - added "--debug" option as there were endless loops reported
  - corrected version information
  - disabled users due to (increasingly) broken routines

------------------------------------------------------------------------
October 2002 v7.3.5 to v7.3.6

* Volker Tanger
  - added NG compatibility: core reading routines (objects, services, rules) now working
------------------------------------------------------------------------
October 2002 v7.3.4 to v7.3.5

* Mark van Gelder
  - fixed non-handling of HTTPS resources (yes, httpS)
  - provided UFP graphic
  - fixed ALL_USERS graphics bug

------------------------------------------------------------------------
October 2002 v7.3.3 to v7.3.4

* Volker Tanger
  - bugfix - HTML referencing was broken for objects - as noted by a whole bunch of people

------------------------------------------------------------------------
October 2002 v7.3.2 to v7.3.3

* Volker Tanger
  - fixed EOF-handling bug as reported by Stelios Leftheris
* Roland Alder
  - sent patch for "--show_members" option

------------------------------------------------------------------------
September 2002 v7.3.1 to v7.3.2

* Volker Tanger
  - improved (i.e. more robust) referencing in HTML - introducing the bugfix below introduced a different bug, so I deleted those changes
* Andrea Barbieri
  - provided correct handling of machine ranges
* Olivier Badet
  - provided GIFs for RADIUS, TCP_SUBINTERFACE and INTERFACE
  - added server support
  - added option --dump_unused_objects_tsv
* Olivier Badet & Volker Tanger
  - added interface support

------------------------------------------------------------------------
September 2002 v7.3.0 to v7.3.1

* Volker Tanger
  - IP address range bugfix - the type was not parsed at all, as reported by Andrea Barbieri

------------------------------------------------------------------------
August 2002 v7.2.10 to v7.3.0

* Volker Tanger
  - embedded subroutines for CIS-Fast routines

*** Volker Tanger forked 7.3.0 into the ASLrules script, which does similar things for the "Astaro Security Linux" firewall. The script homepage is located at http://www.wyae.de/software/aslrules/

------------------------------------------------------------------------
July 2002 v7.2.9 to v7.2.10

* Oddbjorn Steffensen
  - provided an extended CSS for FW1Rules' HTML output
  - recoded/compressed HTML output routines
  - changed output to get alternating table rows, which makes reading easier and the output more elegant
* Volker Tanger
  - applied the patch above to the other tables, too
  - corrected a few typos

------------------------------------------------------------------------
July 2002 v7.2.8 to v7.2.9

* Volker Tanger
  - corrected bug: §§§disabled§§§ placeholder in templates was not evaluated for implicit NAT rules
  - explicit NAT had problems in default HTML output as there was a missing - bug found by Miguel A Cortez Tena solved: inserted where it was missing... ;-)
  - due to popular request: now there are the --match_comment=... and --match_installon=... options which enable the user to filter rules according to entries in the "Comments" or "InstallOn" columns - use with care!

------------------------------------------------------------------------
July 2002 v7.2.7 to v7.2.8

* Joachim Altenheim
  - improved NG compatibility (when using resources)
  - removed bug with rules using AUTH
  - supplied some more icons
* Tetsujyoh Go
  - found and removed bug that prevented the service source port from being printed out
* Volker Tanger
  - DISABLED flag not evaluated for explicit NAT rules - bug found by Frank Breedijk solved: handling analogous to access rules

WARNING! The correction of the "NAT disabled bug" may lead to incompatible processing of NAT.TSV files (in case you use them for further automated processing).
------------------------------------------------------------------------
June 2002 v7.2.6 to v7.2.7

* Volker Tanger
  - optimization was done a bit too thoroughly in 7.1.0, so object and service icons were not defined when using the --no_objects and/or --no_services switches - bug found by Tom Lorelle solved: both types are read regardless of options

------------------------------------------------------------------------
June 2002 v7.2.5 to v7.2.6

* Volker Tanger
  - "install on" not working correctly when having more than one object in "install on" - bug found by Mark Villaverde solved: object separator was set wrong

------------------------------------------------------------------------
June 2002 v7.2.4 to v7.2.5

* Volker Tanger
  - script did not dump the last NAT rule - bug found by Neil Burt solved: count limit was off by 1

------------------------------------------------------------------------
April 2002 v7.2.3 to v7.2.4

* Volker Tanger
  - corrected Printlog bug (name in wrong case, line 502) as found by Michael Glassman
  - renamed Us(e)rgroup icon to match the program code. Bug found by Rikard Stemland Skjelsvik
  - RULESHISTORY.SH script got a major overhaul. The mechanism is working much better now - and is tested.

------------------------------------------------------------------------
April 2002 v7.2.2 to v7.2.3

* Volker Tanger
  - corrected bug about missing negated items in access rules which somehow sneaked in between 7.1.2 and 7.1.3, as found by Richard Lodge

------------------------------------------------------------------------
April 2002 v7.2.1 to v7.2.2

* Volker Tanger
  - step forward to NG compatibility: Paul Sears analyzed the "bug" in my parsing pattern. I chose a different kludge, though... ;-)

------------------------------------------------------------------------
April 2002 v7.2.0 to v7.2.1

* Volker Tanger
  - optimized HTML output a bit for people trimming it manually (just some newlines and comments) on suggestion of Mike Vore
  - corrected objects separation
  - corrected log file creation
  - added ruleshistory.sh script in CONTRIB
  - corrected bug resulting in broken RulesTSV (missing tabs) as found by Daniel Wisniewski

------------------------------------------------------------------------
April 2002 v7.1.7 to v7.2.0

* Volker Tanger
  - output into templates - more formats, more flexibility (default templates: TXT, HTML and LaTeX/PDF plus a number of dumps)
  - added ADVANCED_USAGE.txt
  - mailing list fwtools@wyae.de was established
  - corrected HTML header colours in service/user tables
  - removed comment "linebreaks" (colon)
  - corrected --dump_rules_tsv (implicit rules column count)

------------------------------------------------------------------------
March 2002 v7.1.6 to v7.1.7

* Volker Tanger
  - split USAGE.txt from README - just being lazy editing two files with each parameter change...
* Daniel Wisniewski
  - patched a bug that stemmed from options renaming (7.1.2), which rendered the objects dump useless

------------------------------------------------------------------------
March 2002 v7.1.5 to v7.1.6

* Volker Tanger
  - patched the patch below for shorter network output
* John Adams
  - provided patch for "--with_ip" option

------------------------------------------------------------------------
March 2002 v7.1.4 to v7.1.5

* Volker Tanger
  - corrected bug because of which service members were not listed (follow-up to bugfix 7.1.2 -> 7.1.3) as spotted by Edward Luck
  - corrected implicit ICMP, which was not working - spotted by Edward Luck
  - NG still not working correctly: missing action, log and complete NAT table. But the rest seems to work.
------------------------------------------------------------------------
March 2002 v7.1.3 to v7.1.4

* Volker Tanger
  - corrected icon inconsistency for IKE as found by Edward Luck
* Petr Sava
  - corrected read-in routines for better compatibility with NG in access rules

------------------------------------------------------------------------
March 2002 v7.1.2 to v7.1.3

* Volker Tanger
  - corrected service separation bug when using resources or services with blanks (spaces) in their name
* Helmar Gerloni
  - nicened comment fields (removed quotes)
  - added UserAuth / ClientAuth
  - corrected --no_users / --title options
* Helmar Gerloni and Ian Genge
  - simultaneously found even more NAT errors (Volker: *argh*)

------------------------------------------------------------------------
February 2002 v7.1.1 to v7.1.2

* Volker Tanger
  - parameters more consistent (everywhere "objects" instead of just "objs")
  - started output into templates - more formats, more flexibility (default planned: TXT, HTML and LaTeX/PDF)
  - removed major cut/paste error in Users headline
  - corrected bug not marking an object as being used when only used in the "Install On" column - as reported by John Mackender
  - corrected another implicit NAT bug
* Ian Genge
  - corrected two implicit NAT bugs (typo, HTML output mix-up)
* Helmar Gerloni
  - corrected inconsistencies in user file parameter and usage output, provided negated TCP icon
* Dennis Barmenkov
  - provided negated icons

*** Stefan Majer forked 7.1.0 into the project CP2FWBUILDER, which converts FW1 rulesets into a FWBUILDER configuration file (XML). Project to be located at SourceForge.
------------------------------------------------------------------------
February 2002 v7.1.0 to v7.1.1

* Volker Tanger
  - included the patches below, some cleaning up, some debugging (minor stuff)
* Ian Genge
  - corrected table labeling error
  - suggested & implemented improved object output (now including NAT)

------------------------------------------------------------------------
February 2002 v7.0.10 to v7.1.0

* Volker Tanger
  - output of properties (thus rendering 6.1.5 useless - finally!)
  - output of resourced services in ruleset correct, alas resources themselves not handled yet
  - implicit access rules (in dumps and HTML)
  - text dump of property settings

------------------------------------------------------------------------
February 2002 v7.0.9 to v7.0.10

* Volker Tanger
  - dump of unused users, too
  - added switches --no_rules, --no_objects, --no_services and --no_users
  - correct handling of MS-DOS type files (all CR+LF, sometimes spaces instead of tabs)

------------------------------------------------------------------------
February 2002 v7.0.8 to v7.0.9

* Volker Tanger
  - comments for objects and services (bracket matching) corrected (thanks to David Pascoe for reporting this problem)
  - NAT rules now translate to "Original" instead of "Any", corrected (thanks to Charlie Acker for reporting this problem)
  - corrected false empty NAT rule between explicit and implicit
  - corrected NAT in HTML output (Any/Original mixed up)
  - added user TXT and TSV dump (thanks to Christian's read)
  - corrected wrong handling in HTML when using --all_objs
* Christian Port
  - added user reading and HTML output
  - clean NAT rule reading
  - added tool fwdbexport.pl

------------------------------------------------------------------------
January 2002 v7.0.7 to v7.0.8

* Volker Tanger
  - sorting of objects and services corrected (case ignored) - sorting by type, then alphabetically, to group the services and objects by type (thanks to Magnus Sandberg for this idea!)
* Joachim Altenberg
  - fixed problem with "install on" when only "Gateways" is defined

------------------------------------------------------------------------
December 2001 v6.1.>4 to v7.0.7

* Volker Tanger
  - (re)wrote most of the code from scratch - separating reading the config file(s) into a (well documented) internal data format in a first step, and then, in the second step, doing all the output
* Frank Steidl
  - supplied the new transparent icons

------------------------------------------------------------------------