Saturday, October 06, 2007

Firewall Navigation

A colleague of mine is not getting enough sleep lately because he has to understand 12,000+ lines of firewall rules. The customer wants him to find out the relationships among the 700+ named hosts, 500+ object-groups, 10+ access-groups and 10+ interfaces. He literally has to use Ctrl-F to find each object and copy and paste it into MS Excel. He spent at least a whole week on this exercise and was not able to finish half of the rules.

I happened to bump into him the other day in the data centre and thought I might be able to help him. At first, I thought I could model this as a directed graph and visualise it with Graphviz. It turned out to be quite awkward and not easy to model. I also explored converting the rules to XML, but I would need a good XML navigator that I could traverse, and I couldn't find one. After some thought, I realised I might be able to use FreeMind, a free mind-mapping program, to visualise the data. This looked very promising, but it may take a while for me to implement something useful for my colleague. He needs a tool now.

The implementation I am going to show you is pretty easy. First, I plant anchors (<a name=>) for each host name, object-group, access-group, interface and line number. Second, I find all the references to those anchors (about 1500+) and turn them into hyperlinks. A CGI shell script 'grep's the pattern when the user clicks any of the anchors in the left menu, and the script also dynamically highlights the search word in red. All the hyperlinks are clickable, so the user can jump to the referenced anchor in the original firewall configuration file for details, especially when the link is an object-group. Line numbers are also dynamically hyperlinked.

The whole process of converting the plain-text firewall configuration into a dynamic web front end can be done with shell scripts and Tcl. Tcl's "string map" is very powerful for converting references to HTML hyperlinks. My original implementation, using the 'dumb' way, took hours. With "string map", it took 19 seconds! Such a performance gain can only be achieved by using the right tool for the right job. BTW, lots of thinking went into this before the actual implementation.

I blurred the screen dump to hide the actual firewall details, just to cover my ass. FYI, I will still explore the FreeMind way when I have more time.
