Maybe FLINT? http://www.matasano.com/playbook/flint

Never tried it so feedback is welcome... :-)

/bs

On Wed, Aug 18, 2010 at 5:38 PM, George Michaelson <[email protected]> wrote:
> I have been looking at ACL management s/w in the freecode space and I can
> find lots of tools which manage/distribute and test ACLs in routers.
>
> I'm wondering if anyone has written a parser which can construct rule-trees
> and get rid of the cruft, unusable, order-misorder and other issues in a
> large ACL pool?
>
> It's possible this is NP in the wider sense, but even a partial improvement
> would be useful.
>
> Something which can take a couple of hundred basic and extended ACLs and
> tell you:
>
> these <ten> don't work
> these <twenty> conflict
> the remaining <x> have a sequence and can reduce to this basic <x-y> set
>
> (We've got the usual "acquisition of rule by accretion" problem across 4
> edge/core routers with a mix of public facing, internal, WiFi, guest rules,
> and I hate to think this is either start from scratch, or intractable. The
> evidence is that it's FRAGILE.)
>
> -G
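The kind of analysis George is asking for (which rules can never match, which ones collide with an earlier rule of the opposite action, and what is left once the dead rules are dropped) can be done with a pairwise match-space comparison under first-match semantics. The following is an added example written for this page; it is not FLINT, not code from either poster, and not part of the thread. The rule syntax it accepts is a constructed subset (`permit|deny ip|tcp|udp <src-cidr|any> <dst-cidr|any> [eq <dst-port>]`), not the full Cisco extended-ACL grammar, and the sample ACL is constructed to exercise each anomaly class:

```python
"""Static analysis of an ordered, first-match ACL.

Finds rules that can never match ("shadowed" if an earlier rule with the
opposite action covers them, "redundant" if the covering rule has the same
action) and rules that partially overlap an earlier rule of the opposite
action ("conflict", usually a misorder). Added example, not FLINT's code.

Constructed rule syntax (a subset, NOT the full Cisco extended-ACL grammar):
    <permit|deny> <ip|tcp|udp> <src-cidr|any> <dst-cidr|any> [eq <dst-port>]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT = (0, 65535)  # inclusive destination port range


@dataclass(frozen=True)
class Rule:
    line: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Tuple[int, int]


def _net(token: str) -> ipaddress.IPv4Network:
    return ANY_NET if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Parse one rule per line; line numbers start at 1."""
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), start=1):
        t = raw.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp", "udp"):
            raise ValueError(f"line {n}: unsupported rule {raw!r}")
        port = ANY_PORT
        if len(t) >= 6 and t[4] == "eq":
            port = (int(t[5]), int(t[5]))
        rules.append(Rule(n, t[0], t[1], _net(t[2]), _net(t[3]), port))
    return rules


def _proto_covers(a: str, b: str) -> bool:
    return a == "ip" or a == b


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (_proto_covers(a.proto, b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.port[0] <= b.port[0] and b.port[1] <= a.port[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet is matched by both a and b."""
    return ((_proto_covers(a.proto, b.proto) or _proto_covers(b.proto, a.proto))
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and max(a.port[0], b.port[0]) <= min(a.port[1], b.port[1]))


def analyze(rules: List[Rule]) -> List[Tuple[int, str, int]]:
    """Return (line, kind, earlier_line) findings under first-match semantics."""
    findings = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = "redundant" if earlier.action == r.action else "shadowed"
                findings.append((r.line, kind, earlier.line))
                break  # r is unreachable; nothing further to learn about it
            if covers(r, earlier):
                continue  # specific exception placed before a general rule: normal
            if earlier.action != r.action and overlaps(earlier, r):
                findings.append((r.line, "conflict", earlier.line))
    return findings


def reduce_acl(rules: List[Rule], findings) -> List[Rule]:
    """Drop rules that can never match; the ACL's behaviour is unchanged."""
    dead = {line for line, kind, _ in findings if kind in ("shadowed", "redundant")}
    return [r for r in rules if r.line not in dead]


# Constructed sample ACL (not from any real router).
SAMPLE_ACL = """
permit tcp 10.0.0.0/8 any eq 22
deny tcp 10.1.0.0/16 any eq 22
permit tcp 10.1.2.0/24 any eq 22
deny ip 192.168.0.0/16 any
permit udp 192.168.1.0/24 10.0.0.53/32 eq 53
permit tcp 172.16.0.0/12 10.0.0.0/8 eq 443
deny tcp 172.16.5.0/24 any
deny ip any any
"""

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    found = analyze(rules)
    for line, kind, other in found:
        print(f"rule {line}: {kind} (earlier rule {other})")
    print("remaining:", [r.line for r in reduce_acl(rules, found)])
```

Shadowed rules are reported rather than silently removed: a `deny` hidden behind an earlier `permit` usually means the intent was the deny, so the fix is a reorder, not a deletion. A conflict means traffic in the overlap is decided by whichever rule comes first, which is exactly the order-dependence the post calls fragile.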