This is an excellent question, and has relevance beyond just troubleshooting and maintenance. I don't know how many times an auditor has asked the pointed audit question, "What controls (tools and processes) do you use to verify the technology in place is configured correctly to support policy...". The fact that the Shorewall config files are further "compiled", before loading to firewall, really says that unless you are reviewing the output from iptables directly, you really have no good answer to that question.
You may have already found this, but take a look at ITVal on Sourceforge (http://sourceforge.net/projects/itval/). It doesn't give you a "picture" of the firewall, but probably better, it lets you formulate queries against the table rules. I have been playing with it a bit (mostly reading docs) and it is something I plan on looking into deeper at a later date. I liked what I have seen so far, especially that you can create scripts so that testing runs are repeatable, and can be built to answer specific questions.

Don

-----Original Message-----
From: Christian Vieser [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 27, 2008 6:28 AM
To: [email protected]
Subject: [Shorewall-users] firewall analysis

Hi all,

my officemate asked me recently if there is any tool available to analyze the shorewall policies and rules to get a "picture" of the allowed connections, or to get a list of allowed connections for a given IP. Since firewall rules tend to get more complex and confusing over time :-) I don't think it's a dumb question, especially if the main work is done by one person and the other person is only involved in holiday times, like it often is practice in small businesses.

There are a few projects out there which try to analyze the output of iptables, but I didn't find anything really useful. So, before I try to develop something by myself, just the question: Does anybody here know of a working tool for analyzing or visualizing the firewall ruleset (based on the shorewall configuration or output of iptables)? Has anybody here developed some scripts I could take as base, so I don't need to invent the wheel a second time?

Thanks for any hints,
Christian

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
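As an added example (not code from this thread, from Shorewall, or from ITVal): a small Python script that takes `iptables-save` output, the compiled ruleset Don says is the only thing worth auditing, and answers Christian's question "which connections does the firewall allow from a given IP?". Rather than grepping for ACCEPT lines, it walks the filter chains the way the kernel does for a new connection, so an ACCEPT that is shadowed by an earlier DROP or REJECT is not reported. The dump, the chain names (net2fw, loc2net) and the interface names are constructed for the example and are assumptions, not anyone's real configuration.

```python
"""Query an iptables-save dump for the connections it allows from a source IP.
Added example; the dump below is a constructed sample, not a real ruleset."""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed sample of `iptables-save` output (filter table only).
# Note the blocklist DROP in net2fw that sits *before* the broader ACCEPTs.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:net2fw - [0:0]
:loc2net - [0:0]
-A INPUT -i eth0 -j net2fw
-A FORWARD -i eth1 -o eth0 -j loc2net
-A net2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A net2fw -s 203.0.113.200/32 -j DROP
-A net2fw -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A net2fw -j DROP
-A loc2net -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2net -s 192.168.1.10/32 -p udp -m udp --dport 53 -j ACCEPT
-A loc2net -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

VERDICTS = {"ACCEPT", "DROP", "REJECT", "RETURN"}
NO_ARG_OPTS = {"--syn"}  # options that take no value; extend if your dump uses more


@dataclass
class Rule:
    chain: str
    target: str = ""
    src: ipaddress.IPv4Network | None = None
    src_neg: bool = False          # set when the dump has "! -s ..."
    proto: str | None = None
    dport: str | None = None       # "22" or "22:25", as written in the dump
    in_if: str | None = None
    out_if: str | None = None
    states: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    proto: str | None
    dport: int | None
    in_if: str | None = None
    out_if: str | None = None


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ...' line. Matches not listed here (-d, --sport,
    owner, etc.) are ignored, which makes this analysis optimistic for them."""
    toks = shlex.split(line)
    rule, i, neg = Rule(chain=toks[1]), 2, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            neg, i = True, i + 1
            continue
        if t in NO_ARG_OPTS:
            i += 1
            continue
        arg = toks[i + 1]
        if t in ("-s", "--source"):
            rule.src, rule.src_neg = ipaddress.ip_network(arg, strict=False), neg
        elif t in ("-p", "--protocol"):
            rule.proto = arg
        elif t == "--dport":
            rule.dport = arg
        elif t in ("-i", "--in-interface"):
            rule.in_if = arg
        elif t in ("-o", "--out-interface"):
            rule.out_if = arg
        elif t in ("--state", "--ctstate"):
            rule.states = set(arg.split(","))
        elif t in ("-j", "--jump", "-g", "--goto"):   # -g is treated like -j here
            rule.target = arg
        neg, i = False, i + 2
    return rule


def port_in(spec: str, port: int | None) -> bool:
    if port is None:
        return False
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src is not None and (pkt.src in rule.src) == rule.src_neg:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport and not port_in(rule.dport, pkt.dport):
        return False
    if rule.in_if and rule.in_if != pkt.in_if:
        return False
    if rule.out_if and rule.out_if != pkt.out_if:
        return False
    # We model a fresh connection attempt: ESTABLISHED/RELATED-only rules never hit it.
    return not rule.states or "NEW" in rule.states


@dataclass
class Ruleset:
    policies: dict[str, str] = field(default_factory=dict)  # built-in chain -> policy
    chains: set[str] = field(default_factory=set)
    rules: list[Rule] = field(default_factory=list)

    def verdict(self, chain: str, pkt: Packet) -> str:
        """First matching terminal target wins; user chains may RETURN."""
        for rule in self.rules:
            if rule.chain != chain or not matches(rule, pkt):
                continue
            if rule.target in VERDICTS:
                return rule.target
            if rule.target in self.chains:           # jump into a user chain
                sub = self.verdict(rule.target, pkt)
                if sub != "RETURN":
                    return sub
            # LOG and other non-terminating targets: keep walking
        return self.policies.get(chain, "RETURN")    # user chains fall through


def parse_dump(text: str) -> Ruleset:
    rs, table = Ruleset(), None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif table != "filter":                      # nat/mangle/raw are out of scope
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            rs.chains.add(name)
            if policy != "-":
                rs.policies[name] = policy
        elif line.startswith("-A "):
            rs.rules.append(parse_rule(line))
    return rs


def allowed_from(rs: Ruleset, ip: str, in_if: str | None = None,
                 out_if: str | None = None) -> list[tuple[str, str | None, str | None]]:
    """Every (entry chain, proto, dport) on which a NEW connection from `ip`
    arriving on `in_if` (leaving via `out_if` for FORWARD) is ACCEPTed.
    Candidates come from ACCEPT rules; each is re-evaluated from the built-in
    chain, so ACCEPTs shadowed by an earlier DROP/REJECT are dropped."""
    src, found = ipaddress.ip_address(ip), set()
    for r in rs.rules:
        if r.target != "ACCEPT" or (r.states and "NEW" not in r.states):
            continue
        probe_port = int(r.dport.partition(":")[0]) if r.dport else None  # low end of a range
        for entry in ("INPUT", "FORWARD"):
            if rs.verdict(entry, Packet(src, r.proto, probe_port, in_if, out_if)) == "ACCEPT":
                found.add((entry, r.proto, r.dport))
    return sorted(found, key=str)


if __name__ == "__main__":
    ruleset = parse_dump(SAMPLE_DUMP)
    for who, kw in (("203.0.113.5", {"in_if": "eth0"}), ("203.0.113.200", {"in_if": "eth0"}),
                    ("192.168.1.10", {"in_if": "eth1", "out_if": "eth0"})):
        print(who, "->", allowed_from(ruleset, who, **kw) or "nothing")
```

Run it against a live box with `iptables-save | python3 fwquery.py` after replacing SAMPLE_DUMP with `sys.stdin.read()`. Two caveats a practitioner should keep in mind: it only models the filter table for new connections, so DNAT in the nat table, `-d`/`--sport` matches and `-g` goto semantics are not represented, and the result is only as trustworthy as the dump, which is exactly why it reads the loaded ruleset rather than the Shorewall source files.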
