Jay,

I was going to suggest loading the rules into a data structure that suggests a solution, but after thinking about that, I don't see how to work it either. So...load the rules in a dumb data structure (an array of arrays) and create subs that look for the common bits in each rule (the host part in example 1 and the rule in example 2) and consolidate them there. Perhaps prepend each sub array in the data structure with an undef value and fill that value with the row number of the consolidated rule:

    @rules = (
        [undef, qw(access-list outside_in permit ip 1.1.1.0 255.255.255.128 host 2.2.2.2)],
        [undef, qw(access-list outside_in permit ip 1.1.1.128 255.255.255.128 host 2.2.2.2)],
    );

becomes:

    @rules = (
        [2, qw(access-list outside_in permit ip 1.1.1.0 255.255.255.128 host 2.2.2.2)],
        [2, qw(access-list outside_in permit ip 1.1.1.128 255.255.255.128 host 2.2.2.2)],
        [undef, qw(access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.2)],
    );

The object-group stuff may need to be handled differently.

Doh! Since Josh pointed out that Cisco already has this, I'd see what they have. :-)

Troy

>>> Jay Austad <austad at signal15.com> 02/22/05 2:15 PM >>>
Does anyone know of a perl script that I can use to parse a Cisco PIX config file and have it suggest the creation of object groups and possibly summarize the ruleset? I've got a bunch of PIX configs that need to be cleaned up. Some are using conduits, some are using acl's.

If nothing exists like this, does anyone have any suggestions for writing one in perl? I can't really think of a good way to go about it.
For example, if I had this in the config:

access-list outside_in permit ip 1.1.1.0 255.255.255.128 host 2.2.2.2
access-list outside_in permit ip 1.1.1.128 255.255.255.128 host 2.2.2.2

It would suggest replacement with:

access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.2

Or if I had:

access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.1
access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.2
access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.3
access-list outside_in permit ip 1.1.1.0 255.255.255.0 host 2.2.2.4

It would suggest making an object-group for the 2.2.2.x addresses and replacing the rules with:

access-list outside_in permit ip 1.1.1.0 255.255.255.0 object-group mygroup
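
An added example, not part of either message: one way to implement the array-of-arrays approach for the first case in the thread (merging two adjacent source subnets), filling the leading undef with the row number of the consolidated rule. The sub names and the third sample rule are hypothetical. It assumes the source is written as "network mask" in fixed positions with well-formed addresses, and that no rule with a different action sits between the merged lines, since ACLs are evaluated first-match.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);

# Constructed sample: the two rules from the thread plus one with a
# different destination that must not be merged with them.
my @rules = map { [ undef, split ] } (
    'access-list outside_in permit ip 1.1.1.0 255.255.255.128 host 2.2.2.2',
    'access-list outside_in permit ip 1.1.1.128 255.255.255.128 host 2.2.2.2',
    'access-list outside_in permit ip 1.1.2.0 255.255.255.128 host 2.2.2.9',
);

sub ip2n { unpack 'N', inet_aton(shift) }
sub n2ip { inet_ntoa(pack 'N', shift) }

# Key = mask plus every field except the source network (row slots 5 and 6).
sub rule_key { my ($mask, @row) = @_; return join ' ', $mask, @row[1 .. 4, 7 .. $#row] }

# Hypothetical helper: merge rules whose source networks are the two halves
# of one supernet and whose other fields match; repeat until nothing merges.
sub consolidate {
    my ($rules) = @_;
    my $merged = 1;
    while ($merged) {
        $merged = 0;
        my %live;    # "key network" => row index of rules not yet replaced
        for my $i (grep { !defined $rules->[$_][0] } 0 .. $#$rules) {
            my @row = @{ $rules->[$i] };
            next unless @row > 7 and "@row[5,6]" =~ /^(?:\d+\.){3}\d+ (?:\d+\.){3}\d+$/;
            my ($net, $mask) = map { ip2n($_) } @row[5, 6];
            next if $mask == 0 or ($net & $mask) != $net;    # cannot widen / misaligned
            my $key = rule_key($mask, @row);
            my $sib = "$key " . ($net ^ ((~$mask & 0xFFFFFFFF) + 1));    # other half
            my $j   = delete $live{$sib};
            if (!defined $j) { $live{"$key $net"} = $i; next }
            my $super = ($mask << 1) & 0xFFFFFFFF;           # mask one bit shorter
            push @$rules, [ undef, @row[1 .. 4], n2ip($net & $super), n2ip($super), @row[7 .. $#row] ];
            $rules->[$_][0] = $#$rules for $i, $j;           # point at replacement row
            $merged = 1;
        }
    }
    return $rules;
}

consolidate(\@rules);
printf "%-5s %s\n", $_->[0] // 'keep', join ' ', @{$_}[1 .. $#{$_}] for @rules;
```

Rows printed with a number have been superseded by the row at that index; rows printed with "keep" form the suggested ruleset.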