Netgate Discussion Forum
    Rule checker - firewall audit

    Firewalling
    kfolman:

      Hi

      I recently took over a pfSense box on a rather big network. Lots of aliases, lots of subnets and VLANs.

      I have been ordered to do an audit, and the rules are such a mess that it almost seems like an impossible task.

      A tool that would really help me would be a piece of software that is able to check an IP/net for connectivity. This would enable me to quickly get a list of IP addresses / ports that a specific IP is allowed to communicate with.

      Have any of you heard about such software?
      If not, is anyone interested in collaborating on making that software? I'm a sort of skilled PHP programmer.

      Thanks for your time guys!

      Kasper

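A minimal version of the query Kasper describes, as an added example that is not code from this thread or from pfSense: a constructed alias table and a constructed per-interface rule list, evaluated top-down with first match winning (the way pfSense evaluates a rule list), a `decide()` that answers "may this host reach that host and port?", and an `allowed_from()` that lists the pass rules a given source can trigger and flags the ones an earlier rule shadows. Alias names, addresses and rule descriptions are hypothetical. It deliberately ignores interfaces, direction, floating rules, "quick", invert-match and state; a real pass over a pfSense config.xml would have to handle all of those.

```python
import ipaddress
from dataclasses import dataclass

# Constructed aliases with hypothetical names (not from the thread). pfSense
# lets an alias contain other aliases, so expansion below is recursive.
ALIASES = {
    "Admin_Net":   ["10.0.99.0/24"],
    "Office_VLAN": ["10.0.20.0/24"],
    "Web_Servers": ["10.0.10.5", "10.0.10.6"],
    "DNS_Servers": ["10.0.0.53"],
    "Servers":     ["Web_Servers", "DNS_Servers"],   # nested alias
    "Web_Ports":   ["80", "443"],
    "Mgmt_Ports":  ["22", "8443"],
}


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # alias name, CIDR, single IP, or "any"
    dst: str
    proto: str    # "tcp", "udp" or "any"
    dport: str    # alias name, "N", "lo-hi" or "any"
    descr: str = ""


# Constructed rule list for one interface. pfSense evaluates top-down and the
# first matching rule decides, so order matters and later rules can be shadowed.
RULES = [
    Rule("pass",  "Admin_Net",   "any",         "any", "any",        "admins unrestricted"),
    Rule("block", "any",         "Admin_Net",   "any", "any",        "nobody else reaches admin net"),
    Rule("pass",  "Office_VLAN", "DNS_Servers", "udp", "53",         "office DNS"),
    Rule("pass",  "Office_VLAN", "Servers",     "tcp", "Web_Ports",  "office to web"),
    Rule("block", "Office_VLAN", "Web_Servers", "tcp", "Mgmt_Ports", "no office mgmt to web"),
    Rule("pass",  "Office_VLAN", "Web_Servers", "tcp", "22",         "dead: shadowed by rule 4"),
    Rule("block", "any",         "any",         "any", "any",        "default deny"),
]


def expand_hosts(spec):
    """Resolve an alias (recursively), CIDR or single IP to a list of networks."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec in ALIASES:
        return [net for member in ALIASES[spec] for net in expand_hosts(member)]
    return [ipaddress.ip_network(spec, strict=False)]


def expand_ports(spec):
    """Resolve a port alias, single port or lo-hi range to a list of (lo, hi)."""
    if spec == "any":
        return [(0, 65535)]
    if spec in ALIASES:
        return [rng for member in ALIASES[spec] for rng in expand_ports(member)]
    lo, _, hi = spec.partition("-")
    return [(int(lo), int(hi or lo))]


def rule_matches(rule, src, dst, proto, port):
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (rule.proto in ("any", proto)
            and any(src_ip in net for net in expand_hosts(rule.src))
            and any(dst_ip in net for net in expand_hosts(rule.dst))
            and any(lo <= port <= hi for lo, hi in expand_ports(rule.dport)))


def decide(src, dst, proto, port):
    """First-match decision for one flow: (action, index of the deciding rule)."""
    for i, rule in enumerate(RULES):
        if rule_matches(rule, src, dst, proto, port):
            return rule.action, i
    return "block", -1   # pfSense's implicit default deny if nothing matched


def allowed_from(src):
    """List pass rules whose source covers `src`. Each is probed with one
    representative destination and port through decide(); if an earlier rule
    wins the probe, the rule is reported as shadowed instead of allowed."""
    report = []
    src_ip = ipaddress.ip_address(src)
    for i, rule in enumerate(RULES):
        if rule.action != "pass" or not any(src_ip in n for n in expand_hosts(rule.src)):
            continue
        net = expand_hosts(rule.dst)[0]
        probe_dst = str(net[0] if net.num_addresses == 1 else net[1])
        probe_port = expand_ports(rule.dport)[0][0]
        probe_proto = "tcp" if rule.proto == "any" else rule.proto
        _, winner = decide(src, probe_dst, probe_proto, probe_port)
        status = "allowed" if winner == i else "shadowed by rule %d" % winner
        report.append((i, rule.dst, "%s/%s" % (rule.proto, rule.dport), status))
    return report


if __name__ == "__main__":
    for entry in allowed_from("10.0.20.15"):
        print(entry)
    print(decide("10.0.20.15", "10.0.99.1", "tcp", 443))
```

The shadow check is the part an audit of a large rule set benefits from most: rule 5 above looks like it grants SSH, but first-match evaluation means rule 4 always wins, so the report marks it as dead rather than listing it as an allowed path. Probing one representative destination per rule is a heuristic; a rule can be partly shadowed, so a real tool should probe every alias member and port range.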
      KOM:

        Usually the use of aliases helps make it easier to understand.  Is it really the case that the rules are a "mess", or is it that you are having a hard time understanding what they are doing?  I doubt you will get much response for the project you propose, but we're more than happy to help you figure out your rules.

        kfolman:

          @KOM:

          Usually the use of aliases helps make it easier to understand.  Is it really the case that the rules are a "mess", or is it that you are having a hard time understanding what they are doing?  I doubt you will get much response for the project you propose, but we're more than happy to help you figure out your rules.

          Thanks for your answer. But they are a mess. It's not just me who is having trouble understanding them. They're a mess. :)

          KOM:

            I suspect a manual audit is your only option.  Validate everything one by one.

            johnpoz (LAYER 8 Global Moderator):

              How many rules are you talking about?  So you're wanting a tool like nipper? https://www.titania.com/nipperstudio

              Yeah, I don't think they have support for pf..

              kfolman:

                @johnpoz:

                How many rules are you talking about?  So you're wanting a tool like nipper? https://www.titania.com/nipperstudio

                Yeah, I don't think they have support for pf..

                I would say around 5000 rules.

                johnpoz (LAYER 8 Global Moderator):

                  5000??  That just seems insane..

                  Yeah an audit is in order along with a restructure and simplification most likely…

                  athurdent:

                    Not exactly what you are looking for, but maybe this will help to identify rules with no hits:
                    https://forum.pfsense.org/index.php?topic=97925.msg545345#msg545345

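The "rules with no hits" check athurdent points to can be done from the per-rule counters that `pfctl -vsr` prints on a pfSense box. As an added example, not code from this thread or from the linked one, the parser below reads that output and separates rules that pf evaluated but never matched (removal candidates, or rules shadowed by something above them) from rules pf never even reached. The sample output is constructed: the rule text, table names and counter values are made up, only the bracketed counter line follows the format pf prints.

```python
import re

# Constructed sample of `pfctl -vsr` output. Rule text, table names (<...>)
# and counter values are invented for illustration; the bracketed line is the
# counter format pf prints after each rule.
SAMPLE_OUTPUT = """\
pass in quick on em1 inet proto udp from <Office_VLAN> to <DNS_Servers> port = domain keep state label "USER_RULE: office DNS"
  [ Evaluations: 18422     Packets: 9211      Bytes: 712340     States: 3     ]
  [ Inserted: uid 0 pid 4123 State Creations: 880   ]
pass in quick on em1 inet proto tcp from <Office_VLAN> to <Web_Servers> port = ssh flags S/SA keep state label "USER_RULE: office ssh to web"
  [ Evaluations: 18422     Packets: 0         Bytes: 0          States: 0     ]
  [ Inserted: uid 0 pid 4123 State Creations: 0     ]
block drop in quick on em1 inet from any to <Admin_Net> label "USER_RULE: nobody else reaches admin net"
  [ Evaluations: 0         Packets: 0         Bytes: 0          States: 0     ]
  [ Inserted: uid 0 pid 4123 State Creations: 0     ]
"""

COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
LABEL_RE = re.compile(r'label "([^"]*)"')


def parse_rules(text):
    """Turn `pfctl -vsr` output into one dict per rule with its counters.
    An unindented line starts a rule; the indented counter line that follows
    it is attached to the most recent rule."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            m = LABEL_RE.search(line)
            rules.append({
                "rule": line,
                "label": m.group(1) if m else "",
                "evaluations": None, "packets": None, "bytes": None, "states": None,
            })
            continue
        m = COUNTER_RE.search(line)
        if m and rules:
            ev, pk, by, st = (int(g) for g in m.groups())
            rules[-1].update(evaluations=ev, packets=pk, bytes=by, states=st)
    return rules


def never_matched(rules):
    """Rules pf evaluated but that never matched a packet: candidates for
    removal, or for being shadowed by an earlier rule that always wins."""
    return [r for r in rules if r["evaluations"] and r["packets"] == 0]


def never_evaluated(rules):
    """Rules pf never reached at all, typically because a 'quick' rule above
    them matches everything they could have matched."""
    return [r for r in rules if r["evaluations"] == 0]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_OUTPUT)
    for r in never_matched(parsed):
        print("no hits:       ", r["label"])
    for r in never_evaluated(parsed):
        print("never reached: ", r["label"])
```

Two caveats for using this in an audit: pf's counters start from zero whenever the ruleset is reloaded, so a rule with no hits may simply be younger than the last filter reload, and a rule for a quarterly job will legitimately show zero for months. Treat the output as a list of rules to question, not a list of rules to delete, and collect it over a window long enough to cover the traffic patterns the network actually has.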