/*
 * fwprint version 6.0.1 November 14, 1998
 * Dave Wreski
 *
 * This program attempts to print out the firewall rules using FW-1
 * version 3.x. It is capable of printing everything contained in the
 * default.W and objects.C file in a human-readable format, which can
 * then be generated into a report for firewall analysis.
 *
 * See http://nic.com/~dave/Security/fwprint.html for more information
 *
 * This program is Year 2000 compliant, but if you're using
 * this after the year 2000, you need to get an updated version ;)
 *
 * Changes:
 * - Feb 03 1998
 *   Apparently some patch to FW-1 changed the format slightly which
 *   required about two hours worth of changes in the parsing mechanism
 *
 * - Feb 27 1998
 *   Fixed/Added support for printing out only the gateway hosts
 *   Updated documentation to be more informative on usage
 *
 * - March 04, 1998
 *   There is still a bug someplace. Something is wrong with rule
 *   64 that causes memory to be scribbled on. I thought it was fixed,
 *   but the LNSIZE must be increased to 200 chars to avoid this problem.
 *   Wish ddd worked :(
 *
 * - March 07, 1998
 *   Fixed rule-64 bug. The services string was not being terminated
 *   correctly, which caused a buffer overrun.
 *   Also fixed gateway/hostname parsing problem. It now correctly
 *   separates gateways and hosts into the proper sections, and writes
 *   them to a file in /tmp according to the gateway or hostname.
 *
 * - March 11, 1998
 *   Added ability to print out all services matching a specific pattern
 *
 * - November 14, 1998
 *   Fixed allocation problem with number of allowed objects/svcs in
 *   linked list.
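*
 */
#include "rules.h"
#include "objects.h"
#include "services.h"

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void usage(void);
void show_examples(void);

char *version = "fwprint 6.0.1 November 14, 1998";

/*
 * Copy a command-line argument into one of the fixed-size LNSIZE buffers.
 *
 * optarg is user-controlled, so the copy is bounded by `cap' and an
 * argument that does not fit is rejected with a message instead of being
 * written past the end of the buffer (the previous sprintf("%s") had no
 * bound at all).  `what' names the option in the message.  Exits with
 * status 1 on an oversized argument.
 */
static void copy_arg(char *dst, size_t cap, const char *src, const char *what)
{
    int n = snprintf(dst, cap, "%s", src);

    if (n < 0 || (size_t)n >= cap) {
        fprintf(stderr, "\n** Argument to %s is too long (limit %lu characters)\n",
                what, (unsigned long)(cap - 1));
        exit(1);
    }
}

/*
 * -r, -o, -s and -a select one printout type and cannot be combined.
 * `already' is nonzero when one of the other three was seen earlier on
 * the command line; in that case print usage and exit with status 1.
 */
static void reject_combined(int already)
{
    if (already) {
        usage();
        fprintf(stderr, "\n*** Cannot combine those options ***\n");
        exit(1);
    }
}

/*
 * Interpret the argument of -i: 0 selects source, 1 selects destination.
 * Anything else -- out of range, trailing garbage, or not a number at
 * all -- maps to 4, the value the rest of main() treats as "neither".
 * (atoi() used to turn a non-numeric argument into 0, i.e. silently
 * into "source".)
 */
static int parse_srcdst(const char *arg)
{
    char *end = NULL;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE) {
        return 4;
    }
    return (v == 0 || v == 1) ? (int)v : 4;
}

/*
 * Entry point: parse the options, load default.W / objects.C into the
 * rule, object and service structures, then run the printout selected
 * on the command line.  Returns 0 on success; usage errors exit with 1.
 */
int main(int argc, char *argv[])
{
    int verbose = 0;
    int all = 0;        /* -a */
    int services = 0;   /* -s */
    int objects = 0;    /* -o */
    int rules = 0;      /* -r */
    int network = 0;    /* -n given */
    int allnet = 0;     /* -i given */
    int srcdst = 3;     /* -i value: 0 source, 1 destination, 4 anything else */
    int gateways = 0;   /* -g given */

    /* gateway name given with -g */
    char gwname[LNSIZE] = "";
    /* default.W (rule-base) filename, -f */
    char rulesC[LNSIZE] = "";
    /* objects.C (filter-file) filename, -j */
    char objectsC[LNSIZE] = "";
    /* network object (or, together with -s, service type) given with -n;
     * stays empty when -n is absent, which the checks below rely on */
    char netname[LNSIZE] = "";

    if (argc < 2) {
        usage();
        exit(1);
    }

    /* Process command-line arguments */
    for (;;) {
        int c = getopt(argc, argv, "hprosavxg:f:j:n:i:");

        if (c == -1) {
            break;
        }
        switch (c) {
        case 'x':   /* show example usage information */
            show_examples();
            exit(0);
        case 'p':   /* accepted for the fwprint shell script; no effect here */
            break;
        case 'v':   /* verbose printing */
            verbose = 1;
            break;
        case 'r':   /* print rules only */
            reject_combined(objects || services || all);
            rules = 1;
            break;
        case 'o':   /* print out all objects */
            reject_combined(rules || services || all);
            objects = 1;
            break;
        case 's':   /* print out all services */
            reject_combined(objects || rules || all);
            services = 1;
            break;
        case 'g':   /* specific gateway host; used to split default.W
                     * into multiple files */
            if (optarg) {
                copy_arg(gwname, sizeof gwname, optarg, "-g");
            }
            gateways = 1;
            break;
        case 'i':   /* restrict -n to source (0) or destination (1) */
            allnet = 1;
            srcdst = optarg ? parse_srcdst(optarg) : 4;
            break;
        case 'n':   /* netname we are looking for */
            network = 1;
            if (optarg) {
                copy_arg(netname, sizeof netname, optarg, "-n");
            }
            break;
        case 'f':   /* default.W filename */
            if (optarg) {
                copy_arg(rulesC, sizeof rulesC, optarg, "-f");
            }
            break;
        case 'j':   /* objects.C filename */
            if (optarg) {
                copy_arg(objectsC, sizeof objectsC, optarg, "-j");
            }
            break;
        case 'a':   /* print all information */
            reject_combined(objects || rules || services);
            all = 1;
            break;
        case 'h':
            usage();
            exit(0);
        default:
            /* unknown option or missing argument; usage errors go to
             * stderr like every other diagnostic in this program */
            fprintf(stderr, "Try 'fwprint -h' for correct usage\n");
            exit(1);
        }
    }

    /* -f and -j with their arguments plus a printout selector appears to
     * be the smallest sensible command line; anything shorter is an error */
    if (argc < 6) {
        usage();
        exit(1);
    }

    if (optind < argc) {
        fprintf(stderr, "\n** non-option ARGV-elements: ");
        while (optind < argc) {
            fprintf(stderr, "%s ", argv[optind++]);
        }
        fprintf(stderr, "\n At least one of those options do not take an argument\n");
        fprintf(stderr, "\nTry 'fwprint -h' for usage instructions\n");
        exit(1);
    }

    /* Both input files are mandatory.  The message used to say -g for the
     * filter-file, but that option is -j (see usage()). */
    if (rulesC[0] == '\0' || objectsC[0] == '\0') {
        fprintf(stderr, "\n** Must specify rule-base filename with -f\n");
        fprintf(stderr, "and filter-file with -j\n");
        fprintf(stderr, "Try 'fwprint -h' for usage instructions\n");
        exit(1);
    }

    /* -g: split the rule-base per gateway and stop.  Per the file header
     * this writes files under /tmp named after the gateway. */
    if (gateways == 1) {
        find_gateways(rulesC, gwname);
        exit(0);
    }

    /* simply initialize each structure */
    initrules();
    initservices();
    initobjlist();

    /* break each file into their proper pieces, and store
     * in the proper structure */
    find_rules(rulesC);
    find_obj(objectsC);
    find_svc(objectsC);

    /* -s together with -n: `netname' is a service type here.  Order is
     * important -- this must stay ahead of the allnet handling below. */
    if (network == 1 && netname[0] != '\0' && services == 1) {
        dumpsource(netname, verbose, 2);
    }

    /* print out information/properties on specific network or hostname */
    if (network == 1 && allnet == 0) {
        dumpnet(netname, verbose);
        exit(0);
    }

    /* -i only makes sense with -n naming the source or destination */
    if (network == 0 && allnet == 1) {
        fprintf(stderr, "\n");
        fprintf(stderr, "** Option -i requires '-n srchost'**\n");
        usage();
        exit(1);
    }

    /* print rules only */
    if (rules) {
        dumpsource(NULL, verbose, 3);
        exit(0);
    }

    /* -n with -i: rules having `netname' as source/destination */
    if (netname[0] != '\0') {
        dumpsource(netname, verbose, srcdst);
        exit(0);
    }

    /* print all information */
    if (all) {
        dump_resolv(verbose);
    }
    /* print services only */
    if (services) {
        dump_svc(verbose);
    }
    /* print objects only. Consider using -n instead */
    if (objects) {
        dumpnet(NULL, verbose);
    }
    return 0;
}

/* Print the version line and the option synopsis to stderr. */
void usage(void)
{
    static const char *const lines[] = {
        "See http://nic.com/~dave/Security/fwprint.html\n",
        "Usage:\n\tfwprint [-h] [-x] [-r|-o|-s|-a] [-v] [-n objname] [-g gwname]\n",
        "\t\t-j filter-file -f rule-base\n",
        "\n\tTry using default.W for rule-base and objects.C for filter-file\n",
        "\n\t-r\t\t Print rules only\n",
        "\t-o\t\t Print objects only\n",
        "\t-s\t\t Print services only\n",
        "\t-n objname \t Print information about a specific object\n",
        "\t-a\t\t Print all information available\n",
        "\t-v\t\t Combined with other options, will print more verbosely\n",
        "\t-p\t\t Force printing to screen\n",
        "\t-i [0|1]\t Use 0 for source or 1 for destination\n",
        "\t-g gwname\t Specify gateway name\n",
        "\t-x\t\t Show a list of usage examples\n\n",
        "\t NOTE: The -a, -r, -s and -o default to postscript output\n",
        "\t Use -p option to force ASCII printing to stdout\n\n",
    };
    size_t i;

    fprintf(stderr, "%s\n", version);
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        fputs(lines[i], stderr);
    }
}

/*
 * Print the worked examples (-x) to stdout.  The "as a source" example
 * now includes -n, which main() requires whenever -i is given.
 */
void show_examples(void)
{
    fprintf(stdout,
            "\n"
            "fwprint %s\nSee http://nic.com/~dave/Security/fwprint.html for more info\n\n"
            "Sample Usage:\n\n"
            "Assume default.W for rule-base, and objects.C for filter-file\n\n"
            "To see usage instructions:\n"
            "\t fwprint -h\n\n"
            "To print all information available:\n"
            "\t fwprint -a -f default.W -j objects.C | lpr\n\n"
            "To print all information on a particular host:\n"
            "\t fwprint -n hostname -f default.W -j objects.C\n\n"
            "To print out all objects with source, destination, service and gateway host:\n"
            "\t fwprint -r -f default.W -j objects.C | lpr\n\n"
            "To print out all objects and all available information on each object:\n"
            "\t fwprint -o -f default.W -j objects.C | lpr\n\n"
            "To print out all services and all available information on each service:\n"
            "\t fwprint -s -f default.W -j objects.C | lpr\n\n"
            "To seperate a rule-base into individual files according to specific gateway:\n"
            "\t fwprint -g gwname -f default.W -j objects.C\n\n"
            "To print out all rule entries with 'hostname' as a source:\n"
            "\t fwprint -i 0 -n hostname -f default.W -j objects.C | lpr\n\n"
            "To print out all rule entries with 'hostname' as a destination:\n"
            "\t fwprint -i 1 -n hostname -f default.W -j objects.C | lpr\n\n"
            "NOTE:\n"
            "- Default output format is postscript to standard output. You can force\n"
            "printing ASCII output to stdout by adding the -p option.\n\n"
            "- Pipe the -x option to /bin/more, as it may be longer than 25 lines\n\n"
            "- The -v option can be also be given to print more verbose information\n"
            "that is not usually desired.\n\n"
            "- Some options may print output longer than 80 columns.\n\n"
            "- The -g option now creates a file in /tmp using the gateway name\n\n"
            "- Incorrect usage will result in error message sent to standard error.\n"
            "Redirect standard error to standard output using redirection:\n"
            "\t fwprint 2>&1 | /bin/more\n\n",
            version);
}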