Using fwprint

Version 6.0.1 November 14, 1998

Introduction

fwprint formats the information contained in the data files that FW-1 produces, and prints it out in a human-readable format.

It contains many command-line options that can be used to print out specific information you may be looking for, or everthing that is contained in those data files, suitable for report generation.

It works in conjunction with a shell script wrapper program, which sends the output to another program that formats and prints it.

Download fwprint-6.0.1.tgz here

Download fwprint-6.0.1.tar here

Download fwprint-6.0.1.bin.tgz here

Background Information

A firewall is a component or set of components that restricts access between a protected network and the Internet, or between other sets of networks. Our firewall contains a specific list of properties that allows communications between authorized parties. All other information communicating with the firewall is dropped, preventing access from unauthorized hosts.

Contained in the Firewall-1 version 3.x data files are all the attributes of a typical firewall rule.

It is important to have an understanding of the type of information a firewall needs before one can make use of the information it provides. A typical packet of information that passes through a firewall has a set of headers containing certain information. The main information is:

Additionally, the firewall machine and firewall software knows things about the packet that aren't reflected in the packet headers, such as:

Available Information

Some of the information fwprint can provide the user with is as follows:

Source and Destination hostnames and what services are permitted to be transferred between them
Description and expansion of groups of networks. These groups contain a combination of hosts that were created to make reading of rules when using the firewall viewer more clear
The gateway host that the rule is actually operating on
All available information about a particular host, network or gateway, such as its IP address, hostname, netmask, interface names, etc.
The time of day the rule is in effect
All source or destination connections to a particular host, network or gateway
The service type for a particular rule, and the protocol it uses
Whether network broacast is allowed on that network

Command Usage

fwprint is the main program that reads the Firewall-1 objects and prints them to the screen. It accepts multiple command-line arguments to tailor the output to the desired information the user is requesting.

This program requires the two files that comprise the actual firewall code. Typically default.W, called the rule-base, and objects.C, called the filter-file should be used.

Typing:

fwprint -h

fwprint 6.0.1 November 14, 1998
See http://nic.com/~dave/Security/fwprint.html
Usage:
        fwprint [-r|-o|-s|-a|-x|-h] [-v] [-n objname] [-g gwname]
                -j filter-file -f rule-base

        Try using default.W for rule-base and objects.C for filter-file

        -r               Print rules only
        -o               Print objects only
        -s               Print services only
        -n objname       Print information about a specific object
        -a               Print all information available
        -v               Combined with other options, will print more verbosely
        -p               Force printing to screen
        -i [0|1]         Use 0 for source or 1 for destination
        -g gwname        Specify gateway name
        -x               Show a list of usage examples

         NOTE: The -a, -r, -s and -o default to postscript output
         Use -p option to force ASCII printing to stdout

The -f and -j arguments must always point to your rule-base file and filter-file FW-1 source files.

The rule-base contains the actual rules you wish to process. This file typically ends in 'W'. Such an example might be default.W

The filter-file contains the objects that define the filter-file. This file typically ends in 'C'. Such an example might be objects.C

The examples shown below will use default.W and objects.C as the rule-base and filter-file.

The options -a, -r, -o, and -s default to printing postscript to the standard output. You should pipe this to a printer, or specify the -p option to print ASCII to standard output instead.

Command Execution

-r
This option is used to print out the source and destination hostname, service, service offered by the rule, which firewall it is installed on, and the time the rule is in effect. This option may be used for a quick printout of the basic information available, suitable for reference. It looks very similiar to the real screen output when using the firewall viewer.

Sample Usage:

           fwprint -r -f default.W -j objects.C

Sample Output:

	Rule	Source Host	Dest Host	Service	  Action	Install	  Time
	------------------------------------------------------------------------------
	014	hostMonitor	dnshost		http       accept 	internalfw Any
	        internalfw	webserv

-o

This option has specific information about each object in the set of rules. An object is any network, gateway or host that is listed in the rule set. Some examples might be 'mynet' and 'internalfw'. This option might be useful in finding and printing out properties of all objects listed in the entire rule set. It prints them out in the order they are listed in the object files.

Sample Usage:

           fwprint -o -f default.W -j objects.C

Sample Output:

	Object	    Obj Name    IP Address      Netmask		Gateway	  Broadcast	
	---------------------------------------------------------------------------
	Network	   etherhost   192.168.200.0   255.255.255.0   internalfw  allow

-s

This option is very similiar to the previous one, except it prints out all available information about a the services that are listed in the rule set. Some examples might be 'nntp', 'www', etc. This option would also be useful in finding and printing out all services that are listed in the firewall.

Sample Usage:

           fwprint -s -f default.W -j objects.C

Sample Output:

	Service   	Service   	Service 	Port
          Num      	  Type       	  Name  	Num
        -----------------------------------------------------
           0        	  tcp             http   	 80
           1        	  tcp       	  smtp   	 25

-a

This is probably the most useful option. It starts at the first rule listed in the rule set, and prints out all available information on it. If the particular rule involves multiple sources, destinations, or services, it will print out those as well. If the rule is found to be a network, it will print the network name, as well as expanding it into its hostname contents. The service groups will also be expanded, and printed.

Sample Usage:

           fwprint -a -f default.W -j objects.C

An example would not fit within the margins given here.

-n netname

This option prints out all available information about one specific object. If that object is a network, it will print out the network name, its netmask, as well as the hosts that it contains and their IP addresses. The gateway (firewall) host that it is installed on, and finally all network interface connections it may have, as well as their IP addresses. This option is useful for finding which particular network a host is installed on, and a DNS name lookup replacement :)

Also, this option can be used in conjunction with the -i argument to print out all information on a particular host as a source or destination. See the -i argument for more information

Additionally, when combined with the -s option, it can be used to print out all services matching the pattern supplied to the -n argument.

Sample Usage:

           fwprint -n internalfw -f default.W -j objects.C

Sample Output:

	Gateway                         internalfw      192.168.0.10                                         
	Multiple Interfaces: 
         	0                          le0   192.168.200.135   255.255.255.0
         	1                          nf1      192.168.0.10   255.255.255.0
         	2                          nf0    192.168.220.66   255.255.255.0
         	3                        nf0:1     192.168.25.10   255.255.255.0

Additionally, the -a argument can be given to print out all available information on the argument given to -n, including IP address and service port numbers.

Sample Usage:

           fwprint -s -n http -f default.W -j objects.C

Sample Output:

	Rule	Source Host	Dest Host	Service	  Action	Install	    Time
	--------------------------------------------------------------------------------
	014	dnshost		internalfw	http       accept 	internalfw   Any
	        webserv		webserv1
	142	dnshost		appsvr		http       accept 	internalfw   Any
	        smtphost	proxy

-i [0|1]

This option is used in conjunction with the -n option to print out rules with a specific source or destination. Use 0 for source rules, and 1 for destination rules. The -n option is then used to specific which source or destination to be printed.

Sample Usage:

           fwprint -i 0 -n dnshost -f default.W -j objects.C

Sample Output:

	Rule	Source Host	Dest Host	Service	  Action	Install	  Time
	-------------------------------------------------------------------------------
	014	dnshost		internalfw	http       accept 	internalfw  Any
	        webserv		webserv1
	142	dnshost		appsvr		http       accept 	internalfw  Any
	        smtphost	proxy

Here we see two rules that matched our pattern; that is, those having dnshost as the source hostname.

Notice the entire rule is printed, not just the specific host or network matching the pattern given to the -n argument.

As an added twist, the -a option can also be given, to see all hosts IP addresses, and service port numbers.

-g gwname

This option is used to seperate the log data files into seperate output files to reduce the number of entries per file.

Sample Usage:

		fwprint -g gwhost1 -f default.W -j objects.C > gwhost1.W
		fwprint -g gwhost2 -f default.W -j objects.C > gwhost2.W

The output file would then contain only the rules that matched the pattern given to the -g option. Be sure to use redirection, as the default output is to the console

After the output file is created, it will still need to be imported into the FW-1 database. Databases other than the default, like 'internalfw.W' and 'output.W', require special options at the top and bottom of the file to be treated as databases other than the default.

In other words, the directives in the source files will still contain the filename given on the command-line, not the output filename, and should be converted either manually, or by FW-1 software.

Additionally, FW-1 inserts a marker at the top of the file to indicate how the rule-base should be viewed in the graphical interface. This typically coincides with the filename it was imported as, but could be different. Such an example of the first line of the file after it is imported might be:

("##internalfw.W##"

An example of the last lines in the file after it is imported might be:

:rulename (internalfw)
:filename (internalfw.W)

-v

There is so much information in the firewall rules files that much of it becomes repetitive after only a few rules. When fwprint detects there will be duplication of services, for example, they are abbreviated to save space, and for readability. Using the -v option will force fwprint to print this duplication, so it can be scrutinized fully. An example may be if a specific services has more than four entries, typically it will be truncated at the fifth, and a message printed in place of it instead.

-p

See Printing Usage section below for complete details. This option forces priting to the screen, despite it being too long to read coherently on xterm's with limited line widths or otherwise.

Also, by default the -n option is not sent to the printer.



Printing Usage

Due to the large amounts of information fwprint generates, it is necessary to print many of the options using landscape, instead of the standard portrait format. Despite this, many options print longer than the width of a landscape page.

For this reason fwprint uses other programs to perform its printing.

The other programs that are used are available on many of our intranet servers. Font sizes are calculated automatically, as well as margins and the text itself.

The enscript program converts the ASCII output to 9-point font, and convert it to landscape output for those options that require it.

The states program, which is part of enscript, creates the highlighting that is printed.

The fwprint program is actually a shell script that processes the command-line options, calls the fwrules program, enscript and states programs, and determines the proper way to print it.

By default, the output from fwprint is converted to postscript, and sent to standard output. It should be piped to the printer, such as in:

	fwprint -a -f default.W -j objects.C | lpr

You can force printing the ASCII text output to the screen with the -p option.