PIX::Walker is a Perl module to process Cisco PIX configs and 'walk' access-lists.
SYNOPSIS
PIX::Walker is an object that allows you to process PIX firewall configs and 'walk' an access-list for matches. PIX OS versions 6 and 7 are supported.
** This module is still in very early development **
'Loose' ACL matching performed. This means that you can specify as little as a source IP to match what line(s) that IP would match in the ACL on the firewall. Or you can provide every detail including source/dest IPs, ports, and protocol to match a specific line of an ACL. Loose matching allows you to see potential lines in a large ruleset that a single source or destination IP might match.
More than just the first line match can be returned. If your search criteria can technically match multiple lines they will all be returned. This is useful for seeing extra matches in your ACL that might also match and can help you optimize your ACL.
EXAMPLE
use PIX::Walker;
my $config = ' ... string of full firewall config ... ';
my $fw = new PIX::Walker($config);
my $acl = $fw->acl('outside_access') || die("ACL does not exist");
my $matched = 0;
foreach my $line ($acl->lines) {
if ($line->match(
source => '10.0.1.100',
dest => '192.168.1.3',
port => '80',
protocol => 'tcp')) {
print "Matched ACL $acl->name ($acl->elements ACE)n" if !$matched++;
print $line->print, "n";
}
}
METHODS
acl($name)
Returns an PIX::Accesslist object for the ACL named by $name.
acls()
Returns an array of PIX::Accesslist objects for each access-list found in the firewall configuration. Returns undef if there is no matching ACL.
alias($string)
Returns the IP of the alias given in $alias. If no alias is found than the string is returned unchanged.
findip($ip, [$trace])
Matches the IP to an existing network-group. Does not validate it within any ACL. If a single group is matched a scalar is returned with the name, otherwise an array reference is returned containing all matches.
* $ip is an IP address to look for.
* $trace is an optional reference to a trace buffer. If an IP is found in a nested group the trace will allow you to find out where it was nested. See tracedump() for more information.
findport($port, [$trace])
Matches the PORT to an existing service-group. Does not validate it within any ACL. If a single group is matched a scalar is returned with the name, otherwise an array reference is returned containing all matches.
* $port is the PORT to look for.
* $trace is an optional reference to a trace buffer. If a PORT is found in a nested group the trace will allow you to find out where it was nested. See tracedump() for more information.
obj($name)
Returns an PIX::Object object for the object-group that matches the $name given.
tracedump($trace)
Prints out the trace dump given. This will allow you to see where IP's and PORT's are being matched within their object-groups even if they are nested.
$matched = $fw->findip($ip, $trace);
$fw->tracedump($trace);
Requirements:
· Perl
Product's homepage
Requirements:
· Perl
Find us on Google+
