mrpeppah
(MrPepper)
1
I’d like to hear others opinions on this. I am looking for a way to keep track of firewall rules that I use on my web servers and which server has what rules enabled. Instead of having to go to each server and reading off the rules is there a better method for keeping track?
Does anyone keep an excel of each rule or anything like this or do you just add them as needed and when there is a problem you trace it?
For the curious, this is for iptables paired with f2b.
7 Spice ups
Honestly I don’t know what our manager’s strategy is here, as we have nearly no access to those devices (firewalls, switches, routers…).
I do not think we have anything other than a couple of .txt files of the running config of our firewall (one of them at least). My buddy Jeff Cummings has a few PS scripts that could probably be adapted to parse the .txt and spit out the data into a readable/sortable .csv document. He did so with NMAP output and it was quite awesome, and it would be easier to have it in an easy, searchable, sortable format rather than hunting through the lists one line at a time.
I’m going to have to pop in here and see what everyone else responds with. I’m curious, because I would love to see what methods are used, mostly because I have next to nothing for experience with firewall rules and rule configuration.
I’ve messed with Cisco IOS ACLs and extended ACLs a little, but that’s about it.
3 Spice ups
Are you referring to Windows firewall or firewalls in general?
1 Spice up
mrpeppah
(MrPepper)
4
Firewalls in general could work. I am using iptables for this.
1 Spice up
jimmy-t
(Jimmy T.)
5
I would think a spreadsheet would be the most straightforward.
1 Spice up
mrpeppah
(MrPepper)
6
My idea behind wanting to know is: how do you keep track of what is enabled to be dropped or accepted? Do you just implement the rules as needed, or do you keep track?
Some places I have worked for required a firewall request form to be filled out for the office, but I don’t know where it went after that besides to a firewall team.
1 Spice up
It kind of sounds like a change control process you are talking about? It’s good you want to track every change and ensure it’s authorised/signed off.
As a follow-up, I suggest you look at a tool like RANCID for Cisco kit, which continuously polls your device config and compares it to the last diff. When it finds a change it will display this, and you can check it was as per change control.
3 Spice ups
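Two ideas in this thread, parsing saved rule dumps into a sortable CSV and diffing the current config against a stored baseline the way RANCID does, can be combined for iptables with a short script. The following is an added example, not code from any poster; the server names and `iptables-save` snapshots are constructed, and fail2ban's `f2b-*` chains are skipped by assumption because their ban entries churn and would bury real changes.

```python
import csv
import io

# Constructed sample of `iptables-save` output from two hypothetical web servers.
SNAPSHOTS = {
    "web01": """*filter
:INPUT DROP [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
""",
    "web02": """*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
""",
}

def parse_rules(text, skip_prefix="f2b-"):
    """Return (table, chain, rule) tuples from iptables-save output; policy lines,
    counters and fail2ban's own chains (assumed to start with f2b-) are skipped."""
    table, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            _, chain, rest = line.split(" ", 2)
            if not chain.startswith(skip_prefix):
                rules.append((table, chain, rest))
    return rules

def inventory_csv(snapshots):
    """Flatten every server's rules into one CSV: server,table,chain,rule."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["server", "table", "chain", "rule"])
    for server, text in sorted(snapshots.items()):
        for table, chain, rule in parse_rules(text):
            writer.writerow([server, table, chain, rule])
    return buf.getvalue()

def diff_rules(baseline, current):
    """RANCID-style check: rules added and removed since the saved baseline."""
    old, new = set(parse_rules(baseline)), set(parse_rules(current))
    return sorted(new - old), sorted(old - new)
```

Run `iptables-save` on each box on a schedule, keep the output under version control, and feed yesterday's file and today's to `diff_rules`; any unexpected entry in the "added" list is something that should map to a change request.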
Yes, Joe, feed me the data, I can set you up with a powershell script to filter, sort, group, whatever you need done with the data.
hehehehe
Don’t let me forget this either.
Jeff
1 Spice up