Thursday, 12 January 2012

Visualising rules from Firewall Builder - Part 1

Firewall Builder (available here is a GUI that lets you configure a variety of firewall devices, for example iptables on a linux box or Cisco ASAs.

The idea is to take the configuration file from Firewall Builder and generate some sort of rule visualisation. The ruleset I'm using is basically just the built-in template called "fw template 3". I then saved the ruleset as testfw.fwb.

So, lets process the file:

user@host:~/fwbvis$ ./ testfw.fwb ignoreme

Where the arguments are as follows:

  • - the script (below)
  • testfw.fwb - the firewall config saved by Firewall Builder
  • ignoreme - to be ignored for now. It will become a configuration file for colours etc.
  • - the output file. We just generate a png at the moment, in this case called

Here is the result:

It isn't perfect, but it is a pretty good start. The colours are as follows:

  • red - reject
  • orange - deny
  • green - accept
  • blue - anything else

So, here is the script so far. It's pretty ugly btw...


import sys
import pydot
from xml.etree.ElementTree import ElementTree

sFWFile = sys.argv[1];
sConfigFile = sys.argv[2];
sOutputFile = sys.argv[3];

    ds = open(sFWFile)
    print "Could not open file", sFWFile

    tree = ElementTree()
    print "Could not parse file", sFWFile

graph = pydot.Dot(graph_type='digraph')

prefix = ""
rules = []
objects = {}
for element in tree.iter():
    tag = element.tag
    if tag[0] == "{":
        uri,tag = tag[1:].split("}")
        if prefix == "":
            prefix = uri
    oid = element.get('id')
    if oid is None:
    objects[oid] = {'tag': tag }
    for (key,value) in element.items():
        if key != 'id':
            objects[oid][key] = value

for rule in tree.findall('.//{%s}PolicyRule' % prefix):
    oid = rule.get('id')
    action = objects[oid]['action']
    color = "black"
    if action == "Reject":
        color = "red"
    elif action == "Deny":
        color = "orange"
    elif action == "Accept":
        color = "green"
        color = "blue"

    src = rule.find('.//{%s}Src' % prefix).find('.//{%s}ObjectRef' % prefix).get("ref")
    if src in objects:
        src = objects[src]['name']
    dst = rule.find('.//{%s}Dst' % prefix).find('.//{%s}ObjectRef' % prefix).get("ref")
    if dst in objects:
        dst = objects[dst]['name']
    srv = rule.find('.//{%s}Srv' % prefix).find('.//{%s}ServiceRef' % prefix).get("ref")
    if srv in objects:
        srv = objects[srv]['name']
        srv = "unknown"
    graph.add_edge(pydot.Edge(src, dst, label=srv, color=color))


So, there you have it. More to follow as things improve.


  1. Nice little script I need to give this a try, anything that will allow me to get a better hands on things welcome.

  2. Also try AfterGlow if you can get your data into a CSV. Looked at CSV exporting in FB but didn't see it (only a quick look). Hence this script.

  3. Also, if you have anything you want me to look at/script, let me know :) Always interested in ideas for new projects.

  4. hi, will this work for distributed firewall?

  5. I really appreciate information shared above. It’s of great help. If someone want to learn Online (Virtual) instructor lead live training in Data Science with Python , kindly contact us
    MaxMunus Offer World Class Virtual Instructor led training on TECHNOLOGY. We have industry expert trainer. We provide Training Material and Software Support. MaxMunus has successfully conducted 100000+ trainings in India, USA, UK, Australlia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain and UAE etc.
    For Demo Contact us.
    Sangita Mohanty
    Skype id: training_maxmunus
    Ph:(0) 9738075708 / 080 - 41103383