
A tool for checking that your policy is expressible by the target firewall system.


lceragioli/F2F


Firewall-2-Firewall

Requirements

F2F requires Docker.

Installation

Build the Docker image:

docker build -t f2fcont .

The executable is f2f, which handles the interaction with the Docker application.

Usage

usage: ./f2f SOURCE-SYSTEM INTERFACE-FILE CONFIGURATION-FILE TARGET-SYSTEM

positional arguments:
  SOURCE-SYSTEM       the source firewall system, one of iptables, pf or ipfw
  INTERFACE-FILE      interface specification file (see the examples)
  CONFIGURATION-FILE  the configuration file for the source firewall system
  TARGET-SYSTEM       the target firewall system, one of iptables, pf or ipfw

Usage Examples

$ ./f2f iptables Example/interfaces Example/iptables.conf pf

!!! Inexpressible Pair Found !!!

============================================================================
||     sIp     | sPort |   dIp   | dPort | prot ||  tr_src |    tr_dst    ||
============================================================================
||  151.15.1.5 |   *   | 9.9.9.9 |   43  | tcp  || id : id | 8.8.8.8 : id ||
|| 192.168.0.1 |       |         |       |      ||         |              ||
============================================================================


!!! Conflicting Pairs Found !!!

(P1, t1):
==============================================================
||    sIp     | sPort |     dIp      | dPort | prot ||  tr  ||
==============================================================
|| 151.15.1.5 |   *   | 192.168.0.10 |   *   |  *   || DROP ||
||            |       |              |       |      ||      ||
==============================================================

(P2, t2):
====================================================================================
||     sIp     | sPort |     dIp      | dPort | prot ||      tr_src     |  tr_dst ||
====================================================================================
|| 192.168.0.1 |   *   | 192.168.0.10 |   *   |  *   || 151.15.1.5 : id | id : id ||
||             |       |              |       |      ||                 |         ||
====================================================================================

in node q1:
with [P@ || t1@ || t2@]:
====================================================================================
||    sIp     | sPort |     dIp      | dPort | prot || tr1  || tr2_src | tr2_dst ||
====================================================================================
|| 151.15.1.5 |   *   | 192.168.0.10 |   *   |  *   || DROP || id : id | id : id ||
||            |       |              |       |      ||      ||         |         ||
====================================================================================
Hint: Apply tags to P1 in node q0 and use them to choose the transformation in node q1


$ ./f2f iptables Example/interfaces Example/iptables.conf ipfw

!!! Inexpressible Pair Found !!!

============================================================================
||     sIp     | sPort |   dIp   | dPort | prot ||  tr_src |    tr_dst    ||
============================================================================
||  151.15.1.5 |   *   | 9.9.9.9 |   43  | tcp  || id : id | 8.8.8.8 : id ||
|| 192.168.0.1 |       |         |       |      ||         |              ||
============================================================================


$ ./f2f table Example/interfaces Example/table.conf pf

!!! Inexpressible Pair Found !!!

==========================================================================================================
||     sIp     | sPort |              dIp              | dPort | prot ||      tr_src     |    tr_dst    ||
==========================================================================================================
|| 192.168.0.1 |   *   |      0.0.0.0 - 151.15.1.4     |   53  |  *   || 151.15.1.5 : id | 8.8.8.8 : id ||
||             |       |  151.15.1.6 - 192.167.255.255 |       |      ||                 |              ||
||             |       | 192.168.1.0 - 255.255.255.255 |       |      ||                 |              ||
==========================================================================================================


!!! Inexpressible Pair Found !!!

=================================================================================================
||    sIp     | sPort |              dIp              | dPort | prot ||  tr_src |    tr_dst    ||
=================================================================================================
|| 151.15.1.5 |   *   |      0.0.0.0 - 151.15.1.4     |   53  |  *   || id : id | 8.8.8.8 : id ||
||            |       |  151.15.1.6 - 192.167.255.255 |       |      ||         |              ||
||            |       | 192.168.1.0 - 255.255.255.255 |       |      ||         |              ||
=================================================================================================


!!! Conflicting Pairs Found !!!

(P1, t1):
================================================================================
||              sIp              | sPort |     dIp     | dPort | prot ||  tr  ||
================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 192.168.0.7 |  443  |  *   || DROP ||
||  151.15.1.6 - 192.167.255.255 |       |             |       |      ||      ||
|| 192.168.1.0 - 255.255.255.255 |       |             |       |      ||      ||
================================================================================

(P2, t2):
=====================================================================================================
||              sIp              | sPort |    dIp     | dPort | prot ||  tr_src |      tr_dst      ||
=====================================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 151.15.1.5 |  443  |  *   || id : id | 192.168.0.7 : id ||
||  151.15.1.6 - 192.167.255.255 |       |            |       |      ||         |                  ||
|| 192.168.1.0 - 255.255.255.255 |       |            |       |      ||         |                  ||
=====================================================================================================

in node q3:
with [P@ || t1@ || t2@]:
======================================================================================================
||              sIp              | sPort |     dIp     | dPort | prot || tr1  || tr2_src | tr2_dst ||
======================================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 192.168.0.7 |  443  |  *   || DROP || id : id | id : id ||
||  151.15.1.6 - 192.167.255.255 |       |             |       |      ||      ||         |         ||
|| 192.168.1.0 - 255.255.255.255 |       |             |       |      ||      ||         |         ||
======================================================================================================
Hint: Apply tags to P1 in node q2 and use them to choose the transformation in node q3


!!! Conflicting Pairs Found !!!

(P1, t1):
================================================================================
||              sIp              | sPort |     dIp     | dPort | prot ||  tr  ||
================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 192.168.0.6 |   22  |  *   || DROP ||
||  151.15.1.6 - 192.167.255.255 |       |             |       |      ||      ||
|| 192.168.1.0 - 255.255.255.255 |       |             |       |      ||      ||
================================================================================

(P2, t2):
=====================================================================================================
||              sIp              | sPort |    dIp     | dPort | prot ||  tr_src |      tr_dst      ||
=====================================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 151.15.1.5 |   22  |  *   || id : id | 192.168.0.6 : id ||
||  151.15.1.6 - 192.167.255.255 |       |            |       |      ||         |                  ||
|| 192.168.1.0 - 255.255.255.255 |       |            |       |      ||         |                  ||
=====================================================================================================

in node q3:
with [P@ || t1@ || t2@]:
======================================================================================================
||              sIp              | sPort |     dIp     | dPort | prot || tr1  || tr2_src | tr2_dst ||
======================================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 192.168.0.6 |   22  |  *   || DROP || id : id | id : id ||
||  151.15.1.6 - 192.167.255.255 |       |             |       |      ||      ||         |         ||
|| 192.168.1.0 - 255.255.255.255 |       |             |       |      ||      ||         |         ||
======================================================================================================
Hint: Apply tags to P1 in node q2 and use them to choose the transformation in node q3


$ ./f2f table Example/interfaces Example/table.conf ipfw

!!! Inexpressible Pair Found !!!

==========================================================================================================
||     sIp     | sPort |              dIp              | dPort | prot ||      tr_src     |    tr_dst    ||
==========================================================================================================
|| 192.168.0.1 |   *   |      0.0.0.0 - 151.15.1.4     |   53  |  *   || 151.15.1.5 : id | 8.8.8.8 : id ||
||             |       |  151.15.1.6 - 192.167.255.255 |       |      ||                 |              ||
||             |       | 192.168.1.0 - 255.255.255.255 |       |      ||                 |              ||
==========================================================================================================


!!! Inexpressible Pair Found !!!

=================================================================================================
||    sIp     | sPort |              dIp              | dPort | prot ||  tr_src |    tr_dst    ||
=================================================================================================
|| 151.15.1.5 |   *   |      0.0.0.0 - 151.15.1.4     |   53  |  *   || id : id | 8.8.8.8 : id ||
||            |       |  151.15.1.6 - 192.167.255.255 |       |      ||         |              ||
||            |       | 192.168.1.0 - 255.255.255.255 |       |      ||         |              ||
=================================================================================================


$ ./f2f table Example/interfaces Example/table.conf iptables

!!! Conflicting Pairs Found !!!

(P1, t1):
================================================================================
||              sIp              | sPort |     dIp     | dPort | prot ||  tr  ||
================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 192.168.0.7 |  443  |  *   || DROP ||
||  151.15.1.6 - 192.167.255.255 |       |             |       |      ||      ||
|| 192.168.1.0 - 255.255.255.255 |       |             |       |      ||      ||
================================================================================

(P2, t2):
=====================================================================================================
||              sIp              | sPort |    dIp     | dPort | prot ||  tr_src |      tr_dst      ||
=====================================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 151.15.1.5 |  443  |  *   || id : id | 192.168.0.7 : id ||
||  151.15.1.6 - 192.167.255.255 |       |            |       |      ||         |                  ||
|| 192.168.1.0 - 255.255.255.255 |       |            |       |      ||         |                  ||
=====================================================================================================

in node q3:
with [P@ || t1@ || t2@]:
======================================================================================================
||              sIp              | sPort |     dIp     | dPort | prot || tr1  || tr2_src | tr2_dst ||
======================================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 192.168.0.7 |  443  |  *   || DROP || id : id | id : id ||
||  151.15.1.6 - 192.167.255.255 |       |             |       |      ||      ||         |         ||
|| 192.168.1.0 - 255.255.255.255 |       |             |       |      ||      ||         |         ||
======================================================================================================
Hint: Apply tags to P1 in node q1 and use them to choose the transformation in node q3


!!! Conflicting Pairs Found !!!

(P1, t1):
================================================================================
||              sIp              | sPort |     dIp     | dPort | prot ||  tr  ||
================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 192.168.0.6 |   22  |  *   || DROP ||
||  151.15.1.6 - 192.167.255.255 |       |             |       |      ||      ||
|| 192.168.1.0 - 255.255.255.255 |       |             |       |      ||      ||
================================================================================

(P2, t2):
=====================================================================================================
||              sIp              | sPort |    dIp     | dPort | prot ||  tr_src |      tr_dst      ||
=====================================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 151.15.1.5 |   22  |  *   || id : id | 192.168.0.6 : id ||
||  151.15.1.6 - 192.167.255.255 |       |            |       |      ||         |                  ||
|| 192.168.1.0 - 255.255.255.255 |       |            |       |      ||         |                  ||
=====================================================================================================

in node q3:
with [P@ || t1@ || t2@]:
======================================================================================================
||              sIp              | sPort |     dIp     | dPort | prot || tr1  || tr2_src | tr2_dst ||
======================================================================================================
||      0.0.0.0 - 151.15.1.4     |   *   | 192.168.0.6 |   22  |  *   || DROP || id : id | id : id ||
||  151.15.1.6 - 192.167.255.255 |       |             |       |      ||      ||         |         ||
|| 192.168.1.0 - 255.255.255.255 |       |             |       |      ||      ||         |         ||
======================================================================================================
Hint: Apply tags to P1 in node q1 and use them to choose the transformation in node q3
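
The reports above have a regular layout, so a migration job can parse them and stop when F2F reports any finding. The following is an added example, not part of F2F: `parse_report` and `summarize` are hypothetical helper names, and the sample is the output of the second usage example above. It assumes that each table is one entry whose cells may hold several values, one per printed row.

```python
import re
from collections import Counter

BANNER = re.compile(r"^!!! (Inexpressible|Conflicting) Pairs? Found !!!$")

# Output of `./f2f iptables Example/interfaces Example/iptables.conf ipfw` (from this page).
SAMPLE = """\
!!! Inexpressible Pair Found !!!

============================================================================
||     sIp     | sPort |   dIp   | dPort | prot ||  tr_src |    tr_dst    ||
============================================================================
||  151.15.1.5 |   *   | 9.9.9.9 |   43  | tcp  || id : id | 8.8.8.8 : id ||
|| 192.168.0.1 |       |         |       |      ||         |              ||
============================================================================
"""

def _cells(line):  # split one '|| a | b || c ||' row into stripped cells
    return [c.strip() for c in re.split(r"\|+", line.strip().strip("|"))]

def parse_report(text):
    """Return findings as {'kind', 'tables': [{column: [values]}], 'hint'}."""
    findings, cur, cols, rules = [], None, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            cur = {"kind": m.group(1).lower(), "tables": [], "hint": None}
            findings.append(cur)
            rules = 0
        elif cur is None:
            continue  # ignore anything before the first banner
        elif line.startswith("Hint:"):
            cur["hint"] = line[len("Hint:"):].strip()
        elif line.startswith("=="):
            rules = (rules + 1) % 3  # each table is drawn with three rule lines
        elif line.startswith("||"):
            cells = _cells(line)
            if rules == 1:  # the row between the first two rules is the header
                cols = cells
                cur["tables"].append({c: [] for c in cols})
            elif rules == 2:  # data rows; extra rows add values to a cell
                for col, val in zip(cols, cells):
                    if val:
                        cur["tables"][-1][col].append(val)
    return findings

def summarize(text):
    """Count findings per kind, e.g. to fail a migration job when any exist."""
    return Counter(f["kind"] for f in parse_report(text))
```

Treating an empty result as "nothing reported" is an assumption: this page shows no example of F2F output for a run without findings.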

