INSTALLATION

To install this module, run the following commands:

    perl Makefile.PL
    make
    make test
    make install

NAME
    PIX::Walker - Process Cisco PIX configs and 'walk' access-lists

SYNOPSIS
    PIX::Walker is an object that allows you to process PIX firewall configs and
    'walk' an access-list for matches. PIX OS versions 6 and 7 are supported.

    ** This module is still in very early development **

    'Loose' ACL matching is performed. This means that you can specify as
    little as a source IP to see which line(s) that IP would match in the ACL
    on the firewall. Or you can provide every detail, including source/dest
    IPs, ports, and protocol, to match a specific line of an ACL. Loose
    matching allows you to see potential lines in a large ruleset that a
    single source or destination IP might match.

    More than just the first line match can be returned. If your search criteria
    can technically match multiple lines, they will all be returned. This is
    useful for seeing additional lines in your ACL that would also match, and
    can help you optimize your ACL.
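
    The loose-matching behaviour described above, shown as an added,
    self-contained example. It is not PIX::Walker's own code and does not use
    the module: the simplified ACL line format, the sample rules and the helper
    names (parse_net, parse_line, in_net, loose_match) are assumptions
    constructed for illustration.

```perl
use strict;
use warnings;
# Constructed sample ACL in a simplified form: action proto src dst [eq port]
my @acl = (
    'permit tcp 10.0.1.0/24 host 192.168.1.3 eq 80',
    'permit tcp 10.0.0.0/8 192.168.1.0/24 eq 443',
    'deny ip host 10.0.1.100 any',
    'permit ip any any',
);
my $NET = qr{any|host\s+[\d.]+|[\d.]+/\d+};

sub ip2int { return unpack 'N', pack 'C4', split /\./, shift }
# "any", "host A.B.C.D" or "A.B.C.D/len" -> [network, mask]
sub parse_net {
    my ($tok) = @_;
    return [0, 0] if $tok eq 'any';
    my ($ip, $len) = $tok =~ m{^(?:host\s+)?([\d.]+)(?:/(\d+))?$} or die "bad net: $tok";
    $len = 32 unless defined $len;
    my $mask = $len ? (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF : 0;
    return [ip2int($ip) & $mask, $mask];
}

sub parse_line {
    my ($text) = @_;
    my ($action, $proto, $src, $dst, $port) =
        $text =~ /^(permit|deny)\s+(\S+)\s+($NET)\s+($NET)(?:\s+eq\s+(\d+))?$/
        or die "unparsed line: $text";
    return { text => $text, proto => $proto, port => $port,
             src => parse_net($src), dst => parse_net($dst) };
}
sub in_net { my ($ip, $net) = @_; return (ip2int($ip) & $net->[1]) == $net->[0] }

# Loose match: a criterion the caller omits is a wildcard, never a mismatch.
sub loose_match {
    my ($ace, %q) = @_;
    return 0 if $q{source}   && !in_net($q{source}, $ace->{src});
    return 0 if $q{dest}     && !in_net($q{dest},   $ace->{dst});
    return 0 if $q{protocol} && $ace->{proto} ne 'ip' && $ace->{proto} ne $q{protocol};
    return 0 if $q{port}     && defined $ace->{port} && $ace->{port} != $q{port};
    return 1;
}

my @aces = map { parse_line($_) } @acl;
for my $q ([source => '10.0.1.100'],
           [source => '10.0.1.100', dest => '192.168.1.3', port => 80, protocol => 'tcp']) {
    my @hits = grep { loose_match($_, @$q) } @aces;
    print "query (@$q): ", scalar(@hits), " line(s); first match decides\n";
    print "  $_->{text}\n" for @hits;
}
```

    Every matching line is reported in ACL order, so the first one listed is
    the line a first-match firewall would apply and the rest are the extra
    matches worth reviewing.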

EXAMPLE
      use PIX::Walker;

      my $config = ' ... string of full firewall config ... ';
      my $fw = PIX::Walker->new($config);
      my $acl = $fw->acl('outside_access') || die("ACL does not exist");

      my $matched = 0;
      foreach my $line ($acl->lines) {
        if ($line->match(
            source => '10.0.1.100',
            dest => '192.168.1.3',
            port => '80',
            protocol => 'tcp')) {
          # Method calls do not interpolate inside double quotes, so
          # concatenate their results into the header line instead.
          print "Matched ACL " . $acl->name . " (" . $acl->elements . " ACE)\n"
            if !$matched++;
          print $line->print, "\n";
        }
      }

METHODS
    acl($name)

        Returns a PIX::Accesslist object for the ACL named by $name.

    acls()

        Returns an array of PIX::Accesslist objects for each access-list found
        in the firewall configuration. Returns undef if there is no matching
        ACL.

    alias($string)

        Returns the IP of the alias given in $string. If no alias is found then
        the string is returned unchanged.

    findip($ip, [$trace])

        Matches the IP to an existing network-group. Does not validate it within
        any ACL. If a single group is matched a scalar is returned with the
        name, otherwise an array reference is returned containing all matches.

        * *$ip* is an IP address to look for.

        * *$trace* is an optional reference to a trace buffer. If an IP is found
        in a nested group the trace will allow you to find out where it was
        nested. See tracedump() for more information.

    findport($port, [$trace])

        Matches the PORT to an existing service-group. Does not validate it
        within any ACL. If a single group is matched a scalar is returned with
        the name, otherwise an array reference is returned containing all
        matches.

        * *$port* is the PORT to look for.

        * *$trace* is an optional reference to a trace buffer. If a PORT is
        found in a nested group the trace will allow you to find out where it
        was nested. See tracedump() for more information.

    obj($name)

        Returns a PIX::Object object for the object-group that matches the
        $name given.

    tracedump($trace)

        Prints out the trace dump given. This will allow you to see where IPs
        and PORTs are being matched within their object-groups even if they are
        nested.

            $matched = $fw->findip($ip, $trace);
            $fw->tracedump($trace);

AUTHOR
        Jason Morriss, "<lifo at liche.net>"

BUGS
        Please report any bugs or feature requests to "bug-pix-walker at
        rt.cpan.org", or through the web interface at
        <http://rt.cpan.org/NoAuth/ReportBug.html?Queue=PIX-Walker>. I will be
        notified, and then you'll automatically be notified of progress on your
        bug as I make changes.

SUPPORT
        This POD document is the only support you will receive on this module.

ACKNOWLEDGEMENTS
        Peter Vargo - For pushing me to make this module and for supplying me
        with endless ideas.

COPYRIGHT & LICENSE
        Copyright 2006 Jason Morriss, all rights reserved.

        This program is free software; you can redistribute it and/or modify it
        under the same terms as Perl itself.