
Re: [nsp] Announcing aclmaker-1.04rc1, with check for unused ACLs (fwd)
Anyone created similar ones for checking extra config for JunOS?

(Yeah, yeah .. just a couple of hours of scripting..:)

---------- Forwarded message ----------
Date: Mon, 5 Jan 2004 08:54:36 -0600
From: John Kristoff <jtk@northwestern.edu>
To: cisco-nsp@puck.nether.net
Subject: Re: [nsp] Announcing aclmaker-1.04rc1, with check for unused ACLs

On Mon, 5 Jan 2004 01:26:19 -0500
Ed Ravin <eravin@panix.com> wrote:

> > I thought someone might find this helpful. Below is a simple script to
> > find unused ACLs in your IOS configs.
>
> Which subsequently grew to be not so simple :-). I've added this test

Inevitably. Others continued to send suggestions including a request to
check for unused route maps. I put my latest copy of the script here:

<http://aharp.ittns.northwestern.edu/software/>

I'll maintain a stand alone shell script version there for now.

Thanks Ed,

John
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [nsp] Announcing aclmaker-1.04rc1, with check for unused ACLs (fwd)
On Tue, 13 Jan 2004 00:23:40 +0200 (EET)
Pekka Savola <pekkas@netcore.fi> wrote:

> Anyone created similar ones for checking extra config for JunOS?
> (Yeah, yeah .. just a couple of hours of scripting..:)

A few minutes anyway. Here is a start of something. Not well tested,
but public domain for anyone who wants to build off it.

#!/bin/sh
#
# filter-usage - list firewall filters from stored configs that are not in use
#
# requires: perl5 or later in the path
#           find, grep, sort and uniq in the path
#           Juniper JUNOS stored configs
#
# 2004-01-12,jtk

if [ $# -eq 0 ] ; then
    echo "  Usage: $0 path-to-router-config-file-directory"
    echo "  Usage: $0 a-single-router-config-file"
    echo "Example: $0 /var/configs"
    echo "Example: $0 /var/configs/chicago-confg"
    exit 1
fi

search() {

    # filter: every "filter NAME {" block header defines a filter.  The brace
    # is escaped so egrep and perl take it literally instead of as the start
    # of an interval expression; names are deduplicated after extraction.
    for filter in `egrep "^ *filter .*\{$" "$confg" | perl -ne '/^ *filter (\S+) .*\{$/ ; print "$1\n"' | sort -u` ; do

        # a filter is in use if some interface binds it as input or output
        if [ `egrep -c "^ *(input|output) $filter;$" "$confg"` = 0 ] ; then
            echo "$confg:acl=$filter unused"
        fi
    done

}

if test -f "$1" ; then
    confg=$1
    search
elif test -d "$1" ; then
    # non-directory entries directly under the directory, dotfiles included
    for confg in `find "$1"/.* "$1"/* -prune ! -type d -exec ls {} \;` ; do
        search
    done
fi

# end script

John
Re: [nsp] Announcing aclmaker-1.04rc1, with check for unused ACLs (fwd)
On Mon, 12 Jan 2004, John Kristoff wrote:

I augmented this quite a bit:
- add support for RPF checks in filters
- add support for policies
- add support for prefix-lists (this is especially tricky w/ calling
prefix-lists from firewall configs, but should work reasonably well)
- also support more complex policies like ( foo && bar ) and [ unf ort ]

didn't seem to cause false positives (quickly looking) at least in
our network but there are probably some cases where it may fail.

have fun.

--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.    -- George R.R. Martin: A Clash of Kings
-------------- next part --------------
#!/bin/sh
#
# filter-usage - list firewall filters, prefix-lists and policies from
#                stored configs that are not in use
#
# requires: perl5 or later in the path
#           find, grep, sort and uniq in the path
#           Juniper JUNOS stored configs
#
# 2004-01-12,jtk
#
# psavola 2004-01-13

if [ $# -eq 0 ] ; then
    echo "  Usage: $0 path-to-router-config-file-directory"
    echo "  Usage: $0 a-single-router-config-file"
    echo "Example: $0 /var/configs"
    echo "Example: $0 /var/configs/chicago-confg"
    exit 1
fi

search() {

    # filter: every "filter NAME {" block header defines a filter.  The brace
    # is escaped so egrep and perl take it literally instead of as the start
    # of an interval expression; names are deduplicated after extraction.
    for filter in `egrep "^ *filter .*\{$" "$confg" | perl -ne '/^ *filter (\S+) .*\{$/ ; print "$1\n"' | sort -u` ; do

        # in use if bound as input/output on an interface or as an RPF fail-filter
        if [ `egrep -c "^ *(input|output|rpf-check fail-filter) $filter(;|mode loose)$" "$confg"` = 0 ] ; then
            echo "$confg:acl=$filter unused"
        fi
    done

    # prefix-list
    for prefix in `egrep "^ *prefix-list .*\{$" "$confg" | perl -ne '/^ *prefix-list (\S+) .*\{$/ ; print "$1\n"' | sort -u` ; do

        # note: this is nasty stuff: prefix lists can also be seen in firewall configs like:
        #   from {
        #       prefix-list {
        #           foo;
        # .. so the only way to even try to catch that is to try to guess it
        # using the whitespaces. This kills off some real negatives, but doesn't
        # cause false positives
        if [ `egrep -c "(((source-|destination-)?prefix-list)| {18,}) $prefix;$" "$confg"` = 0 ] ; then
            echo "$confg:prefix-list=$prefix unused"
        fi
    done

    # policy: referenced by import/export (also bootstrap-import/-export) or
    # chained from another policy with "from policy" / "to policy"; the .*
    # on either side of the name allows expressions like ( foo && bar )
    for policy in `egrep "^ *policy-statement .*\{$" "$confg" | perl -ne '/^ *policy-statement (\S+) .*\{$/ ; print "$1\n"' | sort -u` ; do
        if [ `egrep -c "^ *((bootstrap-)?(import|export)|(from|to) policy) .*$policy.*;$" "$confg"` = 0 ] ; then
            echo "$confg:policy=$policy unused"
        fi
    done

}

if test -f "$1" ; then
    confg=$1
    search
elif test -d "$1" ; then
    # non-directory entries directly under the directory, dotfiles included
    for confg in `find "$1"/.* "$1"/* -prune ! -type d -exec ls {} \;` ; do
        search
    done
fi

# end script
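A brace-aware version of the same check, added here as an example and not code from the thread: instead of grepping line by line it tokenizes the JunOS config, so the nested `prefix-list { NAME; }` form inside firewall terms, which the shell script above can only guess at from indentation, is matched directly, and policy expressions such as `( foo && bar )` or `[ foo bar ]` are handled as well. The sample config is constructed for the example.

```python
import re
from collections import defaultdict
TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")    # braces, statement terminators, bare words
GLUE = {"(", ")", "[", "]", "&&", "||", "!"}  # policy-expression syntax, never a name

def _note_reference(words, parent, used):  # one leaf statement + its enclosing block header
    key, rest = words[0], words[1:]
    if key in ("input", "output", "input-list", "output-list"):   # interface filter binding
        used["filter"].update(n for n in rest if n not in GLUE)
    elif "fail-filter" in words:                                  # rpf-check { fail-filter NAME; }
        used["filter"].add(words[words.index("fail-filter") + 1])
    elif "prefix-list" in key and rest:          # prefix-list NAME; source-prefix-list NAME; ...
        used["prefix-list"].add(rest[0])
    elif len(parent) == 1 and "prefix-list" in parent[0]:  # firewall style: prefix-list { NAME; }
        used["prefix-list"].add(key)
    elif key.endswith(("import", "export")):     # import, export, vrf-export, bootstrap-import
        used["policy-statement"].update(n for n in rest if n not in GLUE)
    elif key in ("from", "to") and rest[:1] == ["policy"]:        # policy chaining
        used["policy-statement"].update(n for n in rest[1:] if n not in GLUE)

def unused_objects(config):  # -> {kind: sorted names defined but never referenced}
    defined, used = defaultdict(set), defaultdict(set)
    stack, words = [], []    # headers of the open blocks; words of the current statement
    for tok in TOKEN.findall(config):
        if tok == "{":       # block header complete: record definitions by name
            if len(words) >= 2 and words[0] in ("filter", "prefix-list", "policy-statement"):
                defined[words[0]].add(words[1])
            stack.append(words); words = []
        elif tok == "}":
            stack.pop(); words = []
        elif tok == ";":     # leaf statement complete: look for references
            if words:
                _note_reference(words, stack[-1] if stack else [], used)
            words = []
        else:
            words.append(tok)
    return {kind: sorted(names - used[kind]) for kind, names in defined.items()}

# Constructed sample config (not from the thread); one object of each kind is unreferenced.
SAMPLE = """\
policy-options {
    prefix-list customers { 10.0.0.0/8; } prefix-list bogons { 0.0.0.0/8; } prefix-list stale { 192.0.2.0/24; }
    policy-statement export-cust { from { prefix-list customers; } then accept; }
    policy-statement bgp-out { then accept; } policy-statement old-pol { then reject; } }
firewall { family inet {
    filter edge-in { term t { from { prefix-list { bogons; } } then discard; } }
    filter unused-f { term t { then discard; } } } }
interfaces { ge-0/0/0 { unit 0 { family inet { filter { input edge-in; } } } } }
protocols { bgp { group peers { export ( export-cust && bgp-out ); } } }
"""
```

Running `unused_objects(SAMPLE)` reports `unused-f`, `stale` and `old-pol`; `bogons` is correctly seen as used through the nested firewall form.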