#!/usr/bin/perl

# ----------------------------------------------------------------------------
# $Id: fwobjects.pl,v 1.7 1998/09/14 14:31:59 grasboeg Exp $
# ----------------------------------------------------------------------------
#
# fwobjects.pl:
#     Analyze FW-1 objects description file objects.C and print a report
#     of Firewall-1 objects according to the parameters given on the
#     command-line
#
# Type 'fwobjects.pl --help' to get usage information.
#
# ----------------------------------------------------------------------------
#
# Copyright Gerhard Grasboeck 1997,1998
#
#-----------------------------------------------------------------------------

#
# Pragmas
#
#use diagnostics;        # print out verbose compile and runtime diagnostics

#
# Modules
#
use English;            # use nice English names for ugly punctuation variables
use FileHandle;
use Getopt::Long;
use File::Basename;


require 5.000;


#---------------------
# Version information
#---------------------

$StdInfo{Version} = 'FW1-Scripts Version 1.0.1';


#----------------------------------------
# Documentation (both inline and online)
#----------------------------------------

$StdInfo{CommandHelp} = <<EOT;

=head1 NAME

fwobjects.pl - Analyze FW-1 objects description file objects.C and print a report of Firewall-1 objects according to the parameters given on the command-line

=head1 SYNOPSIS

fwobjects.pl { --all | --network-objects [--tn=type-list] |
              --properties | --service-objects
              [--ts=type-list] }
             [ --diff ] object_description_file

fwobjects.pl --help

fwobjects.pl --version

=head1 DESCRIPTION

All options may be abbreviated.

--all: List all objects (network objects, service objects
       and properties)

--diff: Create report usable by the diff command

type-list: comma-separated list of network object types or
           service object types

Network Object Types: domain, gateway, group, host, logical,
                      network, router, switch

Service Object Types: group, icmp, other, rpc, tcp, udp

=head1 EXAMPLES

Print all network objects of type host:

        fwobjects.pl -n -tn=host objects.C

=head1 NOTES

None

=cut
EOT
    ;

#
# Defaults, Constants
#
$TRUE = 1;
$FALSE = 0;

#
# Change $FORMAT_LINE_BREAK_CHARACTERS ($:) to not include the '-' character
# so object names such as net-xxx.xxx.xxx.xxx don't get split in the output.
# The default for $: is ' \n-'.
#
$FORMAT_LINE_BREAK_CHARACTERS = " \n";

@NWO = qw(host gateway router switch network domain logical group);
@SVO = qw(group icmp other rpc tcp udp);



#
# Formats
#
format NW_TOP =
Name                        T L F IP/Netmask/Gateway Comments/Members
--------------------------- - - - ------------------ ---------------------------
.

format NW =
@<<<<<<<<<<<<<<<<<<<<<<<<<< @ @ @ ^<<<<<<<<<<<<<<<<< ^<<<<<<<<<<<<<<<<<<<<<<<<<<
$pName, $pType, $pLocation, $pFwInstalled, $pIpAddress, $pComments
~~                                ^<<<<<<<<<<<<<<<<< ^<<<<<<<<<<<<<<<<<<<<<<<<<<
                                  $pIpAddress,       $pComments
.

format SRV_TOP =
                                      Port Range
Name                 Type  Port       From   To     Members/Expression
-------------------- ----- ---------- ------ ------ ----------------------------
.

format SRV =
@<<<<<<<<<<<<<<<<<<< @<<<< @<<<<<<<<< @<<<<< @<<<<< ^<<<<<<<<<<<<<<<<<<<<<<<<<<<
$pName, $pType, $pPort, $pRangeFrom, $pRangeTo, $pComments
~~                                                  ^<<<<<<<<<<<<<<<<<<<<<<<<<<<
                                                    $pComments
.

format PROP_TOP = 
.

format PROP =
.



#
# Parse and process options
#
&ProcessOptions('version',          # print version info
                'help',             # print command help
		'network-objects',
		'service-objects',
		'properties',
		'types-n|tn=s',
		'types-s|ts=s',
		'all',
		'diff');

if (@ARGV <= 0 ||
    (defined($optctl{'n-types'}) && !defined($optctl{'network-objects'})) ||
    (defined($optctl{'s-types'}) && !defined($optctl{'service-objects'})))
{
    &PrintHelp;
    exit;
}


if (defined($optctl{all})) {
    $optctl{'network-objects'} = $optctl{'service-objects'} = '';
    $optctl{properties} = 1;
}



#
# Parse network object types
#
if (defined($optctl{'network-objects'})) {
    if (defined($optctl{'types-n'})) {
	@nwoTypes = split(/,/, lc($optctl{'types-n'}));
	foreach $type (@nwoTypes) {
	    if (!grep(/^$type$/, @NWO)) {
		die "Error: invalid network object type specified: $type\n";
	    }
	}
    }
    else {
	@nwoTypes = @NWO;
    }
}



#
# Parse service object type
#
if (defined($optctl{'service-objects'})) {
    if (defined($optctl{'types-s'})) {
	@svoTypes = split(/,/, lc($optctl{'types-s'}));
	foreach $type (@svoTypes) {
	    if (!grep(/^$type$/, @SVO)) {
		die "Error: invalid service object type specified: $type\n";
	    }
	}
    }
    else {
	@svoTypes = @SVO;
    }
}



#
# Output processed by diff ?
#
if (defined($optctl{diff})) {
    # Produce only one page of test. A page length of 5000 lines should be
    # enough to reack that goal.
    STDOUT->format_lines_per_page(5000);
}
else {
    # Default page length
    STDOUT->format_lines_per_page(64);
}



#
# Inputfile (z.B. objects.C) in rekursive Hash-Datenstruktur umwandeln
#
if (!open(OBJ, "$ARGV[0]")) {
    die "Error opening file $ARGV[0]: $ERRNO\n";
}
$_ = <OBJ>;
analyze_level(\%objects);
close(OBJ);

$appendToReport = $FALSE;

if (defined($optctl{'network-objects'})) {
    STDOUT->format_name("NW");
    STDOUT->format_top_name("NW_TOP");
    $key_found = $FALSE;
    print_info(\%objects, 'netobj', @nwoTypes);
    $appendToReport = $TRUE;
}

if (defined($optctl{'service-objects'})) {
    if ($appendToReport == $TRUE) {
	STDOUT->format_lines_left(0);
    }
    STDOUT->format_name("SRV");
    STDOUT->format_top_name("SRV_TOP");
    $key_found = $FALSE;
    print_info(\%objects, 'servobj', @svoTypes);
    $appendToReport = $TRUE;
}

if (defined($optctl{'properties'})) {
    if ($appendToReport == $TRUE) {
	STDOUT->format_lines_left(0);
	STDOUT->print($FORMAT_FORMFEED);
    }
    STDOUT->format_name("PROP");
    STDOUT->format_top_name("PROP_TOP");
    $key_found = $FALSE;
    $props = '';
    print_info(\%objects, 'props', 'all');
}



sub analyze_level {
    my ($hash) = @_;

    while (<OBJ>) {

    	chop;
    	s/^\s+//;

    	return if (/^\)$/);

    	if (/^\:([^\s]*) \(([^\)]*)$/) {
    	    $Key = $1; $Key2 = $2;
    	    if ($Key2 eq '') {
    		    $Key2 = $Key;
    	    }
    	    $lcKey = lc($Key2);
    	    $$hash{$lcKey}[0] = $Key2;
    	    analyze_level(\%{$$hash{$lcKey}[1]});
    	}
    	elsif (/^\:([^\s]*) (.*)$/) {

    	    $Key = $1; $Value = $2;
    	    if ($Key eq '') {
		$Key = 'members';
	    }
    	    $lcKey = lc($Key);
            $$hash{$lcKey}[0] = $Key;

    	    if (defined($$hash{$lcKey}[1]) && $$hash{$lcKey}[1] ne '') {
    	        $$hash{$lcKey}[1] .= ', ';
	    }
    	    if ($Value =~ /^\((.*)\)$/) {
    		    $Value = $1;
    	    }
    	    if ($Value =~ /^\"(.*)\"$/) {
    		    $Value = $1;
    	    }
            $$hash{$lcKey}[1] .= $Value;
        }
    }
}



sub print_info (\%$@) {
    my ($hash, $key, @types) = @_;

    my ($k, $actType);

    if ($key_found == $TRUE && $key eq 'props') {
	print_properties($hash, $key);
    }
    else {
	foreach $k (sort keys(%$hash)) {
	    if ($key_found == $TRUE) {
		if ($types[0] ne 'all') {
		    $actType = lc($$hash{$k}[1]{type}[1]);
		    next if (!grep(/^$actType$/, @types));
		}
		if ($key eq 'netobj') {
		    print_network_object($hash, $k);
		}
		elsif ($key eq 'servobj') {
		    print_service_object($hash, $k);
		}
	    }
	    else {
		if (defined($$hash{$k}[0]) && $$hash{$k}[0] eq $key) {
		    $key_found = $TRUE;
		}
		if (ref($$hash{$k}[1])) {
		    print_info($$hash{$k}[1], $key, @types);
		}
	    }
	}
    }
}



sub print_network_object {
    my ($hash, $key) = @_;

    $pLocation = $pFwInstalled = $pIpAddress = $pComments = '';

    # Type
    $pType = lc($$hash{$key}[1]{type}[1]);

    return if (!grep(/^$pType$/, @nwoTypes));

    if ($pType eq 'host') {
	$pType = 'H';
    }
    elsif ($pType eq 'gateway') {
	$pType = 'G';
    }
    elsif ($pType eq 'router') {
	$pType = 'R';
    }
    elsif ($pType eq 'switch') {
	$pType = 'S';
    }
    elsif ($pType eq 'network') {
	$pType = 'N';
    }
    elsif ($pType eq 'domain') {
	$pType = 'D';
    }
    elsif ($pType eq 'logical') {
	$pType = 'L';
    }
    elsif ($pType eq 'group') {
	$pType = 'g';
    }

    # Name
    $pName = $$hash{$key}[0];

    # Location
    if (defined($$hash{$key}[1]{location})) {
	if (lc($$hash{$key}[1]{location}[1]) eq 'external') {
	    $pLocation = 'E';
	}
	elsif (lc($$hash{$key}[1]{location}[1]) eq 'internal') {
	    $pLocation = 'I';
	}
    }
    # Firewall installed?
    if (defined($$hash{$key}[1]{firewall})) {
	if (lc($$hash{$key}[1]{firewall}[1]) eq 'installed') {
	    $pFwInstalled = '*';
	}
    }
    # IP-Address
    if (defined($$hash{$key}[1]{ipaddr})) {
	if ($pIpAddress ne '') {
	    $pIpAddress .= ' ';
	}
	$pIpAddress .= 'IP:' . $$hash{$key}[1]{ipaddr}[1];
    }
    # Netmask
    if (defined($$hash{$key}[1]{netmask})) {
	if ($pIpAddress ne '') {
	    $pIpAddress .= ' ';
	}
	$pIpAddress .= 'NM:' . $$hash{$key}[1]{netmask}[1];
    }
    # Gateway
    if (defined($$hash{$key}[1]{gateways}) &&
	$$hash{$key}[1]{gateways}[1] !~ /^\s*$/)
    {
	if ($pIpAddress ne '') {
	    $pIpAddress .= ' ';
	}
	$pIpAddress .= 'GW:' . $$hash{$key}[1]{gateways}[1];
    }

    # Comments
    if (defined($$hash{$key}[1]{comments})) {
	$pComments = $$hash{$key}[1]{comments}[1];
    }

    # Members
    if (defined($$hash{$key}[1]{members})) {
	$pComments = $$hash{$key}[1]{members}[1];
    }

    write;

    # Interfaces?
    foreach $k (sort keys(%{$$hash{$key}[1]})) {
	$pLocation = $pFwInstalled = $pIpAddress = $pComments = '';
	if (ref($$hash{$key}[1]{$k}[1]) &&
	    defined($$hash{$key}[1]{$k}[1]{iffullname}))
	{
	    $pName = '    ' . $$hash{$key}[1]{$k}[1]{iffullname}[1];
	    $pType = 'i';
	    if (defined($$hash{$key}[1]{$k}[1]{ipaddr})) {
		$pIpAddress = 'IP:' . $$hash{$key}[1]{$k}[1]{ipaddr}[1];
	    }
	    if (defined($$hash{$key}[1]{$k}[1]{netmask})) {
		if ($pIpAddress ne '') {
		    $pIpAddress .= ' ';
		}
		$pIpAddress .= 'NM:' . $$hash{$key}[1]{$k}[1]{netmask}[1];
	    }
	    if (defined($$hash{$key}[1]{$k}[1]{location})) {
		if (lc($$hash{$key}[1]{$k}[1]{location}[1]) eq 'external') {
		    $pLocation = 'E';
		}
		elsif (lc($$hash{$key}[1]{$k}[1]{location}[1]) eq 'internal') {
		    $pLocation = 'I';
		}
	    }
	    write;
	}
    }
}



sub print_service_object {
    my ($hash, $key) = @_;

    $pPort = $pRangeFrom = $pRangeTo = $pComments = '';

    # Name
    $pName = $$hash{$key}[0];

    # Type
    $pType = lc($$hash{$key}[1]{type}[1]);

    return if (!grep(/^$pType$/, @svoTypes));

    # Port
    if (defined($$hash{$key}[1]{port})) {
	$pPort = $$hash{$key}[1]{port}[1];
    }
    # Source port range / from
    if (defined($$hash{$key}[1]{src_port_from})) {
	$pRangeFrom = $$hash{$key}[1]{src_port_from}[1];
    }
    # Source port range / to
    if (defined($$hash{$key}[1]{src_port_to})) {
	$pRangeTo = $$hash{$key}[1]{src_port_to}[1];
    }
    # Members (type group) or expression (type other, icmp, ...)
    if (defined($$hash{$key}[1]{'exp'})) {
	$pComments = $$hash{$key}[1]{'exp'}[1];
    }
    elsif (defined($$hash{$key}[1]{members})) {
	$pComments = $$hash{$key}[1]{members}[1];
    }

    write;
}



sub set_propvar {
    my ($hash, $PropName, $PropVar) = @_;

    if ($$hash{$PropName}[1] eq 'false') {
	$$PropVar = $$hash{$PropName}[1];
    }
    else {
	$$PropVar = $$hash{"${PropName}_p"}[1];
    }
}



sub print_properties {
    my ($hash, $key) = @_;

    set_propvar($hash, 'fw1enable', \$pFw1Control);
    set_propvar($hash, 'udpreply', \$pUdpReply);
    set_propvar($hash, 'outgoing', \$pOutgoing);
    set_propvar($hash, 'rip', \$pRip);
    set_propvar($hash, 'domain_udp', \$pDomainUdp);
    set_propvar($hash, 'domain_tcp', \$pDomainTcp);
    set_propvar($hash, 'icmpenable', \$pIcmpEnable);

    set_propvar($hash, 'ftpdata', \$pFtpData);
    set_propvar($hash, 'ftppasv', \$pFtpPasv);
    set_propvar($hash, 'raudioenable', \$pRAudioEnable);
    set_propvar($hash, 'rshstderr', \$pRshStderr);
    set_propvar($hash, 'rpcenable', \$pRpcEnable);
    set_propvar($hash, 'vdolivenable', \$pVdoLiveEnable);

    set_propvar($hash, 'established_router', \$pEstablishedRouter);
    set_propvar($hash, 'domain_tcp_router', \$pDomainTcpRouter);
    set_propvar($hash, 'domain_udp_router', \$pDomainUdpRouter);
    set_propvar($hash, 'icmpenable_router', \$pIcmpEnableRouter);
    set_propvar($hash, 'rip_router', \$pRipRouter);
    if (defined($$hash{auth})) {
	$pAuthFailureTrack = 'auth';
    }
    elsif (defined($$hash{authalert})) {
	$pAuthFailureTrack = 'authalert';
    }
    else {
	$pAuthFailureTrack = 'none';
    }


    $props = <<EOT;
SECURITY POLICY:
Apply Gateway Rules to Interface Direction:  $$hash{gatewaydir}[1]
TCP Session Timeout (sec):                   $$hash{tcptimeout}[1]
Accept Firewall-1 Control Connections:       $pFw1Control
Accept UDP Replies:                          $pUdpReply
UDP Reply Timeout (sec):                     $$hash{udptimeout}[1]
Accept Outgoing Packets:                     $pOutgoing
Enable Decryption on Accept:                 $$hash{acceptdecrypt}[1]
Use FASTPATH:                                $$hash{enable_fastpath}[1]
Accept RIP:                                  $pRip
Accept Domain Name Queries(UDP):             $pDomainUdp
Accept Domain Name Download(TCP):            $pDomainTcp
Accept ICMP:                                 $pIcmpEnable

SERVICES:
Enable Response of FTP Data Connections:     $pFtpData
Enable FTP PASV Connections:                 $pFtpPasv
Enable Real Audio Reverse Connections:       $pRAudioEnable
Enable RSH/REXEC Reverse stderr Connections: $pRshStderr
Enable RPC Control:                          $pRpcEnable
Enable VDOLive Reverse Connections:          $pVdoLiveEnable
Enable CoolTalk Data Connections (UDP):      $$hash{cooltalkenable}[1]
Enable H.323 Control and Data Connections:   $$hash{iphoneenable}[1]

LOGGING AND ALERTING:
Excessive Log Grace Period (sec):  $$hash{loggrace}[1]
PopUp Alert Command:               $$hash{alertcmd}[1]
Mail Alert Command:                $$hash{mailcmd}[1]
Snmp Trap Alert Command:           $$hash{snmptrapcmd}[1]
User Defined Alert Command:        $$hash{useralertcmd}[1]
Anti Spoof Alert Command:          $$hash{spoofalertcmd}[1]
User Authentication Alert Command: $$hash{userauthalertcmd}[1]
IP Options Drop Track:             $$hash{ipoptslog}[1]
Log Established TCP Packets:       $$hash{log_established_tcp}[1]
Enable Active Connections:         $$hash{liveconns}[1]

NAMES RESOLVING:
Lookup Priorities:              1. $$hash{resolver_4}[1]
                                2. $$hash{resolver_1}[1]
                                3. $$hash{resolver_2}[1]
                                4. $$hash{resolver_3}[1]
BIND Timeout (sec):                $$hash{timeout}[1]
BIND Retries:                      $$hash{retries}[1]
Log Viewer Resolver Properties:
    Page Timeout (sec):            $$hash{pagetimeout}[1]

ROUTER ACCESS LISTS:
Accept Established TCP Connections: $pEstablishedRouter
Accept RIP:                         $pRipRouter
Accept Domain Name Queries(UDP):    $pDomainUdpRouter
Accept Domain Name Download(TCP):   $pDomainTcpRouter
Accept ICMP:                        $pIcmpEnableRouter

AUTHENTICATION:
User Authentication Session Timeout (min): $$hash{au_timeout}[1]
Authentication Failure Track:              $pAuthFailureTrack
AssureNet Pathway Defender Server Setup:
    Server IP Address: $$hash{snk_server_ip}[1]
             Agent ID: $$hash{snk_agent_id}[1]
            Agent Key: $$hash{snk_agent_key}[1]

SECURITY SERVERS:
Security Servers Welcome Message Files:
    Telnet:       $$hash{telnet_msg}[1]
    Rlogin:       $$hash{rlogin_msg}[1]
    FTP:          $$hash{ftp_msg}[1]
    Client Auth.: $$hash{clnt_auth_msg}[1]
HTTP Next Proxy:
      Host: $$hash{http_next_proxy_host}[1]
      Port: $$hash{http_next_proxy_port}[1]

SYN-DEFENDER:
Method:                   $$hash{fwsynatk_method}[1]
Timeout:                  $$hash{fwsynatk_timeout}[1]
Maximum Sessions:         $$hash{fwsynatk_max}[1]
Display Warning Messages: $$hash{fwsynatk_warning}[1]

LOAD BALANCING:
Load Agent Port:                  $$hash{load_service_port}[1]
Load Measurement Intervall (sec): $$hash{lbalanced_period_wakeup_sec}[1]
EOT
    ;
    write;
    STDOUT->print($props);
}



sub ProcessOptions {
    my($GetoptionsResult) = &Getopt::Long::GetOptions(\%optctl, @_);

    if (!$GetoptionsResult) {
        exit;
    }

    if (defined($optctl{version}) || defined($optctl{help})) {
        if (defined($optctl{version})) {
            &PrintVersion;
        }
        if (defined($optctl{help})) {
            &PrintHelp;
        }
        exit;
    }
}



sub PrintVersion {
    my($Name);

    if (!$StdInfo{Version}) {
        print "$0: No version info available\n";
    }
    else {
	print "$0: $StdInfo{Version}\n";
    }
}



sub PrintHelp {
    local($Pager) = $ENV{PAGER} || 'more';

    if (!$StdInfo{CommandHelp}) {
        die 'Command help message $StdInfo{CommandHelp} not set, died';
    }
    else {
        if ($StdInfo{CommandHelp} =~ /^\s*=head1/) {
            chdir(dirname($0));
	    open(TEST, "type nroff 2>&1|");
	    $line = <TEST>;
	    close(TEST);
	    if ($line =~ q#/#) {
		system("pod2man " .
		       "--release='19-01-1998' " .
		       "--center='FW-1 Script Documentation' " .
		       basename($0) . " | nroff -man | $Pager");
	    }
	    else {
		system("pod2text " . basename($0));
	    }
        }
        else {
            print $StdInfo{CommandHelp};
        }
    }
}