The UNIX and Linux Forums: Shell Programming and Scripting
ACL Analyzer Script
Hello,

I am trying to make a bash script that will analyze and document Cisco (router) ACLs and output a file with the source, destination, protocol, and ports (ports of the destination only) into a text file. The whole reason all our current ACLs need to be documented is that we are moving over to stateful firewalls (PIX), which means you don't need to state anything that was already established. I would also like to keep the remark lines and add them to the output along with everything else, but I could probably do that myself once I get an idea of how to approach this. Assuming I get this script done, I could then just hand the output over to the firewall team and they can take it from there.

Example (IPs changed for confidentiality):

Code:
permit tcp host x.x.x.x eq smtp y.y.y.y 0.0.0.31 gt 1023 established
permit tcp host x.x.x.x eq 5308 y.y.y.y 0.0.0.31 gt 1023 established
permit tcp host x.x.x.x eq 6802 y.y.y.y 0.0.0.31 gt 1023 established
permit tcp x.x.x.x 0.0.0.31 eq 2049 y.y.y.y 0.0.0.31
permit tcp host x.x.x.x gt 1023 y.y.y.y 0.0.0.31 eq smtp
permit tcp host x.x.x.x gt 1023 y.y.y.y 0.0.0.31 eq 5308
permit tcp host x.x.x.x gt 1023 y.y.y.y 0.0.0.31 eq 6802
permit tcp x.x.x.x 0.0.0.31 y.y.y.y 0.0.0.31 eq 2049

The first four aren't needed while the last four are.

Now that you know what I'm trying to do, I'll explain my problem... I'm not too sure where to start or what the best method is for something like this. There are several different types of ACL lines, such as:

permit protocol src mask dest mask
permit protocol any dest mask
permit protocol src mask any
permit protocol any any
permit protocol src mask port dest mask port
permit protocol src mask port dest mask portrange
etc...

Anyone have any ideas about how to start a task like this? Or even what the looping structure should be, or which commands I should use? I've been documenting each ACL by hand and I have thousands, so I figured that a script would be the best way to tackle this.

I do have experience in BASH scripting, although my knowledge of commands such as awk, grep, and many others I probably don't even know about is very limited. What I had in mind was to set spaces as delimiters and set each token as a variable, but that's all I have thought up so far, and I'm not really sure even how to do that. So to sum it all up, this is what I hope to accomplish:

- To input a text file of (hopefully) all the ACLs in one (as in the show run command on Cisco routers, same output, the whole ACL section pasted into a text file).
- To be able to get rid of the lines that aren't needed when converting from ACLs to a stateful firewall. It might be easier to do this part last, although I'll wait and see what comes up before I decide anything.
- To output to a text file something that's easy to read.

Thank you
There's one thing I have no clue how to do that's essential to all this. Given the following line:

Code:
permit tcp host x.x.x.x gt 1023 y.y.y.y 0.0.0.31 eq smtp

1) How would I set each field (delimited by a space) as a variable?
2) How do I count the number of fields?
3) What's the most efficient way to loop through every line in a file?

Thanks.
Input file:

Code:
$ cat line
permit tcp host x.x.x.x gt 1023 y.y.y.y 0.0.0.31 eq smtp
permit tcp host x.x.x.x gt 1024 y.y.y.y 0.0.0.31 eq smtp
permit tcp host x.x.x.x gt 1025 y.y.y.y 0.0.0.31 eq smtp

Code:
$ cat acl
#!/bin/sh
while read -r entry ; do
    set -- $entry            ## word-split the line: fields become $1, $2, ... ("--" keeps a field
                             ## that starts with "-" from being read as an option to set)
    echo "\$1=$1 \$2=$2 ...etc."
    echo "Count : $#"        ## $# is the number of fields
done < line

Code:
$ ./acl
$1=permit $2=tcp ...etc.
Count : 10
$1=permit $2=tcp ...etc.
Count : 10
$1=permit $2=tcp ...etc.
Count : 10
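The reply above shows the field-splitting and counting pieces; the following script, added here as an example and not code posted by either participant, carries the same `set --` technique through to the whole task in the first post: it walks an ACL listing line by line, recognises the address forms (any, host A, A wildcard) and port forms (eq/gt/lt/neq, range), keeps remark lines, and drops the `established` entries that a stateful firewall does not need. It also accepts the `access-list 101 permit ...` form and the sequence-numbered lines of `show access-lists`, which the thread does not mention. The ACL text in `sample_acl` is constructed for illustration and reuses the thread's placeholder addresses; the `|`-separated record layout is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not code posted in this thread. Parses Cisco IOS extended
# ACL entries in the forms listed in the question (any / host A / A wildcard,
# eq|gt|lt|neq port, range lo hi, trailing "established") into one
# pipe-separated record per entry, keeps remark lines, and drops the
# "established" return-traffic entries a stateful firewall makes redundant.
# The ACL text in sample_acl is constructed for illustration and uses the
# thread's placeholder addresses.
set -u   # unset variables are errors
set -f   # no pathname expansion when lines are word-split with "set --"

# Number of whitespace-separated fields in a line (question 2 above).
field_count() {
    set -- $1
    echo $#
}

# Consume an address spec from the positional parameters.
# Sets ADDR (normalised text) and ADDR_N (tokens consumed).
addr_spec() {
    case ${1:-} in
        any)  ADDR=any;          ADDR_N=1 ;;
        host) ADDR=$2;           ADDR_N=2 ;;
        *)    ADDR="$1/${2:-}";  ADDR_N=2 ;;   # network/IOS wildcard, e.g. y.y.y.y/0.0.0.31 (wildcard, not a prefix length; 0.0.0.31 is a /27)
    esac
}

# Consume an optional port spec. Sets PORT and PORT_N (0 when absent).
port_spec() {
    case ${1:-} in
        eq|gt|lt|neq) PORT="$1 $2";        PORT_N=2 ;;
        range)        PORT="range $2-$3";  PORT_N=3 ;;
        *)            PORT=any;            PORT_N=0 ;;
    esac
}

# Parse one ACE into "action|proto|src|dst|dst-ports|established".
# Accepts the "access-list 101 permit ..." form and the sequence-numbered
# lines of "show access-lists" as well as the bare form in the question.
parse_ace() {
    set -- $1                                          # split on whitespace
    if [ "${1:-}" = access-list ]; then shift 2; fi    # numbered-ACL prefix
    case ${1:-} in ''|*[!0-9]*) ;; *) shift ;; esac    # drop a leading sequence number
    [ $# -ge 4 ] || return 1                           # too short to be an ACE
    local action=$1 proto=$2
    shift 2
    addr_spec "$@"; local src=$ADDR;   shift "$ADDR_N"
    port_spec "$@";                    shift "$PORT_N"  # source ports are not reported
    addr_spec "$@"; local dst=$ADDR;   shift "$ADDR_N"
    port_spec "$@"; local dport=$PORT; shift "$PORT_N"
    local est=no t
    for t in "$@"; do
        case $t in established) est=yes ;; esac
    done
    printf '%s|%s|%s|%s|%s|%s\n' "$action" "$proto" "$src" "$dst" "$dport" "$est"
}

# Read ACL text (as pasted from "show run") on stdin. Remarks are kept as
# comments, headers and blank lines are skipped, "established" entries are
# dropped, and every other permit/deny is printed as one record.
acl_report() {
    local line rec
    while IFS= read -r line; do
        case $line in
            *remark*)        set -- $line; printf '# %s\n' "$*" ;;
            *permit*|*deny*) rec=$(parse_ace "$line") || continue
                             case $rec in *'|yes') ;; *) printf '%s\n' "$rec" ;; esac ;;
        esac
    done
}

# Constructed sample input: the two "established" lines are the ones that
# should disappear from the report.
sample_acl() {
    cat <<'EOF'
ip access-list extended MAIL-IN
 remark constructed sample, not a real ACL
 permit tcp host x.x.x.x eq smtp y.y.y.y 0.0.0.31 gt 1023 established
 permit tcp host x.x.x.x eq 5308 y.y.y.y 0.0.0.31 gt 1023 established
 permit tcp host x.x.x.x gt 1023 y.y.y.y 0.0.0.31 eq smtp
 permit tcp host x.x.x.x gt 1023 y.y.y.y 0.0.0.31 eq 5308
 permit tcp x.x.x.x 0.0.0.31 y.y.y.y 0.0.0.31 eq 2049
 permit udp any host z.z.z.z range 10000 10010
 deny ip any any
EOF
}

echo 'action|proto|src|dst|dst-ports|established'
sample_acl | acl_report
```

To run it over a real listing, replace the last line with `acl_report < acl.txt`. Two caveats worth keeping in mind before handing the output to a firewall team: the address column carries the IOS wildcard mask, not a prefix length, so it has to be converted before it goes into a PIX rule; and the script drops an entry purely because the keyword `established` is present, so any `deny` line with that keyword, or a tcp rule whose author misused it, is silently removed and should be reviewed by hand.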