Examining Kerio Control Traffic Rules


2012/11/05

A simple Perl script helps display Kerio Control traffic rules.


I often have to look at customers' Kerio Control Firewall rules. Sometimes I have direct access and can actually log in to their firewall, but that's not always true, so in those cases I ask them to export their configuration and send it to me.

I have sometimes loaded that configuration into my own test firewall, but that's time-consuming and annoying. Most of the configuration file is easy enough to just examine in a text editor, with the only real exception being the traffic rules. The problem with the rules is that they are unordered in the file and lack the color grouping that can be very helpful in examining them.

To fix that, I wrote a simple Perl script that reads a Kerio Control winroute.cfg file and outputs HTML like this:

[Image: Example of Control rules script]

This script could stand some improvement. I'd like to be able to hover over defined names and see IP addresses, for example. Eventually I might want to expand this to include other parts of the file. I also haven't matched Kerio's colors carefully.

Most importantly, I have not yet tested this with enough samples to be certain that no bugs remain. However, it is certainly a starting point and in some respects is actually preferable to loading the configuration into a working firewall because it emphasizes certain things that you might otherwise not notice. In that respect, it could be helpful to people who are not troubleshooting others' configurations.

#!/usr/bin/perl
# Tony Lawrence, http://aplawrence.com November 2012
# Reads winroute.cfg from the current directory and prints the traffic
# rules, in rule order, as an HTML table on standard output.

# Row background colors; Kerio's Color values start at 1.
@colors=("#FFFFFF","#EFFF11","#C9D8ED","#FFCCCC","#C9EEC6","#D3BFEB","#FDE8CA","#E8E8E8");
open(I,"<:crlf","winroute.cfg") or die "No winroute!";
$lastseen="";
# Collect the lines of each <listitem> inside the TrafficRules list.
while (<I>) {
  chomp;
  s/^\s+//;
  $intraffic=1  if /^<list name="TrafficRules/;
  next if /^<list name="TrafficRules/;
  $intraffic=0 if /^<.list>/;
  next if not $intraffic;
  next if /<listitem>/;
  push @holding,$_;
  store_it() if (/<.listitem>/);
}
print "<html><body><table>\n";
print "<tr><th>Rule ID</th>";
print "<th>Enabled</th>";
print "<th>Rule Name</th>";
print "<th>Description</th>";
print "<th>Allowed_Source(s)</th>";
print "<th>Allowed_Destination(s)</th>";
print "<th>Proxy</th>";
print "<th>Service</th>";
print "<th>Time</th>";
print "<th>Permit</th>";
print "<th>Source_NAT</th>";
print "<th>Destination_NAT</th></tr>";
$x=0;
# @all holds one string per rule, indexed by Order, so this walks the
# rules in the order the firewall applies them.
foreach(@all) {
  $x++;
  # The <variable> lines of a rule are joined with \004 (see store_it).
  @stuff=split /\004/;
  push @disp, "\n<tr>";
  $lastn="";
  foreach(@stuff) {
    $value=value($_);
    $name=name($_);
    $colorvalue=$colors[$value - 1] if ($name eq "Color");
    next if ($name eq "Color");
    # A repeated name (several sources, for example) stays in the same cell.
    if ($name eq $lastn and $lastn) {
      push @disp,  "\n<br />$value";
      next;
    }
    if ($name ne $lastn) {
      $lastn=$name;
      push @disp,  "</td>\n";
      if (not $value) {
        push @disp,  "<td>$name = (unset)";
        next;
      }
      push @disp,  "<td>$name = $value";
    }
  }

  # Turn the "name = value" cells into display text and color the row.
  foreach(@disp) {
    s/Enabled = 1/Yes/;
    s/Enabled.*/<b>NOT ENABLED<\/b>/;
    s/PERMIT/OK/;
    s/DENY/<b>DENY<\/b>/;
    s/Service = .unset./Service = Any/;
    s/Description = .unset./Service = /;
    s/<td>.*=/<td>/;
    s/list://;
    s/ifgroup://;
    s/"//g;
    s/<tr>/<tr style="background-color:$colorvalue">/;
    print;
  }
  print "</td>\n</tr>\n";
  @disp=();

}
print "</td>\n</tr></table>\n\n</body></html>\n";

# Called at each </listitem>: joins the held lines of one rule into a
# single \004-separated string and files it under the rule's Order.
sub store_it {
  $string="";
  $lastseen="";
  $lname="";
  foreach(@holding) {
    if (/<variable name="Order">/) {
      $order=value($_);
      next;
    }
    next if /<.listitem>/;
    $name=name($_);
    # A rule with no Dst or no Src line means "Any"; add a placeholder
    # so the table columns stay aligned.
    if ($lastseen =~ /Src/ and $name =~/Proxy/) {
      #print STDERR "Need Dst $lastseen  $name\n";
      $string .= "<variable name=\"Dst\">Any</variable>\004";
      #print STDERR "$string\n";
    }
    if ($lastseen =~ /Description/ and $name =~ /Dst/) {
      #print STDERR "Need Src $lastseen  $name\n";
      $string .= "<variable name=\"Src\">Any</variable>\004";
    }
    $string.="$_\004";
    $lastseen=$name;

  }
  # Drop the trailing separator before storing the rule.
  $string=~s/.$//;
  $all[$order-1]=$string;
  @holding=();
}

# Both helpers match against $_, which every caller has set to the
# line being examined.
sub value {
  my @v=/<.*>(.*)<.*>/;
  return $v[0];
}

sub name {
  my @v=/<variable name="(.*)">.*<.*>/;
  return $v[0];
}
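
As an added example (not part of the original script), the same rule list can be read in rule order and reduced to two things the HTML view makes visible: rules that are not enabled, and PERMIT rules with no source, destination or service restriction. The configuration fragment is constructed, and the variable names Name and Action in it are assumptions; the other names are the ones the script above handles.

```perl
# Added example, not the article's script: list rules in order with findings.
use strict; use warnings;

# Constructed sample. The real file has one tag per line; tags are packed
# here for brevity. "Name" and "Action" are assumed variable names.
my $cfg = <<'END';
<list name="TrafficRules">
<listitem><variable name="Order">3</variable><variable name="Enabled">1</variable>
  <variable name="Name">Old VPN test</variable>
  <variable name="Service"></variable><variable name="Action">PERMIT</variable></listitem>
<listitem><variable name="Order">1</variable><variable name="Enabled">1</variable>
  <variable name="Name">LAN to Internet</variable>
  <variable name="Src">ifgroup:Trusted</variable>
  <variable name="Service">HTTPS</variable><variable name="Action">PERMIT</variable></listitem>
<listitem><variable name="Order">2</variable><variable name="Enabled">0</variable>
  <variable name="Name">Vendor RDP</variable>
  <variable name="Src">list:Vendors</variable><variable name="Dst">10.0.0.5</variable>
  <variable name="Service">RDP</variable><variable name="Action">PERMIT</variable></listitem>
</list>
END

my ($list) = $cfg =~ m{<list name="TrafficRules[^>]*>(.*?)</list>}s
    or die "No TrafficRules list found\n";
my @rules;
for my $item ($list =~ m{<listitem>(.*?)</listitem>}gs) {
    my %rule;   # variable name => list of values (a name may repeat)
    push @{ $rule{$1} }, $2
        while $item =~ m{<variable name="([^"]*)">(.*?)</variable>}gs;
    push @rules, \%rule;
}

# Non-empty values of one variable. Absent or empty means "Any", which is
# how the script above displays a missing Src/Dst and an unset Service.
sub vals { my ($r, $k) = @_; return grep { length } @{ $r->{$k} || [] } }

sub findings {
    my ($r) = @_;
    my @f;
    push @f, 'disabled' unless grep { $_ eq '1' } vals($r, 'Enabled');
    my $permit = grep { $_ eq 'PERMIT' } map { @$_ } values %$r;
    push @f, 'permits any source, destination and service'
        if $permit && !vals($r, 'Src') && !vals($r, 'Dst') && !vals($r, 'Service');
    return @f;
}

for my $r (sort { $a->{Order}[0] <=> $b->{Order}[0] } @rules) {
    my @f = findings($r);
    printf "%2d  %-16s %s\n", $r->{Order}[0], $r->{Name}[0], @f ? join('; ', @f) : 'ok';
}
```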
 




3 comments




© Anthony Lawrence







Thu Nov 8 20:52:59 2012: 11420   MadsFogAlbrechtslund



Hi Anthony

I have some new colors for you.

Kerio Control Color 1 = "#FFFFFF"
Kerio Control Color 2 = "#EFFF11"
Kerio Control Color 3 = "#C9D8ED"
Kerio Control Color 4 = "#FFCCCC"
Kerio Control Color 5 = "#C9EEC6"
Kerio Control Color 6 = "#D3BFEB"
Kerio Control Color 7 = "#FDE8CA"
Kerio Control Color 8 = "#E8E8E8"

But I can't get the order right in the script.
If I change the @colors so the list is from 1-8, then it is almost perfect, but the colors are "moved" one stop. So 1 becomes 2, and 2 becomes 3 and so on.



Thu Nov 8 20:57:36 2012: 11421   TonyLawrence



Thanks for finding those.. I was being lazy :-)

The array starts at 0 - so the "first" is colors[0], not colors[1]







Thu Nov 8 21:09:24 2012: 11422   TonyLawrence



And that means this change:

$colorvalue=$colors[$value - 1] if ($name eq "Color");
