lhenry-dev/firewall_audit

Firewall Audit


Firewall Audit is a cross-platform command-line tool for auditing firewall rules against user-defined security criteria. It helps security professionals, system administrators, and auditors automatically check firewall configurations for misconfigurations, policy violations, and deviations from best practices.

  • Audit firewall rules using flexible, extensible criteria (YAML/JSON)
  • Export audit results in HTML, JSON, CSV, or plain text
  • Supports Windows (full), Linux (partial), and is extensible

Quick Start (CLI)

Installation

cargo install firewall_audit

Usage

Audit your firewall rules using a YAML or JSON criteria file and export the results:

firewall_audit --export html

firewall_audit --criteria audit_criteria.yaml --export html --output result.html

firewall_audit -c audit_criteria.yaml -e html -o result.html

  • --criteria / -c: Path to your audit criteria file (YAML or JSON). Optional; if not provided, a default criteria file will be used.
  • --export / -e: Output format (csv, html, json, or stdout; default: stdout)
  • --output / -o: Output file path (optional; auto-generated if omitted)
  • --quiet / -q: Do not print anything to stdout

HTML Export Screenshot

Here is an example of the HTML report generated by firewall_audit:

[Image: HTML export example]

The image above shows how audit results can be viewed in a browser after exporting to HTML format.


What Does It Do?

  • Loads firewall rules from the local system (Windows Firewall or Linux iptables)
  • Loads user-defined audit criteria (YAML or JSON)
  • Evaluates each firewall rule against all criteria
  • Reports all rules that match any problematic criteria
  • Exports results in your chosen format (HTML, JSON, CSV, or text)

Example: Audit Criteria (YAML)

Below is a sample of what an audit criteria file can look like. Each rule defines a security check, its logic, and severity:

- id: block-rdp-from-anywhere
  description: Block RDP (3389) from any source (should not be open to the world)
  criteria:
    and:
      - field: local_ports
        operator: matches
        value: 3389
      - field: protocol
        operator: equals
        value: "TCP"
      - field: action
        operator: equals
        value: "Allow"
      - field: remote_addresses
        operator: contains
        value: "0.0.0.0/0"
  severity: critical

- id: block-any-rule-without-description
  description: Detect any rule without a description (should be documented)
  criteria:
    and:
      - field: description
        operator: is_null
  severity: medium

You can also use JSON for your criteria files.

For more examples, see docs/EXAMPLES.md. For a complete reference of all supported fields and operators, see docs/CRITERIA_REFERENCE.md.
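
How the two sample criteria above evaluate against a rule set, as an added Rust sketch that is not firewall_audit's own code. The `Rule` and `Crit` types, the `audit` function and the operator semantics (`matches` as port membership, `contains` as an exact entry in the address list, case-insensitive `equals`) are assumptions, and the rules are constructed:

```rust
// Added illustration, not firewall_audit's code; types and operator semantics are assumptions.
struct Rule {
    name: &'static str, local_ports: Vec<u16>, protocol: &'static str, action: &'static str,
    remote_addresses: Vec<&'static str>, description: Option<&'static str>,
}
enum Crit {
    And(Vec<Crit>),
    PortMatches(u16),              // field: local_ports, operator: matches
    ProtocolEq(&'static str),      // field: protocol, operator: equals
    ActionEq(&'static str),        // field: action, operator: equals
    RemoteContains(&'static str),  // field: remote_addresses, operator: contains
    DescriptionIsNull,             // field: description, operator: is_null
}
fn eval(c: &Crit, r: &Rule) -> bool {
    match c {
        Crit::And(cs) => cs.iter().all(|c| eval(c, r)),
        Crit::PortMatches(p) => r.local_ports.contains(p),
        Crit::ProtocolEq(v) => r.protocol.eq_ignore_ascii_case(v),
        Crit::ActionEq(v) => r.action.eq_ignore_ascii_case(v),
        Crit::RemoteContains(v) => r.remote_addresses.contains(v),
        Crit::DescriptionIsNull => r.description.is_none(),
    }
}
/// Returns (criterion id, severity, rule name) for every rule that matches a criterion.
fn audit(rules: &[Rule]) -> Vec<(&'static str, &'static str, &'static str)> {
    let checks = [
        ("block-rdp-from-anywhere", "critical", Crit::And(vec![
            Crit::PortMatches(3389), Crit::ProtocolEq("TCP"),
            Crit::ActionEq("Allow"), Crit::RemoteContains("0.0.0.0/0")])),
        ("block-any-rule-without-description", "medium", Crit::And(vec![Crit::DescriptionIsNull])),
    ];
    let mut findings = Vec::new();
    for r in rules {
        for (id, sev, c) in &checks {
            if eval(c, r) { findings.push((*id, *sev, r.name)); }
        }
    }
    findings
}
// Constructed sample rules, not taken from any real host.
fn sample_rules() -> Vec<Rule> {
    let rule = |name, port, remote, description| Rule {
        name, local_ports: vec![port], protocol: "TCP", action: "Allow",
        remote_addresses: vec![remote], description,
    };
    vec![rule("rdp-open", 3389, "0.0.0.0/0", Some("Remote admin")),
         rule("rdp-vpn", 3389, "10.8.0.0/24", None),
         rule("https", 443, "0.0.0.0/0", Some("Web front end"))]
}
fn main() { for f in audit(&sample_rules()) { println!("{f:?}"); } }
```

Under these assumptions only `rdp-open` is reported as critical, `rdp-vpn` is reported as medium for its missing description, and `https` produces no finding.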


Platform Support & Limitations

  • Windows: Full support (uses Windows Firewall APIs; admin rights may be required)

  • Linux: Partial support (parses iptables rules; some fields may be missing or incomplete)

  • macOS: Not supported/tested

  • Criteria File Format: Only YAML and JSON are supported for criteria files.

  • Firewall Modification: This tool does not modify firewall rules; it only audits and reports.


Support

For issues and questions:


License

This project is licensed under either of

  • Apache-2.0 (LICENSE-APACHE)
  • MIT (LICENSE-MIT)

at your option.