Capirca is a tool designed to utilize common definitions of networks, services and high-level policy files to facilitate the development and manipulation of network access control lists (ACLs) for various platforms. It was developed by Google for internal use, and is now open source.
https://github.com/google/capirca
There's several ways to install and run capirca, via docker or using python venv for example.
This example shows installation using python venv:
.
├── def
│ ├── NETWORK.net
│ └── SERVICES.svc
└── policies
├── includes
│ └── untrusted-networks-blocking.inc
└── pol
└── arista_test1.pol |
$ cat def/NETWORK.net
#
# Sample naming defintions for network objects
#
RFC1918 = 10.0.0.0/8 # non-public
172.16.0.0/12 # non-public
192.168.0.0/16 # non-public
|
$ cat policies/pol/arista_test1.pol
header {
comment:: "Server network ingress ACL to be applied to gateway vlan interface"
target:: arista servernet-in
}
term accept-dhcp {
comment:: "Optional - allow forwarding of DHCP requests."
destination-port:: DHCP
protocol:: udp
action:: accept
}
term accept-to-dns {
comment:: "Allow name resolution"
destination-address:: OFFICE_NETS
source-port:: DNS
protocol:: udp
action:: accept
}
term accept-tcp-replies {
comment:: "Allow tcp replies to internal hosts."
destination-address:: OFFICE_NETS
protocol:: tcp
option:: tcp-established
action:: accept
}
term deny-to-internal {
comment:: "Deny access to rfc1918/internal."
destination-address:: INTERNAL
action:: deny
}
term deny-to-bogons {
comment:: "Deny access to bogons"
destination-address:: BOGON
action:: deny
expiration:: 2019-10-01
}
term default-permit {
comment:: "Allow what's left (internet)"
action:: accept
}
|
Run "aclgen" from mypolicies directory and a new file called arista_test1.pol will appear in the directory. This file can be included in a Jinja2 template for example.
Match netflow data with policy definitions to see what policies actually get hits from traffic.