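# 1) deny (ip) IP_Block -> 0.0.0.0/0 IP_Block $VAR1 = []; ####
#!/usr/bin/perl
# portproto-rpt.pl
#
# For every firewall config in the directory given with -d, walk the
# "outside-in" ACL and emit one CSV row per (source, destination, protocol,
# port, action) tuple whose source address is NOT inside one of the @internal
# blocks. Object-group names in the ACL line are expanded through
# PIX::Walker->obj(). Output is CSV on STDOUT; diagnostics go to STDERR so a
# redirected report stays well-formed.
use strict;
use warnings;
use PIX::Walker;
use Getopt::Std;
use Socket;
use Data::Dumper;

my $usage = "Usage: portproto-rpt.pl -d config directory -d is required Output is in CSV format to STDOUT, redirect to a file as required use portproto-rpt.pl -h to get this help\n\n";

# Address blocks treated as "internal"; rows whose source falls inside one of
# these are suppressed by checksource().
# NOTE(review): RFC 1918 private space is 172.16.0.0/12, not /14 - confirm the
# narrower /14 is intentional for this environment.
my @internal = ('10.0.0.0/8', '172.16.0.0/14', '192.168.0.0/16');

# One "<name>.config" file is expected per firewall under the -d directory.
my @firewalls = qw(east west central);

# Protocol keywords that are literals on an ACL line; anything else in the
# protocol position is treated as an object-group name and looked up.
my %protocols = map { $_ => 1 } qw(tcp udp icmp gre esp ip);

my %options;
getopts('hd:', \%options);
die $usage if $options{h};
die $usage unless defined $options{d};    # -d is required (see usage text)

my %configs;    # firewall name => parsed PIX::Walker config
foreach my $name (@firewalls) {
    my $path = sprintf '%s/%s.config', $options{d}, $name;
    die "Cannot find config file $name in $options{d}\n" unless -e $path;
    $configs{$name} = PIX::Walker->new($path);
}

print "Firewall,Source,Destination,Protocol,Port,Action\n";

# sorted so the report is reproducible run to run (hash order is random)
foreach my $fw (sort keys %configs) {
    my $config = $configs{$fw};
    my $acl    = $config->acl('outside-in')
        or die "ACL: outside-in does not exist on firewall config $fw\n";

    foreach my $line ($acl->lines) {
        # Each field is expanded once per ACL line; the original rebuilt the
        # lists inside the nested loops and discarded every obj() lookup
        # through shadowed "my" declarations.
        my $proto_str = $line->proto_str;
        my @protos = $protocols{$proto_str} ? ($proto_str) : $config->obj($proto_str);

        my $dport = $line->destport_str;
        my @ports = !$dport         ? ('any')     # no port => any port
                  : $dport =~ /^\d/ ? ($dport)    # numeric port literal
                  :                   $config->obj($dport);

        my @dests   = expand_addr($config, $line->dest_str);
        my @sources = expand_addr($config, $line->source_str);

        foreach my $proto (@protos) {
            foreach my $port (@ports) {
                foreach my $dest (@dests) {
                    foreach my $source (@sources) {
                        next if checksource($source);   # internal sources are not reported
                        printf "%s,%s,%s,%s,%s,%s\n",
                            $fw, $source, $dest, $proto, $port, $line->action;
                    }
                }
            }
        }
    }
}

# Resolve an address field of an ACL line to a list of address strings.
# A literal dotted quad (optionally followed by a mask) is returned as-is;
# anything else is looked up as an object/group name in $config.
# An unresolvable name yields an empty list (so no rows) and is reported on
# STDERR rather than STDOUT, where it would corrupt the CSV.
# NOTE(review): assumes PIX::Walker->obj returns a flat list of address
# strings, as the original loops treated it - confirm against the module.
sub expand_addr {
    my ($config, $field) = @_;
    return () unless defined $field;
    return ($field) if $field =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
    my @addrs = $config->obj($field);
    warn "Cannot resolve address object '$field'\n" unless @addrs;
    return @addrs;
}

# Convert a dotted-quad string to its 32-bit integer value.
# Deliberately avoids inet_aton(), whose fallback on a non-numeric or
# out-of-range string is a host-name lookup (a network round trip triggered by
# config contents). Returns nothing unless the string is exactly four octets
# in 0..255.
sub _ip_to_int {
    my ($quad) = @_;
    return unless defined $quad;
    my @octets = split /\./, $quad, -1;
    return unless @octets == 4;
    return if grep { !/^\d{1,3}$/ || $_ > 255 } @octets;
    return unpack 'N', pack 'C4', @octets;
}

# True (1) when the leading IPv4 address of $block lies inside one of the
# @internal CIDR blocks, 0 otherwise. Only the address part of $block is
# examined; a mask suffix is ignored, so a block is judged by its base address
# alone. Non-address inputs (e.g. "any", undef) are never internal.
# The original compared the unpacked integers with the string operators
# le/lt, which mis-orders values of different digit counts.
sub checksource {
    my ($block) = @_;
    return 0
        unless defined $block
        and $block =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/;
    my $addr = _ip_to_int($1);
    return 0 unless defined $addr;    # octet out of range, e.g. 300.1.1.1

    foreach my $cidr (@internal) {
        my ($net, $bits) = split m{/}, $cidr;
        my $base = _ip_to_int($net);
        next unless defined $base;
        # block size is an exact power of two, so the float from ** is safe
        return 1 if $addr >= $base && $addr < $base + 2 ** (32 - $bits);
    }
    return 0;
}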