
Firewall Steve - a visual firewall tool - planning


Graphviz has five different programs that produce different kinds of graphs. Which one is most applicable to rendering a firewall? That's a good question, and one I have yet to answer.

circo attempts to lay child nodes from the parent at an equal distance to their siblings, so that a node with many children ends up encircled. dot lays the graph out as a directed graph, and also allows subgraphs to be delineated. fdp draws nodes out using a masses-and-springs model, something which interests me. neato also uses a spring model, and twopi uses a different circular layout.

The drawing method can, of course, influence how much information is available. With our firewall, having over 900 rules, diagrams can start to get quite messy, no matter which method you use.

The problem is that every rule in a firewall has two possible paths: either it matched or it didn't, and either way, it's going to jump elsewhere or continue through the current chain.

Showing jumps from one rule to another chain is easy enough -- it makes sense that we would want to draw that connection. But it's the path of a non-match -- that is, when a rule doesn't apply -- that can get long and messy.

Do we display a line from every rule in a chain to its successor, showing that these rules are indeed related? By having every node, that is, every rule, have at least two children, we're making a graph that becomes unwieldy with a few dozen rules, let alone 900.

But can we afford to leave out that relationship?

I think we can, if we have the grouping that subgraphs provide. Only the dot and fdp programs support putting a border around them. Unfortunately, dot draws directed graphs, which, while useful for providing the order of the rules within a chain, lead to a very tall and skinny graph (for example). fdp allows for a better distribution around the screen, since it is based on the masses-and-springs model, but loses the order within the chains if they are not linked (for example).

I think the chain grouping with the boxes is a requirement, as can be seen in the circo, neato and twopi examples. While they're interesting, they don't really convey much information.

So, dot or fdp. Can we somehow convince dot to spread its directed graphs out a bit more? Can we get fdp to order unlinked nodes in a subgraph?

This is how messy things get if we add inter-chain lines. It may be hard to see much of a difference at this zoomed out scale, but the sheer number of extra links, without any sense of direction from the nodes' orientations, makes it a bit unusable.

Though it may be hard to make out from these pictures, there's still a lot of data missing. Rules have a bit of encoding: color is being used to denote whether it's an ACCEPT, DROP or JUMP rule; their shape denotes other behaviour; their contents are either the IP address they match, or the rule number.

Even with a legend, the current graph isn't very useful. What happens when we add more information per node? And what information would that be?
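As an added illustration (not code from this post or from Firewall Steve itself), the script below turns a constructed iptables-save fragment into DOT using the encoding discussed above: one cluster per chain, node colour for ACCEPT/DROP/jump, the source IP or the rule number as label, a solid edge for each jump into another chain, and a flag that adds the contested rule-to-successor edges so the two variants can be compared. The shape rule (box when a protocol match is present) and the sample rules are assumptions made for the example.

```python
import re

# Constructed sample ruleset in iptables-save format; not taken from the post.
SAMPLE_RULES = """\
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 192.0.2.1 -j DROP
-A INPUT -p tcp --dport 22 -j SSH_CHECK
-A SSH_CHECK -s 203.0.113.5 -j ACCEPT
-A SSH_CHECK -j DROP
"""
# Colour encodes the target: green ACCEPT, red DROP, light blue for a jump.
COLOR = {"ACCEPT": "green", "DROP": "red"}

def parse_rules(text):
    """Return (chain, index, src_ip, proto, target) for every -A line."""
    rules, counts = [], {}
    for line in text.splitlines():
        m = re.match(r"-A (\S+)(.*?) -j (\S+)\s*$", line)
        if not m:
            continue
        chain, body, target = m.groups()
        ip = re.search(r"-s (\S+)", body)       # label: matched source address
        proto = re.search(r"-p (\S+)", body)    # shape (assumed): protocol match
        counts[chain] = counts.get(chain, 0) + 1
        rules.append((chain, counts[chain], ip and ip.group(1), proto and proto.group(1), target))
    return rules

def to_dot(rules, successor_edges=False):
    """Emit DOT: a cluster per chain, a node per rule, solid edges for jumps,
    and optionally a dotted edge from each rule to its successor in the chain."""
    chains = {}
    for chain, idx, ip, proto, target in rules:
        chains.setdefault(chain, []).append((idx, ip, proto, target))
    out = ["digraph firewall {", "  node [style=filled];"]
    for chain, rs in chains.items():
        out.append(f'  subgraph "cluster_{chain}" {{ label="{chain}";')
        prev = None
        for idx, ip, proto, target in rs:
            name = f"{chain}_{idx}"
            attrs = (f'label="{ip or idx}" fillcolor={COLOR.get(target, "lightblue")} '
                     f'shape={"box" if proto else "ellipse"}')
            out.append(f'    "{name}" [{attrs}];')
            if successor_edges and prev:          # the non-match path
                out.append(f'    "{prev}" -> "{name}" [style=dotted];')
            prev = name
        out.append("  }")
    for chain, idx, ip, proto, target in rules:
        if target in chains:                      # jump into a user-defined chain
            out.append(f'  "{chain}_{idx}" -> "{target}_1" [color=blue];')
    out.append("}")
    return "\n".join(out)
```

Pipe the output of to_dot() into dot or fdp to compare how each engine handles the same clusters with and without the successor edges.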

As I dwell on this, let's take a look at Firewall Steve's other half.

©2002-2017 Wayne Pearson