netbobr · ~/firewall-validator

Validate firewall rules
before they become a problem.

6 frameworks·154 rules·0 telemetry

[ launch app ] [ quickstart ]
netbobr app showing firewall rule validation with risk scores and compliance findings

the problem

Firewall requests fail review because nobody checks them first.

These land in your approval queue every day. Sound familiar?

0.0.0.0/0 → ANY / TCP ANY
"Just open everything for now, we'll tighten it in production." Spoiler: they never do.
FTP to a public database
"We need to transfer files to the DB server." Plaintext credentials over the internet. PCI violation on arrival.
No zone segmentation
"We don't have network zones yet." Flat network, no blast radius containment, auditor's worst nightmare.
Compliance finding post-deploy
"Nobody told me about NIST 800-53." The rule went live, the audit found it, now it's a P1 remediation ticket.

how it works

Three steps. Zero ambiguity.

[ 01 ]
describe the flow
Enter source, destination, protocol, and port. Or upload a CSV, Terraform plan, or cloud config.
[ 02 ]
get instant findings
Risk score (0–100), compliance violations across 6 frameworks, zone policy verdicts, and actionable remediation.
[ 03 ]
fix before you submit
Tighten the scope, switch protocols, add segmentation. Submit a clean request the first time.

the numbers

0
rules
0
frameworks
0
cloud formats
0
data collected

cli

Add to your CI/CD pipeline.

Fail builds on high-risk firewall requests. Shift left from the terminal.

Install from npm and validate firewall rules in any pipeline. Supports JSON, CSV, SARIF, table, and PDF output. Auto-detects AWS Security Groups, Azure NSG, Kubernetes NetworkPolicy, and Terraform plans.

[ view on npm ]
github actions azure devops gitlab ci jenkins sarif
~/ci · netbobr tty
$ npx @netbobr/cli analyze \ --src 10.0.0.0/8 --dst 203.0.113.5 \ --proto tcp --port 22 Risk: High (68/100) PCI-DSS: 3 findings | NIST: 2 findings Remediation: Restrict source to /24 or narrower $ terraform show -json tfplan | \ npx @netbobr/cli analyze - --cloud-format tf-plan \ --fail-on high --output sarif

compliance

Six frameworks. One analysis.

Every flow is checked against all enabled frameworks simultaneously. No separate scans, no context switching.

PCI-DSS
35 rules
v4.0.1
Insecure protocols, network segmentation, database exposure, remote access, and cardholder data environment controls.
CIS Controls
22 rules
v8 (IG1–IG3)
Overly permissive rules, service exposure, administrative access, DNS policy, and implementation group tiering.
NIST SP 800-53
22 rules
Rev. 5
Information flow enforcement, least functionality, encrypted tunnel visibility, remote access, and baseline mapping.
NIS2 Directive
20 rules
2022/2555
Network segmentation, ICS/SCADA isolation, supply chain security, and incident reporting readiness for essential entities.
DORA
18 rules
2022/2554
Financial sector ICT risk management, third-party oversight, infrastructure resilience, and digital operational testing.
MITRE ATT&CK
25 rules
v18.1
Initial Access, Command & Control, Lateral Movement, Exfiltration, and Discovery tactic detection with technique mapping.

also supports

csv aws-sg azure-nsg k8s-netpol terraform

Stop fixing requests after submission.
Fix them before.

[ launch app ] install cli
// faq
Who is netbobr for?
Infrastructure, network, and application teams who submit firewall change requests - and the security teams who review them. Use it to catch rule violations, overly broad scoping, and compliance gaps before the request reaches the approval queue.
Who is it NOT for?
netbobr is a pre-submission validator, not a firewall management platform. It does not connect to live firewalls, push rules, or replace your change management workflow. If you need to manage rulesets or deploy configurations, look at your firewall vendor tooling.
How does it work?
Enter a source, destination, port, and protocol. netbobr runs the flow against 154 built-in rules across 6 compliance frameworks and returns a composite risk score with specific findings. Everything runs in your browser - no data is sent anywhere.
Want a walkthrough? See How to Use →