netbobr - Shift-Left Firewall Governance

Skip to main content

netbobr Start Here Docs Blog About

Start Here Docs Blog About

ACTIVE RULES

📂

Drop a CSV file here, or

Up to 500 rows · configure zones in the Zones tab for zone-aware analysis

Zone Matrix

Zone name

Default Zone Policies

Intra-zone default action: Inter-zone default action:

Zone Subnets

Rule Catalog

Flow 1

Source IP / Subnet

→

Destination IP / Subnet

Protocol

Ports

ICMP Type ICMP Type

All Echo Request (Type 8) - ping request Echo Reply (Type 0) - ping response Destination Unreachable (Type 3) Time Exceeded (Type 11) - used by traceroute Redirect (Type 5) Parameter Problem (Type 12)

Application / Business Purpose (optional)

Results

Batch Results

Rows per page:

Batch analysis results
#	Source	Destination	Src Zone	Dst Zone	Protocol / Port	Risk Score	Zone Policy	Top Recommendation	PCI Issues	CIS Issues	NIST Issues	NIS2 Issues	DORA Issues	ATT&CK Issues	Custom

netbobr v2.0 - Engineering Stronger Network Dams | Updated: 2026-03-28 15:10 UTC

·

What netbobr is

How to Use

1. Rules and Frameworks

The Rules tab shows every compliance rule organized by framework (NIST, CIS, PCI-DSS, and more). Toggle entire frameworks on or off with the master switch, or drill down for granular per-rule control.

Framework and per-rule toggle controls

Disabled rules are excluded from validation results, letting you focus on the standards that matter for your environment. Your rule configuration is saved with your session file.

Each rule displays its ID, category, and a brief summary so you can quickly decide which rules apply.

2. Zones Configuration

Switch to the Zones tab to define your network segments. Add zones by name, then assign subnets (CIDR notation) to each zone.

Zone creation, subnet assignment, and policy matrix configuration

The zone-to-zone policy matrix lets you set default actions - Allow, Review, or Deny - for traffic between any pair of zones. Use the global toggles to quickly set all intra-zone or inter-zone policies at once.

Zone configuration is saved with your session, so you only need to set it up once per project.

3. Session Management

netbobr is ephemeral by default - nothing is stored on a server and all data lives in your browser session. Use the Save button in the header to download your current configuration as a JSON file.

Session save, load, and reset workflow

To restore a previous session, click Load and select your saved JSON file. This restores zones, policies, rule toggles, and any entered flows. Use Reset to clear everything and start fresh.

Your privacy is guaranteed: 100% browser-side processing means no network traffic leaves your machine during validation.

4. Manual Flow Entry

On the Manual Entry tab, enter a firewall flow by specifying source IP/subnet, destination IP/subnet, protocol, and port. Click Validate Flow to see instant compliance results.

Manual flow entry, validation, and risk score breakdown

You can add multiple flows (up to 20) in a single session and validate them all at once. Each flow gets its own result card with findings, risk score, and recommended actions.

Use the protocol auto-detect feature - selecting a well-known port automatically sets the correct protocol.

5. Exploring Results

After validation, results appear in a sortable table. Sort by source IP, destination IP, port, or verdict to find what you need quickly.

Validation results with risk score breakdown and findings expansion

Click any row to expand findings - each finding shows the triggered rule, severity, and remediation guidance. The overall risk score gives you an at-a-glance assessment of each flow.

Use the Export CSV button to download results for reporting, audits, or further analysis in your preferred spreadsheet tool.

6. CSV Import (Power Users)

For bulk validation, switch to the CSV Import tab. Click Download data template to get a pre-formatted CSV with the correct column headers.

CSV file upload and bulk validation results

Fill in up to 500 rows of firewall flows, then drag and drop your file onto the upload zone (or click to browse). netbobr validates all rows instantly and displays batch results.

Batch results support the same sorting and expansion as manual flows. Click Export findings CSV to get a detailed compliance report for your entire rule set.

Disclaimer

What netbobr does well

netbobr's strength is rule quality assessment. It does not need resolved IPs to do useful work. It evaluates how broad your source and destination networks are and flags when a rule covers more hosts than you might expect. It checks the requested service and port exposure. It looks at the underlying protocol and whether it transmits data in plaintext or relies on weak default authentication. That is how the risk score is calculated.

On the compliance side, over 90% of findings are driven by protocol and port, not by IP address. netbobr catches those violations regardless of how the endpoints are addressed.

Where it falls short

netbobr operates at Layer 3/4 of the OSI model with a limited attempt at Layer 7 through service-name lookups on well-known ports. It cannot resolve FQDNs to IP addresses. A hostname like "api.stripe.com" returns different IPs by region, time of day, and CDN edge. A browser-based tool with no backend cannot perform DNS lookups, so netbobr is a static, client-side firewall request analyzer without FQDN resolution.

The tool also lacks coverage for custom port mappings. If a service runs on a non-standard port, netbobr will not recognise it. Custom port support may ship in a future release using the same principles that drive the existing engine.

What the future may hold

netbobr is a client-side static analyzer. The built-in policies and the scoring engine behind them reflect years of hands-on network security work, tested and refined through daily use by the author.

FQDN support would require a server-side component and is significantly more complex than what netbobr does today. The same applies to cloud-native constructs like Azure service tags, AWS security group IDs, and Kubernetes labels. These are opaque references that mean nothing without querying the platform to resolve the underlying IPs, protocols, and ports. Both capabilities are on the radar if netbobr ever moves toward a commercial offering.

Scope of analysis

netbobr assesses firewall rule configurations, not organizational compliance. Findings identify structural risks in how rules are written - overly broad sources, permissive port ranges, unencrypted protocols - not active threats or confirmed policy violations. A finding means the rule permits a traffic pattern that conflicts with a framework's requirements. Whether that pattern represents actual risk depends on compensating controls, network context, and business justification that a static rule analyzer cannot observe.

About the risk score

The 0-100 risk score is a heuristic indicator of structural exposure. It measures configuration breadth across four factors: source CIDR width, destination CIDR width, port exposure, and zone policy. It does not account for business context, compensating controls, or threat intelligence. A high score means the rule permits a wide attack surface, not that a breach is imminent. A low score means the rule is tightly scoped, not that the underlying service is safe. Treat it as a prioritization signal for rule review, not a definitive risk measurement.

MITRE ATT&CK detection confidence

The 25 MITRE ATT&CK rules across 6 techniques detect structural enablement - the firewall permits a network path that an attacker could use for a given technique. They do not detect actual attacks or active exploitation. Detection confidence varies by technique.

High confidence: T1133 (External Remote Services) - port and direction are directly observable in the rule. Medium confidence: T1021 (Remote Services), T1048 (Exfiltration Over Alternative Protocol), T1071 (Application Layer Protocol) - structural capability is detected but actual exploitation requires additional context. Low confidence: T1018 (Remote System Discovery), T1046 (Network Service Discovery) - the rule permits a broad configuration that could enable reconnaissance, but the tool cannot distinguish intentional broad access from an actual scanning opportunity.

NIS2 and DORA article mapping

NIS2 and DORA findings map firewall rule characteristics to specific directive and regulation articles. Most rules combine flow data (protocol, port, direction) with policy inference from CIDR breadth - for example, a /8 source accessing a database port is flagged as an access control failure. A smaller number of rules are purely protocol-based (detecting cleartext or deprecated protocols), and one rule per framework checks documentation (business justification). NIS2 Art. 21(2) is principles-based; DORA Art. 9 is more prescriptive. In both cases, findings represent the author's interpretation of how firewall rule design relates to regulatory requirements, not a compliance determination. A flagged rule means the permitted traffic pattern may conflict with a requirement - it does not mean the organization is non-compliant.

Change Log

2026-03-28 Documentation site
2026-03-22 Help menu and walkthrough video. Theme toggle.
2026-03-20 MITRE ATT&CK framework, active rules indicator, change log and disclaimer
2026-03-18 Zone policy badges, duplicate flow detection with real-time highlight
2026-03-17 Pre-validation, zone overlap alerts, NIS2 and DORA frameworks
2026-03-14 Blog, About page, TTS player
2026-03-13 Sortable batch results, multi-flow batch view, zone config fieldset
2026-03-12 Rules tab with catalog and toggles, expandable CSV row details, pagination
2026-03-11 NIST SP 800-53 and CIS Controls v8 rules, CSV export with findings
2026-03-10 Manual Entry multi-flow support, zone subnet input validation
2026-03-09 Batch CSV import (500 rows), session save/load, security headers
2026-03-08 Network Zone matrix, user-configurable inter-zone policies, longest-prefix IP matching
2026-03-04 Initial release.

Shame

Facepalm