d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6aa5b10d0c
freebsd-dev/share/examples/ipfilter/mkfilters
Cy Schubert 41edb306f0 ipfilter: Move userland bits to sbin 
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sbin/ipf. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to sbin.

This is the second of three commits of the ipfilter move.

Suggested by glebius on two occaions.

Suggested by and discussed with:	glebius
Reviewed by:				glebius, kp (for #network)
MFC after:				1 month
Differential Revision:		https://reviews.freebsd.org/D33510
2021-12-20 06:16:33 -08:00

117 lines
2.6 KiB
Perl
Raw Blame History

#!/usr/local/bin/perl
# for best results, bring up all your interfaces before running this
if ($^O =~ m/^irix/i)
{
&irix_mkfilters || regular_mkfilters || die $!;
}
else
{
&regular_mkfilters || irix_mkfilters || die $!;
}
foreach $i (keys %ifaces) {
$net{$i} = $inet{$i}."/".$netmask{$i} if (defined($inet{$i}));
}
#
# print out route suggestions
#
print "#\n";
print "# The following routes should be configured, if not already:\n";
print "#\n";
foreach $i (keys %ifaces) {
next if (($i =~ /lo/) || !defined($net{$i}) || defined($ppp{$i}));
print "# route add $inet{$i} localhost 0\n";
}
print "#\n";
#
# print out some generic filters which people should use somewhere near the top
#
print "block in log quick from any to any with ipopts\n";
print "block in log quick proto tcp from any to any with short\n";
$grpi = 0;
foreach $i (keys %ifaces) {
if (!defined($inet{$i})) {
next;
}
$grpi += 100;
$grpo = $grpi + 50;
if ($i !~ /lo/) {
print "pass out on $i all head $grpo\n";
print "block out from 127.0.0.0/8 to any group $grpo\n";
print "block out from any to 127.0.0.0/8 group $grpo\n";
print "block out from any to $inet{$i}/32 group $grpo\n";
print "pass in on $i all head $grpi\n";
print "block in from 127.0.0.0/8 to any group $grpi\n";
print "block in from $inet{$i}/32 to any group $grpi\n";
foreach $j (keys %ifaces) {
if ($i ne $j && $j !~ /^lo/ && defined($net{$j})) {
print "block in from $net{$j} to any group $grpi\n";
}
}
}
}
sub irix_mkfilters
{
open(NETSTAT, "/usr/etc/netstat -i|") || return 0;
while (defined($line = <NETSTAT>))
{
if ($line =~ m/^Name/)
{
next;
}
elsif ($line =~ m/^(\S+)/)
{
open(I, "/usr/etc/ifconfig $1|") || return 0;
&scan_ifconfig;
close I; # being neat... - Allen
}
}
close NETSTAT; # again, being neat... - Allen
return 1;
}
sub regular_mkfilters
{
open(I, "ifconfig -a|") || return 0;
&scan_ifconfig;
close I; # being neat... - Allen
return 1;
}
sub scan_ifconfig
{
while (<I>) {
chop;
if (/^[a-zA-Z]+\d+:/) {
($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;
$ifaces{$iface} = $iface;
next;
}
if (/inet/) {
if (/\-\-\>/) { # PPP, (SLIP?)
($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;
($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;
} else {
($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;
}
}
if (/netmask/) {
($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;
$mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
$netmask{$iface} = $mask;
}
if (/broadcast/) {
($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;
}
}
}
Reference in New Issue View Git Blame Copy Permalink