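#!/usr/local/bin/perl
# for best results, bring up all your interfaces before running this
#
# mkfilters: print a starting ipfilter rule set for this host.
#
# Interfaces are discovered with "netstat -i" + "ifconfig <if>" on IRIX and
# with "ifconfig -a" everywhere else; each method falls back to the other.
# The output on STDOUT is:
#   - commented "route add" suggestions, one per non-loopback interface
#   - two generic "block in log quick" rules (IP options, short TCP fragments)
#   - one "in" and one "out" rule group per addressed interface, numbered
#     100/150, 200/250, ... in interface-name order, that drop loopback and
#     locally-sourced addresses arriving on the wrong interface
use strict;
use warnings;

# Per-interface state, keyed by interface name, filled in by scan_ifconfig().
# Package globals rather than file lexicals: they are shared by the three
# subs and the main body, and a caller that require()s this file can read them.
our %ifaces;     # name => name, every interface header seen
our %inet;       # name => IPv4 address
our %ppp;        # name => peer address, point-to-point links only
our %netmask;    # name => netmask; bare hex masks are normalised to 0x... form
our %bcast;      # name => broadcast address
our %net;        # name => "address/netmask", only for interfaces with an address

# Run when executed directly; stay quiet when require()d (e.g. by a test).
main() unless caller;

# Entry point: gather interface data, then print the rule set.
# Dies with $! when neither discovery command could be started.
sub main {
    # Explicit call parens matter here: a bareword in this position is a true
    # string, which would silently skip both the fallback and the die.
    if ($^O =~ m/^irix/i) {
        irix_mkfilters() || regular_mkfilters() || die $!;
    }
    else {
        regular_mkfilters() || irix_mkfilters() || die $!;
    }

    # address/mask pairs, used by the anti-spoofing rules below
    foreach my $i (keys %ifaces) {
        $net{$i} = $inet{$i} . "/" . $netmask{$i} if defined $inet{$i};
    }

    # Interfaces are walked in name order so group numbers and rule order are
    # stable from run to run (hash order is not).
    my @names = sort keys %ifaces;

    #
    # print out route suggestions
    #
    print "#\n";
    print "# The following routes should be configured, if not already:\n";
    print "#\n";
    foreach my $i (@names) {
        # loopback, address-less and point-to-point interfaces get no route
        next if $i =~ /^lo/ || !defined $net{$i} || defined $ppp{$i};
        print "# route add $inet{$i} localhost 0\n";
    }
    print "#\n";

    #
    # print out some generic filters which people should use somewhere near the top
    #
    print "block in log quick from any to any with ipopts\n";
    print "block in log quick proto tcp from any to any with short\n";

    # Each addressed interface gets a pair of rule groups: $grpi for inbound
    # and $grpo = $grpi + 50 for outbound.  The counter advances for every
    # addressed interface, loopback included, even though loopback itself
    # gets no rules.
    my $grpi = 0;
    foreach my $i (@names) {
        next unless defined $inet{$i};
        $grpi += 100;
        my $grpo = $grpi + 50;
        next if $i =~ /^lo/;

        print "pass out on $i all head $grpo\n";
        print "block out from 127.0.0.0/8 to any group $grpo\n";
        print "block out from any to 127.0.0.0/8 group $grpo\n";
        print "block out from any to $inet{$i}/32 group $grpo\n";
        print "pass in on $i all head $grpi\n";
        print "block in from 127.0.0.0/8 to any group $grpi\n";
        print "block in from $inet{$i}/32 to any group $grpi\n";
        # anti-spoofing: packets claiming a source on another local network
        # must not arrive on this interface
        foreach my $j (@names) {
            next if $i eq $j || $j =~ /^lo/ || !defined $net{$j};
            print "block in from $net{$j} to any group $grpi\n";
        }
    }
    return;
}

# IRIX discovery: list interfaces with "netstat -i", then run "ifconfig" for
# each one and feed its output to scan_ifconfig().
# Returns 1 on success, 0 when netstat or any ifconfig could not be started
# (the lexical handles are closed automatically on early return).
sub irix_mkfilters {
    open(my $netstat, '-|', '/usr/etc/netstat', '-i') or return 0;

    while (defined(my $line = <$netstat>)) {
        next if $line =~ m/^Name/;          # column header
        next unless $line =~ m/^(\S+)/;
        my $name = $1;
        # List-form pipe open: the interface name comes from netstat output and
        # is passed to ifconfig as an argument, never through a shell.
        open(my $ifconfig, '-|', '/usr/etc/ifconfig', $name) or return 0;
        scan_ifconfig($ifconfig);
        close $ifconfig;                    # being neat... - Allen
    }
    close $netstat;                         # again, being neat... - Allen
    return 1;
}

# Everything-else discovery: one "ifconfig -a" run.  ifconfig is resolved via
# PATH, so run this with a trusted PATH.
# Returns 1 on success, 0 when ifconfig could not be started.
sub regular_mkfilters {
    open(my $ifconfig, '-|', 'ifconfig', '-a') or return 0;
    scan_ifconfig($ifconfig);
    close $ifconfig;                        # being neat... - Allen
    return 1;
}

# Parse BSD-style ifconfig output read from filehandle $fh into the
# %ifaces/%inet/%ppp/%netmask/%bcast globals.  An interface header looks like
# "name0: flags=..."; the lines that follow it belong to that interface.
# Address values are only stored when their pattern actually matches, so an
# "inet6 ..." line does not clobber the IPv4 address recorded for the same
# interface.  Returns nothing.
sub scan_ifconfig {
    my ($fh) = @_;
    my $iface;

    while (my $line = <$fh>) {
        chomp $line;
        if ($line =~ /^([a-zA-Z]+\d+):/) {
            $iface = $1;
            $ifaces{$iface} = $iface;
            next;
        }
        # anything printed before the first header belongs to no interface
        next unless defined $iface;

        if ($line =~ /inet (\S+) --> (\S+)/) {      # PPP, (SLIP?)
            $inet{$iface} = $1;
            $ppp{$iface}  = $2;
        }
        elsif ($line =~ /inet (\S+)/) {
            $inet{$iface} = $1;
        }
        if ($line =~ /netmask (\S+)/) {
            my $mask = $1;
            # BSD prints a bare hex mask ("ffffff00"); ipf wants "0xffffff00".
            # Dotted-quad and already-prefixed masks are left alone.
            $mask = "0x$mask" if $mask =~ /^[0-9a-f]+$/;
            $netmask{$iface} = $mask;
        }
        if ($line =~ /broadcast (\S+)/) {
            $bcast{$iface} = $1;
        }
    }
    return;
}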