HardenedBSD/contrib/ipfilter/mkfilters
Cy Schubert bfc88dcbf7 Update ipfilter 4.1.28 --> 5.1.2.
Approved by:		glebius (mentor)
BSD Licensed by:	Darren Reed <darrenr@reed.wattle.id.au> (author)
2013-09-06 23:11:19 +00:00

117 lines
2.6 KiB
Perl

#!/usr/local/bin/perl
# for best results, bring up all your interfaces before running this
if ($^O =~ m/^irix/i)
{
&irix_mkfilters || regular_mkfilters || die $!;
}
else
{
&regular_mkfilters || irix_mkfilters || die $!;
}
foreach $i (keys %ifaces) {
$net{$i} = $inet{$i}."/".$netmask{$i} if (defined($inet{$i}));
}
#
# print out route suggestions
#
print "#\n";
print "# The following routes should be configured, if not already:\n";
print "#\n";
foreach $i (keys %ifaces) {
next if (($i =~ /lo/) || !defined($net{$i}) || defined($ppp{$i}));
print "# route add $inet{$i} localhost 0\n";
}
print "#\n";
#
# print out some generic filters which people should use somewhere near the top
#
print "block in log quick from any to any with ipopts\n";
print "block in log quick proto tcp from any to any with short\n";
$grpi = 0;
foreach $i (keys %ifaces) {
if (!defined($inet{$i})) {
next;
}
$grpi += 100;
$grpo = $grpi + 50;
if ($i !~ /lo/) {
print "pass out on $i all head $grpo\n";
print "block out from 127.0.0.0/8 to any group $grpo\n";
print "block out from any to 127.0.0.0/8 group $grpo\n";
print "block out from any to $inet{$i}/32 group $grpo\n";
print "pass in on $i all head $grpi\n";
print "block in from 127.0.0.0/8 to any group $grpi\n";
print "block in from $inet{$i}/32 to any group $grpi\n";
foreach $j (keys %ifaces) {
if ($i ne $j && $j !~ /^lo/ && defined($net{$j})) {
print "block in from $net{$j} to any group $grpi\n";
}
}
}
}
sub irix_mkfilters
{
open(NETSTAT, "/usr/etc/netstat -i|") || return 0;
while (defined($line = <NETSTAT>))
{
if ($line =~ m/^Name/)
{
next;
}
elsif ($line =~ m/^(\S+)/)
{
open(I, "/usr/etc/ifconfig $1|") || return 0;
&scan_ifconfig;
close I; # being neat... - Allen
}
}
close NETSTAT; # again, being neat... - Allen
return 1;
}
sub regular_mkfilters
{
open(I, "ifconfig -a|") || return 0;
&scan_ifconfig;
close I; # being neat... - Allen
return 1;
}
sub scan_ifconfig
{
while (<I>) {
chop;
if (/^[a-zA-Z]+\d+:/) {
($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;
$ifaces{$iface} = $iface;
next;
}
if (/inet/) {
if (/\-\-\>/) { # PPP, (SLIP?)
($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;
($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;
} else {
($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;
}
}
if (/netmask/) {
($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;
$mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
$netmask{$iface} = $mask;
}
if (/broadcast/) {
($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;
}
}
}