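#!/usr/local/bin/perl
#
# Print suggested ipf(5) filter rules and routes for every configured
# interface on this host.
#
# For best results, bring up all your interfaces before running this.
#
# Interface addresses come from ifconfig(8): "ifconfig -a" where the system
# supports it, otherwise (IRIX) one ifconfig run per interface listed by
# "netstat -i".  Everything is printed to STDOUT.  Rule groups are numbered
# 100, 200, ... for inbound and 150, 250, ... for outbound traffic.

use strict;
use warnings;

# Run the program only when executed directly; a test may "require" this
# file and call the parsing subs without probing the live system.
main() unless caller;

# Collect the interface table and print the suggestions.
# Dies with $! when neither probe can start its commands.
sub main {
    # Probe in the order that fits $^O, the other method as a fallback.  Both
    # must be real calls with parens: a bare `regular_mkfilters || die` is a
    # true string constant, not a call, when the sub is defined later in the
    # file, so the fallback never ran in the original.
    my $if = ($^O =~ m/^irix/i)
        ? (irix_mkfilters() || regular_mkfilters())
        : (regular_mkfilters() || irix_mkfilters());
    die $! unless $if;

    print_rules($if);
    return;
}

# IRIX has no "ifconfig -a": list the interfaces with netstat and run
# ifconfig on each one.  Returns the interface table (see scan_ifconfig),
# or nothing when a command cannot be started.
sub irix_mkfilters {
    my %if;
    open(my $netstat, '-|', '/usr/etc/netstat', '-i') or return;

    while (my $line = <$netstat>) {
        next if $line =~ m/^Name/;          # column header
        next unless $line =~ m/^(\S+)/;
        my $name = $1;
        # List-form open: the interface name taken from netstat output is
        # passed as an argument and never interpolated into a shell command.
        open(my $ifconfig, '-|', '/usr/etc/ifconfig', $name) or return;
        scan_ifconfig($ifconfig, \%if);
        close $ifconfig;
    }
    close $netstat;
    return \%if;
}

# Everything else: one "ifconfig -a" listing.  Returns the interface table,
# or nothing when ifconfig cannot be started.
sub regular_mkfilters {
    open(my $ifconfig, '-|', 'ifconfig', '-a') or return;
    my $if = scan_ifconfig($ifconfig, {});
    close $ifconfig;
    return $if;
}

# Parse one ifconfig(8) listing read from $fh into the table $if
# (name => record) and return $if.  A record may hold:
#   inet    - the interface address
#   ppp     - the peer address of a point-to-point ("inet A --> B") link
#   netmask - the netmask, prefixed with "0x" when printed as bare hex
#   bcast   - the broadcast address
# Detail lines seen before the first "name:" header are ignored, and a
# field is only set when its pattern actually matches the line.
sub scan_ifconfig {
    my ($fh, $if) = @_;
    $if ||= {};
    my $iface;

    while (my $line = <$fh>) {
        chomp $line;

        # An interface header sits at column 0 as "name: flags=..."; the
        # detail lines that follow it are indented.
        if ($line =~ m/^(\S+):\s/) {
            $iface = $1;
            $if->{$iface} ||= {};
            next;
        }
        next unless defined $iface;
        my $rec = $if->{$iface};

        # "inet A --> B" is a point-to-point link (PPP, maybe SLIP): A is
        # the local address, B the peer.  "inet6 ..." does not match
        # "inet " and is left alone instead of clobbering the address.
        if ($line =~ m/\binet (\S+) --> (\S+)/) {
            $rec->{inet} = $1;
            $rec->{ppp}  = $2;
        }
        elsif ($line =~ m/\binet (\S+)/) {
            $rec->{inet} = $1;
        }

        if ($line =~ m/\bnetmask (\S+)/) {
            my $mask = $1;
            # Some systems print the mask as bare hex (ffffff00); give it
            # the 0x prefix so the "addr/mask" rule is unambiguous.
            $mask = "0x$mask" if $mask =~ m/^[0-9a-f]+$/;
            $rec->{netmask} = $mask;
        }

        if ($line =~ m/\bbroadcast (\S+)/) {
            $rec->{bcast} = $1;
        }
    }
    return $if;
}

# True for the loopback interface (lo, lo0, ...), which gets no rules of
# its own and is never used as a source network.
sub is_loopback {
    my ($name) = @_;
    return $name =~ m/^lo/;
}

# Print the route suggestions, the generic top-of-ruleset rules and one
# in/out rule group per interface that has an address, for the table $if.
sub print_rules {
    my ($if) = @_;

    # Sorted so the output and the group numbering are reproducible.
    my @names = sort keys %$if;

    # "addr/mask" per interface, only when both halves are known; an
    # address with a missing mask would print an invalid "addr/" rule.
    my %net;
    for my $name (@names) {
        my $rec = $if->{$name};
        if (defined($rec->{inet}) && defined($rec->{netmask})) {
            $net{$name} = "$rec->{inet}/$rec->{netmask}";
        }
    }

    print "#\n";
    print "# The following routes should be configured, if not already:\n";
    print "#\n";
    for my $name (@names) {
        next if is_loopback($name);
        next unless defined $net{$name};
        next if defined $if->{$name}{ppp};    # point-to-point: no local route
        print "# route add $if->{$name}{inet} localhost 0\n";
    }
    print "#\n";

    # Generic rules that belong somewhere near the top of any rule set.
    print "block in log quick from any to any with ipopts\n";
    print "block in log quick proto tcp from any to any with short\n";

    my $grpi = 0;
    for my $name (@names) {
        my $rec = $if->{$name};
        next unless defined $rec->{inet};

        # Every addressed interface, loopback included, consumes a group
        # number so the numbering stays stable.
        $grpi += 100;
        my $grpo = $grpi + 50;
        next if is_loopback($name);

        print "pass out on $name all head $grpo\n";
        print "block out from 127.0.0.0/8 to any group $grpo\n";
        print "block out from any to 127.0.0.0/8 group $grpo\n";
        print "block out from any to $rec->{inet}/32 group $grpo\n";
        print "pass in on $name all head $grpi\n";
        print "block in from 127.0.0.0/8 to any group $grpi\n";
        print "block in from $rec->{inet}/32 to any group $grpi\n";

        # Anti-spoofing: traffic claiming to come from one of our other
        # networks must not arrive on this interface.
        for my $other (@names) {
            next if $other eq $name;
            next if is_loopback($other);
            next unless defined $net{$other};
            print "block in from $net{$other} to any group $grpi\n";
        }
    }
    return;
}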