head	1.1;
branch	1.1.1;
access;
symbols
	RELENG_8_4:1.1.1.3.0.76
	RELENG_9_1_0_RELEASE:1.1.1.3
	RELENG_9_1:1.1.1.3.0.74
	RELENG_9_1_BP:1.1.1.3
	RELENG_8_3_0_RELEASE:1.1.1.3
	RELENG_8_3:1.1.1.3.0.72
	RELENG_8_3_BP:1.1.1.3
	RELENG_9_0_0_RELEASE:1.1.1.3
	RELENG_9_0:1.1.1.3.0.70
	RELENG_9_0_BP:1.1.1.3
	RELENG_9:1.1.1.3.0.68
	RELENG_9_BP:1.1.1.3
	RELENG_7_4_0_RELEASE:1.1.1.3
	RELENG_8_2_0_RELEASE:1.1.1.3
	RELENG_7_4:1.1.1.3.0.66
	RELENG_7_4_BP:1.1.1.3
	RELENG_8_2:1.1.1.3.0.64
	RELENG_8_2_BP:1.1.1.3
	RELENG_8_1_0_RELEASE:1.1.1.3
	RELENG_8_1:1.1.1.3.0.62
	RELENG_8_1_BP:1.1.1.3
	RELENG_7_3_0_RELEASE:1.1.1.3
	RELENG_7_3:1.1.1.3.0.60
	RELENG_7_3_BP:1.1.1.3
	RELENG_8_0_0_RELEASE:1.1.1.3
	RELENG_8_0:1.1.1.3.0.58
	RELENG_8_0_BP:1.1.1.3
	RELENG_8:1.1.1.3.0.56
	RELENG_8_BP:1.1.1.3
	RELENG_7_2_0_RELEASE:1.1.1.3
	RELENG_7_2:1.1.1.3.0.54
	RELENG_7_2_BP:1.1.1.3
	RELENG_7_1_0_RELEASE:1.1.1.3
	RELENG_6_4_0_RELEASE:1.1.1.3
	RELENG_7_1:1.1.1.3.0.52
	RELENG_7_1_BP:1.1.1.3
	RELENG_6_4:1.1.1.3.0.50
	RELENG_6_4_BP:1.1.1.3
	RELENG_7_0_0_RELEASE:1.1.1.3
	RELENG_6_3_0_RELEASE:1.1.1.3
	RELENG_7_0:1.1.1.3.0.48
	RELENG_7_0_BP:1.1.1.3
	RELENG_6_3:1.1.1.3.0.46
	RELENG_6_3_BP:1.1.1.3
	v4-1-28:1.1.1.3
	RELENG_7:1.1.1.3.0.44
	RELENG_7_BP:1.1.1.3
	v4-1-23:1.1.1.3
	RELENG_6_2_0_RELEASE:1.1.1.3
	RELENG_6_2:1.1.1.3.0.42
	RELENG_6_2_BP:1.1.1.3
	v4-1-13:1.1.1.3
	RELENG_5_5_0_RELEASE:1.1.1.3
	RELENG_5_5:1.1.1.3.0.40
	RELENG_5_5_BP:1.1.1.3
	RELENG_6_1_0_RELEASE:1.1.1.3
	RELENG_6_1:1.1.1.3.0.38
	RELENG_6_1_BP:1.1.1.3
	v4-1-10:1.1.1.3
	RELENG_6_0_0_RELEASE:1.1.1.3
	RELENG_6_0:1.1.1.3.0.36
	RELENG_6_0_BP:1.1.1.3
	RELENG_6:1.1.1.3.0.34
	RELENG_6_BP:1.1.1.3
	RELENG_5_4_0_RELEASE:1.1.1.3
	v4-1-8:1.1.1.3
	RELENG_5_4:1.1.1.3.0.32
	RELENG_5_4_BP:1.1.1.3
	RELENG_4_11_0_RELEASE:1.1.1.3
	RELENG_4_11:1.1.1.3.0.30
	RELENG_4_11_BP:1.1.1.3
	RELENG_5_3_0_RELEASE:1.1.1.3
	RELENG_5_3:1.1.1.3.0.28
	RELENG_5_3_BP:1.1.1.3
	RELENG_5:1.1.1.3.0.26
	RELENG_5_BP:1.1.1.3
	v3-4-35:1.1.1.3
	RELENG_4_10_0_RELEASE:1.1.1.3
	RELENG_4_10:1.1.1.3.0.24
	RELENG_4_10_BP:1.1.1.3
	RELENG_5_2_1_RELEASE:1.1.1.3
	RELENG_5_2_0_RELEASE:1.1.1.3
	RELENG_5_2:1.1.1.3.0.22
	RELENG_5_2_BP:1.1.1.3
	RELENG_4_9_0_RELEASE:1.1.1.3
	RELENG_4_9:1.1.1.3.0.20
	RELENG_4_9_BP:1.1.1.3
	RELENG_5_1_0_RELEASE:1.1.1.3
	RELENG_5_1:1.1.1.3.0.18
	RELENG_5_1_BP:1.1.1.3
	RELENG_4_8_0_RELEASE:1.1.1.3
	RELENG_4_8:1.1.1.3.0.16
	RELENG_4_8_BP:1.1.1.3
	v3-4-31:1.1.1.3
	RELENG_5_0_0_RELEASE:1.1.1.3
	RELENG_5_0:1.1.1.3.0.14
	RELENG_5_0_BP:1.1.1.3
	RELENG_4_7_0_RELEASE:1.1.1.3
	RELENG_4_7:1.1.1.3.0.12
	RELENG_4_7_BP:1.1.1.3
	v3-4-29:1.1.1.3
	RELENG_4_6_2_RELEASE:1.1.1.3
	RELENG_4_6_1_RELEASE:1.1.1.3
	RELENG_4_6_0_RELEASE:1.1.1.3
	v3-4-28:1.1.1.3
	RELENG_4_6:1.1.1.3.0.10
	RELENG_4_6_BP:1.1.1.3
	v3-4-27:1.1.1.3
	v3-4-26:1.1.1.3
	v3-4-25:1.1.1.3
	RELENG_4_5_0_RELEASE:1.1.1.3
	RELENG_4_5:1.1.1.3.0.8
	RELENG_4_5_BP:1.1.1.3
	RELENG_4_4_0_RELEASE:1.1.1.3
	RELENG_4_4:1.1.1.3.0.6
	RELENG_4_4_BP:1.1.1.3
	v3-4-20:1.1.1.3
	RELENG_4_3_0_RELEASE:1.1.1.3
	RELENG_4_3:1.1.1.3.0.4
	RELENG_4_3_BP:1.1.1.3
	v3-4-16:1.1.1.3
	rev:1.1.1.3
	RELENG_4_2_0_RELEASE:1.1.1.3
	v3-4-13:1.1.1.3
	v3-4-12:1.1.1.3
	RELENG_4_1_1_RELEASE:1.1.1.3
	PRE_SMPNG:1.1.1.3
	v3-4-9:1.1.1.3
	RELENG_4_1_0_RELEASE:1.1.1.3
	v3-4-8:1.1.1.3
	RELENG_3_5_0_RELEASE:1.1.1.2
	v3_4_4:1.1.1.3
	RELENG_4_0_0_RELEASE:1.1.1.3
	RELENG_4:1.1.1.3.0.2
	RELENG_4_BP:1.1.1.3
	v3_3_8:1.1.1.3
	v3_3_6:1.1.1.3
	RELENG_3_4_0_RELEASE:1.1.1.2
	v3_3_3:1.1.1.3
	RELENG_3_3_0_RELEASE:1.1.1.2
	RELENG_3_2_PAO:1.1.1.2.0.4
	RELENG_3_2_PAO_BP:1.1.1.2
	RELENG_3_2_0_RELEASE:1.1.1.2
	RELENG_3_1_0_RELEASE:1.1.1.2
	RELENG_3:1.1.1.2.0.2
	RELENG_3_BP:1.1.1.2
	RELENG_3_0_0_RELEASE:1.1.1.2
	v3_2_7:1.1.1.2
	v3_2_3:1.1.1.2
	v3_2_1:1.1.1.2
	v3-2-a7:1.1.1.1
	V3_2_A4:1.1.1.1
	ipfilter3_1_8:1.1.1.1
	DARRENR:1.1.1
	ipfilter3_1_7:1.1.1.1
	DARRENREED:1.1.1;
locks; strict;
comment	@# @;


1.1
date	97.02.09.22.49.49;	author darrenr;	state Exp;
branches
	1.1.1.1;
next	;

1.1.1.1
date	97.02.09.22.49.49;	author darrenr;	state Exp;
branches;
next	1.1.1.2;

1.1.1.2
date	97.11.16.04.48.21;	author peter;	state Exp;
branches;
next	1.1.1.3;

1.1.1.3
date	99.11.08.20.50.29;	author guido;	state Exp;
branches
	1.1.1.3.76.1;
next	;

1.1.1.3.76.1
date	99.11.08.20.50.29;	author svnexp;	state dead;
branches;
next	1.1.1.3.76.2;

1.1.1.3.76.2
date	2013.03.28.13.01.19;	author svnexp;	state Exp;
branches;
next	;


desc
@@


1.1
log
@Initial revision
@
text
@#!/usr/local/bin/perl
# Prints suggested ipf anti-spoofing rules on stdout, built from "ifconfig -a" output; for best results, bring up all your interfaces before running this
open(I, "ifconfig -a|") || die $!;	# NOTE(review): ifconfig is resolved through PATH; consider an absolute path - confirm how this script is run
while (<I>) {	# one line of ifconfig output per pass
	chop;	# drop the last character (presumably the newline)
	if (/^[a-zA-Z]+\d+:/) {	# "name<digits>:" header line starts a new interface
		($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;	# keep only the interface name
		$ifaces{$iface} = $iface;
		next;
	}
	if (/inet/) {	# NOTE(review): also true for "inet6" lines; the substitutions below need "inet " and otherwise leave the whole line in $inet{$iface} - confirm on dual-stack hosts
		if (/\-\-\>/) { # PPP, (SLIP?): line of the form "inet LOCAL --> REMOTE"
			($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;	# local address
			($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;	# remote address
		} else {
			($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;	# interface address
		}
	}
	if (/netmask/) {
		($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;	# word that follows "netmask"
		$mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);	# a bare lowercase-hex mask gets a 0x prefix
		$netmask{$iface} = $mask;
	}
	if (/broadcast/) {
		($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;	# stored, but not read by the rule generation below
	}
}
foreach $i (keys %ifaces) {	# build "address/netmask" for every interface that has an address
	$net{$i} = $inet{$i}."/".$netmask{$i} if (defined($inet{$i}));
}
#
# print out route suggestions (emitted as "#" comment lines, one per eligible interface)
#
print "#\n";
print "# The following routes should be configured, if not already:\n";
print "#\n";
foreach $i (keys %ifaces) {
	next if (($i =~ /lo/) || !defined($net{$i}) || defined($ppp{$i}));	# skip names containing "lo", interfaces without an address, and point-to-point links
	print "# route add $inet{$i} localhost 0\n";
}
print "#\n";

#
# print out some generic filters which people should use somewhere near the top
# of their ruleset: drop packets carrying IP options and short TCP packets
print "block in log quick from any to any with ipopts\n";
print "block in log quick proto tcp from any to any with short\n";

foreach $i (keys %ifaces) {	# per-interface rules; keys() order is unspecified, so output order can vary between runs
	if (!defined($inet{$i})) {	# no address parsed for this interface: nothing to emit
		next;
	}
	if ($i !~ /lo/) {	# NOTE(review): unanchored, unlike /^lo/ in the inner loop; any name containing "lo" gets no rules
		print "block in on $i from 127.0.0.0/8 to any\n";	# loopback addresses are blocked in both directions on a non-loopback interface
		print "block out on $i from 127.0.0.0/8 to any\n";
		print "block out on $i from any to 127.0.0.0/8\n";
		print "block in on $i from $inet{$i}/32 to any\n";	# inbound packet that claims this interface's own address as source
		print "block out on $i from any to $inet{$i}/32\n";	# outbound packet addressed to this interface's own address
		foreach $j (keys %ifaces) {
			if ($i ne $j && $j !~ /^lo/ && defined($net{$j})) {	# every other non-loopback interface that has an address
				print "block in on $i from $net{$j} to any\n";	# source taken from another interface's address/netmask must not arrive on $i
			}
		}
	}
}
@


1.1.1.1
log
@Import IP Filter v3.1.7 into FreeBSD tree
@
text
@@


1.1.1.2
log
@Import ipfilter 3.2.1 (update from 3.1.8)
@
text
@a48 2
$grpi = 0;

a52 4

	$grpi += 100;
	$grpo = $grpi + 50;

d54 5
a58 7
		print "pass out on $i all head $grpo\n";
		print "block out from 127.0.0.0/8 to any group $grpo\n";
		print "block out from any to 127.0.0.0/8 group $grpo\n";
		print "block out from any to $inet{$i}/32 group $grpo\n";
		print "pass in on $i all head $grpi\n";
		print "block in from 127.0.0.0/8 to any group $grpi\n";
		print "block in from $inet{$i}/32 to any group $grpi\n";
d61 1
a61 1
				print "block in from $net{$j} to any group $grpi\n";
@
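Review bot: The added `pass out on $i all head $grpo` and `pass in on $i all head $grpi` lines make the generated output pass everything on each interface that the group's block rules do not catch, and none of the per-interface rules is marked `quick`. ipf applies the last matching rule unless a rule is `quick`, so where this output sits relative to hand-written rules decides which of them still take effect, and nothing visible in this delta tells the user that. I would document it next to the existing "generic filters" comment, for example `# the per-interface head rules pass all remaining traffic on that interface; load this output ahead of your own rules`. The enclosing `foreach $i (keys %ifaces)` loop starts and ends outside the delta.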


1.1.1.3
log
@Import of ipfilter 3.3.3  in anticipation of its revival.
More to come in the next days.
@
text
@d3 24
a26 8

if ($^O =~ m/^irix/i)
{
    &irix_mkfilters || regular_mkfilters || die $!;
}
else
{
    &regular_mkfilters || irix_mkfilters || die $!;
a27 1

a73 58

sub irix_mkfilters
{
    open(NETSTAT, "/usr/etc/netstat -i|") || return 0;
    
    while (defined($line = <NETSTAT>))
    {
	if ($line =~ m/^Name/)
	{
	    next;
	}
	elsif ($line =~ m/^(\S+)/)
	{
	    open(I, "/usr/etc/ifconfig $1|") || return 0;
	    &scan_ifconfig;
	    close I;		# being neat... - Allen
	}
    }
    close NETSTAT;			# again, being neat... - Allen
    return 1;
}

sub regular_mkfilters
{
    open(I, "ifconfig -a|") || return 0;
    &scan_ifconfig;
    close I;			# being neat... - Allen
    return 1;
}

sub scan_ifconfig
{
    while (<I>) {
	chop;
	if (/^[a-zA-Z]+\d+:/) {
	    ($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;
	    $ifaces{$iface} = $iface;
	    next;
	}
	if (/inet/) {
	    if (/\-\-\>/) { # PPP, (SLIP?)
			($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;
			($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;
		    } else {
			($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;
		    }
	}
	if (/netmask/) {
	    ($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;
		    $mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
	    $netmask{$iface} = $mask;
	}
	if (/broadcast/) {
	    ($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;
	}
    }
}
    
@
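Review bot: In `&irix_mkfilters || regular_mkfilters || die $!;` and the mirrored line in the else branch, the second name is a bareword used before its `sub` has been seen and without strict subs, so perl treats it as the string "regular_mkfilters" (or "irix_mkfilters") rather than a call. That string is true, so the fallback never runs and `die` is never reached: when the first probe fails, the script carries on with empty tables and prints only the header comments and the two generic rules. Calling both explicitly fixes it, e.g. `&irix_mkfilters() || &regular_mkfilters() || die "no usable ifconfig output: $!\n";`. The closing brace of the else block lies outside the delta, and the same two lines appear again in the full text of revision 1.1.1.3.76.2.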


1.1.1.3.76.1
log
@file mkfilters was added on branch RELENG_8_4 on 2013-03-28 13:01:19 +0000
@
text
@d1 116
@


1.1.1.3.76.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 116
#!/usr/local/bin/perl
# for best results, bring up all your interfaces before running this

if ($^O =~ m/^irix/i)
{
    &irix_mkfilters || regular_mkfilters || die $!;
}
else
{
    &regular_mkfilters || irix_mkfilters || die $!;
}

foreach $i (keys %ifaces) {
	$net{$i} = $inet{$i}."/".$netmask{$i} if (defined($inet{$i}));
}
#
# print out route suggestions
#
print "#\n";
print "# The following routes should be configured, if not already:\n";
print "#\n";
foreach $i (keys %ifaces) {
	next if (($i =~ /lo/) || !defined($net{$i}) || defined($ppp{$i}));
	print "# route add $inet{$i} localhost 0\n";
}
print "#\n";

#
# print out some generic filters which people should use somewhere near the top
#
print "block in log quick from any to any with ipopts\n";
print "block in log quick proto tcp from any to any with short\n";

$grpi = 0;

foreach $i (keys %ifaces) {
	if (!defined($inet{$i})) {
		next;
	}

	$grpi += 100;
	$grpo = $grpi + 50;

	if ($i !~ /lo/) {
		print "pass out on $i all head $grpo\n";
		print "block out from 127.0.0.0/8 to any group $grpo\n";
		print "block out from any to 127.0.0.0/8 group $grpo\n";
		print "block out from any to $inet{$i}/32 group $grpo\n";
		print "pass in on $i all head $grpi\n";
		print "block in from 127.0.0.0/8 to any group $grpi\n";
		print "block in from $inet{$i}/32 to any group $grpi\n";
		foreach $j (keys %ifaces) {
			if ($i ne $j && $j !~ /^lo/ && defined($net{$j})) {
				print "block in from $net{$j} to any group $grpi\n";
			}
		}
	}
}

sub irix_mkfilters
{
    open(NETSTAT, "/usr/etc/netstat -i|") || return 0;
    
    while (defined($line = <NETSTAT>))
    {
	if ($line =~ m/^Name/)
	{
	    next;
	}
	elsif ($line =~ m/^(\S+)/)
	{
	    open(I, "/usr/etc/ifconfig $1|") || return 0;
	    &scan_ifconfig;
	    close I;		# being neat... - Allen
	}
    }
    close NETSTAT;			# again, being neat... - Allen
    return 1;
}

sub regular_mkfilters
{
    open(I, "ifconfig -a|") || return 0;
    &scan_ifconfig;
    close I;			# being neat... - Allen
    return 1;
}

sub scan_ifconfig
{
    while (<I>) {
	chop;
	if (/^[a-zA-Z]+\d+:/) {
	    ($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;
	    $ifaces{$iface} = $iface;
	    next;
	}
	if (/inet/) {
	    if (/\-\-\>/) { # PPP, (SLIP?)
			($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;
			($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;
		    } else {
			($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;
		    }
	}
	if (/netmask/) {
	    ($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;
		    $mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
	    $netmask{$iface} = $mask;
	}
	if (/broadcast/) {
	    ($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;
	}
    }
}
    
@
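Review bot: All three pipe opens build a command string: `open(I, "ifconfig -a|")` relies on PATH to find ifconfig, and `open(I, "/usr/etc/ifconfig $1|")` pastes the first column of netstat output into a string that perl may hand to the shell. For a script whose output is meant to become firewall rules, I would name each binary by absolute path and pass the interface name as a separate argument, e.g. `open(I, "-|", "/usr/etc/ifconfig", $1) || return 0;` (list form, perl 5.8 or later), after checking the name against the same `^[a-zA-Z]+\d+$` shape that scan_ifconfig expects. The early `return 0` inside the while loop of irix_mkfilters also leaves NETSTAT open. The same lines are in the 1.1.1.3 delta above.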


