1#!/bin/perl
2# for best results, bring up all your interfaces before running this
3
4if ($^O =~ m/^irix/i)
5{
6    &irix_mkfilters || regular_mkfilters || die $!;
7}
8else
9{
10    &regular_mkfilters || irix_mkfilters || die $!;
11}
12
13foreach $i (keys %ifaces) {
14	$net{$i} = $inet{$i}."/".$netmask{$i} if (defined($inet{$i}));
15}
16#
17# print out route suggestions
18#
19print "#\n";
20print "# The following routes should be configured, if not already:\n";
21print "#\n";
22foreach $i (keys %ifaces) {
23	next if (($i =~ /lo/) || !defined($net{$i}) || defined($ppp{$i}));
24	print "# route add $inet{$i} localhost 0\n";
25}
26print "#\n";
27
28#
29# print out some generic filters which people should use somewhere near the top
30#
31print "block in log quick from any to any with ipopts\n";
32print "block in log quick proto tcp from any to any with short\n";
33
34$grpi = 0;
35
36foreach $i (keys %ifaces) {
37	if (!defined($inet{$i})) {
38		next;
39	}
40
41	$grpi += 100;
42	$grpo = $grpi + 50;
43
44	if ($i !~ /lo/) {
45		print "pass out on $i all head $grpo\n";
46		print "block out from 127.0.0.0/8 to any group $grpo\n";
47		print "block out from any to 127.0.0.0/8 group $grpo\n";
48		print "block out from any to $inet{$i}/32 group $grpo\n";
49		print "pass in on $i all head $grpi\n";
50		print "block in from 127.0.0.0/8 to any group $grpi\n";
51		print "block in from $inet{$i}/32 to any group $grpi\n";
52		foreach $j (keys %ifaces) {
53			if ($i ne $j && $j !~ /^lo/ && defined($net{$j})) {
54				print "block in from $net{$j} to any group $grpi\n";
55			}
56		}
57	}
58}
59
60sub irix_mkfilters
61{
62    open(NETSTAT, "/usr/etc/netstat -i|") || return 0;
63
64    while (defined($line = <NETSTAT>))
65    {
66	if ($line =~ m/^Name/)
67	{
68	    next;
69	}
70	elsif ($line =~ m/^(\S+)/)
71	{
72	    open(I, "/usr/etc/ifconfig $1|") || return 0;
73	    &scan_ifconfig;
74	    close I;		# being neat... - Allen
75	}
76    }
77    close NETSTAT;			# again, being neat... - Allen
78    return 1;
79}
80
81sub regular_mkfilters
82{
83    open(I, "ifconfig -a|") || return 0;
84    &scan_ifconfig;
85    close I;			# being neat... - Allen
86    return 1;
87}
88
89sub scan_ifconfig
90{
91    while (<I>) {
92	chop;
93	if (/^[a-zA-Z]+\d+:/) {
94	    ($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;
95	    $ifaces{$iface} = $iface;
96	    next;
97	}
98	if (/inet/) {
99	    if (/\-\-\>/) { # PPP, (SLIP?)
100			($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;
101			($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;
102		    } else {
103			($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;
104		    }
105	}
106	if (/netmask/) {
107	    ($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;
108		    $mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
109	    $netmask{$iface} = $mask;
110	}
111	if (/broadcast/) {
112	    ($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;
113	}
114    }
115}
116
117