1*7c478bd9Sstevel@tonic-gate#!/bin/perl
2*7c478bd9Sstevel@tonic-gate# for best results, bring up all your interfaces before running this
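# Collect interface data (into the %ifaces/%inet/%netmask/%ppp hashes that
# scan_ifconfig fills in) with the platform's tools: the IRIX layout first
# on IRIX, generic "ifconfig -a" first everywhere else.
#
# Both subs are called with parentheses.  The original "&name" form passed
# this scope's @_ along, and the bare "regular_mkfilters"/"irix_mkfilters"
# fallbacks - not yet declared at this point in the file - parsed as string
# constants, which are always true: the fallback reader never ran and the
# die was unreachable, so a failed reader silently produced an empty
# interface list.
if ($^O =~ m/^irix/i) {
    irix_mkfilters() || regular_mkfilters()
        || die "mkfilters: cannot read interface configuration: $!";
}
else {
    regular_mkfilters() || irix_mkfilters()
        || die "mkfilters: cannot read interface configuration: $!";
}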
# Build the "address/mask" form of each configured interface's network; the
# anti-spoofing rules below block this from every *other* interface.
# Interfaces with no inet address are left out of %net.
for my $iface (grep { defined $inet{$_} } keys %ifaces) {
    $net{$iface} = join('/', $inet{$iface}, $netmask{$iface});
}
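#
# print out route suggestions
#
# Interfaces are visited in sorted order so the output is stable between
# runs (hash order is not).  Loopback is matched anchored ("^lo") to agree
# with the spoofing rules further down; point-to-point links are skipped
# because they carry no local network to route.
print "#\n";
print "# The following routes should be configured, if not already:\n";
print "#\n";
for my $iface (sort keys %ifaces) {
    next if $iface =~ /^lo/;
    next unless defined $net{$iface};
    next if defined $ppp{$iface};
    print "# route add $inet{$iface} localhost 0\n";
}
print "#\n";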
#
# print out some generic filters which people should use somewhere near the top
#
# Both are logged "quick" blocks: packets carrying IP options, and TCP
# fragments too short to hold a complete header.
print "$_\n" for (
    'block in log quick from any to any with ipopts',
    'block in log quick proto tcp from any to any with short',
);
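# Per-interface rule groups.  Every interface with an address gets an inbound
# group number ($grpi: 100, 200, ...) and an outbound one ($grpo = in + 50).
# Interfaces are visited in sorted order so the group numbers are the same
# from run to run; with raw hash order they shuffled between invocations,
# which makes the generated rule sets impossible to diff or reference.
my $grpi = 0;

for my $i (sort keys %ifaces) {
    next unless defined $inet{$i};

    $grpi += 100;
    my $grpo = $grpi + 50;

    # Loopback gets no rules.  Anchored "^lo", as the inner loop below
    # already did; the unanchored /lo/ would match any name containing "lo".
    next if $i =~ /^lo/;

    # Outbound: nothing to or from 127/8 may leave the box, and nothing
    # addressed to this interface's own address should be sent out on it.
    # "/32" assumes $inet{$i} is an IPv4 address.
    print "pass out on $i all head $grpo\n";
    print "block out from 127.0.0.0/8 to any group $grpo\n";
    print "block out from any to 127.0.0.0/8 group $grpo\n";
    print "block out from any to $inet{$i}/32 group $grpo\n";

    # Inbound anti-spoofing: drop 127/8, our own address, and anything
    # claiming a source on a network that lives behind another interface.
    print "pass in on $i all head $grpi\n";
    print "block in from 127.0.0.0/8 to any group $grpi\n";
    print "block in from $inet{$i}/32 to any group $grpi\n";
    for my $j (sort keys %ifaces) {
        next if $j eq $i || $j =~ /^lo/ || !defined $net{$j};
        print "block in from $net{$j} to any group $grpi\n";
    }
}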
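# IRIX: list interfaces with "netstat -i", run ifconfig on each one, and
# feed its output to scan_ifconfig through the bareword handle I.
# Returns 1 on success, 0 if a command pipe could not be opened.
sub irix_mkfilters
{
    # List-form open runs the command directly: no shell ever sees the
    # interface names parsed out of netstat's output.  The original
    # "/usr/etc/ifconfig $1|" interpolated that text into a shell command.
    open(NETSTAT, '-|', '/usr/etc/netstat', '-i') || return 0;

    while (defined(my $line = <NETSTAT>)) {
        next if $line =~ m/^Name/;          # column header
        next unless $line =~ m/^(\S+)/;     # first column is the interface
        my $name = $1;

        if (!open(I, '-|', '/usr/etc/ifconfig', $name)) {
            close NETSTAT;                  # don't leak the pipe on early return
            return 0;
        }
        scan_ifconfig();
        close I;        # being neat... - Allen
    }
    close NETSTAT;      # again, being neat... - Allen
    return 1;
}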
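# Generic platforms: "ifconfig -a" lists every interface in one go.
# Its output goes to scan_ifconfig through the bareword handle I.
# Returns 1 on success, 0 if the pipe could not be opened.
sub regular_mkfilters
{
    # List-form open: no shell involved.  The command is still found via
    # PATH, as it was with the original "ifconfig -a|".
    open(I, '-|', 'ifconfig', '-a') || return 0;
    scan_ifconfig();
    close I;            # being neat... - Allen
    return 1;
}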
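# Parse ifconfig-style output and record, per interface, what the filter
# generator needs.  Results go into the script-wide hashes:
#   %ifaces  - name => name            (the set of interfaces seen)
#   %inet    - name => IPv4 address    (the "inet " line)
#   %ppp     - name => remote address  (point-to-point "inet LOCAL --> REMOTE")
#   %netmask - name => netmask as printed, with "0x" prefixed to bare hex
#              masks (Solaris prints e.g. "ff000000")
#   %bcast   - name => broadcast address
#
# Input is read from the bareword handle I, which the callers open, unless a
# filehandle is passed as the first argument.  Returns nothing.
#
# Fixes over the original: only the IPv4 "inet " line is taken - the old
# /inet/ test also matched "inet6 ..." lines, whose substitution then failed
# and left the *whole line* in $inet{$iface}, producing garbage rules;
# chomp replaces chop, which ate the last byte of a final line lacking "\n";
# attribute lines seen before any interface header are skipped instead of
# being filed under the empty key.
sub scan_ifconfig
{
    my $fh = @_ ? $_[0] : \*I;

    my $iface;                  # interface whose attribute lines follow
    while (defined(my $line = <$fh>)) {
        chomp $line;

        # "name0: flags=..." starts a new interface section.  Logical
        # interfaces ("hme0:1:") fold into their physical one, as before.
        if ($line =~ /^([a-zA-Z]+\d+):/) {
            $iface = $1;
            $ifaces{$iface} = $iface;
            next;
        }

        next unless defined $iface;

        # "\binet " excludes "inet6"; the capture is only stored on a match.
        if ($line =~ /\binet (\S+) --> (\S+)/) {    # PPP, (SLIP?)
            $inet{$iface} = $1;
            $ppp{$iface}  = $2;
        }
        elsif ($line =~ /\binet (\S+)/) {
            $inet{$iface} = $1;
        }

        if ($line =~ /netmask (\S+)/) {
            my $mask = $1;
            # Bare hex masks get a 0x prefix so consumers can tell them
            # from dotted quads; "0x..." and dotted forms are left alone.
            $mask = "0x$mask" if $mask =~ /^[0-9a-f]*$/;
            $netmask{$iface} = $mask;
        }

        if ($line =~ /broadcast (\S+)/) {
            $bcast{$iface} = $1;
        }
    }
    return;
}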