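#!/bin/perl
# for best results, bring up all your interfaces before running this
#
# Emits an IP Filter ruleset skeleton derived from the host's interface
# configuration: a comment block of routes that should exist, a couple of
# generic "block ... with ipopts/short" rules, and per-interface head groups
# with anti-spoofing blocks (loopback net, the interface's own address and
# every other directly attached network).
#
# Interface data comes from scraping ifconfig (and, on IRIX, netstat -i).
# The scraped fields are only ever used to build rule text; the interface
# name taken from netstat is passed to ifconfig as an argv element, not
# through a shell.

use strict;
use warnings;

# Per-interface state filled in by scan_ifconfig(); all keyed by interface name.
my %ifaces;     # name -> name (the set of interfaces seen)
my %inet;       # name -> local IPv4 address
my %ppp;        # name -> peer address of a point-to-point link ("-->" lines)
my %netmask;    # name -> netmask as printed, bare hex masks prefixed with 0x
my %bcast;      # name -> broadcast address (collected, not used below)
my %net;        # name -> "address/netmask" for interfaces that have an address

# The collectors must be called with parentheses: they are defined further
# down the file, so a bare `regular_mkfilters || ...` parses as a bareword
# string under no strict, meaning the fallback and the die could never run.
if ($^O =~ m/^irix/i) {
    irix_mkfilters() || regular_mkfilters()
        || die "unable to run netstat/ifconfig: $!\n";
}
else {
    regular_mkfilters() || irix_mkfilters()
        || die "unable to run netstat/ifconfig: $!\n";
}

foreach my $i (sort keys %ifaces) {
    next unless defined $inet{$i};
    # An address without a netmask keeps the "addr/" form the script always
    # produced, rather than emitting an uninitialized-value warning.
    my $mask = defined $netmask{$i} ? $netmask{$i} : '';
    $net{$i} = $inet{$i} . "/" . $mask;
}

#
# print out route suggestions
#
print "#\n";
print "# The following routes should be configured, if not already:\n";
print "#\n";
foreach my $i (sort keys %ifaces) {
    # Loopback, address-less interfaces and point-to-point links get no route line.
    next if $i =~ /^lo/ || !defined $net{$i} || defined $ppp{$i};
    print "# route add $inet{$i} localhost 0\n";
}
print "#\n";

#
# print out some generic filters which people should use somewhere near the top
#
print "block in log quick from any to any with ipopts\n";
print "block in log quick proto tcp from any to any with short\n";

# Group numbering: inbound group = 100, 200, ...; outbound = inbound + 50.
# Every interface with an address consumes a number, loopback included.
my $grpi = 0;

foreach my $i (sort keys %ifaces) {
    next unless defined $inet{$i};

    $grpi += 100;
    my $grpo = $grpi + 50;

    next if $i =~ /^lo/;    # no rules for loopback, but it still took a group number

    print "pass out on $i all head $grpo\n";
    print "block out from 127.0.0.0/8 to any group $grpo\n";
    print "block out from any to 127.0.0.0/8 group $grpo\n";
    print "block out from any to $inet{$i}/32 group $grpo\n";
    print "pass in on $i all head $grpi\n";
    print "block in from 127.0.0.0/8 to any group $grpi\n";
    print "block in from $inet{$i}/32 to any group $grpi\n";
    # Anti-spoofing: packets claiming a source on another attached network
    # must not arrive on this interface.
    foreach my $j (sort keys %ifaces) {
        next if $i eq $j || $j =~ /^lo/ || !defined $net{$j};
        print "block in from $net{$j} to any group $grpi\n";
    }
}

# IRIX: enumerate interfaces with "netstat -i", then run ifconfig on each.
# Returns 1 on success, 0 if either command could not be started.
sub irix_mkfilters {
    # List-form pipe open: no shell is involved, so the interface name
    # scraped from netstat is an argument to ifconfig, never interpolated
    # into a command string.
    open(my $netstat, '-|', '/usr/etc/netstat', '-i') || return 0;

    while (defined(my $line = <$netstat>)) {
        next if $line =~ m/^Name/;    # column header
        if ($line =~ m/^(\S+)/) {
            my $name = $1;
            open(my $ifc, '-|', '/usr/etc/ifconfig', $name) || return 0;
            scan_ifconfig($ifc);
            close $ifc;               # being neat... - Allen
        }
    }
    close $netstat;                   # again, being neat... - Allen
    return 1;
}

# Everything else: a single "ifconfig -a" describes all interfaces.
# Returns 1 on success, 0 if ifconfig could not be started.
sub regular_mkfilters {
    open(my $ifc, '-|', 'ifconfig', '-a') || return 0;
    scan_ifconfig($ifc);
    close $ifc;                       # being neat... - Allen
    return 1;
}

# Parse ifconfig output read from the filehandle $fh into %ifaces, %inet,
# %ppp, %netmask and %bcast.  A line such as "le0: flags=..." starts a new
# interface; following "inet", "netmask" and "broadcast" lines belong to it.
# A field is only recorded when its pattern actually matches, so lines that
# merely contain the word (e.g. "inet6 ...") no longer overwrite a good
# value with the whole line.
sub scan_ifconfig {
    my ($fh) = @_;
    my $iface;

    while (my $line = <$fh>) {
        chomp $line;    # chomp, not chop: a final line without a newline keeps its last char
        if ($line =~ /^([a-zA-Z]+\d+):/) {
            $iface = $1;
            $ifaces{$iface} = $iface;
            next;
        }
        next unless defined $iface;    # field lines before any interface header

        if ($line =~ /inet ([^ ]+) \-\-\> ([^ ]+)/) {    # PPP, (SLIP?)
            ($inet{$iface}, $ppp{$iface}) = ($1, $2);
        }
        elsif ($line =~ /inet ([^ ]+)/) {
            $inet{$iface} = $1;
        }
        if ($line =~ /netmask ([^ ]+)/) {
            my $mask = $1;
            # A bare hex mask (as some ifconfigs print it) gets a 0x prefix so
            # it reads as a hex number in the generated rules.
            $mask =~ s/^/0x/ if $mask =~ /^[0-9a-f]*$/;
            $netmask{$iface} = $mask;
        }
        if ($line =~ /broadcast ([^ ]+)/) {
            $bcast{$iface} = $1;
        }
    }
    return;
}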