Sync usage with man page.
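#!/usr/pkg/bin/perl
# for best results, bring up all your interfaces before running this
#
# Prints a starter filter ruleset on stdout, built from the interface
# addresses that ifconfig reports.  The output is only as good as the
# interface data: an interface that is down or was not parsed gets no
# rules, so review the result before loading it.

# Collect the interface data, trying the platform's native method first.
# The parentheses on every call matter: the subs are defined further down,
# so a bare `regular_mkfilters` here is parsed as a plain string, which is
# always true - the fallback would never run and die would never be reached.
if ($^O =~ m/^irix/i)
{
    irix_mkfilters() || regular_mkfilters()
        || die "mkfilters: unable to read the interface configuration: $!\n";
}
else
{
    regular_mkfilters() || irix_mkfilters()
        || die "mkfilters: unable to read the interface configuration: $!\n";
}

# Build "address/netmask" for every interface that has an address.
foreach my $i (sort keys %ifaces) {
    next if (!defined($inet{$i}));
    if (!defined($netmask{$i})) {
        # Without a netmask the rule text would be "addr/", which is not a
        # usable network.  Say so on stderr instead of emitting it.
        warn "mkfilters: no netmask found for $i, no network rules for it\n";
        next;
    }
    $net{$i} = $inet{$i}."/".$netmask{$i};
}

#
# print out route suggestions
#
print "#\n";
print "# The following routes should be configured, if not already:\n";
print "#\n";
foreach my $i (sort keys %ifaces) {
    # Anchored so that only loopback names are skipped; an unanchored /lo/
    # would also skip any interface whose name merely contains "lo".
    next if (($i =~ /^lo/) || !defined($net{$i}) || defined($ppp{$i}));
    print "# route add $inet{$i} localhost 0\n";
}
print "#\n";

#
# print out some generic filters which people should use somewhere near the top
#
print "block in log quick from any to any with ipopts\n";
print "block in log quick proto tcp from any to any with short\n";

# Each interface with an address gets two rule groups: $grpi for inbound
# (100, 200, ...) and $grpo = $grpi + 50 for outbound.  The interfaces are
# walked in sorted order so that group numbers are the same on every run,
# which keeps successive rulesets diffable.
my $grpi = 0;

foreach my $i (sort keys %ifaces) {
    next if (!defined($inet{$i}));

    $grpi += 100;
    my $grpo = $grpi + 50;

    # Loopback interfaces consume a group number but get no rules.  The match
    # is anchored like the one in the inner loop, so a non-loopback interface
    # with "lo" inside its name is not silently left unfiltered.
    if ($i !~ /^lo/) {
        print "pass out on $i all head $grpo\n";
        print "block out from 127.0.0.0/8 to any group $grpo\n";
        print "block out from any to 127.0.0.0/8 group $grpo\n";
        print "block out from any to $inet{$i}/32 group $grpo\n";
        print "pass in on $i all head $grpi\n";
        print "block in from 127.0.0.0/8 to any group $grpi\n";
        print "block in from $inet{$i}/32 to any group $grpi\n";

        # Anti-spoofing: traffic arriving on $i must not claim a source
        # address from a network attached to another interface.
        foreach my $j (sort keys %ifaces) {
            if ($i ne $j && $j !~ /^lo/ && defined($net{$j})) {
                print "block in from $net{$j} to any group $grpi\n";
            }
        }
    }
}
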
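# Collect interface data the IRIX way: list the interfaces with
# "netstat -i", then run ifconfig once per interface and let scan_ifconfig
# parse its output from filehandle I.
# Returns 1 on success, 0 if netstat or any ifconfig could not be started.
sub irix_mkfilters
{
    open(NETSTAT, "/usr/etc/netstat -i|") || return 0;

    while (defined(my $line = <NETSTAT>))
    {
        next if ($line =~ m/^Name/);        # column header line
        next unless ($line =~ m/^(\S+)/);   # first column is the name
        my $name = $1;

        # List-form pipe open: the name taken from netstat's output is
        # handed to ifconfig as a single argument and never passes through
        # a shell, so characters such as "*" or ";" in that column cannot
        # be expanded or interpreted as commands.
        if (!open(I, '-|', '/usr/etc/ifconfig', $name))
        {
            # Do not leak the netstat pipe, and keep the errno from the
            # failed open for the caller's error message.
            my $saved_errno = $!;
            close NETSTAT;
            $! = $saved_errno;
            return 0;
        }
        scan_ifconfig();
        close I;
    }
    close NETSTAT;
    return 1;
}
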
# Collect interface data from a single "ifconfig -a" run, parsed by
# scan_ifconfig through filehandle I.
# Returns 1 once the output has been read, 0 if the pipe could not be opened.
#
# NOTE(review): ifconfig is named without a path here, so the binary that
# runs is whichever one PATH resolves to.  The generated rules are built from
# its output, so run this with a trusted PATH.
sub regular_mkfilters
{
    return 0 unless open(I, "ifconfig -a|");

    scan_ifconfig();
    close I;    # release the pipe once the output has been consumed

    return 1;
}

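# Parse ifconfig output from the already-open filehandle I and record, per
# interface: its name (%ifaces), address (%inet), point-to-point peer
# (%ppp), netmask (%netmask) and broadcast address (%bcast).
#
# Values are stored only when the line really matches the expected
# "keyword value" form.  The earlier copy-then-substitute idiom kept the
# whole line whenever the substitution failed - for instance on an "inet6"
# line, which matches /inet/ but not "inet " - and that text then ended up
# inside the generated rules.  Lines for other address families are ignored.
sub scan_ifconfig
{
    my $iface;

    while (defined(my $line = <I>)) {
        # chomp removes only a trailing newline; chop would eat the last
        # character of a final line that has none.
        chomp $line;

        # "name0: flags=..." starts the section for a new interface.
        if ($line =~ /^([a-zA-Z]+\d+):/) {
            $iface = $1;
            $ifaces{$iface} = $iface;
            next;
        }

        # Nothing to attach values to until an interface header was seen.
        next unless defined($iface);

        if ($line =~ /.*inet ([^ ]+) \-\-\> ([^ ]+)/) { # PPP, (SLIP?)
            $inet{$iface} = $1;
            $ppp{$iface}  = $2;
        }
        elsif ($line =~ /.*inet ([^ ]+)/) {
            $inet{$iface} = $1;
        }

        if ($line =~ /.*netmask ([^ ]+)/) {
            my $mask = $1;
            # A mask made only of hex digits gets the 0x prefix added.
            $mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
            $netmask{$iface} = $mask;
        }

        if ($line =~ /.*broadcast ([^ ]+)/) {
            $bcast{$iface} = $1;
        }
    }
    return;
}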