#!/usr/local/bin/perl
# for best results, bring up all your interfaces before running this
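# Collect the interface data the rest of the script prints rules for.
# The IRIX path enumerates interfaces via "netstat -i" and runs ifconfig
# per interface; every other platform tries "ifconfig -a" first.
#
# Each call carries parentheses on purpose: the subs are defined further
# down the file, so a bare name such as "regular_mkfilters" used here
# would be parsed as a string constant (always true), which silently
# disabled the fallback in the original "&irix_mkfilters || regular_mkfilters".
if ($^O =~ m/^irix/i)
{
    irix_mkfilters() or regular_mkfilters() or die $!;
}
else
{
    regular_mkfilters() or irix_mkfilters() or die $!;
}
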
# Build %net ("address/netmask") for every interface that has an address.
for my $name (keys %ifaces) {
    next unless defined $inet{$name};
    $net{$name} = join '/', $inet{$name}, $netmask{$name};
}
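#
# print out route suggestions
#
print "#\n";
print "# The following routes should be configured, if not already:\n";
print "#\n";
for my $name (keys %ifaces) {
    # Skip loopback (anchored at the start of the name, the same test the
    # per-interface group rules below use), interfaces without an address,
    # and point-to-point links.
    next if $name =~ /^lo/;
    next unless defined $net{$name};
    next if defined $ppp{$name};
    print "# route add $inet{$name} localhost 0\n";
}
print "#\n";
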
#
# print out some generic filters which people should use somewhere near the top
#
print "block in log quick from any to any with ipopts\n",
      "block in log quick proto tcp from any to any with short\n";

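# Per-interface rule groups.  Every interface with an address consumes a
# block of group numbers: $grpi for inbound, $grpi + 50 for outbound.
# Loopback interfaces take a number but get no rules.
my $grpi = 0;

for my $name (keys %ifaces) {
    next unless defined $inet{$name};

    $grpi += 100;
    my $grpo = $grpi + 50;

    # Anchored loopback test, consistent with the inner loop below.
    next if $name =~ /^lo/;

    print "pass out on $name all head $grpo\n";
    print "block out from 127.0.0.0/8 to any group $grpo\n";
    print "block out from any to 127.0.0.0/8 group $grpo\n";
    print "block out from any to $inet{$name}/32 group $grpo\n";
    print "pass in on $name all head $grpi\n";
    print "block in from 127.0.0.0/8 to any group $grpi\n";
    print "block in from $inet{$name}/32 to any group $grpi\n";

    # Anti-spoofing: traffic claiming to come from one of our other
    # networks must not arrive on this interface.
    for my $other (keys %ifaces) {
        next if $other eq $name;
        next if $other =~ /^lo/;
        next unless defined $net{$other};
        print "block in from $net{$other} to any group $grpi\n";
    }
}
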
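# Gather interface data on IRIX: list the interfaces with "netstat -i" and
# run ifconfig once for each, feeding the output to scan_ifconfig (which
# fills the %ifaces/%inet/%ppp/%netmask/%bcast globals through the bareword
# handle I).  Returns 1 on success, 0 if a command could not be started.
sub irix_mkfilters
{
    open(my $netstat, '-|', '/usr/etc/netstat', '-i') or return 0;

    while (defined(my $line = <$netstat>))
    {
        next if $line =~ m/^Name/;          # column header
        next unless $line =~ m/^(\S+)/;
        my $ifname = $1;                    # copy before any other regex runs

        # List-form pipe open: the interface name taken from netstat output
        # is passed as a single argv element and never goes through a shell.
        open(I, '-|', '/usr/etc/ifconfig', $ifname) or return 0;
        scan_ifconfig();
        close I;
    }
    close $netstat;
    return 1;
}
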
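# Gather interface data with a single "ifconfig -a", parsed by scan_ifconfig
# through the bareword handle I.  Returns 1 on success, 0 if ifconfig could
# not be started (the caller then tries the IRIX method).
sub regular_mkfilters
{
    # List-form open (no shell involved); fails cleanly if ifconfig is absent.
    open(I, '-|', 'ifconfig', '-a') or return 0;
    scan_ifconfig();
    close I;
    return 1;
}
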
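# Parse ifconfig output from the already opened bareword handle I and
# record it in the package globals used by the rest of the script:
#   %ifaces  - interface name => itself
#   %inet    - interface => address from the "inet <addr>" line
#   %ppp     - interface => far end of an "inet a --> b" point-to-point line
#   %netmask - interface => netmask ("ffffff00" style masks get a 0x prefix)
#   %bcast   - interface => broadcast address
# The global $iface remembers which interface's lines are being read.
sub scan_ifconfig
{
    while (my $line = <I>) {
        chomp $line;

        # "le0: flags=..." opens a new interface section.
        if ($line =~ /^([a-zA-Z]+\d+):/) {
            $iface = $1;
            $ifaces{$iface} = $iface;
            next;
        }

        # Assign only when the "inet <addr>" pattern really matches.  The
        # original stored the whole line whenever a line merely contained
        # "inet" (e.g. "inet6 ..."), clobbering the address recorded earlier.
        if ($line =~ /inet ([^ ]+) \-\-\> ([^ ]+)/) {   # PPP, (SLIP?)
            $inet{$iface} = $1;
            $ppp{$iface}  = $2;
        }
        elsif ($line =~ /inet ([^ ]+)/) {
            $inet{$iface} = $1;
        }

        if ($line =~ /netmask ([^ ]+)/) {
            my $mask = $1;
            # Bare hex masks are given the 0x prefix the generated rules use.
            $mask = "0x$mask" if $mask =~ /^[0-9a-f]*$/;
            $netmask{$iface} = $mask;
        }

        if ($line =~ /broadcast ([^ ]+)/) {
            $bcast{$iface} = $1;
        }
    }
}
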