From: Karl Pielorz
Organization: TDX - The Digital eXchange
Date: Tue, 25 Aug 1998 13:38:54 +0100
To: isp@FreeBSD.ORG
Subject: Macro processing? - Firewall configs...
Message-ID: <35E2B05E.6841AE1A@tdx.co.uk>

Hi All,

Does anyone know of a simple 'language' I can use to help look after our firewall configs? I've looked at M4, but it's a bit complex - all I need is some kind of pre-processor that can go through a config file containing statements like:

"allow tcp from anywhere to me.primary http
 allow tcp from me.primary for http to anywhere established"

And translate it to,

"allow tcp from any to 192.168.0.1 80
 allow tcp from 192.168.0.1 80 to any established"

If possible I'd love to be able to put 'special' tokens in so that I can get away with something like:

"allow tcpservice from anywhere to me.primary http"

And have something expand this out, creating the initial 'inbound' rule, and an equivalent reversed rule with the 'established' flag set...

Someone mentioned firewall control languages in the past (with reference to having one config which can be turned into a Cisco IOS configuration, or a FreeBSD ipfw configuration) - this doesn't bother me too much, as all our firewalls are FreeBSD based...

At the moment I'm using shell scripts with ${} expansions, which is bad - leaves me open to typos (e.g. $something expands to ""), and means the config files are hard to read (mainly because of all the '$'s ;-)

Can anyone suggest anything?

Regards,

Karl Pielorz
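
The pre-processor described in the message, as an added Python example that is not part of the original post or of any FreeBSD tool. The symbol tables, the keyword list, the treatment of "for" as a noise word and the exact shape of the tcpservice line are assumptions; an undefined name stops the run with a line number instead of expanding to an empty string.

```python
import re

# Constructed symbol tables; the address and port are the ones used in the message.
HOSTS = {"anywhere": "any", "me.primary": "192.168.0.1"}
PORTS = {"http": "80"}
KEYWORDS = {"allow", "deny", "tcp", "udp", "from", "to", "established"}
LITERAL = re.compile(r"^\d{1,5}$|^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")

class ConfigError(ValueError):
    """Raised for any token that is not a keyword, a literal or a defined name."""

def resolve(token, lineno):
    """Map one token to its output form; unknown names are fatal, never empty."""
    for table in (HOSTS, PORTS):
        if token in table:
            return table[token]
    if token in KEYWORDS or LITERAL.match(token):
        return token
    raise ConfigError(f"line {lineno}: undefined name {token!r}")

def expand_service(words, lineno):
    """'ACTION tcpservice from SRC to DST PORT' -> inbound rule + reversed reply rule."""
    if len(words) != 7 or words[2] != "from" or words[4] != "to":
        raise ConfigError(f"line {lineno}: expected 'ACTION tcpservice from SRC to DST PORT'")
    action, _, _, src, _, dst, port = words
    return [[action, "tcp", "from", src, "to", dst, port],
            [action, "tcp", "from", dst, port, "to", src, "established"]]

def preprocess(text):
    """Return the expanded rule lines for a config written in the symbolic syntax."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Strip '#' comments and drop the noise word "for" (assumed optional).
        words = [w for w in raw.split("#", 1)[0].split() if w != "for"]
        if not words:
            continue
        expanded = expand_service(words, lineno) if words[1:2] == ["tcpservice"] else [words]
        for rule in expanded:
            rules.append(" ".join(resolve(w, lineno) for w in rule))
    return rules

SAMPLE = """\
# constructed input in the syntax proposed in the message
allow tcp from anywhere to me.primary http
allow tcp from me.primary for http to anywhere established
allow tcpservice from anywhere to me.primary http
"""

if __name__ == "__main__":
    print("\n".join(preprocess(SAMPLE)))
```

The output lines match the rule text shown in the message; whatever prefix the firewall loader needs is left to the calling script.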