From owner-freebsd-isp Tue Feb 22 18:43:35 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from laurel.us.net (laurel.us.net [198.240.72.4]) by hub.freebsd.org (Postfix) with ESMTP id 6626237B883 for ; Tue, 22 Feb 2000 18:43:32 -0800 (PST) (envelope-from jjw@laurel.us.net)
Received: (from jjw@localhost) by laurel.us.net (8.9.3/8.9.3) id VAA45061; Tue, 22 Feb 2000 21:43:22 -0500 (EST)
X-Provider: US Net - Where Business Connects! (tm) - 301-361-USNET US Net Web Site: http://www.us.net/ or via Email: info@us.net
From: John Woodruff
Message-Id: <200002230243.VAA45061@laurel.us.net>
Subject: Re: `higer level' packet filter rules language/editor to ease maintainance?
In-Reply-To: <20000219003334.A1117@saturn.kn-bremen.de> from Juergen Lock at "Feb 19, 2000 00:33:34 am"
To: Juergen Lock
Date: Tue, 22 Feb 2000 21:43:22 -0500 (EST)
Cc: freebsd-isp@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Is there such a thing as in the subject? [...]
> I currently need something for ipfw [...]

I've got 93 lines of Perl I used with 2.2.8's ipfw:

Preprocessor for ipfw(8) rules, or anything else that uses line-oriented statements.

Functionality:

- Removes #-style comments and blank lines
- Compresses all white space
- Replaces macros, which are any line with an = sign, as in:
      name = value containing spaces
- Append to macro values using +=, as in
      longmacro = A macro with lots of
      longmacro += added words.
  Note that *no* whitespace is added between parts
- Special multi-line macros. Any input line containing a macro that was defined with '==' gets generated once for each word in the macro definition

Note that macros don't have arguments at all.
so you can say something like:

Ifc = ed1                          # Card facing outside world
MyNet == 198.240.64.0/18           # List of subnets
MyNet +== 206.225.0.0/19
Any = from any to any

# Branch on direction
add skipto 1000 ip Any recv Ifc    # Received from outside world
add skipto 4000 ip Any xmit Ifc    # Sent to outside world
add permit ip Any

# Receive rules
add 1000 deny log ip from MyNet to any

It made a 170-line ipfw filter much more understandable and maintainable, since the critical address ranges could easily be edited into several different rules.

I also wrote a version of this for Cisco configs; it expanded CIDR notation addresses in several different ways, like:

PRIVIP == 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
access-list 112 deny ip any PRIVIP    # No private nets leaking out

Ask and ye shall receive.
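The preprocessor described in the mail, reimplemented in Python as an added example for this page. John Woodruff's 93-line Perl script is not reproduced in the mail, and this is not it; the function name `preprocess` and the `SAMPLE` input (assembled from the mail's own ipfw fragment) are this example's. Where the mail says nothing, the behaviour is an assumption and is marked as such in the code: a `#` anywhere on a line starts a comment, a definition is a line of the form `name <op> value`, macro names are matched as whole words, values are inserted verbatim and never re-scanned, and a line that uses several `==` macros is expanded over their cross product.

```python
"""Line-oriented macro preprocessor in the style described in the mail.

Added example, not the author's Perl.  Assumptions where the mail is silent:
  - a '#' anywhere on a line starts a comment;
  - a definition is a line  name <op> value  with op in  =  +=  ==  +==;
  - macro names are substituted as whole words, values inserted verbatim
    (never re-scanned for further macros);
  - a line using several '==' macros is fanned out over their cross product.
"""
import itertools
import re
from typing import Dict, List

# Longer operators are tried first so '+==' is not read as '+=' or '='.
_DEF_RE = re.compile(r"^(\w+)\s*(\+==|\+=|==|=)\s*(.*)$")
_WORD_RE = re.compile(r"\b\w+\b")
_MARK = "\x00"  # never present in cleaned text, so safe as a placeholder

# Constructed sample input, taken from the ipfw fragment in the mail.
SAMPLE = """\
Ifc = ed1                          # Card facing outside world
MyNet == 198.240.64.0/18           # List of subnets
MyNet +== 206.225.0.0/19
Any = from any to any

# Branch on direction
add skipto 1000 ip Any recv Ifc    # Received from outside world
add skipto 4000 ip Any xmit Ifc    # Sent to outside world
add permit ip Any

# Receive rules
add 1000 deny log ip from MyNet to any
"""


def _clean(line: str) -> str:
    """Drop the #-comment and collapse every run of whitespace to one space."""
    return " ".join(line.split("#", 1)[0].split())


def _expand(line: str, scalars: Dict[str, str], lists: Dict[str, List[str]]) -> List[str]:
    """Substitute scalar macros in one pass, then fan the line out over list macros."""
    used: List[str] = []  # list macros seen on this line, in order of first use

    def sub(match) -> str:
        word = match.group(0)
        if word in lists:
            if word not in used:
                used.append(word)
            return f"{_MARK}{word}{_MARK}"
        return scalars.get(word, word)

    template = _WORD_RE.sub(sub, line)
    if not used:
        return [template]
    out: List[str] = []
    # One output line per combination of words from the list macros used.
    for combo in itertools.product(*(lists[name] for name in used)):
        text = template
        for name, value in zip(used, combo):
            text = text.replace(f"{_MARK}{name}{_MARK}", value)
        out.append(text)
    return out


def preprocess(text: str) -> List[str]:
    """Return the expanded statements for a macro-annotated rule file."""
    scalars: Dict[str, str] = {}
    lists: Dict[str, List[str]] = {}
    out: List[str] = []
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:  # blank or comment-only line
            continue
        m = _DEF_RE.match(line)
        if m is None:
            out.extend(_expand(line, scalars, lists))
            continue
        name, op, value = m.groups()
        if op == "=":
            scalars[name] = value
        elif op == "+=":
            # As the mail notes: no whitespace is inserted between the parts.
            scalars[name] = scalars.get(name, "") + value
        elif op == "==":
            lists[name] = value.split()
        else:  # "+=="
            lists.setdefault(name, []).extend(value.split())
    return out


if __name__ == "__main__":
    for stmt in preprocess(SAMPLE):
        print(stmt)
```

Running the module prints the five expanded ipfw statements; the single `deny log` rule becomes one line per subnet in `MyNet`. The same function handles the Cisco form in the mail (`PRIVIP == ...` followed by `access-list 112 deny ip any PRIVIP`), producing one access-list entry per private range.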