Date:      Mon, 21 Feb 2000 19:32:52 -0800
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Juergen Lock <nox@jelal.kn-bremen.de>
Cc:        freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject:   Re: `higher level' packet filter rules language/editor to ease maintenance?
Message-ID:  <200002220333.TAA56292@cwsys.cwsent.com>
In-Reply-To: Your message of "Sat, 19 Feb 2000 00:33:34 +0100." <20000219003334.A1117@saturn.kn-bremen.de> 

In message <20000219003334.A1117@saturn.kn-bremen.de>, Juergen Lock 
writes:
> Hi!
> 
>  Is there such a thing as in the subject?  Something that lets me,
> say, put rules in groups, easily move around or clone groups, apply
> global changes to groups like search/replace addresses/netmasks?
> Sure I can hack something up with a bit of perl/whatever for my
> specific problem, but maybe there is something more general out
> there...
> 
>  I currently need something for ipfw but even if what you use only
> knows ipfilter (or something else?) I'd like to hear about it,
> I may happen to like it so much that I'd just add ipfw
> support... :) (as long as source is available, obviously.)
> 
>  I have seen `flc' that was linked on (I think) the ipfilter homepage
> but decided to ask here first as it seems no longer maintained and
> would need to be updated (it's from 1995!) to at least add all the
> ipfw features that are new since then.  The idea to be able to
> generate rules for several different packet filters from the same
> input file certainly looked interesting though and it would seem a
> bit strange to assume that really no one uses it anymore...
> (or is there a successor maybe?)

When I used IPFW and on the boxes that I still use IPFW on, I had a 
shell script that would build "firewall.conf" files, or in the case of 
my network at home, that would bring up a firewall for an interface 
when I dialled into work or my friend's ISP.

My firewall scripts contained something along the lines of the following.

# fw: wrapper around ipfw so the rule syntax stays in one place
# (the message shows only the calls; this definition is assumed)
fw() {
	ipfw add "$@"
}

KRB5_CLIENTS="host1 host2 host3"
KRB_SRVRS="krb1 krb2"
KRB_PORTS="88,750"
TRUSTED_HOSTS="host1 1.2.3.0/24 host5"

# every Kerberos client may talk to every KDC on the Kerberos ports,
# and the KDCs may answer
for SYSTEM in $KRB5_CLIENTS; do
	for KRB in $KRB_SRVRS; do
		fw allow udp from $SYSTEM to $KRB $KRB_PORTS
		fw allow udp from $KRB $KRB_PORTS to $SYSTEM
	done
done

for SYSTEM in $TRUSTED_HOSTS; do ....

# final catch-all: deny and log anything not allowed above
fw deny log ip from any to any

Once a script has been created for a firewall, maintaining the 
definitions section of the script is easy.

To expand on this idea, one could apply this concept to IP Filter 
rules, though the syntax would be different.  The fw function could 
become a generic routine that would transform arguments into input for 
various firewalls.
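Here is what such a generic fw routine could look like, as an added example
rather than the script from the message above.  It keeps the definitions
section and the loops, and renders each rule in either ipfw or IP Filter
(ipf) syntax depending on FW_BACKEND.  The argument order, the "-"
placeholder for "any port", the way ipf rules are expanded per direction
and per port, the trusted-host ssh rule and the host names are all this
example's own assumptions.  The rules are printed rather than loaded, so the
generated set can be read, or diffed against the running one, before anything
is applied.

```sh
#!/bin/sh
# Added example: a generic "fw" routine that renders one rule in the
# syntax of the backend named by FW_BACKEND (ipfw or IP Filter's ipf).
# The argument order, the "-" placeholder for "any port", the direction
# handling for ipf and the host names are this example's own
# assumptions, not anything from the original message.  Rules are
# printed, not loaded, so the generated set can be reviewed or diffed
# against the running one before it is applied.

FW_BACKEND="${FW_BACKEND:-ipfw}"   # ipfw | ipf

# fw ACTION PROTO SRC SPORTS DST DPORTS
#   ACTION         allow or deny (deny rules are always logged)
#   SPORTS/DPORTS  comma-separated port list, or "-" for any port
fw() {
	action=$1 proto=$2 src=$3 sports=$4 dst=$5 dports=$6
	case $FW_BACKEND in
	ipfw)
		# ipfw takes a port list directly and is not per direction
		sp=; dp=; log=
		[ "$sports" != - ] && sp=" $sports"
		[ "$dports" != - ] && dp=" $dports"
		[ "$action" = deny ] && log=" log"
		printf 'ipfw add %s%s %s from %s%s to %s%s\n' \
			"$action" "$log" "$proto" "$src" "$sp" "$dst" "$dp"
		;;
	ipf)
		# IP Filter rules are per direction; this example also emits
		# one port per rule, so one fw call expands into several rules
		verb=pass; log=
		[ "$action" = deny ] && verb=block && log=" log"
		pr=; [ "$proto" != ip ] && pr=" proto $proto"
		for dir in in out; do
			for s in $(echo "$sports" | tr , ' '); do
				for d in $(echo "$dports" | tr , ' '); do
					sp=; dp=
					[ "$s" != - ] && sp=" port = $s"
					[ "$d" != - ] && dp=" port = $d"
					printf '%s %s%s quick%s from %s%s to %s%s\n' \
						"$verb" "$dir" "$log" "$pr" "$src" "$sp" "$dst" "$dp"
				done
			done
		done
		;;
	*)
		echo "fw: unknown backend '$FW_BACKEND'" >&2
		return 1
		;;
	esac
}

# definitions section: the hosts below are constructed for the example
KRB5_CLIENTS="host1 host2 host3"
KRB_SRVRS="krb1 krb2"
KRB_PORTS="88,750"
TRUSTED_HOSTS="host1 1.2.3.0/24 host5"
THIS_HOST="gw1"

# gen_rules [BACKEND]: print the complete rule set; runs in a subshell
# so a backend override given as argument does not leak out
gen_rules() (
	FW_BACKEND=${1:-$FW_BACKEND}
	for SYSTEM in $KRB5_CLIENTS; do
		for KRB in $KRB_SRVRS; do
			fw allow udp "$SYSTEM" - "$KRB" "$KRB_PORTS"
			fw allow udp "$KRB" "$KRB_PORTS" "$SYSTEM" -
		done
	done
	# trusted hosts may ssh to this box (assumed policy for the example)
	for SYSTEM in $TRUSTED_HOSTS; do
		fw allow tcp "$SYSTEM" - "$THIS_HOST" 22
	done
	# the catch-all must stay last: it matches whatever nothing above allowed
	fw deny ip any - any -
)

# rule_count [BACKEND]: how many rules the backend needs for the same policy
rule_count() {
	gen_rules "$1" | wc -l | tr -d ' '
}

# usage: sh rules.sh [ipfw|ipf]
gen_rules "${1:-$FW_BACKEND}"
```

The same policy comes out as 16 ipfw rules and 56 ipf rules, which is the
point of keeping the definitions in one place: the expansion that differs
between filters lives in fw, and the policy is edited in the variables and
loops only.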


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC
                    "COBOL IS A WASTE OF CARDS."