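#!/usr/bin/perl
# ipfrule.pl
# June 5th, 2009
# dave@darkcode.info
#
####################
#
# ipfrule.pl is a simple perl script
# that will write ipf firewall rules.
#
# Usage:
# ./ipfrule.pl -pass | -block -in | -out -tcp [-udp] [-port PORTNUM]
#   [-from (IP Address)] [-to (IP Address)] [-interface dc0] [-file /path/to/rules]
#   [-rules] [-help]
#
# -rules prints the current contents of the rule file and exits; every other
# invocation appends exactly one "... keep state" rule to that file.  Each
# option value is copied verbatim into the rule file, so the values are
# checked (validate_options) before anything is written: the original script
# accepted arbitrary text there, and it also used 2-arg open on the
# user-supplied path, which lets the path itself select the open mode.
#
# The script is a "modulino": run it directly and main() executes; load it
# with require/do and only the subs are defined, which is what the tests use.
#
####################
use strict;
use warnings;

# Printed before anything else.  Kept exactly as the (collapsed) original.
my $BANNER = " _ ___ ____ ____ _ _ _ ____ | |__] |___ |__/ | | | |___ | | | | \\ |__| |___ |___ \n";

# Help text.  The original said "-f" here while the parser only understood
# "-file"; the text now matches the parser.
my $USAGE = "\n\tipfrule.pl USAGE:\n\n./ipfrule.pl -pass | -block -in | -out -tcp [-udp] [-port PORTNUM] [-from (IP Address)] [-to (IP Address)] [-interface dc0] [-file /path/to/rules] [-rules]\n\n\n";

my $DEFAULT_RULE_FILE = '/etc/ipf.rules';

# Boolean switches: command-line token -> option key.
my %SWITCH_FOR = (
    '-pass'  => 'pass',
    '-block' => 'block',
    '-in'    => 'in',
    '-out'   => 'out',
    '-tcp'   => 'tcp',
    '-udp'   => 'udp',
    '-rules' => 'rules',
    '-help'  => 'help',
);

# Options that take the following token as their value.
my %VALUE_FOR = (
    '-interface' => 'device',
    '-from'      => 'from',
    '-to'        => 'to',
    '-port'      => 'port',
    '-file'      => 'file',
);

# parse_args(@argv)
#
# Turns the command line into an options hashref with these keys:
#   pass, block, in, out, tcp, udp, rules, help  - 0/1 switches
#   device  - interface name ('' when -interface was not given)
#   from/to - address strings, default 'any'
#   port    - port string, default '0' meaning "no port clause"
#   file    - rule file path, default $DEFAULT_RULE_FILE
# A value option that is the last token has no value and is ignored, as in
# the original.  The value token is consumed, so "-from -pass" no longer
# both sets from='-pass' and switches on pass.  Unknown tokens are reported
# on STDERR and skipped rather than silently dropped.
sub parse_args {
    my @args = @_;
    my %opt = (
        pass   => 0,
        block  => 0,
        in     => 0,
        out    => 0,
        tcp    => 0,
        udp    => 0,
        rules  => 0,
        help   => 0,
        device => '',
        from   => 'any',
        to     => 'any',
        port   => '0',
        file   => $DEFAULT_RULE_FILE,
    );

    my $i = 0;
    while ($i <= $#args) {
        my $token = $args[$i];
        if (exists $SWITCH_FOR{$token}) {
            $opt{ $SWITCH_FOR{$token} } = 1;
        }
        elsif (exists $VALUE_FOR{$token}) {
            if ($i < $#args) {
                $i++;
                $opt{ $VALUE_FOR{$token} } = $args[$i];
            }
        }
        else {
            warn "ignoring unrecognised argument '$token'\n";
        }
        $i++;
    }
    return \%opt;
}

# validate_options($opt)
#
# Dies unless every value that will be written into the rule file looks like
# what it claims to be.  The rule file is line-oriented, so whitespace and
# punctuation that cannot occur in an interface name, address or port are
# rejected; that is what keeps one command line from producing more than
# the single rule the user asked for.
#   device - optional; letters/digits/[._:-], starting with a letter
#   from/to - 'any', or an address/hostname with optional "/prefix" and
#             optional leading "!" (ipf negation)
#   port   - decimal 0..65535 (0 is the "not given" default)
sub validate_options {
    my ($opt) = @_;

    if ($opt->{device} ne '' && $opt->{device} !~ /\A[A-Za-z][A-Za-z0-9_.:-]*\z/) {
        die "invalid interface name '$opt->{device}'\n";
    }

    for my $side (qw(from to)) {
        my $addr = $opt->{$side};
        next if $addr eq 'any';
        if ($addr !~ m{\A !? [0-9A-Za-z.:-]+ (?: / \d{1,3} )? \z}x) {
            die "invalid -$side address '$addr'\n";
        }
    }

    my $port = $opt->{port};
    if ($port !~ /\A\d{1,5}\z/ || $port > 65535) {
        die "invalid -port '$port' (expected 1-65535)\n";
    }
    return;
}

# build_rule($opt)
#
# Returns the ipf rule text for the parsed options, e.g.
#   "pass in quick on dc0 proto tcp from any to 10.0.0.1 port = 22 keep state"
# Dies (with the original messages) when neither or both of -pass/-block,
# or neither or both of -in/-out, were given.  Clause order and the trailing
# "keep state" are unchanged from the original script.
sub build_rule {
    my ($opt) = @_;
    my @clause;

    # action
    if ($opt->{pass} && $opt->{block}) {
        die '-pass and -block are mutually exclusive';
    }
    if (!$opt->{pass} && !$opt->{block}) {
        die 'You must choose either -pass or -block';
    }
    push @clause, $opt->{pass} ? 'pass' : 'block';

    # direction; "quick" makes this rule final when it matches
    if ($opt->{in} && $opt->{out}) {
        die 'You can only create one new rule at a time! -in and -out are mutually exclusive!';
    }
    if (!$opt->{in} && !$opt->{out}) {
        die 'You must specify -in or -out';
    }
    push @clause, $opt->{in} ? 'in quick' : 'out quick';

    # interface
    push @clause, "on $opt->{device}" if $opt->{device} ne '';

    # protocol (optional)
    if ($opt->{tcp} && $opt->{udp}) {
        push @clause, 'proto tcp/udp';
    }
    elsif ($opt->{tcp}) {
        push @clause, 'proto tcp';
    }
    elsif ($opt->{udp}) {
        push @clause, 'proto udp';
    }

    push @clause, "from $opt->{from} to $opt->{to}";

    # port only when one was given ('0' is the default)
    push @clause, "port = $opt->{port}" if $opt->{port} != 0;

    # keep state for added security
    push @clause, 'keep state';

    return join ' ', @clause;
}

# show_rules($file)
#
# Prints the rule file to STDOUT.  Dies if it cannot be opened.
sub show_rules {
    my ($file) = @_;
    open my $fh, '<', $file or die("can't open rule file");
    while (my $line = <$fh>) {
        print $line;
    }
    close $fh;
    return;
}

# write_rule($file, $rule)
#
# Appends $rule, surrounded by newlines, to $file.  3-arg open so the path
# is only ever a path; close is checked because buffered write errors only
# surface there.
sub write_rule {
    my ($file, $rule) = @_;
    open my $fh, '>>', $file or die('can\'t open rule file ' . $file);
    print {$fh} "\n", $rule, "\n" or die "can't write rule file $file: $!";
    close $fh or die "can't close rule file $file: $!";
    return;
}

# main(@argv)
#
# Program entry point.  -help and -rules exit 0 after printing (the original
# died, i.e. exited non-zero and printed "Died at ..." after the rules).
sub main {
    my @args = @_;
    print $BANNER;

    my $opt = parse_args(@args);

    if ($opt->{help}) {
        print $USAGE;
        exit 0;
    }
    if ($opt->{rules}) {
        show_rules($opt->{file});
        exit 0;
    }

    validate_options($opt);
    my $rule = build_rule($opt);
    write_rule($opt->{file}, $rule);

    # success message reports the plain path (the original printed ">>path")
    print "\nSuccessfully created and wrote new rule to $opt->{file}!\n";
    print "The new rule is:\n$rule\n";
    return;
}

main(@ARGV) unless caller;

1;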