From owner-freebsd-isp Mon Feb 21 19:34:46 2000
From: Cy Schubert - ITSD Open Systems Group
To: Juergen Lock
Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: `higher level' packet filter rules language/editor to ease maintenance?
In-reply-to: Your message of "Sat, 19 Feb 2000 00:33:34 +0100." <20000219003334.A1117@saturn.kn-bremen.de>
Date: Mon, 21 Feb 2000 19:32:52 -0800
Message-Id: <200002220333.TAA56292@cwsys.cwsent.com>
X-OS: FreeBSD 3.4-RELEASE

In message <20000219003334.A1117@saturn.kn-bremen.de>, Juergen Lock writes:
> Hi!
>
> Is there such a thing as in the subject?
> Something that lets me,
> say, put rules in groups, easily move around or clone groups, apply
> global changes to groups like search/replace addresses/netmasks?
> Sure I can hack something up with a bit of perl/whatever for my
> specific problem, but maybe there is something more general out
> there...
>
> I currently need something for ipfw but even if what you use only
> knows ipfilter (or something else?) I'd like to hear about it,
> I may happen to like it so much that I'd just add ipfw
> support... :) (as long as source is available, obviously.)
>
> I have seen `flc' that was linked on (I think) the ipfilter homepage
> but decided to ask here first as it seems no longer maintained and
> would need to be updated (it's from 1995!) to at least add all the
> ipfw features that are new since then. The idea to be able to
> generate rules for several different packet filters from the same
> input file certainly looked interesting though and it would seem a
> bit strange to assume that really no one uses it anymore...
> (or is there a successor maybe?)

When I used IPFW, and on the boxes that I still use IPFW on, I had a shell
script that would build "firewall.conf" files, or in the case of my network
at home, that would bring up a firewall for an interface when I dialled into
work or my friend's ISP. My firewall scripts contained something along the
lines of the following.

#!/bin/sh
# Definitions section: everything site-specific lives here.
KRB5_CLIENTS="host1 host2 host3"
KRB_SRVRS="krb1 krb2"
KRB_PORTS="88,750"
TRUSTED_HOSTS="host1 1.2.3.0/24 host5"

# fw: emit one ipfw rule line; run the script with its output redirected
# to firewall.conf. (The original post used fw without showing its body;
# this minimal definition is added so the script runs.)
fw() {
    echo "add $*"
}

for SYSTEM in $KRB5_CLIENTS; do
    for KRB in $KRB_SRVRS; do
        fw allow udp from $SYSTEM to $KRB $KRB_PORTS
        fw allow udp from $KRB $KRB_PORTS to $SYSTEM
    done
done

for SYSTEM in $TRUSTED_HOSTS; do
    :   # .... (trusted-host rules elided in the original)
done

# Default deny, logged, as the last rule.
fw deny log ip from any to any

Once a script has been created for a firewall, maintaining the definitions
section of the script was easy. To expand on this idea, one could apply this
concept to IP Filter rules, though the syntax would be different.
The fw function could become a generic routine that would transform
arguments into input for various firewalls.

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/DEC Team       Internet:  Cy.Schubert@uumail.gov.bc.ca
UNIX Group, ITSD, ISTA
Province of BC
            "COBOL IS A WASTE OF CARDS."
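The following script, added here as an illustration and not part of the post above or of any project it mentions, carries the idea through: one definitions section, one fw() routine, and a backend switch (FW_BACKEND, an assumed name) that emits either ipfw command lines or IP Filter rules from the same arguments. The host names, ports and the tun0 interface are constructed sample values; the ipf rules are written for inbound traffic on that interface, which is an assumption of the example. The backend difference the post hints at shows up in fw(): ipfw accepts a comma-separated port list in one rule, IP Filter takes one port per clause, so the ipf branch expands the list into several rules. The last rule is the logged default deny, so anything not listed in the definitions is dropped and recorded.

```shell
#!/bin/sh
# Added example: generic rule emitter for two packet filters from one
# definitions section. Names, hosts, ports and tun0 are constructed.

FW_BACKEND="${FW_BACKEND:-ipfw}"   # "ipfw" or "ipf" (assumed variable name)
FW_RULENUM=100                     # ipfw rule numbers, stepped per rule
FW_IF="tun0"                       # interface for ipf rules (assumed)

# ---- definitions section: the only part that changes per site ----
KRB5_CLIENTS="host1 host2 host3"
KRB_SRVRS="krb1 krb2"
KRB_PORTS="88,750"
TRUSTED_HOSTS="host1 1.2.3.0/24"

# fw ACTION PROTO SRC SPORTS DST DPORTS
#   ACTION: allow | deny | denylog     PROTO: udp | tcp | ip
#   SPORTS/DPORTS: "any" or a comma list such as 88,750
fw() {
    action=$1; proto=$2; src=$3; sports=$4; dst=$5; dports=$6
    case "$FW_BACKEND" in
    ipfw)
        case "$action" in
        allow)   act="allow" ;;
        deny)    act="deny" ;;
        denylog) act="deny log" ;;
        *) echo "fw: unknown action $action" >&2; return 1 ;;
        esac
        # ipfw takes the port list as-is; omit it for "any"
        sp=""; [ "$sports" = any ] || sp=" $sports"
        dp=""; [ "$dports" = any ] || dp=" $dports"
        echo "add $FW_RULENUM $act $proto from $src$sp to $dst$dp"
        FW_RULENUM=$((FW_RULENUM + 1))
        ;;
    ipf)
        case "$action" in
        allow)   act="pass in quick" ;;
        deny)    act="block in quick" ;;
        denylog) act="block in log quick" ;;
        *) echo "fw: unknown action $action" >&2; return 1 ;;
        esac
        # "ip" means any protocol: ipf expresses that by omitting proto
        pr=""; [ "$proto" = ip ] || pr=" proto $proto"
        # ipf wants one port per clause, so a comma list becomes several rules
        for sp in $(echo "$sports" | tr ',' ' '); do
            for dp in $(echo "$dports" | tr ',' ' '); do
                spc=""; [ "$sp" = any ] || spc=" port = $sp"
                dpc=""; [ "$dp" = any ] || dpc=" port = $dp"
                echo "$act on $FW_IF$pr from $src$spc to $dst$dpc"
            done
        done
        ;;
    *)
        echo "fw: unknown backend $FW_BACKEND" >&2; return 1 ;;
    esac
}

# gen_rules: the policy, written once against fw(); redirect its output
# to firewall.conf (ipfw) or ipf.conf (ipf).
gen_rules() {
    FW_RULENUM=100
    for SYSTEM in $KRB5_CLIENTS; do
        for KRB in $KRB_SRVRS; do
            fw allow udp "$SYSTEM" any "$KRB" "$KRB_PORTS"
            fw allow udp "$KRB" "$KRB_PORTS" "$SYSTEM" any
        done
    done
    for SYSTEM in $TRUSTED_HOSTS; do
        fw allow tcp "$SYSTEM" any any 22
    done
    # logged default deny stays last so nothing undefined slips through
    fw denylog ip any any any any
}

gen_rules
```

Run it as `FW_BACKEND=ipfw sh rules.sh > firewall.conf` or `FW_BACKEND=ipf sh rules.sh > ipf.conf`; the definitions section is the only thing that differs between hosts, which is what keeps the two outputs in step. With the sample definitions the ipfw backend produces 15 rules and the ipf backend 27, the extra ones being the expanded Kerberos port pairs.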