BSD::Ipfwgen 1.5 review
BSD::Ipfwgen is a Perl module to aid in the creation of ipfw-based firewalls.
SYNOPSIS
use BSD::Ipfwgen;
outside qw(**interface list**);
leaf qw(**interface list**);
consolidate qw(**network list**);
us qw(**network list**);
not_us qw(**network list**);
to_us qw(**network list**);
from_us qw(**network list**);
symmetric qw(**network list**);
count_by_interface();
count_by_address qw(**network list**);
count_by_udp qw(**port list**);
count_by_tcp qw(**port list**);
no_looping()
no_spoofing_us()
no_spoofing_by_us()
no_leaf_spoofing()
tcp_from_rules($port, $rules);
tcp_to_rules($port, $rules);
udp_from_rules($port, $rules);
udp_to_rules($port, $rules);
from_net_rules($network, $rules);
to_net_rules($network, $rules);
to_me_rules($rules)
not_to_me_rules($rules)
from_me_rules($rules)
not_from_me_rules($rules)
in_interface_rules($interface, $rules);
out_interface_rules($interface, $rules);
drop_unwanted qw(**network list**);
generate qw(**options**)
**port list** is a list of integers: 80, 23, etc.
**network list** is a list of network addresses in CIDR notation: 207.33.90.32/27, etc.
**interface list** is a list of interface names: de0, fxp1, etc.
**options** is a list of the valid options: DEFAULT-ACCEPT, INSECURE
$rules is a newline-separated set of ipfw rules.
Ipfwgen is designed to make writing complex firewalls easier and safer. It handles generating some of the harder rulesets: anti-spoofing, anti-looping, and anti-land-attack.
Ipfwgen does not try to reduce the complexity of firewall building. What it does is let you write a Perl program that generates a firewall. Firewalls generated by Ipfwgen are expected to be examined by a human and installed manually.
Ipfwgen commands must be given in a particular sequence. First come the declarative commands: outside, leaf, consolidate, us, not_us, and symmetric.
Then come the rule-specification commands: almost everything else. Ipfwgen keeps an internal database of the rules in progress. After all the rule-specification commands are done, the firewall gets compiled.
The generate command compiles the specifications into actual ipfw commands and dumps them on STDOUT.
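The following generator script is an added example, not code from the BSD::Ipfwgen distribution. It walks the required sequence end to end: declarative commands first, then the generated anti-spoofing and anti-looping rulesets, then per-service rule specifications, then generate. The topology (de0 as the outside interface, fxp0/fxp1 as leaf segments, 192.0.2.0/24 and the hosts in it) is constructed for illustration. The page says only that $rules is a newline-separated set of ipfw rules; that the lines are bare ipfw rule bodies with no "ipfw add N" prefix is my assumption, so check the output against your ipfw version before installing anything.

```perl
#!/usr/bin/perl
# Added example (not part of the BSD::Ipfwgen distribution): a complete
# firewall generator following the command sequence the module requires.
use strict;
use warnings;
use BSD::Ipfwgen;

# 1. Declarative commands.  Assumed topology: de0 faces the Internet,
#    fxp0 and fxp1 are leaf segments behind this router, and
#    192.0.2.0/24 (documentation space) is the network we own.
outside qw(de0);
leaf    qw(fxp0 fxp1);
us      qw(192.0.2.0/24);
# Source addresses that must never arrive from outside (RFC 1918).
not_us  qw(10.0.0.0/8 172.16.0.0/12 192.168.0.0/16);
# Subnets we want reported as one block rather than per address.
consolidate qw(192.0.2.0/24);

# 2. The hard rulesets the module generates for us.
no_looping();
no_spoofing_us();
no_spoofing_by_us();
no_leaf_spoofing();

# 3. Accounting rules, useful when reviewing the generated output.
count_by_interface();
count_by_tcp qw(22 25 80);

# 4. Rule-specification commands.  Assumption: each line of $rules is an
#    ipfw rule body (action plus match), which the module numbers and
#    emits itself.  Addresses are constructed for this example.
tcp_to_rules(25, <<'END');
allow tcp from any to 192.0.2.5 25
END

tcp_to_rules(80, <<'END');
allow tcp from any to 192.0.2.10 80
END

# Management access only from one administrative host; everything else
# to port 22 is logged and dropped.
tcp_to_rules(22, <<'END');
allow tcp from 192.0.2.250 to any 22
deny log tcp from any to any 22
END

# Traffic from the first leaf segment may reach the mail relay and nothing
# else on the office LAN is exposed outbound without an explicit rule.
in_interface_rules('fxp0', <<'END');
allow tcp from 192.0.2.64/26 to 192.0.2.5 25
END

# Networks we have no business talking to at all.
drop_unwanted qw(0.0.0.0/8 127.0.0.0/8);

# 5. Compile to ipfw commands on STDOUT.  No DEFAULT-ACCEPT and no
#    INSECURE, so the generated policy is deny-by-default.
generate();
```

Run it as perl gen-fw.pl > fw.ipfw, read fw.ipfw in full, and only then feed it to ipfw. The script deliberately never pipes its output into ipfw directly: the page's model is that a human examines the generated rules before they are installed, and a generator mistake that locks you out of a remote router is far cheaper to catch in a file than on a live interface.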
Requirements:
Perl