BSD::Ipfwgen 1.5 review



License: Perl Artistic License
File size: 12K
Developer: David Muir Sharnoff

BSD::Ipfwgen is a Perl module to aid in the creation of ipfw-based firewalls.

SYNOPSIS

use BSD::Ipfwgen;

outside qw(**interface list**);
leaf qw(**interface list**);

consolidate qw(**network list**);
us qw(**network list**);
not_us qw(**network list**);
to_us qw(**network list**);
from_us qw(**network list**);
symmetric qw(**network list**);

count_by_interface();
count_by_address qw(**network list**);
count_by_udp qw(**port list**);
count_by_tcp qw(**port list**);

no_looping()
no_spoofing_us()
no_spoofing_by_us()
no_leaf_spoofing()

tcp_from_rules($port, $rules);
tcp_to_rules($port, $rules);
udp_from_rules($port, $rules);
udp_to_rules($port, $rules);

from_net_rules($network, $rules);
to_net_rules($network, $rules);

to_me_rules($rules)
not_to_me_rules($rules)
from_me_rules($rules)
not_from_me_rules($rules)

in_interface_rules($interface, $rules);
out_interface_rules($interface, $rules);

drop_unwanted qw(**network list**);

generate qw(**options**)

**port list** is a list of port numbers (integers): 80, 23, etc.
**network list** is a list of network addresses in CIDR notation: 207.33.90.32/27, etc.
**interface list** is a list of interface names: de0, fxp1, etc.
**options** is a list of the valid options: DEFAULT-ACCEPT, INSECURE.
$rules is a newline-separated set of ipfw rules.

Ipfwgen is designed to make writing complex firewalls easier and safer. It handles generating some of the harder rulesets: anti-spoofing, anti-looping, and anti-land-attack rules.

Ipfwgen does not try to reduce the complexity of firewall building. What it does do is allow you to write a Perl program which generates a firewall. It is expected that the firewalls generated by Ipfwgen will be examined by a human and installed manually.

Ipfwgen commands must be given in a particular sequence. First come the declarative commands: outside, leaf, consolidate, us, not_us, and symmetric.

Then come the rule-specification commands: almost everything else. Ipfwgen keeps an internal database of the rules in progress. After all the rule-specification commands have been given, the firewall gets compiled.

The generate command compiles the specifications into actual ipfw commands and dumps them on STDOUT.
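The following generator script is an added example (editor's illustration, not code from the module's own documentation) showing the required sequence: declarative commands, then rule-specification commands, then generate. The interface names, the networks and the ipfw rule bodies passed as $rules are constructed for illustration; only the function names come from the SYNOPSIS above, and the exact form of the rule text the module accepts is assumed from the description "$rules is a newline-separated set of ipfw rules".

```perl
#!/usr/bin/perl
# Added example, not part of BSD::Ipfwgen itself.
# Interfaces, networks and rule bodies are constructed values.
use strict;
use warnings;
use BSD::Ipfwgen;

# 1. Declarative commands come first: topology and address ownership.
outside   qw(de0);             # interface facing the Internet (assumed name)
leaf      qw(fxp1);            # stub LAN with no routers behind it (assumed)
us        qw(207.33.90.32/27); # our address space (constructed)
symmetric qw(207.33.90.32/27); # replies return over the same interface

# 2. Rule-specification commands: these populate the internal rule database.
#    The generated anti-spoofing/anti-looping rules are the hard part the
#    module takes care of; we only declare that we want them.
no_looping();
no_spoofing_us();
no_spoofing_by_us();
no_leaf_spoofing();

# Per-interface and per-service counters give the reviewer visibility
# into what the installed ruleset actually matches.
count_by_interface();
count_by_tcp qw(22 25 80);

# Expose only the services we publish. $rules is newline-separated ipfw text.
tcp_to_rules(80, "allow tcp from any to any 80\n");
tcp_to_rules(25, "allow tcp from any to any 25\n");

# Administrative access (ssh) only from inside our own network;
# everything else to port 22 is refused.
to_me_rules(<<'RULES');
allow tcp from 207.33.90.32/27 to any 22
deny tcp from any to any 22
RULES

# Private (RFC 1918) source addresses should never arrive from outside.
drop_unwanted qw(10.0.0.0/8 172.16.0.0/12 192.168.0.0/16);

# 3. Compile the specification into ipfw commands on STDOUT.
#    The output is meant to be read by a person before it is installed,
#    so no DEFAULT-ACCEPT or INSECURE option is passed here.
generate();
```

Run it as `perl firewall.pl > firewall.sh`, inspect the resulting ipfw commands, and only then load them on the router.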

Requirements:
Perl
