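#!/usr/bin/perl
# Version 1.0
#
# Ipfilter and Ipnat AutoMagic setup (un-ideal) perl script.
#
# Asks for the internal and external NIC names and addresses, then appends
# the ifconfig/ipfilter/ipnat settings to /etc/rc.conf and writes
# /etc/ipf.rules and /etc/ipnat.rules.  Has to run as root because the
# files under /etc are opened for writing.
#
# Fixes against the earlier version of this script:
#   - the STDIN reads had lost their <STDIN> operator (`$extnic = ;`), which
#     does not compile;
#   - every answer was interpolated into a root shell via
#     `echo "..." >> /etc/rc.conf`, so a NIC name or IP containing shell
#     metacharacters was executed; answers are now validated against
#     anchored patterns and the files are written with open/print, so no
#     shell ever sees user input;
#   - `use strict`/`use warnings` were missing.
use strict;
use warnings;

my $RC_CONF     = '/etc/rc.conf';
my $IPF_RULES   = '/etc/ipf.rules';
my $IPNAT_RULES = '/etc/ipnat.rules';

# Separator printed around each prompt (same text as the original script).
my $hashbar = "########################################################\n";

# Interface names look like "rl0"/"fxp0"; addresses must be dotted quads.
# Anchored so that nothing but these shapes reaches the config files.
my $NIC_RE  = qr/\A[a-z]+[0-9]+\z/;
my $IPV4_RE = qr/\A(?:[0-9]{1,3}\.){3}[0-9]{1,3}\z/;

# Print the separator line (kept for compatibility with the old script).
sub hashbar {
    print $hashbar;
    return;
}

# Print $prompt, read one line from STDIN and return it chomped.
# Returns '' when STDIN is at EOF so callers can treat it as "no answer".
sub ask {
    my ($prompt) = @_;
    print $prompt;
    my $answer = <STDIN>;
    return '' unless defined $answer;
    chomp $answer;
    return $answer;
}

# Ask until the answer matches $re.  An empty answer returns $default when
# one is given; otherwise the question is repeated.
sub ask_valid {
    my ($prompt, $re, $default) = @_;
    while (1) {
        my $answer = ask($prompt);
        return $default if $answer eq '' && defined $default;
        return $answer  if $answer =~ $re;
        print "Invalid value, try again\n";
    }
}

# Append @lines (each followed by a newline) to $path; dies on any I/O error.
sub append_lines {
    my ($path, @lines) = @_;
    open my $fh, '>>', $path or die "open $path: $!";
    print {$fh} map { "$_\n" } @lines;
    close $fh or die "close $path: $!";
    return;
}

# Overwrite $path with $content; dies on any I/O error.
sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} $content;
    close $fh or die "close $path: $!";
    return;
}

# Return the lines of $path that start with "ifconfig" and mention $nic
# (the old script shelled out to grep for this; \Q..\E keeps the name literal).
sub ifconfig_lines_for {
    my ($path, $nic) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    my @hits = grep { /^ifconfig.*\Q$nic\E/ } <$fh>;
    close $fh;
    return @hits;
}

my $ifconfig = `ifconfig`;

print `clear`;
print "####################################################################\n";
print "Ipfilter and Ipnat AutoMagic setup (un-ideal) perl script\n";
print "Get latest version of this script at http://roq.com/bsd/ coded by mikebsd\@roq.com\n";
print "####################################################################\n";
print "This script assumes:\n";
print "You have installed FreeBSD 4.3 or newer (tested on 4.6).\n";
print "You have 2 Network cards in your server (1 for internal and 1 for external).\n";
print "####################################################################\n";
print "This will:\n";
print "Ask you for your internal and external Network card internface names (eg rl0,fxp0).\n";
print "Ask for the settings of these Nics, Either DHCP or the IP and netmask.\n";
print "Install and setup a stateful firewall with those settings.\n";
print "Setup NAT for all ips on the internal NIC.\n";
print "The firewall will be a statefull \"black hole\" type, where if you didn't initiate the connection\n";
print "then it will just \"suck in\" those packets\n";
print "####################################################################\n";
print "\n";
print $ifconfig;

my $extnic = ask_valid("$hashbar choose your external Nic, eg \"fxp0\"\n$hashbar", $NIC_RE);
my $intnic = ask_valid("$hashbar choose your internal Nic, eg \"rl0\"\n$hashbar", $NIC_RE);

my $intnicip = ask_valid("$hashbar Internal nic IP, Recommended 192.168.1.1\n$hashbar",
                         $IPV4_RE, '192.168.1.1');
print "Setting Internal nic IP to $intnicip\n";

# An empty answer means the external NIC is configured by DHCP.
my $extnicip = ask_valid("$hashbar External nic IP, or hit enter for DHCP\n$hashbar",
                         $IPV4_RE, 'DHCP');
print "Setting External nic IP to $extnicip\n";

my $extnicnetmask;
if ($extnicip ne 'DHCP') {
    $extnicnetmask = ask_valid("$hashbar External nic netmask, eg 255.255.255.0 \n$hashbar",
                               $IPV4_RE);
}

print "$hashbar Do you want statefull firewall or just allow everything and rely on IPNAT to protect you\n";
my $firewall = ask_valid("Choose: \"y\" for statefull firewall or \"n\" for allow everything\n",
                         qr/\A[YyNn]\z/);

# Stateful "black hole" ruleset: outbound from the external NIC is tracked,
# only the ISP's DHCP replies are let in, everything else inbound is dropped.
my $rules = <<"END_RULES";
#################################################################
# Outside Interface
#################################################################
pass out quick on $extnic proto tcp from any to any flags S keep frags keep state
pass out quick on $extnic proto udp from any to any keep state keep frags
pass out quick on $extnic proto icmp from any to any keep state
block out quick on $extnic all
#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
pass in log quick on $extnic proto udp from any to any port = 68 keep state
block in log quick on $extnic all
#################################################################
# Inside Interface
#################################################################
pass in quick on $intnic all
pass out quick on $intnic all
#################################################################
# Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all
END_RULES

# "n" means no packet filtering at all; NAT alone is relied on.
if ($firewall =~ /[Nn]/) {
    $rules = "pass in quick all\npass out quick all\n";
}

print "Going to write the data to these files\n$RC_CONF\n$IPF_RULES\n$IPNAT_RULES\n\nhit ctrl+c to abort\n";
my $ok = <STDIN>;

my @rc_lines = (
    '',
    '###Ipnat and Ipfilter automagic setup script generated additions',
    'ipfilter_enable="YES"',
    'ipnat_enable="YES"',
    'gateway_enable="YES"',
    "ipfilter_rules=\"$IPF_RULES\"",
    # internal nic rc.conf addition
    "ifconfig_${intnic}=\"inet $intnicip netmask 255.255.255.0\"",
    # external nic rc.conf addition
    ( $extnicip eq 'DHCP'
        ? "ifconfig_${extnic}=\"DHCP\""
        : "ifconfig_${extnic}=\"inet $extnicip netmask $extnicnetmask\"" ),
);
append_lines($RC_CONF, @rc_lines);

write_file($IPF_RULES,   $rules);
write_file($IPNAT_RULES, "map $extnic ${intnicip}/24 -> 0/32\n");

print "All done, type \"reboot\" and it should all work\n";
print "Note: be sure to check and edit (ee /etc/rc.conf) for repetitive ifconfigs if you have\nrun this script more then once (can confuse start up scripts)\n";
print "Listed the bad ones here if any\n";
print ifconfig_lines_for($RC_CONF, $intnic);
print ifconfig_lines_for($RC_CONF, $extnic);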