1 /* firewall_rules_dlg.c
3 * This program is free software; you can redistribute it and/or
4 * modify it under the terms of the GNU General Public License
5 * as published by the Free Software Foundation; either version 2
6 * of the License, or (at your option) any later version.
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License
14 * along with this program; if not, write to the Free Software
15 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 * Generate firewall ACL rules based on packet addresses and ports.
20 * For directional rules, an outside interface is assumed.
22 * There may be better ways to present the information, e.g. all rules
23 * in one huge text window, or some sort of tree view.
27 * To add a new product, add syntax functions modify the products[] array.
29 * To add a new syntax function, add its prototype above the products[]
30 * array, and add the function below with all the others.
33 /* Copied from gtk/firewall_rules.c */
39 #include "epan/address.h"
41 #include "firewall_rules.h"
43 static void sf_ipfw_mac(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
44 static void sf_netfilter_mac(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
46 static void sf_ios_std_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
47 static void sf_ios_ext_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
48 static void sf_ipfilter_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
49 static void sf_ipfw_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
50 static void sf_netfilter_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
51 static void sf_pf_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
52 /* XXX - Can you addresses-only filters using WFW/netsh? */
54 static void sf_ios_ext_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
55 static void sf_ipfilter_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
56 static void sf_ipfw_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
57 static void sf_netfilter_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
58 static void sf_pf_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
59 static void sf_netsh_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
61 static void sf_ios_ext_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
62 static void sf_ipfilter_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
63 static void sf_ipfw_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
64 static void sf_netfilter_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
65 static void sf_pf_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
66 static void sf_netsh_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny);
68 typedef struct _fw_product_t {
70 const char *rule_hint;
71 const char *comment_pfx;
73 syntax_func ipv4_func;
74 syntax_func port_func;
75 syntax_func ipv4_port_func;
76 gboolean does_inbound;
79 static fw_product products[] = {
80 { "Cisco IOS (standard)", "Change NUMBER to a valid ACL number.", "!",
81 NULL, sf_ios_std_ipv4, NULL, NULL, FALSE },
82 { "Cisco IOS (extended)", "Change NUMBER to a valid ACL number.", "!",
83 NULL, sf_ios_ext_ipv4, sf_ios_ext_port, sf_ios_ext_ipv4_port, TRUE },
84 { "IP Filter (ipfilter)", "Change le0 to a valid interface if needed.", "#",
85 NULL, sf_ipfilter_ipv4, sf_ipfilter_port, sf_ipfilter_ipv4_port, TRUE },
86 { "IPFirewall (ipfw)", "", "#",
87 sf_ipfw_mac, sf_ipfw_ipv4, sf_ipfw_port, sf_ipfw_ipv4_port, TRUE },
88 { "Netfilter (iptables)", "Change eth0 to a valid interface if needed.", "#",
89 sf_netfilter_mac, sf_netfilter_ipv4, sf_netfilter_port,
90 sf_netfilter_ipv4_port, TRUE },
91 { "Packet Filter (pf)", "$ext_if should be set to a valid interface.", "#",
92 NULL, sf_pf_ipv4, sf_pf_port, sf_pf_ipv4_port, TRUE },
93 { "Windows Firewall (netsh)", "", "#",
94 NULL, NULL, sf_netsh_port, sf_netsh_ipv4_port, FALSE }
96 #define NUM_PRODS (sizeof(products) / sizeof(fw_product))
99 size_t firewall_product_count(void)
104 const char *firewall_product_name(size_t product_idx)
106 if (product_idx >= NUM_PRODS) return "Unknown";
107 return products[product_idx].name;
110 const char *firewall_product_rule_hint(size_t product_idx)
112 if (product_idx >= NUM_PRODS) return "";
113 return products[product_idx].rule_hint;
116 const char *firewall_product_comment_prefix(size_t product_idx)
118 if (product_idx >= NUM_PRODS) return "";
119 return products[product_idx].comment_pfx;
122 syntax_func firewall_product_mac_func(size_t product_idx)
124 if (product_idx >= NUM_PRODS) return NULL;
125 return products[product_idx].mac_func;
129 syntax_func firewall_product_ipv4_func(size_t product_idx)
131 if (product_idx >= NUM_PRODS) return NULL;
132 return products[product_idx].ipv4_func;
136 syntax_func firewall_product_port_func(size_t product_idx)
138 if (product_idx >= NUM_PRODS) return NULL;
139 return products[product_idx].port_func;
143 syntax_func firewall_product_ipv4_port_func(size_t product_idx)
145 if (product_idx >= NUM_PRODS) return NULL;
146 return products[product_idx].ipv4_port_func;
149 gboolean firewall_product_does_inbound(size_t product_idx)
151 if (product_idx >= NUM_PRODS) return FALSE;
152 return products[product_idx].does_inbound;
157 #define IPFW_DENY (deny ? "deny" : "allow")
158 #define IPFW_IN (inbound ? "in" : "out")
159 static void sf_ipfw_mac(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) {
160 g_string_append_printf(rtxt, "add %s MAC %s any %s",
161 IPFW_DENY, addr, IPFW_IN);
164 #define NF_DROP (deny ? "DROP" : "ACCEPT")
165 #define NF_INPUT (inbound ? "INPUT" : "OUTPUT")
166 static void sf_netfilter_mac(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) {
167 g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 --mac-source %s --jump %s",
168 NF_INPUT, addr, NF_DROP);
172 #define IOS_DENY (deny ? "deny" : "permit")
173 static void sf_ios_std_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound _U_, gboolean deny) {
174 g_string_append_printf(rtxt, "access-list NUMBER %s host %s", IOS_DENY, addr);
177 static void sf_ios_ext_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) {
179 g_string_append_printf(rtxt, "access-list NUMBER %s ip host %s any", IOS_DENY, addr);
181 g_string_append_printf(rtxt, "access-list NUMBER %s ip any host %s", IOS_DENY, addr);
184 #define IPFILTER_DENY (deny ? "block" : "pass")
185 #define IPFILTER_IN (inbound ? "in" : "out")
186 static void sf_ipfilter_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) {
187 g_string_append_printf(rtxt, "%s %s on le0 from %s to any",
188 IPFILTER_DENY, IPFILTER_IN, addr);
191 static void sf_ipfw_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) {
192 g_string_append_printf(rtxt, "add %s ip from %s to any %s",
193 IPFW_DENY, addr, IPFW_IN);
196 #define NF_ADDR_DIR (inbound ? "--source" : "--destination")
197 static void sf_netfilter_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) {
198 g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 %s %s/32 --jump %s",
199 NF_INPUT, NF_ADDR_DIR, addr, NF_DROP);
202 #define PF_DENY (deny ? "block" : "pass")
203 #define PF_IN (inbound ? "in" : "out")
204 static void sf_pf_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) {
205 g_string_append_printf(rtxt, "%s %s quick on $ext_if from %s to any",
206 PF_DENY, PF_IN, addr);
210 #define RT_TCP_UDP (ptype == PT_TCP ? "tcp" : "udp")
211 static void sf_ios_ext_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound _U_, gboolean deny) {
212 g_string_append_printf(rtxt, "access-list NUMBER %s %s any any eq %u",
213 IOS_DENY, RT_TCP_UDP, port);
216 static void sf_ipfilter_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
217 g_string_append_printf(rtxt, "%s %s on le0 proto %s from any to any port = %u",
218 IPFILTER_DENY, IPFILTER_IN, RT_TCP_UDP, port);
221 static void sf_ipfw_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
222 g_string_append_printf(rtxt, "add %s %s from any to any %u %s",
223 IPFW_DENY, RT_TCP_UDP, port, IPFW_IN);
226 #define NF_PORT_DIR (inbound ? "--source-port" : "--destination-port")
227 static void sf_netfilter_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
228 g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 --protocol %s %s %u --jump %s",
229 NF_INPUT, RT_TCP_UDP, NF_PORT_DIR, port, NF_DROP);
232 static void sf_pf_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
233 g_string_append_printf(rtxt, "%s %s quick on $ext_if proto %s from any to any port %u",
234 PF_DENY, PF_IN, RT_TCP_UDP, port);
237 #define NETSH_DENY (deny ? "DISABLE" : "ENABLE")
238 static void sf_netsh_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound _U_, gboolean deny) {
239 g_string_append_printf(rtxt, "add portopening %s %u Wireshark %s",
240 RT_TCP_UDP, port, NETSH_DENY);
244 static void sf_ios_ext_ipv4_port(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype, gboolean inbound, gboolean deny) {
246 g_string_append_printf(rtxt, "access-list NUMBER %s %s host %s any eq %u", IOS_DENY, RT_TCP_UDP, addr, port);
248 g_string_append_printf(rtxt, "access-list NUMBER %s %s any host %s eq %u", IOS_DENY, RT_TCP_UDP, addr, port);
251 static void sf_ipfilter_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
253 g_string_append_printf(rtxt, "%s %s on le0 proto %s from %s to any port = %u",
254 IPFILTER_DENY, IPFILTER_IN, RT_TCP_UDP, addr, port);
256 g_string_append_printf(rtxt, "%s %s on le0 proto %s from any to %s port = %u",
257 IPFILTER_DENY, IPFILTER_IN, RT_TCP_UDP, addr, port);
260 static void sf_ipfw_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
261 g_string_append_printf(rtxt, "add %s %s from %s to any %u %s",
262 IPFW_DENY, RT_TCP_UDP, addr, port, IPFW_IN);
265 static void sf_pf_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
266 g_string_append_printf(rtxt, "%s %s quick on $ext_if proto %s from %s to any port %u",
267 PF_DENY, PF_IN, RT_TCP_UDP, addr, port);
270 static void sf_netfilter_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny) {
271 g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 --protocol %s %s %s/32 %s %u --jump %s",
272 NF_INPUT, RT_TCP_UDP, NF_ADDR_DIR, addr, NF_PORT_DIR, port, NF_DROP);
275 static void sf_netsh_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound _U_, gboolean deny) {
276 g_string_append_printf(rtxt, "add portopening %s %u Wireshark %s %s",
277 RT_TCP_UDP, port, NETSH_DENY, addr);
282 * Editor modelines - http://www.wireshark.org/tools/modelines.html
287 * indent-tabs-mode: nil
290 * vi: set shiftwidth=4 tabstop=8 expandtab:
291 * :indentSize=4:tabSize=8:noTabs=true: