Re: perl interface to pf?
[EMAIL PROTECTED] wrote:
> [snip]
> One problem is parsing and syntax checking of pf rules so that garbage isn't fed to for example pfctl if that is the method one chooses.
> [snip]

That's what the -n option of pfctl is for, isn't it?
Re: perl interface to pf?
John N. Brahy wrote:
> Is there a perl interface to pf?

No, and it would be totally insane to build one. PF is not a low-level assembly language for expressing ioctl(2) calls. It is an LALR(1) grammar for specifying firewall policies. Because of its high abstraction level compared to said assembly languages, chances are you do not need perl(1) at all for anything.

Hopefully, this shuts up the thread.
Re: perl interface to pf?
Jesper Louis Andersen wrote:
> John N. Brahy wrote:
> > Is there a perl interface to pf?
>
> No, and it would be totally insane to build one.

Well, the only use that came to my mind was a perl daemon running on the FW that accepts rule updates from a remote client. While that can be done with other means (ssh, sh scripts), I can imagine that a perl class for manipulating pf rules would come in handy for that.

/m
Re: perl interface to pf?
On Nov 3, 2005, at 8:17 AM, Markus Wernig wrote:
> Well, the only use that came to my mind was a perl daemon running on the FW that accepts rule updates from a remote client. While that can be done with other means (ssh, sh scripts), I can imagine that a perl class for manipulating pf rules would come in handy for that.
>
> /m

Putting something listening on the network means now you've got to do encryption, authentication, verification, etc.. Seems like a lot of work for potentially not a lot of gain, at least IMO.

I'd rather rely on ssh, keys, sudo, and scripts to do it.

-Chad
Re: perl interface to pf?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Wernig
Sent: 3 November 2005 14:17
To: Jesper Louis Andersen
Cc: John N. Brahy; misc@openbsd.org
Subject: Re: perl interface to pf?

Jesper Louis Andersen wrote:
> John N. Brahy wrote:
> > Is there a perl interface to pf?
>
> No, and it would be totally insane to build one.

Well, the only use that came to my mind was a perl daemon running on the FW that accepts rule updates from a remote client. While that can be done with other means (ssh, sh scripts), I can imagine that a perl class for manipulating pf rules would come in handy for that.

/m

Hello,

I am working on a program similar to that but written in c++ and php. However slightly different functionality, uses token based OTP authentication via SMS, and a PHP interface to create the new rules. However the reason I am doing this is not because there is a need but more to learn c++ and encryption. There are much simpler and safer ways to achieve this with pre-existing tools, but sure it's possible although maybe not wise.

One problem is parsing and syntax checking of pf rules so that garbage isn't fed to for example pfctl if that is the method one chooses. One problem of many.

Like a previous poster said, it's a lot of work for very little gain, but if like me you have the extra time and have something else to gain from the exercise then it could be worthwhile.

// jpb

Jorgen Boberg
Managing Director Senior Consultant
Intellibit Consulting SIA
Krisjana Barona Iela 37/30
LV-1011, Riga
Latvia
Tel: +371 83 80 803
Re: perl interface to pf?
On Thursday 03 November 2005 13:49, you wrote:
> I'd rather rely on ssh, keys, sudo, and scripts to do it.

Erm, perl scripts ARE scripts!
Re: perl interface to pf?
This is the weirdest thing I have heard all week.

On Tue, Nov 01, 2005 at 08:36:59AM -0800, John N. Brahy wrote:
> Is there a perl interface to pf?
Re: perl interface to pf?
* Marco Peereboom [EMAIL PROTECTED] [2005-11-01 10:11]:
> This is the weirdest thing I have heard all week.
>
> On Tue, Nov 01, 2005 at 08:36:59AM -0800, John N. Brahy wrote:
> > Is there a perl interface to pf?

8<
#!/usr/bin/perl
if ((not 0 && not 1) != (!0 && !1)) {
    print "No, just exec pfctl from within perl.\n";
    print "But feed it carefully, and know how perl works.\n";
} else {
    print "Of course, that's a great idea! everyone groks perl!\n";
}
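An added example, not part of any message in this thread: one way to follow the advice above to exec pfctl from Perl and to use its -n option as the syntax check before anything is loaded. The temp-file template, the sample rule and the script's own --load switch are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

my $PFCTL = '/sbin/pfctl';    # absolute path, so $PATH is never searched

# Run pfctl with an argument list. The block form of system() never goes
# through a shell, so no argument is interpreted as shell syntax.
sub run_pfctl {
    my @args = @_;
    my $status = system { $PFCTL } $PFCTL, @args;
    return $status == 0;
}

# Write the candidate rules to a private temp file (created mode 0600,
# removed at exit) instead of interpolating them into a command line.
sub write_rules {
    my ($rules) = @_;
    my ($fh, $path) = tempfile('pfrules.XXXXXXXX', TMPDIR => 1, UNLINK => 1);
    print {$fh} $rules or die "write $path: $!\n";
    close $fh or die "close $path: $!\n";
    return $path;
}

# Syntax check only: -n parses the file and loads nothing.
sub rules_parse_ok { return run_pfctl('-n', '-f', $_[0]) }

# Check first, load second. Note that -f replaces the loaded ruleset.
sub load_rules {
    my ($path) = @_;
    rules_parse_ok($path) or die "rejected by pfctl -n, nothing loaded\n";
    run_pfctl('-f', $path) or die "pfctl -f failed\n";
    return 1;
}

# Constructed sample input; real rules would come from the operator's
# own tooling, for example a file pushed over ssh.
my $candidate = <<'RULES';
block in log on em0 proto tcp from 10.0.0.2 to 192.168.0.1 port 80 flags S/SA
RULES

my $path = write_rules($candidate);
if (@ARGV && $ARGV[0] eq '--load') {    # --load: hypothetical switch of this script
    load_rules($path);
    print "ruleset loaded\n";
} else {
    print rules_parse_ok($path) ? "syntax ok\n" : "syntax error\n";
}
```

-n only shows that the file parses; a ruleset that parses can still be the wrong policy, so a review step still belongs in front of the load.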
Re: perl interface to pf?
On Tue, 1 Nov 2005, Bob Beck wrote:
> * Marco Peereboom [EMAIL PROTECTED] [2005-11-01 10:11]:
> > This is the weirdest thing I have heard all week.
> >
> > On Tue, Nov 01, 2005 at 08:36:59AM -0800, John N. Brahy wrote:
> > > Is there a perl interface to pf?
>
> 8<
> #!/usr/bin/perl
> if ((not 0 && not 1) != (!0 && !1)) {
>     print "No, just exec pfctl from within perl.\n";
>     print "But feed it carefully, and know how perl works.\n";
> } else {
>     print "Of course, that's a great idea! everyone groks perl!\n";
> }

But, I need it in Ruby said the Whiney User.
Re: perl interface to pf?
On Tue, Nov 01, 2005 at 08:36:59AM -0800, John N. Brahy wrote:
> Is there a perl interface to pf?

Perl is able to play with ioctl(2), maybe this fits your needs. If not go ahead, learn XS and write your own libs for that. But I hardly see any sense behind it :

Regards
Simon
Re: perl interface to pf?
> But, I need it in Ruby said the Whiney User.

But I think Mauve has more RAM.
Re: perl interface to pf?
On Nov 1, 2005, at 1:02 PM, Simon Dassow wrote:
> On Tue, Nov 01, 2005 at 08:36:59AM -0800, John N. Brahy wrote:
> > Is there a perl interface to pf?
>
> Perl is able to play with ioctl(2), maybe this fits your needs. If not go ahead, learn XS and write your own libs for that. But I hardly see any sense behind it :

use PF::Filter;
my $rule = PF::Filter->new(
    -interface => 'em0',
    -log       => 1,
    -src_addr  => '10.0.0.2',
    -dst_addr  => '192.168.0.1',
    -dst_port  => 80,
    -action    => 'block'
);
$rule->param( flags => 'S/SA' );
$rule->param( label => 'api\'s r0x0r!!!' );
$rule->activate;

How can you not see the value in that? ;-)

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: perl interface to pf?
You're totally correct and I replied to him and apologized.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Thomas
Sent: Tuesday, November 01, 2005 1:09 PM
To: OpenBSD-Misc
Subject: Re: perl interface to pf?

On 11/1/05, John Brahy [EMAIL PROTECTED] wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Diana Eichert
> Sent: Tuesday, November 01, 2005 9:47 AM
> To: misc@openbsd.org
> Subject: Re: perl interface to pf?
>
> On Tue, 1 Nov 2005, Bob Beck wrote:
> > * Marco Peereboom [EMAIL PROTECTED] [2005-11-01 10:11]:
> > > This is the weirdest thing I have heard all week.
> > >
> > > On Tue, Nov 01, 2005 at 08:36:59AM -0800, John N. Brahy wrote:
> > > > Is there a perl interface to pf?
> >
> > 8<
> > #!/usr/bin/perl
> > if ((not 0 && not 1) != (!0 && !1)) {
> >     print "No, just exec pfctl from within perl.\n";
> >     print "But feed it carefully, and know how perl works.\n";
> > } else {
> >     print "Of course, that's a great idea! everyone groks perl!\n";
> > }
>
> But, I need it in Ruby said the Whiney User.
>
> I can't believe all the stupid responses I received due to this email.

They were much smarter and better informed than your reply to Bob Ababurko.

Greg
Re: perl interface to pf?
Maybe you should look at the question again.

On Nov 1, 2005, at 2:16 PM, John Brahy wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Diana Eichert
> Sent: Tuesday, November 01, 2005 9:47 AM
> To: misc@openbsd.org
> Subject: Re: perl interface to pf?
>
> On Tue, 1 Nov 2005, Bob Beck wrote:
> > * Marco Peereboom [EMAIL PROTECTED] [2005-11-01 10:11]:
> > > This is the weirdest thing I have heard all week.
> > >
> > > On Tue, Nov 01, 2005 at 08:36:59AM -0800, John N. Brahy wrote:
> > > > Is there a perl interface to pf?
> >
> > 8<
> > #!/usr/bin/perl
> > if ((not 0 && not 1) != (!0 && !1)) {
> >     print "No, just exec pfctl from within perl.\n";
> >     print "But feed it carefully, and know how perl works.\n";
> > } else {
> >     print "Of course, that's a great idea! everyone groks perl!\n";
> > }
>
> But, I need it in Ruby said the Whiney User.
>
> I can't believe all the stupid responses I received due to this email.