@marmarek
Created April 25, 2016 08:46
Qubes firewall learning based on denied connections
#!/usr/bin/perl
# usage:
# sudo tcpdump -vni eth0 port 53 or icmp | perl ./firewall-learn.pl [vmname]
#
# Watches tcpdump output for ICMP "admin prohibited" rejects coming back from
# the firewall and prints a qvm-firewall rule for each blocked destination,
# using recently observed DNS answers to map the destination IP back to a name.
use strict;
use warnings;
use Data::Dumper;
use Sys::Hostname;

my %dns_cache;   # ip -> hostname, filled from observed DNS A answers
# Optional VM name argument; shift it off @ARGV so that <> reads stdin
# instead of trying to open the VM name as a file.
my $host = @ARGV ? shift @ARGV : hostname();

my $denied_ip = undef;
my $denied_host = undef;
while (<>) {
    if (defined($denied_ip)) {
        # The embedded IP header on the continuation line names the blocked port.
        # \Q...\E quotes the dots in the IP so 10.1.1.1 cannot match 10.101.1.1.
        if (m/ > \Q$denied_ip\E\.(\S+): Flags/) {
            print "qvm-firewall -a $host $denied_host tcp $1\n";
            $denied_ip = undef;
        } elsif (m/^[0-9]/) {
            # next packet (packet lines start with a timestamp)
            print STDERR "Unrecognised packet to $denied_ip ($denied_host)\n";
            $denied_ip = undef;
        }
    }
    if (m/\.domain > 10\..*: \d+ \d+\/\d+\/\d+ (.*) \(\d+\)$/) {
        # DNS response: remember every A record in the answer section
        foreach (split(/, /, $1)) {
            if (m/(\S+) A ([0-9.]+)/) {
                $dns_cache{$2} = $1;
            }
        }
    }
    if (m/ICMP host ([0-9.]+) unreachable - admin prohibited/) {
        $denied_ip = $1;
        if (defined($dns_cache{$1})) {
            $denied_host = $dns_cache{$1};
        } else {
            $denied_host = $denied_ip;
        }
    }
}
#print Dumper(%dns_cache);
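The gist gives no sample of the tcpdump lines it expects, so as an added example (not part of marmarek's gist) the same DNS-answer / ICMP-reject correlation is written below in Python with a constructed `tcpdump -vni eth0 port 53 or icmp` excerpt embedded inline. The sample lines, the VM name "work" and the RFC 5737 test addresses are all made up for the example; the `learn_rules` function is an assumption of this example, not a Qubes tool. It differs from the gist in two small ways: the denied IP is regex-escaped before being interpolated, and the trailing dot of the DNS name is stripped before it is placed in the rule.

```python
import re

# Constructed sample of `tcpdump -vni eth0 port 53 or icmp` output (not a real
# capture). With -v the IP header goes on the timestamp line and the payload
# on an indented continuation line; the ICMP reject carries the embedded
# header of the blocked packet on further continuation lines.
SAMPLE_LINES = [
    "08:46:01.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 100)",
    "    10.137.2.1.domain > 10.137.2.5.40123: 4321 2/0/0 www.example.com. A 192.0.2.10, www.example.com. A 192.0.2.11 (72)",
    "08:46:02.000001 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto ICMP (1), length 88)",
    "    10.137.2.1 > 10.137.2.5: ICMP host 192.0.2.10 unreachable - admin prohibited, length 68",
    "\tIP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 60)",
    "    10.137.2.5.45678 > 192.0.2.10.443: Flags [S], seq 1, win 29200, length 0",
    "08:46:03.000001 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto ICMP (1), length 88)",
    "    10.137.2.1 > 10.137.2.5: ICMP host 198.51.100.7 unreachable - admin prohibited, length 68",
    "08:46:04.000001 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto ICMP (1), length 84)",
    "    10.137.2.1 > 10.137.2.5: ICMP echo reply, id 1, seq 1, length 64",
]

# Same patterns as the gist; DNS answers destined for a 10.x (Qubes VM) address.
DNS_ANSWER_RE = re.compile(r"\.domain > 10\..*: \d+ \d+/\d+/\d+ (.*) \(\d+\)$")
A_RECORD_RE = re.compile(r"(\S+) A ([0-9.]+)")
ADMIN_PROHIBITED_RE = re.compile(r"ICMP host ([0-9.]+) unreachable - admin prohibited")


def learn_rules(lines, vm):
    """Correlate DNS answers with ICMP admin-prohibited rejects.

    Returns (rules, unrecognised): rules is the list of qvm-firewall command
    lines to allow what was blocked; unrecognised lists (ip, host) pairs where
    the next packet arrived before the blocked port could be read.
    """
    dns_cache = {}          # ip -> hostname (trailing dot removed)
    rules = []
    unrecognised = []
    denied_ip = denied_host = None

    for line in lines:
        if denied_ip is not None:
            # re.escape keeps the dots literal: 10.1.1.1 must not match 10.101.1.1
            m = re.search(r" > " + re.escape(denied_ip) + r"\.(\S+): Flags", line)
            if m:
                rules.append(f"qvm-firewall -a {vm} {denied_host} tcp {m.group(1)}")
                denied_ip = None
            elif re.match(r"[0-9]", line):
                # a new packet (timestamp line) started without a Flags line
                unrecognised.append((denied_ip, denied_host))
                denied_ip = None

        m = DNS_ANSWER_RE.search(line)
        if m:
            # answer section is comma-separated; keep every A record
            for answer in m.group(1).split(", "):
                a = A_RECORD_RE.search(answer)
                if a:
                    dns_cache[a.group(2)] = a.group(1).rstrip(".")

        m = ADMIN_PROHIBITED_RE.search(line)
        if m:
            denied_ip = m.group(1)
            denied_host = dns_cache.get(denied_ip, denied_ip)

    return rules, unrecognised


if __name__ == "__main__":
    rules, unrecognised = learn_rules(SAMPLE_LINES, "work")
    for rule in rules:
        print(rule)
    for ip, host in unrecognised:
        print(f"Unrecognised packet to {ip} ({host})")
```

On the constructed sample the function yields one rule, `qvm-firewall -a work www.example.com tcp 443`, and reports 198.51.100.7 as unrecognised because the following packet line arrived before any embedded TCP header was seen. To run it against a live capture, replace `SAMPLE_LINES` with `sys.stdin` (each line already carries its text; the trailing newline does not affect the patterns because the `$` anchor tolerates it).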