-
Notifications
You must be signed in to change notification settings - Fork 3
/
filtergen.8
102 lines (70 loc) · 3.59 KB
/
filtergen.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
.\" -*- nroff -*-
.TH FILTERGEN 8 "January 20, 2005"
.SH NAME
filtergen \- packet filter compiler
.SH SYNOPSIS
\fBfiltergen\fR [ \fB-h\fR | \fB--help\fR ] [ \fB-V\fR | \fB--version\fR ] [ \fB-c\fR | \fB--compile\fR ] [ \fB-r\fR | \fB--no-resolve\fR ] [ \fB-s \fIsource\fB\fR | \fB--source=\fIsource\fB\fR ] [ \fB-t \fItarget\fB\fR | \fB--target=\fItarget\fB\fR ] [ \fB-o \fIoutfile\fB\fR | \fB--output=\fIoutfile\fB\fR ] \fIinfile\fR
\fBfiltergen\fR [ \fB-h\fR | \fB--help\fR ] [ \fB-V\fR | \fB--version\fR ] [ \fB-c\fR | \fB--compile\fR ] [ \fB-r\fR | \fB--no-resolve\fR ] [ \fB-s \fIsource\fB\fR | \fB--source=\fIsource\fB\fR ] [ \fB-t \fItarget\fB\fR | \fB--target=\fItarget\fB\fR ] [ \fB-o \fIoutfile\fB\fR | \fB--output=\fIoutfile\fB\fR ] [ \fB-F \fIpolicy\fB\fR | \fB--flush=\fIpolicy\fB\fR ]
.SH DESCRIPTION
\fBfiltergen\fR compiles a high-level filtering description language into a
variety of target formats.
.SH USAGE
\fBfiltergen\fR reads the ruleset from the \fIinfile\fR specified on the
command line (or standard input if \fIinfile\fR is "\-") and outputs to
standard output (or \fIoutfile\fR) via an optionally specified backend.
.PP
Both short and GNU-style long options are accepted:
.TP
\fB-c, --compile\fR
Only try to "compile" the input, and do not generate any output. This may be
useful to check that an input file has no syntax errors in it before one
attempts to use the result on a live server.
.TP
\fB-R, --no-resolve\fR
Don't try to resolve hostnames, protocol names, port names, icmp type
names, or any other human-readable names. This is useful for
debugging where you can't guarantee the resolver will correctly
mogrify each name. One side-effect of this option is that names that
resolve to two or more numbers normally won't be expanded, which may
affect what you let through or block on your packet filter. Use with
caution.
.TP
\fB-s \fIsource\fB, --source=\fIsource\fB\fR
If specified, \fBfiltergen\fR will use the \fIsource\fR language
parser to read the input file, otherwise the default of
\fBfiltergen\fR will be used. Supported source languages are
\fBfiltergen\fR.
.TP
\fB-t \fItarget-filter\fB, --target=\fItarget-filter\fB\fR
If specified, \fItarget-filter\fR will be used to select an output filter type,
otherwise the default of \fBiptables\fR will be used. Supported backends
are \fBiptables\fR, \fBip6tables\fR, \fBiptables-restore\fR, \fBip6tables-restore\fR,
\fBipchains\fR, \fBipfilter\fR, \fBcisco\fR (for Cisco IOS access-lists), and \fBfiltergen\fR (to
re-emit the input in \fBfiltergen\fR's native syntax).
.TP
\fB-F \fIpolicy\fB, --flush=\fIpolicy\fB\fR
Flush mode. Generate a set of rules for clearing all rules from the packet
filter. Useful for firewall scripts that need to `shutdown' the firewall.
You can supply a \fIpolicy\fR argument in place of the usual filename, to
specify whether the flushed filter should default to \fBaccept\fR,
\fBreject\fR, or \fBdrop\fR. It defaults to \fBaccept\fR, equivalent to
having no filter loaded at all. It is not necessary to specify an
\fIinfile\fR when using flush mode.
.TP
\fB-o \fIoutfile\fB, --output=\fIoutfile\fB\fR
Write output to \fIoutfile\fR instead of standard output.
.TP
\fB-h, --help\fR
Show command help.
.TP
\fB-V, --version\fR
Show program version.
.SH BUGS
Not all backends implement all features.
The packet filter is not optimised.
.SH SEE ALSO
\fBfgadm\fR(8), \fBfilter_syntax\fR(5), \fBfilter_backends\fR(7)
.SH AUTHOR
\fBfiltergen\fR was originally written by Matthew Kirkwood.
Jamie Wilkinson <jaq@spacepants.org> then took on maintenance of the
project, added some features, and rewrote a lot of the internals.