Filter Language Compiler

Current version: 1.12

The Filter Language Compiler (flc) generates rules for a number of different packet filtering packages from a single, common input language.

flc supports:

IP Filter (full support - 2.8.1)
ipfw (Linux - 1.3.6Beta3)
ipfwadm (Linux - 1.2)
ipfirewall (Linux/*BSD - 2.0e)
Cisco (extended access-lists)
screend
flc runs its input through cpp before parsing it, so #define and #if can be used to keep one rule file for several targets. The language supports policies whose settings are inherited by the rules nested inside them.

Comments can be written C style with /* */ (these are removed by cpp, so they only work when the input is preprocessed) or introduced with the '#' character, either at the start of a line or embedded in one.

Support

IP Filter - IP filter is fully supported, including port range comparisons and specifying IP options (including security).

ipfw - This one is diverging: there are multiple versions which are neither compatible with each other nor backward compatible. Sigh.

ipfwadm - Support for ipfw (version 1.3.6beta6) and ipfwadm (version 1.2) is complete, excluding accounting rules. Accounting rules are specific to these two programs, but support for them may be added later. The maintenance functions (flush/zero) are not supported.

ipfirewall - Support for version 2.0e is complete, excluding the head and tail IP fragment statements.

Cisco - the extended access list for Cisco routers is fully supported. flc prints a warning if you specify a rule which Cisco cannot express (e.g. port ranges). It assumes that you are using a version of IOS which supports both source and destination port comparisons.

screend - The TCP flags options (a comparatively recent addition to screend) are not supported, and flc will not generate "-not" phrases. "reserved" and "xserver" are also ignored.

The BNFs for the various supported filters, at a fairly abstract level, are included in the distribution tar file, in the BNF directory.

It can be ftp'd from ftp://coombs.anu.edu.au/pub/net/firewall/ip-filter/flc.tar.gz.

An example of the input which flc takes is:

#define	BAR	foo
#define	foo	10.1.1.1
#define	bar	10.1.1.254
#if defined(__cisco__)
interface ethernet0
access-list 101
#endif
#if defined(__ipfilter__) || defined(__ipfirewall__) || defined(__ipfw21r__)
interface le0
#endif
#if defined(__ipfw__) || defined(__ipfwadm__)
interface 10.1.1.1
#endif
policy block in all

if ( in ) then {
	set protocol tcp
	if ( from host BAR and opening ) then {
		block .
	}
	if ( from foo and to host bar ) then {
		log body and block .
	}
	if ( to port 2049 ) then {
		log and block .
	}
	pass .
}
end-policy
policy pass out all
end-policy
The output for the various filters looks like:

IP Filter (BSD/SunOS/Solaris)

block in on le0 quick proto tcp from 10.1.1.1 to any flags S/SA
block in on le0 quick log body proto tcp from 10.1.1.1 to 10.1.1.254
block in on le0 quick log proto tcp from any to any port = 2049
pass in on le0 quick proto tcp from any to any
block in all
pass out all

ipfw (linux)

ipfw addblocking deny iface 10.1.1.1 from 10.1.1.1 to 0/0
ipfw addblocking deny iface 10.1.1.1 from 10.1.1.1 to 10.1.1.254
ipfw addblocking deny iface 10.1.1.1 from 0/0 to 0/0 2049
ipfw addblocking accept iface 10.1.1.1 from 0/0 to 0/0
ipfw addblocking deny from 0/0 to 0/0
ipfw addforwarding accept from 0/0 to 0/0

ipfw (FreeBSD 2.1.0-RELEASE)

ipfw addforwarding deny tcp opening from 10.1.1.1 to 0/0 via le0
ipfw addforwarding ldeny tcp from 10.1.1.1 to 10.1.1.254 via le0
ipfw addforwarding ldeny tcp from 0/0 to 0/0 2049 via le0
ipfw addforwarding accept tcp from 0/0 to 0/0 via le0
ipfw addf deny from 0/0 to 0/0
ipfw addf accept from 0/0 to 0/0

ipfwadm (linux)

ipfwadm -p deny -B -I 10.1.1.1 -P tcp -S 10.1.1.1 -D 0.0.0.0 -y
ipfwadm -p deny -B -I 10.1.1.1 -k -P tcp -S 10.1.1.1 -D 10.1.1.254
ipfwadm -p deny -B -I 10.1.1.1 -k -P tcp -S 0.0.0.0 -D 0.0.0.0 2049
ipfwadm -p accept -B -I 10.1.1.1 -P tcp -S 0.0.0.0 -D 0.0.0.0
ipfwadm -B -p deny -S 0.0.0.0 -D 0.0.0.0
ipfwadm -F -p accept -S 0.0.0.0 -D 0.0.0.0

ipfirewall (linux/BSD)

ipfirewall addblocking reject le0 from 10.1.1.1/32 to 0/0
ipfirewall addblocking reject le0 from 10.1.1.1/32 to 10.1.1.254/32
ipfirewall addblocking reject le0 from 0/0 to 0/0 2049
ipfirewall addblocking accept le0 from 0/0 to 0/0
ipfirewall addblocking reject from 0/0 to 0/0
ipfirewall addforwarding accept from 0/0 to 0/0

Cisco

access-list 100 deny tcp 10.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255
access-list 100 deny tcp 10.1.1.1 0.0.0.0 10.1.1.254 0.0.0.0
access-list 100 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2049
access-list 100 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
access-list 100 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
interface ethernet 0
ip access-group 101 in
ip access-group 151 out
access-list 150 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
ip access-group 100 in
ip access-group 150 out

screend (BSD/Ultrix/??)

from host 10.1.1.1 proto tcp to any reject;
from host 10.1.1.1 proto tcp to net 10.1.1.254 reject log;
from any proto tcp to any port 2049 reject log;
from any proto tcp to any accept;
default reject;
default accept;
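The example above, as an added illustration that is not flc's own source: a small Python compiler for just the subset of the language the sample uses. It starts from the input as cpp leaves it (the #defines expanded and the #if blocks for one target resolved; something like `cpp -P -D__ipfilter__ rules.flc` produces that), carries the tests and the `set protocol` of each enclosing block down into the rules nested inside it, and emits the IP Filter and Cisco lines shown above. The interface name le0, the ACL numbers 100 and 150 and the Cisco host/wildcard notation are assumptions taken from the sample output; where the Cisco backend cannot express the `opening` test it records a warning rather than dropping the test silently.

```python
"""Toy compiler for a subset of the flc input language (added illustration,
not flc's own source). It starts from the sample after cpp has expanded the
#defines and resolved the #if blocks, carries the tests and 'set' statements
of each block down into the rules nested inside it, and emits IP Filter and
Cisco extended-ACL syntax. Assumptions copied from the page's sample output:
interface le0, ACL numbers 100 (in) and 150 (out), Cisco wildcard notation."""
import re
# Constructed input: the page's example as cpp leaves it for __ipfilter__.
SAMPLE = """\
policy block in all
if ( in ) then {
  set protocol tcp
  if ( from host 10.1.1.1 and opening ) then {
    block .
  }
  if ( from 10.1.1.1 and to host 10.1.1.254 ) then {
    log body and block .
  }
  if ( to port 2049 ) then {
    log and block .
  }
  pass .
}
end-policy
policy pass out all
end-policy
"""

def _condition(frame, cond):
    # Fold one 'and'-separated test into the attribute dict of a block.
    if cond in ("in", "out"):
        frame["dir"] = cond
    elif cond == "opening":                 # SYN set, ACK clear: a new connection
        frame["opening"] = True
    elif cond.startswith("from "):          # 'from host X' and 'from X' both name a host
        frame["src"] = cond.split()[-1]
    elif cond.startswith("to port "):
        frame["dport"] = int(cond.split()[-1])
    elif cond.startswith("to "):
        frame["dst"] = cond.split()[-1]
    else:
        raise ValueError("unsupported condition: %r" % cond)

def parse(text):
    """Return (rules, defaults); each rule carries every attribute it inherited."""
    rules, defaults, stack = [], [], [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "end-policy":
            continue
        if (m := re.fullmatch(r"policy (block|pass) (in|out) all", line)):
            defaults.append({"action": m[1], "dir": m[2]})
        elif (m := re.fullmatch(r"if \( (.*) \) then \{", line)):
            frame = dict(stack[-1])             # an inner block inherits the outer context
            for cond in m[1].split(" and "):
                _condition(frame, cond.strip())
            stack.append(frame)
        elif line == "}":
            stack.pop()
        elif (m := re.fullmatch(r"set protocol (\w+)", line)):
            stack[-1]["proto"] = m[1]           # seen by later rules in this block
        elif (m := re.fullmatch(r"(?:(log(?: body)?) and )?(block|pass) \.", line)):
            rules.append(dict(stack[-1], log=m[1], action=m[2]))
        else:
            raise ValueError("unparsed line: %r" % raw)
    return rules, defaults

def emit_ipfilter(rules, defaults, iface="le0"):
    out = []
    for r in rules:
        p = [r["action"], r["dir"], "on", iface, "quick"]
        p += [r["log"]] if r["log"] else []
        p += ["proto", r["proto"]] if "proto" in r else []
        p += ["from", r.get("src", "any"), "to", r.get("dst", "any")]
        p += ["port", "=", str(r["dport"])] if "dport" in r else []
        p += ["flags", "S/SA"] if r.get("opening") else []
        out.append(" ".join(p))
    return out + ["%s %s all" % (d["action"], d["dir"]) for d in defaults]

CISCO_ACL, CISCO_VERB = {"in": 100, "out": 150}, {"block": "deny", "pass": "permit"}
_wild = lambda h: "0.0.0.0 255.255.255.255" if h is None else h + " 0.0.0.0"

def emit_cisco(rules, defaults, warnings):
    # A test this backend cannot express is reported, never dropped silently: without
    # the flags test the rule matches all TCP from that source, i.e. it is wider than
    # asked. 'log' is not carried over here, matching the page's sample output.
    out = []
    for r in rules:
        if r.get("opening"):
            warnings.append("cisco: cannot test 'opening' (SYN only); rule widened")
        out.append("access-list %d %s %s %s %s%s" % (
            CISCO_ACL[r["dir"]], CISCO_VERB[r["action"]], r.get("proto", "ip"),
            _wild(r.get("src")), _wild(r.get("dst")),
            " eq %d" % r["dport"] if "dport" in r else ""))
    return out + ["access-list %d %s ip %s %s" % (CISCO_ACL[d["dir"]],
                  CISCO_VERB[d["action"]], _wild(None), _wild(None)) for d in defaults]

def compile_flc(text, target):
    """Return (output lines, warnings) for one backend: 'ipfilter' or 'cisco'."""
    rules, defaults = parse(text)
    warnings = []
    if target == "ipfilter":
        return emit_ipfilter(rules, defaults), warnings
    return emit_cisco(rules, defaults, warnings), warnings
```

`compile_flc(SAMPLE, "ipfilter")` reproduces the six IP Filter lines above and `compile_flc(SAMPLE, "cisco")` the five access-list 100 lines plus the access-list 150 default, with one warning. The warning is the point worth keeping when writing such a translator: the Cisco rule without the flags test blocks all TCP from 10.1.1.1, not just new connections, which is harmless for a block but would silently open more than intended had the action been pass.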

Darren Reed

darrenr@cyber.com.au