filtergen(8) [debian man page]

FILTERGEN(8)						      System Manager's Manual						      FILTERGEN(8)

NAME
       filtergen - packet filter compiler

SYNOPSIS
       filtergen [ -h | --help ] [ -V | --version ] [ -c | --compile ] [ -t target | --target=target ] [ -o outfile | --output=outfile ] infile

       filtergen [ -h | --help ] [ -V | --version ] [ -c | --compile ] [ -t target | --target=target ] [ -o outfile | --output=outfile ] [ -F policy | --flush=policy ]

DESCRIPTION
       filtergen compiles a high-level filtering description language into a variety of target formats.

USAGE
       filtergen reads the ruleset from the infile specified on the command line (or standard input if infile is "-") and writes to standard output (or outfile) via an optionally specified backend.

       Both short and GNU-style long options are accepted:

       -c, --compile
              Only try to "compile" the input, and do not generate any output. This may be useful to check that an input file has no syntax errors in it before one attempts to use the result on a live server.

       -t target-filter, --target=target-filter
              If specified, target-filter will be used to select an output filter type, otherwise the default of iptables will be used. Supported backends are iptables, ipchains, ipfilter and cisco (for Cisco IOS access-lists).

       -F policy, --flush=policy
              Flush mode. Generate a set of rules for clearing all rules from the packet filter. Useful for firewall scripts that need to `shut down' the firewall. You can supply a policy argument in place of the usual filename, to specify whether the flushed filter should default to accept, reject, or drop. It defaults to accept, equivalent to having no filter loaded at all. It is not necessary to specify an infile when using flush mode.

       -o outfile, --output=outfile
              Write output to outfile instead of standard output.

       -h, --help
              Show command help.

       -V, --version
              Show program version.

BUGS
       Not all backends implement all features.

       The packet filter is not optimised.

SEE ALSO
       fgadm(8), filter_syntax(5), filter_backends(7)

AUTHOR
       filtergen was originally written by Matthew Kirkwood. Jamie Wilkinson <jaq@spacepants.org> then rewrote a lot of the internals, added some features, and took on maintenance of the project.

                                                               January 7, 2004                                                                 FILTERGEN(8)

FGADM(8)						      System Manager's Manual							  FGADM(8)

NAME
       fgadm - filtergen command program

SYNOPSIS
       fgadm [ check | reload | save | stop ]

DESCRIPTION
       fgadm is a simple command interface for managing filtergen(8) based packet filters.

USAGE
       fgadm can be used to stop existing filters (thus turning them off), reload new packet filters, save currently running filters for longevity, and to check filter scripts for errors before reloading.

       The following commands are accepted by fgadm:

       check  Check the filter script /etc/filtergen/rules.filter for errors. The generated filter will be printed on standard output, and errors printed to standard error.

       reload Replace the current live packet filter with the one in /etc/filtergen/rules.filter. The script will be tested for errors before reloading.

       save   The current live packet filter will be saved in a distribution-friendly way. On Red Hat systems, this will save the iptables or ipchains firewall that is currently loaded into the kernel to load at boot with the iptables or ipchains initscript.

       stop   This command will flush the current live packet filter out and put it in a default accept mode, thus no firewalling will be in place. This is useful to abort firewalls in an emergency.

EXAMPLES
       One may find the following sequence of commands useful for making firewall changes on live servers. The at(1) job is a safety net: if the new ruleset locks you out, the queued fgadm stop flushes it two minutes later; once the reload is confirmed to be working, atrm removes the job and fgadm save makes the filter persistent.

              # at now + 2 min
              warning: commands will be executed using (in order) a) $SHELL b) login shell c) /bin/sh
              at> fgadm stop
              at> ^D<EOT>
              job 53 at 2004-06-07 17:25
              # fgadm check
              # fgadm reload
              # atq
              53
              # atrm 53
              # fgadm save
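       The same check/reload/confirm-or-rollback sequence as a reusable script. This is an added example, not a script shipped with the filtergen package: it assumes fgadm is on PATH and that fgadm check exits non-zero when the ruleset has errors (the man page only says errors go to standard error); the file name safe-reload.sh, the ROLLBACK_SECS variable, the marker file under /tmp and the confirmation prompt are this script's own. Instead of an at(1) job it keeps a background timer that runs fgadm stop unless the operator confirms in time, so no atd is needed and the rollback cannot be forgotten.

```shell
#!/bin/sh
# safe-reload.sh: reload a filtergen-based firewall with an automatic
# rollback.  Added example, not part of the filtergen package.  Assumes
# fgadm is on PATH and that "fgadm check" exits non-zero on errors.
#
# Flow (the at(1) sequence from fgadm(8), without atd):
#   1. fgadm check            - refuse to touch the live filter on errors
#   2. start a timer that runs "fgadm stop" after $ROLLBACK_SECS seconds
#   3. fgadm reload
#   4. wait for the operator to type "yes"; if the timer wins, the filter
#      has already been flushed to accept-all and that is reported
#   5. on confirmation, cancel the timer and run "fgadm save"

: "${ROLLBACK_SECS:=120}"

# Returns 0 if the new filter was kept, 1 if it was rolled back,
# 2 if the ruleset failed "fgadm check".
safe_reload() {
    marker="${TMPDIR:-/tmp}/fgadm-rollback.$$"
    rm -f "$marker"

    if ! fgadm check >/dev/null; then
        echo "safe_reload: fgadm check failed, live filter untouched" >&2
        return 2
    fi

    # Rollback timer.  Sleeping in 1 s steps keeps any orphaned sleep
    # short after the timer is killed.  Once the deadline passes, SIGTERM
    # is ignored so the rollback cannot be cut off half-way, and the
    # marker file records that "fgadm stop" is being run.
    (
        i=0
        while [ "$i" -lt "$ROLLBACK_SECS" ]; do
            sleep 1
            i=$((i + 1))
        done
        trap '' TERM
        : > "$marker"
        fgadm stop
    ) </dev/null &
    timer=$!

    if ! fgadm reload; then
        # State of the live filter is unknown: cancel the timer and flush
        # now rather than leaving a half-loaded ruleset in place.
        kill "$timer" 2>/dev/null || true
        wait "$timer" 2>/dev/null || true
        echo "safe_reload: fgadm reload failed, flushing filter" >&2
        fgadm stop
        return 1
    fi

    echo "New filter loaded. Type 'yes' within ${ROLLBACK_SECS}s to keep it," >&2
    echo "otherwise it is flushed to accept-all (fgadm stop)." >&2
    answer=""
    read -r answer || true

    # Cancel the timer (harmless if it has already fired) and wait for it,
    # so the marker check below does not race the rollback.
    kill "$timer" 2>/dev/null || true
    wait "$timer" 2>/dev/null || true

    if [ -e "$marker" ]; then
        rm -f "$marker"
        echo "safe_reload: no confirmation in time, filter rolled back (accept-all)" >&2
        return 1
    fi

    if [ "$answer" != "yes" ]; then
        echo "safe_reload: not confirmed, rolling back now" >&2
        fgadm stop
        return 1
    fi

    # fgadm(8) BUGS: save does not work on Debian with iptables, so a
    # failure here is reported but does not undo the reload.
    fgadm save || echo "safe_reload: fgadm save failed; persist the filter by hand" >&2
    return 0
}

# Only run when invoked with an argument, e.g.  ./safe-reload.sh go
if [ $# -gt 0 ]; then
    safe_reload
fi
```

       Run it from the session in which the ruleset is being edited. As the description of stop above warns, a rollback leaves the host with no filtering at all, so treat the accept-all state as an emergency fallback and reload a known-good ruleset promptly.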
FILES
       /etc/filtergen/rules.filter
              Packet filter descriptions are read from this file when fgadm is used.

       /etc/filtergen/fgadm.conf
              This file alters the behaviour of filtergen as called from fgadm.

BUGS
       fgadm save does not work on Debian systems with iptables due to a lack of common sense in the iptables package.

SEE ALSO
       filtergen(8), filter_syntax(5), filter_backends(5)

AUTHOR
       fgadm was written by Jamie Wilkinson <jaq@spacepants.org> for the filtergen package, to ease maintenance of filtergen-based firewalls.

                                                                 June 7, 2004                                                                      FGADM(8)