Free anisotropic filtering software for linux

Constrictor is a Python module for parsing, filtering, and delivering mail as a Mail Delivery Agent (like Procmail). Constrictor provides the functionality to easily write a MDA in Python rather than reading some configuration file of its own syntax.
This has the advantages that configurations are readable and self-explanatory (at least, to anyone who knows Python) and that users have the full flexibility of the Python language at their disposal. Constrictor has the ability to deliver to maildir and Unix mbox format mailboxes, as well as bounce, forward, or reject messages.
Constrictor is currently beta software, at best. Im always very leery of software that messes with my mail, since one runs the risk of not only losing messages but, potentially, bouncing mail to great embarassment and chagrin. That said, I am currently using Constrictor on my own mailbox full-time, but, as always, your mileage may vary.
Installation
Constrictor is a single Python module that should be placed either in the directory you intend to invoke your MDA from, or in your Python library directory. The only non-standard module it relies on is the spamd module from the SpamAssassin distribution (available at http://spamassassin.apache.org/full/2.6x/dist/contrib/spamd.py), and only then if you intend to use the "spamassassin()" function to filter your mail (the module is loaded only when that function is called). Constrictor should work on all versions of Python greater than 2.3; it has been tested primarily on 2.3.4, 2.3.5, 2.4.1.
The spamassassin() function connects to a (optionally specified) spamd server (it defaults to localhost). If you do not have a spamd server, you cannot use this function.
For Postfix and Sendmail, edit your ~/.forward to include "|/path/to/filter.py". For more information on invoking this script as an MDA,see your MTAs manual or ask your administrator.
Enhancements:
- This release adds locking code to duplicate database (pickle file used to recognize duplicate messages) access.
- This release contains no known stability or delivery reliability issues, and thus is considered stable.

Packet filtering setup script by Anthony C. Zboralski. Adapted by Didi Damian for iptables version 1.0.0

Sample:

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Set up variables
EXT_IF="eth0"
INT_IF="eth1"
EXT_IP=24.x.x.x/32
INT_IP=192.168.0.1/32
EXT_NET=24.x.x.0/24
INT_NET=192.168.0.0/24
MASQ_NETS="192.168.0.0/24"
LOCAL_ADDRS="127.0.0.0/8 192.168.0.1/32 24.x.x.x/32"
MAIL_RELAY=24.x.x.x/32
SMB_ACCESS="192.168.0.2/32"
SMB_BCAST="192.168.0.255/32"

# Turn on IP forwarding
echo Turning on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load the ip_tables module
echo Loading ip_tables module.
/sbin/modprobe ip_tables || exit 1
# I let the kernel dynamically load the other modules

echo Flush standard tables.
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD
echo Deny everything until firewall setup is completed.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

CHAINS=`iptables -n -L |perl -n -e /Chains+(S+)/ && !($1 =~ /^(INPUT|FORWARD|OUTPUT)$/) && print "$1 "`
echo Remove remaining chains:
echo $CHAINS
for chain in $CHAINS; do
iptables --flush $chain
done
# 2nd step cause of dependencies
for chain in $CHAINS; do
iptables --delete-chain $chain
done

for net in $MASQ_NETS; do
# I delete all the rules so you can rerun the scripts without bloating
# your nat entries.
iptables -D POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE 2>/dev/null
iptables -A POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE || exit 1
done
iptables --policy FORWARD ACCEPT

# Create a target for logging and dropping packets
iptables --new LDROP 2>/dev/null
iptables -A LDROP --proto tcp -j LOG --log-level info
--log-prefix "TCP Drop "
iptables -A LDROP --proto udp -j LOG --log-level info
--log-prefix "UDP Drop "
iptables -A LDROP --proto icmp -j LOG --log-level info
--log-prefix "ICMP Drop "
iptables -A LDROP --proto gre -j LOG --log-level info
--log-prefix "GRE Drop "

iptables -A LDROP -f -j LOG --log-level emerg
--log-prefix "FRAG Drop "
iptables -A LDROP -j DROP

# Create a table for watching some accepting rules
iptables --new WATCH 2>/dev/null
iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
iptables -A WATCH -j ACCEPT


echo Special target for local addresses:
iptables --new LOCAL 2>/dev/null
echo $LOCAL_ADDRS
for ip in $LOCAL_ADDRS; do
iptables -A INPUT --dst $ip -j LOCAL
# iptables -A INPUT --src $ip -i ! lo -j LDROP # lame spoof protect
done
echo Authorize mail from mail relay.
iptables -A LOCAL --proto tcp --syn --src $MAIL_RELAY --dst $EXT_IP --dport 25 -j ACCEPT


echo Authorizing samba access to:
echo $SMB_ACCESS
iptables --new SMB 2>/dev/null
for ip in $SMB_ACCESS; do
iptables -A SMB -s $ip -j ACCEPT
done
iptables -A LOCAL --proto udp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 445 -j SMB
iptables -A INPUT -i ! $EXT_IF --dst $SMB_BCAST -j ACCEPT #lame samba broadcast

echo Drop and log every other incoming tcp connection attempts.
iptables -A LOCAL -i ! lo --proto tcp --syn --j LDROP

echo Authorize dns access for local nets.
for net in $MASQ_NETS 127.0.0.0/8; do
iptables -A INPUT --proto udp --src $net --dport 53 -j ACCEPT
done


echo Enforcing up ICMP policies, use iptables -L ICMP to check.
# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorythm (acz)
iptables --new ICMP 2>/dev/null
iptables -A INPUT --proto icmp -j ICMP
iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j LDROP
iptables -A ICMP -p icmp --icmp-type source-route-failed -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type network-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type communication-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP
iptables -A ICMP -p icmp --icmp-type redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
iptables -A ICMP -p icmp --icmp-type router-advertisement -j LDROP
iptables -A ICMP -p icmp --icmp-type router-solicitation -j LDROP
iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j WATCH
iptables -A ICMP -p icmp --icmp-type parameter-problem -j WATCH
iptables -A ICMP -p icmp --icmp-type ip-header-bad -j WATCH
iptables -A ICMP -p icmp --icmp-type required-option-missing -j WATCH
iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
iptables -A ICMP -p icmp -j LDROP

echo Authorize tcp traffic.
iptables -A INPUT --proto tcp -j ACCEPT

echo Authorize packet output.
iptables --policy OUTPUT ACCEPT

#echo reject ident if you drop em you gotta wait for timeout
#iptables -I LOCAL --proto tcp --syn --dst $EXT_IP --dport 113 -j REJECT

echo Drop and log all udp below 1024.
iptables -A INPUT -i ! lo --proto udp --dport :1023 -j LDROP

echo Drop rpc dynamic udp port:
RPC_UDP=`rpcinfo -p localhost|perl -n -e /.*udps+(d+)s+/ && print $1,"n"|sort -u`
echo $RPC_UDP
for port in $RPC_UDP; do
iptables -A LOCAL -i ! lo --proto udp --dport $port -j LDROP
done

echo Authorize udp above 1024.
iptables -A INPUT --proto udp --dport 1024: -j ACCEPT

ip-filter-cgi is a set of perl script to modify rules of IP Filter (IP Filter is a TCP/IP packet filter cf: http://coombs.anu.edu.au/~avalon/ip-filter.html). If you make any improvement, correction send it back to. The scripts is not complete and is provided for testing purpose.
adulau@metatix.com .
Main features:
- Perl 5.0 (+CGI.pm)
- a HTTP server (Apache)

Yet Another Filter Proxy project is a preforking, banner filtering, content scanning Perl proxy.



Yet Another Filter Proxy is a proxy to filter out advertising banners and malicious script code from web sites. It is written in Perl and based on an example by Randal L. Schwartz.

For performance reasons it uses preforking to spawn several processes of itself (like Apache does).

Unlike other available proxies (such as Junkbuster), it does blocking by Perl regular expressions on the site content, which allows you to block JavaScript and popups, in addition to normal ads.

Run perldoc yafp.pl for full readme!

The fairly fast packet filter (FFPF) is an approach to network packet processing that adds many new features to existing filtering solutions like BPF.
fairly fast packet filter is designed for high speed by pushing computationally intensive tasks to the kernel or even network processors and by minimising packet copying.
By providing both access to richer programming languages and explicit extensibility, it is also considerably more flexible than existing approaches.
FFPF provides a complete solution for network monitoring that caters to all applications available today. Exploiting its extensibility, the language can even be used as a meta-filter to `script together filters from other approaches, such as BPF.
Main features:
- fast: processes significantly more packets per second than LSF (reference)
- scalable: transparently supports hardware assist, like that given by the Intel IXP2x00 network processors
- backward compatible: supports all existing libpcap based applications
- extensible: separates functionality from the framework. FFPF currently ships with implementations of BPF, Aho Corasick, Boyer Moore Horspool, and many more
- modular: new functions can be written in as little as 3 lines of code
- secure: relies on Keynote for authentication and resource control
- open and standard adherent: licensed under the GNU General Public License (GPL). It implements the Monitoring API (MAPI) draft as designed by the EU-SCAMPI consortium
Enhancements:
- enabled kernelspace processing
- enabled all 5 buffer implementations (Continuous, Fixed-size slot, Variable sized slot, Double ring and Index)
- added TCP stream reassembly and early implementation of zero-copy reassembly
- added PCAP input and output support, for userspace testing and offline use
- added additional minor functions: TCP Synprotect, output to files, ...
- added support for UDEV
- extended controlplane: flowspaces can now be queried for live state
- fixed up many bugs, hacks and irregularities.

DNS Blacklist Packet Filter project is a Linux netfilter client that decides whether to accept or drop packets based on the results of a DNS blacklist query (such as MAPS, SORBS, or SPEWS, to name a few).

One use is to filter all incoming SMTP SYN packets for spam filtering.

Hook::Filter is a runtime filtering layer on top of subroutine calls.

SYNOPSIS

Imagine you have a big program using a logging library that exports 3 functions called mydebug, myinfo and mywarn. Those functions generate far too much log, so you want to skip calling them except in some specific circumstances.

In your main program, write:

use Hook::Filter hook => ["mydebug","myinfo","mywarn"];

In all modules making use of the logging library, write:

use Hook::Filter;

Then create a file called ./hook_filter.rules. This file contains boolean expressions that specify when calls to the filtered subroutines should be allowed:

# allow calls to mydebug only inside package My::Filthy:Attempt
is_sub(mydebug) && from_pkg(My::Filthy::Attempt)

# allow all calls to myinfo except from inside packages under the namespace My::Test::
is_sub(myinfo) && !from_pkg(/^My::Test/)

# allow calls to mywarn from function do_stuff in package main
# whose third argument is a message that does not match the string invalid login name
is_sub(mywarn) && from_sub(do_stuff) && from_pkg(main) && !has_arg(3,/invalid login name/)

# all other calls to myinfo, mydebug or mywarn will be skipped

SYNOPSIS, Log::Dispatch

Your program uses Log::Dispatch. You want to enable Hook::Filter on top of the methods log and log_to from Log::Dispatch everywhere at once. And you want to use the filter rules located in /etc/myconf/filter_rules.conf. Easy: in main, write:

use Hook::Filter rules => /etc/myconf/filter_rules.conf, hook => [Log::Dispatch::log,Log::Dispatch::log_to];