Free filtering vodka software for linux

ip-filter-cgi is a set of perl script to modify rules of IP Filter (IP Filter is a TCP/IP packet filter cf: http://coombs.anu.edu.au/~avalon/ip-filter.html). If you make any improvement, correction send it back to. The scripts is not complete and is provided for testing purpose.
adulau@metatix.com .
Main features:
- Perl 5.0 (+CGI.pm)
- a HTTP server (Apache)

FIR filter Plugin is an effect plugin for XMMS which enables to filter audio data using long FIR (finite impulse response) filters. Typical applications is loudspeaker or room equalization which typically requires filters with more than 300 taps (filter weights).

The FIR filter plugin uses the fftw3 library to perform the filtering using the overlap-and-add method. If fftw3 is not available the plugin will perform the filtering (convolution) in the time-domain which is much less efficient for long filters.

Packet filtering setup script by Anthony C. Zboralski. Adapted by Didi Damian for iptables version 1.0.0

Sample:

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Set up variables
EXT_IF="eth0"
INT_IF="eth1"
EXT_IP=24.x.x.x/32
INT_IP=192.168.0.1/32
EXT_NET=24.x.x.0/24
INT_NET=192.168.0.0/24
MASQ_NETS="192.168.0.0/24"
LOCAL_ADDRS="127.0.0.0/8 192.168.0.1/32 24.x.x.x/32"
MAIL_RELAY=24.x.x.x/32
SMB_ACCESS="192.168.0.2/32"
SMB_BCAST="192.168.0.255/32"

# Turn on IP forwarding
echo Turning on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load the ip_tables module
echo Loading ip_tables module.
/sbin/modprobe ip_tables || exit 1
# I let the kernel dynamically load the other modules

echo Flush standard tables.
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD
echo Deny everything until firewall setup is completed.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

CHAINS=`iptables -n -L |perl -n -e /Chains+(S+)/ && !($1 =~ /^(INPUT|FORWARD|OUTPUT)$/) && print "$1 "`
echo Remove remaining chains:
echo $CHAINS
for chain in $CHAINS; do
iptables --flush $chain
done
# 2nd step cause of dependencies
for chain in $CHAINS; do
iptables --delete-chain $chain
done

for net in $MASQ_NETS; do
# I delete all the rules so you can rerun the scripts without bloating
# your nat entries.
iptables -D POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE 2>/dev/null
iptables -A POSTROUTING -t nat -s $MASQ_NETS -j MASQUERADE || exit 1
done
iptables --policy FORWARD ACCEPT

# Create a target for logging and dropping packets
iptables --new LDROP 2>/dev/null
iptables -A LDROP --proto tcp -j LOG --log-level info
--log-prefix "TCP Drop "
iptables -A LDROP --proto udp -j LOG --log-level info
--log-prefix "UDP Drop "
iptables -A LDROP --proto icmp -j LOG --log-level info
--log-prefix "ICMP Drop "
iptables -A LDROP --proto gre -j LOG --log-level info
--log-prefix "GRE Drop "

iptables -A LDROP -f -j LOG --log-level emerg
--log-prefix "FRAG Drop "
iptables -A LDROP -j DROP

# Create a table for watching some accepting rules
iptables --new WATCH 2>/dev/null
iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
iptables -A WATCH -j ACCEPT


echo Special target for local addresses:
iptables --new LOCAL 2>/dev/null
echo $LOCAL_ADDRS
for ip in $LOCAL_ADDRS; do
iptables -A INPUT --dst $ip -j LOCAL
# iptables -A INPUT --src $ip -i ! lo -j LDROP # lame spoof protect
done
echo Authorize mail from mail relay.
iptables -A LOCAL --proto tcp --syn --src $MAIL_RELAY --dst $EXT_IP --dport 25 -j ACCEPT


echo Authorizing samba access to:
echo $SMB_ACCESS
iptables --new SMB 2>/dev/null
for ip in $SMB_ACCESS; do
iptables -A SMB -s $ip -j ACCEPT
done
iptables -A LOCAL --proto udp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 445 -j SMB
iptables -A INPUT -i ! $EXT_IF --dst $SMB_BCAST -j ACCEPT #lame samba broadcast

echo Drop and log every other incoming tcp connection attempts.
iptables -A LOCAL -i ! lo --proto tcp --syn --j LDROP

echo Authorize dns access for local nets.
for net in $MASQ_NETS 127.0.0.0/8; do
iptables -A INPUT --proto udp --src $net --dport 53 -j ACCEPT
done


echo Enforcing up ICMP policies, use iptables -L ICMP to check.
# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorythm (acz)
iptables --new ICMP 2>/dev/null
iptables -A INPUT --proto icmp -j ICMP
iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j LDROP
iptables -A ICMP -p icmp --icmp-type source-route-failed -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type network-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type communication-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP
iptables -A ICMP -p icmp --icmp-type redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
iptables -A ICMP -p icmp --icmp-type router-advertisement -j LDROP
iptables -A ICMP -p icmp --icmp-type router-solicitation -j LDROP
iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j WATCH
iptables -A ICMP -p icmp --icmp-type parameter-problem -j WATCH
iptables -A ICMP -p icmp --icmp-type ip-header-bad -j WATCH
iptables -A ICMP -p icmp --icmp-type required-option-missing -j WATCH
iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
iptables -A ICMP -p icmp -j LDROP

echo Authorize tcp traffic.
iptables -A INPUT --proto tcp -j ACCEPT

echo Authorize packet output.
iptables --policy OUTPUT ACCEPT

#echo reject ident if you drop em you gotta wait for timeout
#iptables -I LOCAL --proto tcp --syn --dst $EXT_IP --dport 113 -j REJECT

echo Drop and log all udp below 1024.
iptables -A INPUT -i ! lo --proto udp --dport :1023 -j LDROP

echo Drop rpc dynamic udp port:
RPC_UDP=`rpcinfo -p localhost|perl -n -e /.*udps+(d+)s+/ && print $1,"n"|sort -u`
echo $RPC_UDP
for port in $RPC_UDP; do
iptables -A LOCAL -i ! lo --proto udp --dport $port -j LDROP
done

echo Authorize udp above 1024.
iptables -A INPUT --proto udp --dport 1024: -j ACCEPT

Filter::cpp is a cpp source filter.

SYNOPSIS

use Filter::cpp ;

This source filter pipes the current source file through the C pre-processor (cpp) if it is available.

As with all source filters its scope is limited to the current source file only. Every file you want to be processed by the filter must have a

use Filter::cpp ;

near the top.

Here is an example script which uses the filter:

use Filter::cpp ;

#define FRED 1
$a = 2 + FRED ;
print "a = $an" ;
#ifdef FRED
print "Hello FREDn" ;
#else
print "Where is FREDn" ;
#endif

And here is what it will output:

a = 3
Hello FRED

This example below, provided by Michael G Schwern, shows a clever way to get Perl to use a C pre-processor macro when the Filter::cpp module is available, or to use a Perl sub when it is not.

# use Filter::cpp if we can.
BEGIN { eval use Filter::cpp }

sub PRINT {
my($string) = shift;

#define PRINT($string)
(print $string."n")
}

PRINT("Mu");

Look at Michaels Tie::VecArray module for a practical use.

Hook::Filter is a runtime filtering layer on top of subroutine calls.

SYNOPSIS

Imagine you have a big program using a logging library that exports 3 functions called mydebug, myinfo and mywarn. Those functions generate far too much log, so you want to skip calling them except in some specific circumstances.

In your main program, write:

use Hook::Filter hook => ["mydebug","myinfo","mywarn"];

In all modules making use of the logging library, write:

use Hook::Filter;

Then create a file called ./hook_filter.rules. This file contains boolean expressions that specify when calls to the filtered subroutines should be allowed:

# allow calls to mydebug only inside package My::Filthy:Attempt
is_sub(mydebug) && from_pkg(My::Filthy::Attempt)

# allow all calls to myinfo except from inside packages under the namespace My::Test::
is_sub(myinfo) && !from_pkg(/^My::Test/)

# allow calls to mywarn from function do_stuff in package main
# whose third argument is a message that does not match the string invalid login name
is_sub(mywarn) && from_sub(do_stuff) && from_pkg(main) && !has_arg(3,/invalid login name/)

# all other calls to myinfo, mydebug or mywarn will be skipped

SYNOPSIS, Log::Dispatch

Your program uses Log::Dispatch. You want to enable Hook::Filter on top of the methods log and log_to from Log::Dispatch everywhere at once. And you want to use the filter rules located in /etc/myconf/filter_rules.conf. Easy: in main, write:

use Hook::Filter rules => /etc/myconf/filter_rules.conf, hook => [Log::Dispatch::log,Log::Dispatch::log_to];

Compact Filter is a network packet filter for Linux. It features an easy-to-use compact filter representation and high performance.
The main features are: easy to use interface, compact filter representation (memory efficient), and very high performance.
A difference between CF and other firewalls, such as Netfilter, is its representation of the ruleset. In CF the user writes a filter which is then compiled and optimized in user-space. The optimized filter is then loaded into the kernel (using netlink). Consequently the in kernel packet filtering code only needs funtionality for setting up a filter and filtering packets, while the more complex code of optimizing the filter remains in user-space.
Because of the continuous increase of the bandwidth and the security threats, firewalls have to evolve towards more efficient filtering schemes. The truth is that the existing scheme does not scale so well with the combined growth of bandwidth and rulesets.
Our aim is to try another approach to perform packet filtering where we minimize the complexity of the filtering process. This result in, both, a reduction of the required CPU power to filter packets and a simpler (and smaller) kernel code. Of course, we are pushing all the smart and complex part out to the user-space, but, developing in user-space is much simpler and safer.
Enhancements:
- changed -d option to delete all filters
- added -D option to delete a specific filter
- changed default policy to permit rather than deny
- added -l option on flex to support --yylineno on older versions of flex
- new and improved install guide