Does it also interface to kernel 2.4.x?
Thanks.
Bao
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Pim van Riezen
> Sent: Tuesday, June 12, 2001 11:23 PM
> To: [EMAIL PROTECTED]
> Subject: [Leaf-devel] ANN: access-list, an ipchains replacement
>
>
> Those who followed my CISH efforts a bit know that I started it off by
> writing a wrapper for ipchains which accepted and displayed cisco-syntax
> access-list rules. I've taken this concept one step further now and put
> this functionality in a separate binary. This new command no longer needs
> the ipchains command to function; it interfaces with the 2.2 kernel
> interface directly.
>
> Of course, this new command is what I'm using from cish now. It could be
> that there's an interest for it with other LEAF developers, though. Here's
> a little overview of how to operate it:
>
> [root@nexus /root]# access-list
> access-list 200 permit tcp any any eq auth
> access-list 200 jumpto 101 ip any any via eth2
> access-list 200 jumpto 102 ip any any via dummy0
> access-list 200 jumpto 103 ip any any via lo0
> !
> access-list 101 deny tcp any host 62.250.1.1 eq 7000
> access-list 101 deny tcp any host 62.250.1.30 eq squid log
> access-list 101 jumpto ssh tcp any any eq ssh
> access-list 101 permit ip host 62.250.1.1 host 255.255.255.255
> access-list 101 deny ip any 127.0.0.0 0.255.255.255
> access-list 101 deny ip any 172.16.0.0 0.15.255.255
> access-list 101 deny ip any 192.168.0.0 0.0.255.255
> access-list 101 deny ip any 10.0.0.0 0.255.255.255
> access-list 101 permit tcp any 62.250.1.0 0.0.0.31 range 21-23
> access-list 101 permit tcp any 62.250.1.0 0.0.0.31 eq www
> access-list 101 permit tcp any 62.250.1.0 0.0.0.31 estab
> access-list 101 permit udp any 62.250.1.0 0.0.0.31 gt 1023
> access-list 101 permit tcp any 62.250.1.0 0.0.0.31 gt 1023
> access-list 101 deny ip any any log
> !
> access-list 102 permit ip any any
> !
> access-list 103 permit tcp any lt 1024 any gt 1023 estab
> access-list 103 deny tcp any lt 1024 any lt 1024 syn
> access-list 103 permit ip any any
> !
> access-list ssh permit ip 62.250.3.0 0.0.0.255 any
> access-list ssh permit tcp any any estab
> access-list ssh permit ip 213.136.0.0 0.0.255.255 any
> access-list ssh permit ip host 62.250.7.5 any
> access-list ssh permit ip host 195.64.94.172 any
> access-list ssh permit ip any any log
> [root@nexus /root]#
>
> The output of the command without arguments prints out the access rules in
> "conf format". Adding the "show" flag will show packet counts:
>
> [root@nexus /root]# access-list show ssh
> Extended IP access list ssh
> permit ip 62.250.3.0 0.0.0.255 any (0 matches)
> permit tcp any any estab (60354 matches)
> permit ip 213.136.0.0 0.0.255.255 any (8 matches)
> permit ip host 62.250.7.5 any (6 matches)
> permit ip host 195.64.94.172 any (8 matches)
> permit ip any any (84 matches)
> [root@nexus /root]#
>
> Some "beyond cisco" features are there as well, including inserting a
> rule at the top, as in:
>
> access-list 100 insert permit tcp any any eq 80
>
> and nuking a specific list-entry, as in:
>
> access-list ssh no permit ip 62.250.3.0 0.0.0.255 any
>
> If you're interested in testing this tool, drop me a note. It comes as a
> single .c/.h file that can be compiled. If I get most of the bugs squashed
> I will make it available as a generic download.
>
> Cheers,
> Pi
>
> --
> Head Development -- Vuurwerk Internet -- http://www.vuurwerk.nl/
> Brainbench MVP Unix Programming, twisted artist and Free Software idiot.
> Serversitter and Operator for the Efnet and Undernet chat networks.
> * I need a mental stoma.
>
>
> _______________________________________________
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
>
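To make the "conf format" quoted above concrete, here is an added example that is not Pim's access-list code and not part of the thread: a small Python parser for the rule syntax the announcement shows (any/host/wildcard addresses, eq/gt/lt/range port operators, the estab/syn/log/via flags, and jumpto between lists) together with a first-match evaluator run over an excerpt of the listed rules. The service-name port table, the reading of `estab` as a TCP segment with ACK set, and the rule that a jumpto target falling off its end returns control to the calling list are assumptions; the rule excerpt is taken from the announcement, and the packets fed to it are constructed.

```python
import ipaddress

# Service names used in the announcement's rules; the port numbers are an assumption.
SERVICES = {"auth": 113, "ssh": 22, "www": 80, "squid": 3128}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(toks):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (address, wildcard)."""
    t = toks.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)          # Cisco wildcard: 1 bits are don't-care
    if t == "host":
        return (_ip(toks.pop(0)), 0)
    return (_ip(t), _ip(toks.pop(0)))

def _portop(toks):
    """Consume an optional 'eq|gt|lt PORT' or 'range LO-HI' following an address."""
    if toks and toks[0] in ("eq", "gt", "lt"):
        op, val = toks.pop(0), toks.pop(0)
        return (op, int(val) if val.isdigit() else SERVICES[val])
    if toks and toks[0] == "range":
        toks.pop(0)
        lo, hi = toks.pop(0).split("-")
        return ("range", int(lo), int(hi))
    return ()

def parse_rule(line):
    """Parse 'access-list NAME ACTION [TARGET] PROTO SRC [OP] DST [OP] [flags]'."""
    toks = line.split()
    assert toks.pop(0) == "access-list", line
    rule = {"list": toks.pop(0), "action": toks.pop(0)}
    rule["target"] = toks.pop(0) if rule["action"] == "jumpto" else ""
    rule["proto"] = toks.pop(0)
    rule["src"], rule["sport"] = _addr(toks), _portop(toks)
    rule["dst"], rule["dport"] = _addr(toks), _portop(toks)
    # Whatever remains are flags (estab, syn, log, via IFACE) in any order.
    rule["via"] = toks[toks.index("via") + 1] if "via" in toks else ""
    for flag in ("estab", "syn", "log"):
        rule[flag] = flag in toks
    return rule

def parse_config(text):
    """Group conf-format lines into {list_name: [rule, ...]}; '!' separates lists."""
    lists = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("!"):
            rule = parse_rule(line)
            lists.setdefault(rule["list"], []).append(rule)
    return lists

def _port_match(op, port):
    """An empty operator matches any port."""
    return (not op or (op[0] == "range" and op[1] <= port <= op[2])
            or (op[0] == "eq" and port == op[1]) or (op[0] == "gt" and port > op[1])
            or (op[0] == "lt" and port < op[1]))

def matches(rule, pkt):
    """pkt: dict with proto, src, dst and optional sport, dport, ack, syn, iface."""
    def addr_ok(spec, ip):
        return (_ip(ip) & ~spec[1]) == (spec[0] & ~spec[1])
    return (rule["proto"] in ("ip", pkt["proto"])
            and rule["via"] in ("", pkt.get("iface", ""))
            and addr_ok(rule["src"], pkt["src"]) and addr_ok(rule["dst"], pkt["dst"])
            and _port_match(rule["sport"], pkt.get("sport", 0))
            and _port_match(rule["dport"], pkt.get("dport", 0))
            and (pkt.get("ack") or not rule["estab"])   # estab read as Cisco 'established': ACK set (assumed)
            and (pkt.get("syn") or not rule["syn"]))

def evaluate(lists, name, pkt, trace=None):
    """First match wins; a jumpto target that ends without a verdict hands control back to
    the caller (ipchains user-chain behaviour, assumed). Returns 'permit', 'deny' or None."""
    for rule in lists.get(name, []):
        if not matches(rule, pkt):
            continue
        if rule["log"] and trace is not None:   # 'log' rules record the hit
            trace.append(f"{name}: {rule['action']} {pkt['proto']} {pkt['src']} -> "
                         f"{pkt['dst']}:{pkt.get('dport', 0)}")
        if rule["action"] != "jumpto":
            return rule["action"]
        verdict = evaluate(lists, rule["target"], pkt, trace)
        if verdict is not None:
            return verdict
    return None

SAMPLE_CONF = """\
access-list 200 permit tcp any any eq auth
access-list 200 jumpto 101 ip any any via eth2
!
access-list 101 deny tcp any host 62.250.1.1 eq 7000
access-list 101 jumpto ssh tcp any any eq ssh
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 62.250.1.0 0.0.0.31 range 21-23
access-list 101 deny ip any any log
!
access-list ssh permit ip 62.250.3.0 0.0.0.255 any
access-list ssh permit tcp any any estab
access-list ssh permit ip any any log
"""
LISTS = parse_config(SAMPLE_CONF)  # excerpt of the announcement's rules; 102/103 and the dummy0/lo0 jumps left out
```

Calling `evaluate(LISTS, "200", pkt, trace)` with `trace = []` returns the verdict for a packet dict such as `{"proto": "tcp", "src": "1.2.3.4", "dst": "62.250.1.10", "dport": 22, "syn": True, "iface": "eth2"}` and leaves one line in `trace` for every `log` rule the packet hit on the way, which is what makes the `deny ip any any log` catch-all useful for spotting traffic the list never anticipated. A `None` verdict means the packet fell off the end of list 200 without a decision (for instance a packet on an interface with no `via` jump), and what happens then is up to the chain's default policy, which the excerpt does not set.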