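# Generate Netscreen address-book entries plus permit-all policies for every
# address in an IP range and push them to (or remove them from) a firewall
# over telnet.  Command-line flags, defaults and the generated Netscreen
# command strings are the same as before.
#
# Fixes relative to the original version of this script:
#   * the optional log file is opened with 3-arg open on a lexical handle and
#     is written to / closed only when -l was given (the old code did
#     `close LOG or die` unconditionally and printed to an unopened handle
#     whenever -l was absent);
#   * -help / -? print the usage text and exit 0 instead of dying with it;
#   * set_config/unset_config advance the policy id per address, as the -t
#     dry run already did, so the rules no longer all get the same id;
#   * the dry run no longer echoes the password to stdout;
#   * the usage text matches the real default range and mentions -vsys;
#   * bad options, an unparsable range and a missing mode are reported;
#   * Class->new calls, no `&sub;` calls, no empty prototypes.
use strict;
use warnings;

use Getopt::Long;
use Net::IP;
use Net::Telnet::Netscreen;

my $usage = <<"END_USAGE";

This script will configure a netscreen firewall with a set of addresses and rules.
Rules will allow all traffic from a set of source IP addresses to any destination on any port.


Usage:
-h Host (firewall) to configure
-u User
-p Password
-t Run a test run to see the rules and addresses.
\t-t will not apply a configuration to the firewall
\tCan be used in conjunction with -set and -unset
\tto generate different command sets. Default is -set
-policyid Policy ID to start the set of rules at.
\tDefault is 150
-iprange Range of IPs to generate source addresses for.
\tDefault is 1.1.0.2 - 1.1.1.245
-from The zone traffic will be sourced from in the rules.
\tDefault is Untrust
-to The zone traffic will be destined to in the rules.
\tDefault is Trust
-zone The zone the addresses will be associated with.
\tDefault is Untrust
-vsys Optional virtual system to enter before applying the configuration.
-set Apply the rules and addresses to the firewall
-unset Remove the rules from the firewall
-l Optional log file. Enter the full path to the log file.
\tIf the file exists it will be overwritten
-help or -? for this message.

Username, Password, and Host are required.

END_USAGE

# Command-line state.  File-scoped lexicals: the subs below close over them.
my ( $host, $uname, $pw );
my ( $set, $unset, $test, $help );
my ( $policyid, $iprange, $vsys, $log );
my ( $from, $to, $zone );

# NOTE: -p puts the password on the command line, where it is visible to any
# local user who can list processes and in the shell history; prefer a
# dedicated management host for this script.
GetOptions(
    'h=s'        => \$host,
    'u=s'        => \$uname,
    'p=s'        => \$pw,
    'set'        => \$set,
    'unset'      => \$unset,
    'policyid=i' => \$policyid,
    'iprange=s'  => \$iprange,
    't'          => \$test,
    'vsys=s'     => \$vsys,
    'from=s'     => \$from,
    'to=s'       => \$to,
    'zone=s'     => \$zone,
    'l=s'        => \$log,
    'help|?'     => \$help,
) or die $usage;

if ($help) {
    print $usage;
    exit 0;
}
die $usage unless $uname and $pw and $host;

# Defaults, applied after parsing so an explicit flag always wins.
$policyid ||= 150;
$iprange  ||= '1.1.0.2 - 1.1.1.245';
$from     ||= 'Untrust';
$to       ||= 'Trust';
$zone     ||= 'Untrust';

# Zone and vsys names are interpolated verbatim into commands sent over the
# session; a value containing a line break would be sent as a second command.
for my $pair ( [ from => $from ], [ to => $to ], [ zone => $zone ], [ vsys => $vsys ] ) {
    my ( $flag, $value ) = @{$pair};
    next unless defined $value;
    die "-$flag value must not contain control characters\n"
        if $value =~ /[[:cntrl:]]/;
}

# Net::IP walks the range with its overloaded ++ (undef once exhausted); every
# mode below consumes this single iterator.
my $ip = Net::IP->new($iprange)
    or die "Invalid IP range '$iprange'\n";

# Only set when -l was given; every log write is guarded on it.
my $logfh;
if ($log) {
    open $logfh, '>', $log or die "Couldn't open file $log: $!\n";
}

# Telnet session to the firewall; stays undef in a -t dry run.
my $fw;

if ($test) {
    test();
}
elsif ($unset) {
    $fw = connect_firewall();
    unset_config();
}
elsif ($set) {
    $fw = connect_firewall();
    set_config();
}
else {
    print "Nothing to do: specify -t, -set or -unset (see -help).\n";
}

if ($logfh) {
    close $logfh or die "Couldn't close log file $log: $!\n";
}

# Open the telnet session and log in.  Net::Telnet::Netscreen is telnet, so the
# credentials and every command cross the network in clear text; run this only
# from a management network.  Dies with the module's error when login fails.
sub connect_firewall {
    my $session = Net::Telnet::Netscreen->new( host => $host );
    $session->login( $uname, $pw ) or die $session->error;
    return $session;
}

# Print one result line to stdout and, when -l was given, to the log file.
# $ok selects between the success and failure text; the failure text gets the
# firewall's last error appended.
sub report {
    my ( $ok, $done_msg, $failed_msg ) = @_;
    my $line = $ok ? "$done_msg\n" : "$failed_msg\n" . $fw->error . "\n";
    print $line;
    print {$logfh} $line if $logfh;
    return;
}

# Call $action with (dotted-quad, policy id) for every address in the range,
# advancing the policy id after each one.  The do/while form matches Net::IP's
# iterator: the first address is valid on entry and ++ yields undef when the
# range is exhausted.
sub for_each_address {
    my ($action) = @_;
    do {
        $action->( $ip->ip(), $policyid );
        ++$policyid;
    } while ( ++$ip );
    return;
}

# Dry run: print the addresses and the commands that -set (default) or -unset
# would send, without touching the firewall.  The password is deliberately not
# echoed so it does not end up in captured output.
sub test {
    my $count  = 1;
    my $banner = '#' x 65;
    print "$banner\n";
    print "Will log into $host with username $uname (password not shown)\n";
    print "We will start at policy ID $policyid and IP range $iprange\n";
    print "The following addresses and rules will be generated:\n";
    print "$banner\n\n";

    if ($unset) {
        for_each_address( sub {
            my ( $ipaddr, $id ) = @_;
            print "$ipaddr :ip# $count\n";
            my $addrname = address_name($ipaddr);
            print 'unset policy id ' . unset_rule( $addrname, $id ) . "\n";
            print 'unset address ' . unset_addr($addrname) . "\n";
            ++$count;
        } );
    }
    else {
        for_each_address( sub {
            my ( $ipaddr, $id ) = @_;
            print "$ipaddr :ip# $count\n";
            my $addrname = address_name($ipaddr);
            print 'set address ' . set_addr( $addrname, $ipaddr ) . "\n";
            print 'set policy id ' . set_rule( $addrname, $id ) . "\n";
            ++$count;
        } );
    }
    return;
}

# Remove the policy and then the address-book entry for every address in the
# range.  The policy string references the address name, so it goes first.
sub unset_config {
    return unless defined $fw;
    # NOTE(review): enter_vsys' return value is not checked here or in the
    # original; confirm how it signals failure before relying on it.
    $fw->enter_vsys($vsys) if $vsys;
    for_each_address( sub {
        my ( $ipaddr, $id ) = @_;
        my $addrname = address_name($ipaddr);
        my $rule     = unset_rule( $addrname, $id );
        my $addr     = unset_addr($addrname);
        report( $fw->unsetValue( 'policy id', $rule ),
            "Removed $rule", "Could not remove $rule" );
        report( $fw->unsetValue( 'address', $addr ),
            "Removed $addr", "Could not remove $addr" );
    } );
    return;
}

# Create the address-book entry and then the policy for every address in the
# range.  Address first: the policy string references the address name.
sub set_config {
    return unless defined $fw;
    # NOTE(review): enter_vsys' return value is not checked here or in the
    # original; confirm how it signals failure before relying on it.
    $fw->enter_vsys($vsys) if $vsys;
    for_each_address( sub {
        my ( $ipaddr, $id ) = @_;
        my $addrname = address_name($ipaddr);
        my $addr     = set_addr( $addrname, $ipaddr );
        my $rule     = set_rule( $addrname, $id );
        report( $fw->setValue( 'address', $addr ),
            "Added $addr", "Could not add $addr" );
        report( $fw->setValue( 'policy id', $rule ),
            "Added $rule", "Could not add $rule" );
    } );
    return;
}

# Name of the address-book entry generated for one IP.
sub address_name {
    my ($ipaddr) = @_;
    return "AutoGenRule_$ipaddr";
}

# Argument string for `set address`: zone, entry name, /32 host, comment.
sub set_addr {
    my ( $addrname, $ipaddr ) = @_;
    return qq{$zone $addrname $ipaddr/32 "Created with perl for testing"};
}

# Argument string for `set policy id`: permit and log any service from the
# named source address to any destination.
sub set_rule {
    my ( $addrname, $id ) = @_;
    return "$id from $from to $to $addrname any any perm log";
}

# Argument string for `unset address`: zone and entry name.
sub unset_addr {
    my ($addrname) = @_;
    return "$zone $addrname";
}

# Argument string for `unset policy id`.  The address name is accepted for
# symmetry with set_rule but a policy is identified by its id alone.
sub unset_rule {
    my ( undef, $id ) = @_;
    return $id;
}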