From hlfl at hlfl.org Tue Aug 22 01:05:09 2006 From: hlfl at hlfl.org (hlfl at hlfl.org) Date: Tue, 22 Aug 2006 01:05:09 +0200 (CEST) Subject: [Hlfl-cvs] r178 - trunk/doc Message-ID: <20060821230509.C74DE11410B@smtp.nocworld.net> Author: asl Date: 2006-08-22 01:05:09 +0200 (Tue, 22 Aug 2006) New Revision: 178 Added: trunk/doc/syntax.ja.utf8.txt Log: Add hlfl syntax in japanese; contributed by AirWhite
Added: trunk/doc/syntax.ja.utf8.txt
===================================================================
--- trunk/doc/syntax.ja.utf8.txt (rev 0)
+++ trunk/doc/syntax.ja.utf8.txt 2006-08-21 23:05:09 UTC (rev 178)
@@ -0,0 +1,290 @@
+HLFL ??
+-----------------------------------------------------------------------------
+
+hlfl are a list of statements. Each statement have the following syntax :
+hlfl ? statement ??????????? statement ??? :
+
+statement ::= "protocol" ("local") "operator" ("remote") ["on"] [interfaces] keywords
+
+'local' ? ??????????
+'remote' ? ?????????
+
+? :
+
+tcp (192.168.1.1) X (192.168.2.1) [fxp0,xl1]
+
+bsd ipfw ?????? :
+
+ipfw -f add deny tcp from 192.168.1.1 to 192.168.2.1 out via fxp0
+ipfw -f add deny tcp from 192.168.2.1 to 192.168.1.1 in via fxp0
+ipfw -f add deny tcp from 192.168.1.1 to 192.168.2.1 out via xl1
+ipfw -f add deny tcp from 192.168.2.1 to 192.168.1.1 in via xl1
+
+??? ???????????????? :
+
+ 'deny communication between 192.168.1.1 and 192.168.2.1'
+
+all (any) X (any)
+
+?? :
+
+ipfw -f add deny all from any to any
+
+????????? :
+-----------------------------------------------------------------------------
+
+1. ???????
+=====================
+
+-> : ?????(accept)
+<- : ?????(accept)
+<-> : ????????(accept)
+<=>> : ?????????(established)??????(accept)
+<<=> : ?????????(established)??????(accept)
+X : ???????(deny)
+X! : ??????(reject)
+X-> : ??????(deny)
+<-X : ??????(deny)
+X!-> : ?????(reject)
+<-X! : ?????(reject)
+
+Note
+?? <=>> ? <<=> ??????UDP??????????
+?? <-> ???????UDP??????????
+
+2. ??????????
+=========================
+
+??????????????????????????????????
+??1??????????????????
+
+??????? :
+
+operator ::= "accept" | "deny" | "reject" ["from" |
+ "to" | "and" | "established" | "log"]
+
+? :
+
+# 192.168.1.1 ?? 192.168.2.1 ?????????
+# 192.168.2.1 ?? 192.168.2.2 ????????????<->????
+
+tcp (192.168.1.1) accept (192.168.2.1) on interface0
+
+# ???????????
+
+tcp (192.168.1.1) accept from and to (192.168.2.1) on interface0
+
+
+# Accept outgoing connections from 10.1.1.1 to 10.2.2.2, and
+# log them (the same as "log <=>>")
+#
+
+# 10.1.1.1 ?? 102.2.2.2 ???????????
+
+tcp (10.1.1.1) accept established to and log (10.2.2.2)
+
+
+
+
+(src) ? (dst) ???????
+-------------------------------------------------------------------------
+
+(src) ? (dst) ? (IP???? ?????) ??????
+
+???? :
+(192.168.1.1 1-1024) # 192.168.1.1 ? 1?1024????
+(192.168.2.1 21,22,80,49152-65535) # 192.168.2.1 ? 21,22,49152?65535????
+
+??? :
+(IP???? ????? | ?IP???? ?????? | ....)
+
+???? :
+
+(192.168.1.1|192.168.1.12|192.168.1.200) # 192.168.1.1 ? 192.168.1.12 ? 192.168.1.200
+
+
+???????????????????????
+
+tcp (192.168.1.1|192.168.2.1|192.168.3.1) <=> (172.22.0.1|172.22.0.2|172.22.0.3)
+
+??? :
+ 192.168.1.1 ? 172.22.0.1 ? 172.22.0.2 ? 172.22.0.3 ?????
+ 192.168.2.1 ? 172.22.0.1 ? 172.22.0.2 ? 172.22.0.3 ?????
+ 192.168.3.1 ? 172.22.0.1 ? 172.22.0.2 ? 172.22.0.3 ?????
+
+???????????? 'nomix' ???????????????
+
+tcp (192.168.1.1|192.168.2.1|192.168.3.1) <=> (172.22.0.1|172.22.0.2|172.22.0.3) nomix
+??? :
+
+ 192.168.1.1 ? 172.22.0.1 ??????
+ 192.168.2.1 ? 172.22.0.2 ??????
+ 192.168.3.1 ? 172.22.0.3 ??????
+
+
+tcp (192.168.1.1 80 | 192.168.2.1 21) X (172.22.0.1)
+
+?????????
+172.22.0.1 ? 192.168.1.1 ? 80? ? 192.168.2.1 ? 21? ?????????
+
+???
+
+tcp ((192.168.1.1|192.168.2.1) 80,21) X (172.22.0.1)
+
+????????
+172.22.0.1 ? 192.168.1.1 ? 192.168.2.1 ? 21?,80? ?????????
+
+
+??????? ??????
+-------------------------------------------------------------------------------
+
+[???????] ?
+* ?????
+* ??????????
+* ????????????????????
+
+????:
+tcp (192.168.1.1) X (192.168.1.2)
+??? 192.168.1.1 ? 192.168.1.2 ????????
+
+tcp (192.168.1.1) X (192.168.1.2) [eth0]
+??? 192.168.1.1 ? 192.168.1.2 ? eth0 ??????????
+
+tcp (192.168.1.1) <-> (192.168.1.2) [fxp1,fxp2]
+??? 192.168.1.1 ? 192.168.1.2 ? fxp1, fxp2 ????????
+
+tcp (10.0.0.1) <-> (10.254.254.254) on Ethernet0
+??? 10.0.0.1 ? 10.254.254.254 ? Ethernet0 ????????
+
+??????? :
+
+tcp (10.0.0.1) <-> (10.1.1.1) on [eth1, eth2, eth3]
+tcp (10.0.0.1) <-> (10.1.1.1) on (eth1,eth2,eth3)
+
+
+
+
+ICMP
+-------------------------------------------------------------------------------
+
+icmp ????????? :
+
+ echo-request
+ echo-reply
+ destination-unreachable
+ time-exceeded
+
+??? 'ping' ???????? :
+
+icmp (any echo-request) -> (any)
+icmp (any) <- (any echo-reply)
+
+
+
+??
+-------------------------------------------------------------------------------
+
+'define'???????????????????????????????????
+
+ define ?? ?
+
+???? :
+
+define inside 192.168.1.0/24
+define public_ports 1024-65535
+
+???????????????????
+
+(inside public_ports) <=>> (any)
+
+
+Include
+------------------------------------------------------------------------------
+
+'include' ????????????????
+
+??? :
+
+?????def.hlfl??? :
+
+define ftp 21
+define ssh 22
+define telnet 23
+
+
+?????rules.hlfl??? :
+
+include def.hlfl
+
+tcp (any ssh) <<=> (any)
+
+
+
+????
+-------------------------------------------------------------------------------
+
+hlfl ??3??????????????????
+
+- '%'????????????????????????????
+
+ ??? :
+
+ %
+ % This rules are written in hlfl
+ %
+
+ tcp (any) -> (any)
+
+ ????? ipchains ???????? :
+
+ ipchains -A output -s 0/0 -d 0/0 -j ACCEPT
+
+- '#'?????????????????????????????cisco ????????
+
+ ??? :
+
+ %
+ % This rules are written in hlfl
+ %
+
+ # allow all the outgoing tcp
+ tcp (any) -> (any)
+
+ ???? :
+
+ # allow all the outgoing tcp
+ ipchains -A output -s 0/0 -d 0/0 -j ACCEPT
+
+- '!'???????????????????????????
+ ???'!'???????????????
+ ?????????????????????
+
+ !ipchains -A forward -s 0/0 -d 0/0 -i eth0 -j ACCEPT
+ tcp (any) -> (any)
+
+ ???????? :
+
+ ipchains -A forward -s 0/0 -d 0/0 -i eth0 -j ACCEPT
+ ipchains -A output -s 0/0 -d 0/0 -j ACCEPT
+
+ Note: ?? ipfw ????????????????????
+
+ ipchains -A forward -s 0/0 -d 0/0 -i eth0 -j ACCEPT
+ ipfw add allow tcp from any to any out
+
+
+ ????????????????????????? :
+
+ ! if(ipchains) $ipchains -A forward -s 0/0 -d 0/0 -j eth0 -j ACCEPT
+
+ ??????? ipchains ?????????????
+ 'else'??????????
+
+ ! if(ipchains) $ipchains -A forward -s 0/0 -d 0/0 -i eth0 -j MASQ
+ ! else echo "MASQUERADING NOT IMPLEMENTED" ; exit
+
+
+???????
+-------------------------------------------------------------------------------
+
+???? sample_1.hlfl ? sample_2.hlfl ????????????