[Firewall] Arno-fwfilter: resolve destinations
Arno van Amersfoort
arnova at rocky.eld.leidenuniv.nl
Mon Feb 27 07:53:07 CET 2012
Finally I had some time again to tweak arno-fwfilter a bit. Please read
my comments below.
On 28-Sep-11 12:57, Mark van Dijk wrote:
> Hi Arno,
> I have two requests:
> 1) Currently locations are retrieved with lynx. Could you please update
> this to use wget or curl? These are much more common on servers and are
> designed to function as backends, while lynx is more of a front-end
Done. Totally makes sense. Back then Curl wasn't that common, that's the
reason I used.
> 2) Could you please split RESOLVE_NAMES up into RESOLVE_SRC and
> RESOLVE_DST, and add the ability to resolve destinations? This is
> handy especially for IPv6, because IPv6-addresses can be less
> readable and thus harder to parse, especially when the reader is
> tired ;-) Maybe they can use the same colours as the src/dest IP, and
> the output can be updated a bit for when one is not using colours,
> e.g. they could be of the form src(example.com) dst(example.com).
I've implemented your idea in a slightly different manner. Use the new
FULL_INFO option to get the behavior you want.
> 3) Perhaps maybe you can test if a resolve returns something before
> printing. This way it will not print empty lines if a resolve fails.
That's not that easy with awk unfortunately. I'm planning on rewriting
the script as a POSIX shell script but this requires a lot of work.
> I have currently updated 1 myself using curl (curl -L --connect-timeout
You also need to add --silent to make this truly work properly ;-)
> 2 was a bit harder, because I am not sure how I should add this with
> proper colours. Currently I have resolved it in the following way:
> below the line
> # Show destination
> printf(" %s", $i)
> I added:
> dst=substr($i, 5, length($i)-4)
> then, I updated the block 'if (RESOLVE_NAMES==1)' to this:
> if (RESOLVE_NAMES==1)
> # If multiple names exist for one IP then only use the first (head -n1)
> syscall=sprintf("echo -n \"$(dig +short +time=1 +tries=1 -x %s 2>/dev/null |head -n1 |grep -v \";;.*\" |sed s,.$,\" \",) \" 2>/dev/null", substr(HOSTINFO,5,length(HOSTINFO)-4))
> if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;35m")
> if (USE_HTML==1) printf("<font color=dark purple>")
> syscall=sprintf("echo -n \"$(dig +short +time=1 +tries=1 -x %s 2>/dev/null |head -n1 |grep -v \";;.*\" |sed s,.$,\" \",) \" 2>/dev/null", dst)
> if (USE_ANSI_COLORS==1) printf("\033[0m")
> if (USE_HTML==1) printf("</font>")
> This is far from perfect. The oddest thing is that I have to add the
> printf("-") statement because no hostname gets printed if I don't
> add it. Even printf(" ") does not help. I'm sure you have better ways.
For now we'll just have to live with empty lines until the script has
been rewritten, I guess.
> Looking forward to your reply,
Thanks for your suggestions.
ps. Your name sounds "Dutch" ... ?
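One way request 3 (print a name only when the resolve returned something) could look in a POSIX shell rewrite, as an added example that is not part of the original thread or of arno-fwfilter. The function names `lookup_ptr`, `is_ip_literal` and `annotate_field` are hypothetical, and the `DST=addr(name)` output form is an assumption modelled on the `dst(example.com)` suggestion above.

```shell
#!/bin/sh
# Added example (not arno-fwfilter code): annotate a SRC=/DST= log field
# with its reverse DNS name, and print nothing extra when the lookup fails.

# Hypothetical wrapper around dig, using the options quoted in the thread.
# Kept separate so it can be replaced by a stub when testing offline.
lookup_ptr() {
    dig +short +time=1 +tries=1 -x "$1" 2>/dev/null
}

# Accept only characters that can occur in an IPv4/IPv6 literal, so text
# taken from a log line is never passed on as anything but an address.
is_ip_literal() {
    case "$1" in
        ''|*[!0-9A-Fa-f:.]*) return 1 ;;
    esac
    return 0
}

# annotate_field "DST=192.0.2.10" prints "DST=192.0.2.10(name)" when a PTR
# name was returned, and the unchanged field otherwise.
annotate_field() {
    field=$1
    addr=${field#*=}              # strip the "SRC=" / "DST=" prefix
    name=
    if is_ip_literal "$addr"; then
        # Drop dig's ";;" diagnostics, keep the first answer, remove the
        # trailing dot, and keep only hostname characters: PTR data is
        # remote input and ends up in ANSI or HTML output.
        name=$(lookup_ptr "$addr" | grep -v '^;;' | head -n 1 |
               sed 's/\.$//' | tr -cd 'A-Za-z0-9._-')
    fi
    if [ -n "$name" ]; then
        printf '%s(%s)' "$field" "$name"
    else
        printf '%s' "$field"
    fi
}
```

Because the address is passed to `dig` as a quoted argument rather than formatted into a command string, the check for an empty result happens in the shell before anything is printed.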