Hi marc57,
My ZA free works fine, but I have added some goodies to the proggie: fwconwatch, ipfilter, paranoid_conf, secure router, and a personal flaw of IPF WADM of a ZAL-O-FIREWALL inside ZoneAlarm free as it comes by default. So I have some extra protection in the lower realms. No problems or hiccups,
polonus
Just a taste:
#!/usr/local/bin/perl
#----------------------------------------------------------------------------
#
# fwconwatch.pl - Monitor FireWall-1 connection table
#
# www.sabernet.net
#
#
# By default this script checks the status of the connection table every
# 60 seconds. The administrator will be notified by page/email if the
# connection table has reached the warning percentage.
#
# The -f switch causes an output line to be displayed for each check.
# The -F switch causes an output line to be logged via syslogd.
#
# Distributed under the terms of this General Public License
# http://www.gnu.org/copyleft/gpl.html
#
# Revision History:
# 11-Jun-2000 1.3 Added switch info for fwtable.pl ver1.1beta
# 08-Sep-1999 1.2 Added features provided by masato@mulan.aero.org
# 30-Jul-1999 1.1 Added cpu utilization check (SunOS 5.x)
# 30-Jul-1999 1.0 Script completed
#
#----------------------------------------------------------------------------
#
# TARGET : Target FW host
#
# LIMIT : Number of slots in the connection table. Details can be found
# in PhoneBoy's FW1 FAQ: http://www.phoneboy.com/fw1/faq/0289.html
#
# WARN : Percentage at which a page/email will be sent
#
# SRC_MAX : Number of connection sources to report on
#
# SCRIPT : Path to Lance Spitzner's fwtable.pl script
# http://www.enteract.com/~lspitz/fwtable.html
#
# PAGE : Address to send warning page to
#
# EMAIL : Address to send connection report to
#
# SLEEP : Number of seconds to sleep between checks
#
#----------------------------------------------------------------------------
# Site configuration: package globals read by main, get_conns, report_top
# and check_cpu. Every value here is interpolated into a command line, so
# keep them admin-controlled.
$TARGET  = 'localhost';                             # FW host to query
$LIMIT   = 25000;                                   # slots in the connection table
$WARN    = 20;                                      # percent full that triggers a page
$SRC_MAX = 100;                                     # sources listed in the report
$SCRIPT  = "/etc/fw/bin/fwtable.pl -c $LIMIT";      # fwtable.pl < ver 1.1beta
#$SCRIPT  = "/etc/fw/bin/fwtable.pl -s -c $LIMIT";  # fwtable.pl >= ver 1.1beta
$PAGE    = 'pager@example.com';                     # pager address for alarms
$EMAIL   = 'infosec@example.com';                   # recipient of the source report
$LOGGER  = '/usr/bin/logger -p local1.info -t FWD'; # syslog command used by -F
$SLEEP   = 60;                                      # seconds between checks
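# main
#
# Polls the connection table forever: every $SLEEP seconds it computes the
# fill percentage, optionally prints (-f) or syslogs (-F) one status line,
# pages $PAGE and mails a source report when $WARN is reached, then checks
# CPU usage. Runs until killed.
{
    # Read the switch once; the original compared an undefined $ARGV[0]
    # on every iteration when no switch was given.
    my $mode = defined $ARGV[0] ? $ARGV[0] : '';

    while (1)
    {
        my $conns = get_conns();
        # $percent stays a package global: report_top() reads it for the
        # mail subject line.
        $percent = ($conns / $LIMIT) * 100;

        if ($mode eq '-f')
        {
            my $date = `date`;
            $date = '' unless defined $date;
            chomp($date);    # chomp, not chop: never eat a real character
            print "$date $percent% $conns\n";
        }
        elsif (($mode eq '-F') && defined($LOGGER))
        {
            # List-form system: no shell between us and logger. $LOGGER is
            # split on whitespace exactly as the shell used to split it.
            system(split(' ', $LOGGER), "connections=$conns $percent%");
        }

        if ($percent >= $WARN)
        {
            # Page via a list-form pipe open instead of echo|mailx through
            # the shell; $PAGE may hold several space-separated addresses.
            if (open(my $pager_fh, '|-', 'mailx', split(' ', $PAGE)))
            {
                print $pager_fh "fw conn $percent%\n";
                close($pager_fh);
            }
            report_top();
        }

        check_cpu();
        sleep($SLEEP);
    }
}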
#
# get_conns : returns the number of slots filled in the connection table
#
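sub get_conns
{
    # Returns the number of slots in use in the FW-1 connection table, read
    # from the last line of "fw tab -t connections -s $TARGET", which ends
    # with that count. Returns 0 when the command produced nothing usable.
    my $summary = `/etc/fw/bin/fw tab -t connections -s $TARGET | tail -1`;
    $summary = '' unless defined $summary;
    chomp($summary);    # chomp, not chop: chop would drop a digit if there were no newline

    # Only return a fresh capture. The original returned $1 unconditionally,
    # so a failed match (fw unreachable, changed output) handed back a stale
    # value from an earlier regex instead of an obvious zero.
    if ($summary =~ /(\d+)$/)
    {
        return $1;
    }
    return 0;
}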
#
# report_top : reports the top n connection sources
#
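sub report_top
{
    # Runs $SCRIPT (fwtable.pl), counts connections per source IPv4 address
    # from lines that start with a dotted quad, and mails the $SRC_MAX most
    # frequent sources to $EMAIL. Reads the global $percent set by main for
    # the subject line. Returns nothing; warns and returns early if either
    # command cannot be started.
    my %count_of;

    # '-|' mode avoids 2-arg open's mode sniffing. $SCRIPT is still passed
    # as one command string (it carries its own arguments), so it is run
    # exactly as the old "$SCRIPT |" form ran it.
    open(my $table_fh, '-|', $SCRIPT)
        or do { warn "report_top: cannot run $SCRIPT: $!\n"; return; };
    while (my $line = <$table_fh>)
    {
        if ($line =~ /^(\d+\.\d+\.\d+\.\d+)/)
        {
            $count_of{$1}++;
        }
    }
    # The original called close($DATA) on an undeclared scalar, so the
    # pipe to fwtable.pl was never actually closed.
    close($table_fh);

    # Most connections first; the inner sort makes ties come out in a
    # stable address order.
    my $top   = '';
    my $shown = 0;
    foreach my $src ( sort { $count_of{$b} <=> $count_of{$a} } sort(keys %count_of) )
    {
        last if $shown >= $SRC_MAX;
        $top .= sprintf(" %-20s %-8d\n", $src, $count_of{$src});
        $shown++;
    }

    # List-form pipe open: mailx receives its arguments directly, with no
    # shell in between. $EMAIL is split on whitespace so a space-separated
    # recipient list keeps working as it did under the shell.
    open(my $mail_fh, '|-', 'mailx', '-s', "FW Connection Table $percent%", split(' ', $EMAIL))
        or do { warn "report_top: cannot run mailx: $!\n"; return; };
    print $mail_fh "Top $shown connection sources:\n\n$top";
    close($mail_fh);
    return;
}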
#
# check_cpu : checks the cpu stats and sends an alarm if warranted
#
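sub check_cpu
{
    # Samples CPU usage with "iostat -c 5 2" (the last line is the second,
    # 5-second sample; columns user, kernel, iowait per the original's
    # comments) and pages $PAGE when any of them crosses its threshold.
    my $line = `iostat -c 5 2 | tail -1`;
    return unless defined $line;

    my @stats = split ' ', $line;
    # The original compared $stats[0..2] straight away; if iostat is missing
    # or fails the list is empty and the comparisons ran on undef.
    return if @stats < 3;

    if ( ($stats[0] > 85) ||    # user
         ($stats[1] > 85) ||    # kernel
         ($stats[2] > 70) )     # iowait
    {
        # List-form pipe open instead of echo|mailx through the shell;
        # $PAGE may hold several space-separated addresses.
        open(my $pager_fh, '|-', 'mailx', split(' ', $PAGE)) or return;
        print $pager_fh "fw cpu us:$stats[0] ke:$stats[1] io:$stats[2]\n";
        close($pager_fh);
    }
    return;
}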