Qubes firewall learning based on denied connections

firewall-learn.pl

#!/usr/bin/perl

# usage:
#  sudo tcpdump -vni eth0 port 53 or icmp | perl ./firewall-learn.pl

use strict;
use Data::Dumper;
use Sys::Hostname;


my %dns_cache;
my $host = hostname();

if (defined($ARGV[0])) {
	$host = $ARGV[0];
}

my $denied_ip = undef;
my $denied_host = undef;

while (<>) {
	if (defined($denied_ip)) {
		if (m/ > $denied_ip\.(\S+): Flags/) {
			print "qvm-firewall -a $host $denied_host tcp $1\n";
			$denied_ip = undef;
		} elsif (m/^[0-9]/) {
			# next packet
			print STDERR "Unrecognised packet to $denied_ip ($denied_host)\n";
			$denied_ip = undef;
		}
	}
	if (m/\.domain > 10\..*: \d+ \d+\/\d+\/\d+ (.*) \(\d+\)$/) {
		# DNS response
		foreach (split(/, /, $1)) {
			if (m/(\S+) A ([0-9.]+)/) {
				$dns_cache{$2} = $1;
			}
		}
	}
	if (m/ICMP host ([0-9.]+) unreachable - admin prohibited/) {
		$denied_ip = $1;
		if (defined($dns_cache{$1})) {
			$denied_host = $dns_cache{$1};
		} else {
			$denied_host = $denied_ip;
		}
	}

}

#print Dumper(%dns_cache);