blob: e0c46f8ef9254fef3230b264f903c8806fb3b2fd (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: ipfw
# REQUIRE: ppp
# KEYWORD: nojailvnet
. /etc/rc.subr
. /etc/network.subr
name="ipfw"
desc="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
rcvar="firewall_enable"
start_cmd="ipfw_start"
start_precmd="ipfw_prestart"
start_postcmd="ipfw_poststart"
stop_cmd="ipfw_stop"
status_cmd="ipfw_status"
required_modules="ipfw"
extra_commands="status"
set_rcvar_obsolete ipv6_firewall_enable
ipfw_prestart()
{
if checkyesno dummynet_enable; then
required_modules="$required_modules dummynet"
fi
if checkyesno natd_enable; then
required_modules="$required_modules ipdivert"
fi
if checkyesno firewall_nat_enable; then
required_modules="$required_modules ipfw_nat"
fi
}
ipfw_start()
{
local _firewall_type
if [ -n "${1}" ]; then
_firewall_type=$1
else
_firewall_type=${firewall_type}
fi
# set the firewall rules script if none was specified
[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
if [ -r "${firewall_script}" ]; then
/bin/sh "${firewall_script}" "${_firewall_type}"
echo 'Firewall rules loaded.'
elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
echo 'Warning: kernel has firewall functionality, but' \
' firewall rules are not enabled.'
echo ' All ip services are disabled.'
fi
# Firewall logging
#
if checkyesno firewall_logging; then
echo 'Firewall logging enabled.'
${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
fi
if checkyesno firewall_logif; then
ifconfig ipfw0 create
echo 'Firewall logging pseudo-interface (ipfw0) created.'
fi
}
ipfw_poststart()
{
local _coscript
# Start firewall coscripts
#
for _coscript in ${firewall_coscripts} ; do
if [ -f "${_coscript}" ]; then
${_coscript} quietstart
fi
done
# Enable the firewall
#
if ! ${SYSCTL} net.inet.ip.fw.enable=1 >/dev/null 2>&1; then
warn "failed to enable IPv4 firewall"
fi
if afexists inet6; then
if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 >/dev/null 2>&1
then
warn "failed to enable IPv6 firewall"
fi
fi
}
ipfw_stop()
{
local _coscript
# Disable the firewall
#
${SYSCTL} net.inet.ip.fw.enable=0 >/dev/null
if afexists inet6; then
${SYSCTL} net.inet6.ip6.fw.enable=0 >/dev/null
fi
# Stop firewall coscripts
#
for _coscript in `reverse_list ${firewall_coscripts}` ; do
if [ -f "${_coscript}" ]; then
${_coscript} quietstop
fi
done
}
ipfw_status()
{
status=$(sysctl -i -n net.inet.ip.fw.enable)
if [ ${status:-0} -eq 0 ]; then
echo "ipfw is not enabled"
exit 1
else
echo "ipfw is enabled"
exit 0
fi
}
load_rc_config $name
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
run_rc_command $*
|
