diff options
| author | darrenr <darrenr@FreeBSD.org> | 2000-10-06 12:24:45 +0000 |
|---|---|---|
| committer | darrenr <darrenr@FreeBSD.org> | 2000-10-06 12:24:45 +0000 |
| commit | d021730618104ab174a87b6e451c53d7d6debf2d (patch) | |
| tree | e23a823196a77501fe133c2a42390d2317ad254a /etc | |
| parent | d3c4500dd0fe079f0851ccedbe2aaf5c512a5f7b (diff) | |
| download | FreeBSD-src-d021730618104ab174a87b6e451c53d7d6debf2d.zip FreeBSD-src-d021730618104ab174a87b6e451c53d7d6debf2d.tar.gz | |
This brings support for IP Filter into rc.network and rc.conf with
the appropriate documentation added to rc.conf(5). If all goes well
with this over the next few weeks, the PR will be closed with the
pullup of patches back to 4-STABLE.
PR: 20202
Submitted by: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Reviewed by: Darren Reed <darrenr@freebsd.org>
Approved by: Darren Reed <darrenr@freebsd.org>
Obtained from: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/defaults/rc.conf | 16 | ||||
| -rw-r--r-- | etc/network.subr | 31 | ||||
| -rw-r--r-- | etc/rc.d/netoptions | 31 | ||||
| -rw-r--r-- | etc/rc.d/network1 | 31 | ||||
| -rw-r--r-- | etc/rc.d/network2 | 31 | ||||
| -rw-r--r-- | etc/rc.d/network3 | 31 | ||||
| -rw-r--r-- | etc/rc.d/routing | 31 | ||||
| -rw-r--r-- | etc/rc.network | 31 |
8 files changed, 233 insertions, 0 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index 40e621a..23903c4 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -55,6 +55,22 @@ natd_program="/sbin/natd" # path to natd, if you want a different one. natd_enable="NO" # Enable natd (if firewall_enable == YES). natd_interface="fxp0" # Public interface or IPaddress to use. natd_flags="" # Additional flags for natd. +ipfilter_enable="NO" # Set to YES to enable ipfilter functionality +ipfilter_program="/sbin/ipf -Fa -f" + # program and how to specify the rules file, + # see /etc/rc.network (pass1) for details +ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see + # /usr/src/contrib/ipfilter/rules for examples +ipfilter_flags="-E" # should be *empty* when ipf is _not_ a module + # (i.e. compiled into the kernel) to + # avoid a warning about "already initialized" +ipnat_enable="NO" # Set to YES for ipnat; needs ipfilter, too! +ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file +ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat +ipnat_flags="" # additional flags for ipnat +ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter, too! +ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives +ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog" tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions. log_in_vain="NO" # YES to log connects to ports w/o listeners. tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO). diff --git a/etc/network.subr b/etc/network.subr index 8e97b44..4c9d621 100644 --- a/etc/network.subr +++ b/etc/network.subr @@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions index 8e97b44..4c9d621 100644 --- a/etc/rc.d/netoptions +++ b/etc/rc.d/netoptions @@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.d/network1 b/etc/rc.d/network1 index 8e97b44..4c9d621 100644 --- a/etc/rc.d/network1 +++ b/etc/rc.d/network1 @@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.d/network2 b/etc/rc.d/network2 index 8e97b44..4c9d621 100644 --- a/etc/rc.d/network2 +++ b/etc/rc.d/network2 @@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.d/network3 b/etc/rc.d/network3 index 8e97b44..4c9d621 100644 --- a/etc/rc.d/network3 +++ b/etc/rc.d/network3 @@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.d/routing b/etc/rc.d/routing index 8e97b44..4c9d621 100644 --- a/etc/rc.d/routing +++ b/etc/rc.d/routing @@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.network b/etc/rc.network index 8e97b44..4c9d621 100644 --- a/etc/rc.network +++ b/etc/rc.network @@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in |
