author | danny <danny@FreeBSD.org> | 1997-09-11 10:59:02 +0000 |
---|---|---|
committer | danny <danny@FreeBSD.org> | 1997-09-11 10:59:02 +0000 |
commit | 347e2e3c367cf81b878169973f92ca840bdc2f79 (patch) | |
tree | d4778f03cfb9ffe99f176497f48c54a1dddcdbe9 /etc | |
parent | 03e311c03496f6d71419c283ba3b3b5106a68144 (diff) | |
Reviewed by: msmith, alex
Cosmetic changes to the loading of firewall rules and lkm.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/network.subr | 37 | ||||
-rw-r--r-- | etc/rc.conf | 6 | ||||
-rw-r--r-- | etc/rc.d/netoptions | 37 | ||||
-rw-r--r-- | etc/rc.d/network1 | 37 | ||||
-rw-r--r-- | etc/rc.d/network2 | 37 | ||||
-rw-r--r-- | etc/rc.d/network3 | 37 | ||||
-rw-r--r-- | etc/rc.d/routing | 37 | ||||
-rw-r--r-- | etc/rc.firewall | 104 | ||||
-rw-r--r-- | etc/rc.network | 37 |
9 files changed, 288 insertions, 81 deletions
diff --git a/etc/network.subr b/etc/network.subr
index 3c5657d..fb35d2f 100644
--- a/etc/network.subr
+++ b/etc/network.subr
@@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}"
diff --git a/etc/rc.conf b/etc/rc.conf
index ffd02d4..9925a71 100644
--- a/etc/rc.conf
+++ b/etc/rc.conf
@@ -6,7 +6,7 @@ # # All arguments must be in double or single quotes. # -# $Id: rc.conf,v 1.24 1997/08/17 10:04:52 jkh Exp $ +# $Id: rc.conf,v 1.25 1997/08/19 16:49:30 pst Exp $ ############################################################## ### Important initial Boot-time options #####################
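Review bot: `if [ $? ] ; then firewall_in_kernel=0` in the new network_pass1() code tests whether the string "$?" is non-empty, which it always is, so `firewall_in_kernel` is forced to 0 regardless of whether `/sbin/ipfw -q flush` succeeded; the intended test is `if [ $? -ne 0 ] ; then`, or more directly `if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1; else firewall_in_kernel=0; fi`. As committed, a kernel with ipfw built in only reaches the "Load the filters" path if the subsequent `modload /lkm/ipfw_mod.o` happens to succeed as well; otherwise, with firewall_enable=YES, the host comes up with a freshly flushed, rule-less ipfw and only the module-load warning printed, and whether that means wide open or fully blocked depends on how the kernel was built. The "All ip services are disabled." message likewise presumes a default-deny policy that this code never checks, so it should be worded as a possibility rather than a fact. The identical hunk appears in six more rc.d copies in this commit and needs the same fix in each. network_pass1() starts and ends outside this hunk.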
@@ -28,7 +28,9 @@ local_periodic="/usr/local/etc/periodic /usr/X11R6/etc/periodic" # periodic scri ### Basic network options: ### hostname="myname.my.domain" # Set this! nisdomainname="NO" # Set to NIS domain if using NIS (or NO). -firewall="NO" # firewall type (see /etc/rc.firewall) or NO. +firewall_enable="NO" # Set to YES to enable firewall functionality +firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) +firewall_quiet="NO" # Set to YES to suppress rule display tcp_extensions="YES" # Allow RFC1323 & RFC1544 extensions (or NO). network_interfaces="lo0" # List of network interfaces (lo0 is loopback). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions
index 3c5657d..fb35d2f 100644
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
@@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in
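Review bot: `firewall_type="UNKNOWN"` is seeded with a value that the rc.firewall dispatch in this same commit does not recognise: its final `elif` uses "NONE" as the no-rules sentinel and treats any other unmatched string as a rules file to test with `-r`, so "UNKNOWN" loads nothing only because no file of that name exists in the boot-time working directory. Either seed the sentinel the script actually checks or make the comment list what is accepted, e.g. `firewall_type="UNKNOWN"  # open, client, simple, NONE, or full path of an ipfw rules file (see /etc/rc.firewall)`. It would also help readers to say on the `firewall_enable` line that leaving it "NO" does not disable an ipfw that is compiled into the kernel; the network.subr change in this commit warns in that case that no rules are loaded and the kernel's own default policy applies.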
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}"
diff --git a/etc/rc.d/network1 b/etc/rc.d/network1
index 3c5657d..fb35d2f 100644
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}"
diff --git a/etc/rc.d/network2 b/etc/rc.d/network2
index 3c5657d..fb35d2f 100644
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
@@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}"
diff --git a/etc/rc.d/network3 b/etc/rc.d/network3
index 3c5657d..fb35d2f 100644
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}"
diff --git a/etc/rc.d/routing b/etc/rc.d/routing
index 3c5657d..fb35d2f 100644
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}"
diff --git a/etc/rc.firewall b/etc/rc.firewall
index b0e29ba..5bfaedc 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -1,17 +1,18 @@ ############ # Setup system for firewall service. -# $Id: rc.firewall,v 1.11 1997/05/03 11:22:17 jkh Exp $ +# $Id: rc.firewall,v 1.12 1997/05/05 07:08:31 jkh Exp $ ############ +# Define the firewall type in /etc/rc.conf. Valid values are: +# open - will allow anyone in +# client - will try to protect just this machine +# simple - will try to protect a whole network +# closed - totally disables IP services except via lo0 interface +# UNKNOWN - disables the loading of firewall rules. +# filename - will load the rules in the given filename (full path required) # -# >>Warning<< -# This file is not very old yet, and have been put together without much -# testing of the contents. - -# Set this to be the type of firewall you want: open, client, simple or NONE. -# ``open'' will allow anyone in, ``client'' will try to protect just one -# machine and ``simple'' will try to protect a whole network (entries should -# be customized appropriately below). To let no one in, use NONE. +# For ``client'' and ``simple'' the entries below should be customized +# appropriately. ############ #
@@ -36,9 +37,21 @@ # http://www.awl.com/ # +if [ "x$1" != "x" ]; then + firewall_type=$1 +fi + +############ +# Set quiet mode if requested +if [ "x$firewall_quiet" = "xYES" ]; then + fwcmd="/sbin/ipfw -q" +else + fwcmd="/sbin/ipfw" +fi + ############ # Flush out the list before we begin. -/sbin/ipfw -f flush +$fwcmd -f flush ############ # If you just configured ipfw in the kernel as a tool to solve network
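Review bot: The rewritten header lists `closed` and `UNKNOWN` as valid values, but the dispatch later in this file (the following hunks of this diff) has no `closed` branch and uses `NONE`, not `UNKNOWN`, as the value that loads no rules, so an administrator following this comment ends up either in the filename fall-through or with a type nothing matches. Keep the list in step with the `if`/`elif` chain: replace the `UNKNOWN` line with `#   NONE     - loads no rules; the kernel's default ipfw policy then applies` and either add a real `closed` branch or drop that entry until one exists.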
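Review bot: `firewall_type=$1` silently replaces the rc.conf setting with the first positional parameter, and since network.subr now sources this file with `. /etc/rc.firewall` from inside `network_pass1()` (see that hunk earlier in the diff), `$1` here is whatever that function was invoked with, not an option addressed to rc.firewall; if it is ever a readable path, the filename branch at the end of the file hands it straight to ipfw. At least document the intent above the test, e.g. `# An explicit argument ("sh /etc/rc.firewall simple" when testing by hand) overrides firewall_type from rc.conf.`, and consider honouring it only when the script is executed directly rather than sourced, for instance by checking `$0` first.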
@@ -46,19 +59,23 @@ # they you will want to change the default policy to open. You can also # do this as your only action by setting the firewall_type to ``open''. -# /sbin/ipfw add 65000 pass all from any to any +# $fwcmd add 65000 pass all from any to any ############ # Only in rare cases do you want to change this rule -/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1 +$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1 # Prototype setups. -if [ "${firewall}" = "open" ]; then +if [ "${firewall_type}" = "open" ]; then + + $fwcmd add 65000 pass all from any to any - /sbin/ipfw add 65000 pass all from any to any +elif [ "${firewall_type}" = "simple" ]; then -elif [ "${firewall}" = "client" ]; then + $fwcmd add 65000 pass all from any to any via lo0 + +elif [ "${firewall_type}" = "client" ]; then ############ # This is a prototype setup that will protect your system somewhat against 
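Review bot: The newly inserted `elif [ "${firewall_type}" = "simple" ]` branch, which adds only `pass all from any to any via lo0`, precedes the pre-existing `simple` branch (renamed in the next hunk to `elif [ "${firewall_type}" = "simple" ]; then`), so that second branch is now unreachable: a host configured with firewall_type=simple gets the loopback rules and nothing else, and the documented whole-network ruleset never loads. The header in the first hunk describes exactly this lo0-only behaviour as "closed", so the intended line is almost certainly `elif [ "${firewall_type}" = "closed" ]; then`; as committed, "closed" matches no branch and drops into the filename test at the end of the file. Since rule 65000 is the catch-all, a comment on the `open` and `closed` branches saying that anything else leaves the outcome to the kernel's default policy would save the next reader from guessing.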
@@ -71,32 +88,32 @@ elif [ "${firewall}" = "client" ]; then ip="192.168.4.17" # Allow any traffic to or from my own net. - /sbin/ipfw add pass all from ${ip} to ${net}:${mask} - /sbin/ipfw add pass all from ${net}:${mask} to ${ip} + $fwcmd add pass all from ${ip} to ${net}:${mask} + $fwcmd add pass all from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded - /sbin/ipfw add pass tcp from any to any established + $fwcmd add pass tcp from any to any established # Allow setup of incoming email - /sbin/ipfw add pass tcp from any to ${ip} 25 setup + $fwcmd add pass tcp from any to ${ip} 25 setup # Allow setup of outgoing TCP connections only - /sbin/ipfw add pass tcp from ${ip} to any setup + $fwcmd add pass tcp from ${ip} to any setup # Disallow setup of all other TCP connections - /sbin/ipfw add deny tcp from any to any setup + $fwcmd add deny tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${ip} - /sbin/ipfw add pass udp from ${ip} to any 53 + $fwcmd add pass udp from any 53 to ${ip} + $fwcmd add pass udp from ${ip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${ip} - /sbin/ipfw add pass udp from ${ip} to any 123 + $fwcmd add pass udp from any 123 to ${ip} + $fwcmd add pass udp from ${ip} to any 123 # Everything else is denied as default. -elif [ "${firewall}" = "simple" ]; then +elif [ "${firewall_type}" = "simple" ]; then ############ # This is a prototype setup for a simple firewall. Configure this machine 
@@ -117,43 +134,42 @@ elif [ "${firewall}" = "simple" ]; then iip="192.168.3.17" # Stop spoofing - /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif} - /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif} + $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} + $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface - /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} - /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} - /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} + $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} + $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} + $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} # Allow TCP through if setup succeeded - /sbin/ipfw add pass tcp from any to any established + $fwcmd add pass tcp from any to any established # Allow setup of incoming email - /sbin/ipfw add pass tcp from any to ${oip} 25 setup + $fwcmd add pass tcp from any to ${oip} 25 setup # Allow access to our DNS - /sbin/ipfw add pass tcp from any to ${oip} 53 setup + $fwcmd add pass tcp from any to ${oip} 53 setup # Allow access to our WWW - /sbin/ipfw add pass tcp from any to ${oip} 80 setup + $fwcmd add pass tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside - /sbin/ipfw add deny log tcp from any to any in via ${oif} setup + $fwcmd add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection - /sbin/ipfw add pass tcp from any to any setup + $fwcmd add pass tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${oip} - /sbin/ipfw add pass udp from ${oip} to any 53 + $fwcmd add pass udp from any 53 to ${oip} + $fwcmd add pass udp from ${oip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${oip} - 
/sbin/ipfw add pass udp from ${oip} to any 123 + $fwcmd add pass udp from any 123 to ${oip} + $fwcmd add pass udp from ${oip} to any 123 # Everything else is denied as default. -elif [ "${firewall}" != "NONE" -a -r "${firewall}" ]; then - - /sbin/ipfw ${firewall} +elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then + $fwcmd ${firewall} fi
diff --git a/etc/rc.network b/etc/rc.network
index 3c5657d..fb35d2f 100644
--- a/etc/rc.network
+++ b/etc/rc.network
@@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" |
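Review bot: The filename branch now tests `-r "${firewall_type}"` but still executes `$fwcmd ${firewall}`, the variable this commit renames away, so a site that points firewall_type at its own rules file gets ipfw invoked with an empty (or stale) argument and the file is never loaded; it should read `$fwcmd "${firewall_type}"`. The header added in the first hunk says a full path is required, yet `-r` happily accepts a relative name resolved against the boot-time working directory, so consider enforcing the contract with something like `case "${firewall_type}" in /*) ;; *) echo "firewall_type must be a full path" ;; esac` before the `-r` test. Quoting the argument also keeps a path with spaces from being word-split into several ipfw arguments. The rc.network hunk that follows on this line is byte-for-byte the etc/network.subr change reviewed earlier in the diff and has the same `[ $? ]` problem.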