-rw-r--r-- | etc/defaults/rc.conf | 16 | ||||
-rw-r--r-- | etc/network.subr | 31 | ||||
-rw-r--r-- | etc/rc.d/netoptions | 31 | ||||
-rw-r--r-- | etc/rc.d/network1 | 31 | ||||
-rw-r--r-- | etc/rc.d/network2 | 31 | ||||
-rw-r--r-- | etc/rc.d/network3 | 31 | ||||
-rw-r--r-- | etc/rc.d/routing | 31 | ||||
-rw-r--r-- | etc/rc.network | 31 | ||||
-rw-r--r-- | share/man/man5/rc.conf.5 | 214 |
9 files changed, 447 insertions, 0 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 40e621a..23903c4 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -55,6 +55,22 @@ natd_program="/sbin/natd" # path to natd, if you want a different one.
 natd_enable="NO" # Enable natd (if firewall_enable == YES).
 natd_interface="fxp0" # Public interface or IPaddress to use.
 natd_flags="" # Additional flags for natd.
+ipfilter_enable="NO" # Set to YES to enable ipfilter functionality
+ipfilter_program="/sbin/ipf -Fa -f"
+ # program and how to specify the rules file,
+ # see /etc/rc.network (pass1) for details
+ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
+ # /usr/src/contrib/ipfilter/rules for examples
+ipfilter_flags="-E" # should be *empty* when ipf is _not_ a module
+ # (i.e. compiled into the kernel) to
+ # avoid a warning about "already initialized"
+ipnat_enable="NO" # Set to YES for ipnat; needs ipfilter, too!
+ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
+ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
+ipnat_flags="" # additional flags for ipnat
+ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter, too!
+ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
+ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
 tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions.
 log_in_vain="NO" # YES to log connects to ports w/o listeners.
 tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
diff --git a/etc/network.subr b/etc/network.subr
index 8e97b44..4c9d621 100644
--- a/etc/network.subr
+++ b/etc/network.subr
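Review bot: `ipfilter_program="/sbin/ipf -Fa -f"` and `ipnat_program="/sbin/ipnat -CF -f"` bundle command-line options into the program variable, which departs from the `natd_program`/`natd_flags` split visible in the context lines and only works because the consumer expands the value unquoted. If the intent is that the rules file must sit between these options and the trailing `*_flags`, a comment saying so would keep the next maintainer from "normalising" it back to a bare path, e.g. `# NOTE: options before the rules file belong here; options after it go in ipfilter_flags`. The `ipfilter_flags="-E"` comment could likewise state that the shipped default is only correct for the module case, since a kernel with IPFILTER compiled in will hit the "already initialized" warning on every boot until the user overrides it.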
@@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions index 8e97b44..4c9d621 100644 --- a/etc/rc.d/netoptions +++ b/etc/rc.d/netoptions @@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.d/network1 b/etc/rc.d/network1 index 8e97b44..4c9d621 100644 --- a/etc/rc.d/network1 +++ b/etc/rc.d/network1 
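Review bot: The exit status of `${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}` is never examined, so a rules file that is present but rejected still prints ' ipfilter', leaves `ipfilter_enable` at YES and goes on to start ipmon and ipnat, whereas the unreadable-file branch right below demotes the variable and prints 'NO IPF RULES'. Wrapping the load in an `if` (assuming ipf(8) exits non-zero when it rejects a ruleset, which is worth confirming) makes the two failure modes behave alike and makes the "filter not in the intended state" condition visible on the console rather than only in ipf's own stderr. The `:-` fallbacks are also out of step with the defaults in etc/defaults/rc.conf: `ipf`, `ipnat` and `ipmon` are resolved via PATH here but are `/sbin/...` there. network_pass1() starts and ends outside this hunk. The identical hunk is repeated in etc/rc.d/netoptions, etc/rc.d/network1, etc/rc.d/network2, etc/rc.d/network3, etc/rc.d/routing and etc/rc.network, and this note applies to each of them.
```shell
	if [ -r "${ipfilter_rules}" ]; then
		if ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}; then
			echo -n ' ipfilter'
			# … unchanged: ipmon_enable and ipnat_enable case blocks …
		else
			ipfilter_enable="NO"
			echo -n ' IPF RULES NOT LOADED'
		fi
	else
		# … unchanged: NO IPF RULES branch …
```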
@@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.d/network2 b/etc/rc.d/network2 index 8e97b44..4c9d621 100644 --- a/etc/rc.d/network2 +++ b/etc/rc.d/network2 @@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.d/network3 b/etc/rc.d/network3 index 8e97b44..4c9d621 100644 --- a/etc/rc.d/network3 +++ b/etc/rc.d/network3 
@@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.d/routing b/etc/rc.d/routing index 8e97b44..4c9d621 100644 --- a/etc/rc.d/routing +++ b/etc/rc.d/routing @@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/etc/rc.network b/etc/rc.network index 8e97b44..4c9d621 100644 --- a/etc/rc.network +++ b/etc/rc.network 
@@ -32,6 +32,37 @@ network_pass1() { echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-ipmon} ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index bb1c128..261da1e 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -161,6 +161,8 @@ If set to .Ar YES , and the kernel was not built with IPFIREWALL, the ipfw kernel module will be loaded. +See also +.Ar ipfilter_enable . .It Ar firewall_script (str) If you want to run a firewall script other than .Pa /etc/rc.firewall , 
@@ -218,6 +220,218 @@ or flag is automatically added with the above .Ar natd_interface as an argument. +.\" ----- ipfilter_enable seting -------------------------------- +.It Ar ipfilter_enable +(bool) Set to +.Ar NO +by default. +Setting this to +.Ar YES +enables +.Xr ipf 8 +packet filtering. +Strictly speaking almost any filter could be established +"abusing" this setting and the fact that +.Ar ipfilter_program , +.Ar ipfilter_rules +and +.Ar ipfilter_flags +are concatenated to form a command, +as long as the file specified in +.Ar ipfilter_rules +is readable. +When +.Ar ipfilter_enable +and +.Ar ipnat_enable +are set to +.Ar YES +and the file specified in +.Ar ipnat_rules +is readable, +.Ar ipnat_program , +.Ar ipnat_rules +and +.Ar ipnat_flags +make up a command line to start a network address translation program. +When +.Ar ipfilter_enable +and +.Ar ipmon_enable +are set to +.Ar YES , +.Ar ipmon_program +and +.Ar ipmon_flags +form another command line for monitoring the above actions. +See +.Pa /etc/rc.network +for details. +.Pp +Typical usage will require putting +.Bd -literal +ipfilter_enable="YES" +ipfilter_flags="" +ipnat_enable="YES" +ipmon_enable="YES" + +.Ed +into +.Pa /etc/rc.conf +and editing +.Pa /etc/ipf.rules +and +.Pa /etc/ipnat.rules +appropriately. +Turning off +.Ar firewall_enable +when using ipf is recommended. +Having +.Bd -literal +options IPFILTER +options IPFILTER_LOG +options IPFILTER_DEFAULT_BLOCK + +.Ed +in the kernel configuration file is a good idea, too. +.\" ----- ipfilter_program setting ------------------------------ +.It Ar ipfilter_program +(str) Set to +.Ar /sbin/ipf -Fa -f +by default. +This variable contains a command line +up to (but not including) the filter rule definition +(expected to live in a separate file). +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipfilter_rules setting -------------------------------- +.It Ar ipfilter_rules +(str) Set to +.Ar /etc/ipf.rules +by default. 
+This variable contains the name of the filter rule definition file. +The file is expected to be readable for the filter command to execute. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipfilter_flags setting -------------------------------- +.It Ar ipfilter_flags +(str) Set to +.Ar -E +by default. +This variable contains flags appended to the filter command +after the rule definition filename. +The default setting will initialize an on demand loaded ipf module. +When compiling ipfilter directly into your kernel (as is recommended) +the variable should be empty to not initialize +the code more than once. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipnat_enable setting ---------------------------------- +.It Ar ipnat_enable +(bool) Set to +.Ar NO +by default. +Set it to +.Ar YES +to enable +.Xr ipnat 8 +network address translation. +Setting this variable needs setting +.Ar ipfilter_enable , +too. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipnat_program setting --------------------------------- +.It Ar ipnat_program +(str) Set to +.Ar /sbin/ipnat -CF -f +by default. +This variable contains a command line +up to (but not including) the translation rule definition +(expected to live in a separate file). +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipnat_rules setting ----------------------------------- +.It Ar ipnat_rules +(str) Set to +.Ar /etc/ipnat.rules +by default. +This variable contains the name of the file +holding the network address translation definition. +This file is expected to be readable for the NAT command to execute. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipnat_flags setting ----------------------------------- +.It Ar ipnat_flags +(str) Empty by default. +This variable contains additional flags +appended to the ipnat command line +after the rule definition filename. +See +.Ar ipfilter_enable +for a detailled discussion. 
+.\" ----- ipmon_enable setting ---------------------------------- +.It Ar ipmon_enable +(bool) Set to +.Ar NO +by default. +Set it to +.Ar YES +to enable +.Xr ipmon 8 +monitoring (logging +.Xr ipf 8 +and +.Xr ipnat 8 +events). +Setting this variable needs setting +.Ar ipfilter_enable , +too. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipmon_program setting --------------------------------- +.It Ar ipmon_program +(str) Set to +.Ar /sbin/ipmon +by default. +This variable contains the +.Xr ipmon 8 +executable filename. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipmon_flags setting ----------------------------------- +.It Ar ipmon_flags +(str) Set to +.Ar -Ds +by default. +This variable contains flags passed to the +.Xr ipmon 8 +program. +Another typical example would be +.Ar -D /var/log/ipflog +to have +.Xr ipmon 8 +log directly to a file bypassing +.Xr syslogd 8 . +Make sure to adjust +.Pa /etc/newsyslog.conf +in such case like this: +.Bd -literal +/var/log/ipflog 640 10 100 * Z /var/run/ipmon.pid + +.Ed +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- end of added ipf hook --------------------------------- .It Ar tcp_extensions (bool) Set to .Ar NO |