Diffstat (limited to 'etc')
-rw-r--r--etc/defaults/rc.conf16
-rw-r--r--etc/network.subr31
-rw-r--r--etc/rc.d/netoptions31
-rw-r--r--etc/rc.d/network131
-rw-r--r--etc/rc.d/network231
-rw-r--r--etc/rc.d/network331
-rw-r--r--etc/rc.d/routing31
-rw-r--r--etc/rc.network31
8 files changed, 233 insertions, 0 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 40e621a..23903c4 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -55,6 +55,22 @@ natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="NO" # Enable natd (if firewall_enable == YES).
natd_interface="fxp0" # Public interface or IPaddress to use.
natd_flags="" # Additional flags for natd.
+ipfilter_enable="NO" # Set to YES to enable ipfilter functionality
+ipfilter_program="/sbin/ipf -Fa -f"
+ # program and how to specify the rules file,
+ # see /etc/rc.network (pass1) for details
+ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
+ # /usr/src/contrib/ipfilter/rules for examples
+ipfilter_flags="-E" # should be *empty* when ipf is _not_ a module
+ # (i.e. compiled into the kernel) to
+ # avoid a warning about "already initialized"
+ipnat_enable="NO" # Set to YES for ipnat; needs ipfilter, too!
+ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
+ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
+ipnat_flags="" # additional flags for ipnat
+ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter, too!
+ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
+ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions.
log_in_vain="NO" # YES to log connects to ports w/o listeners.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
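Review bot: The comment on `ipfilter_rules` does not say what happens when that file is missing or unreadable. The boot-script hunks in this commit then set `ipfilter_enable="NO"`, print ' NO IPF RULES' and skip ipmon and ipnat as well, because both are nested inside the same readability check. I would extend the comment along the lines of `# rules file; if unreadable, ipfilter, ipmon and ipnat are all skipped at boot`, so an administrator knows the host can come up without a ruleset unless the kernel blocks by default.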
diff --git a/etc/network.subr b/etc/network.subr
index 8e97b44..4c9d621 100644
--- a/etc/network.subr
+++ b/etc/network.subr
@@ -32,6 +32,37 @@ network_pass1() {
echo -n ' hostname'
fi
+ # Establish ipfilter ruleset as early as possible (best in
+ # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
+ #
+ case "${ipfilter_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipfilter_rules}" ]; then
+ echo -n ' ipfilter';
+ ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
+ case "${ipmon_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' ipmon'
+ ${ipmon_program:-ipmon} ${ipmon_flags}
+ ;;
+ esac
+ case "${ipnat_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipnat_rules}" ]; then
+ echo -n ' ipnat';
+ ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
+ else
+ echo -n ' NO IPNAT RULES'
+ fi
+ ;;
+ esac
+ else
+ ipfilter_enable="NO"
+ echo -n ' NO IPF RULES'
+ fi
+ ;;
+ esac
+
# Set the domainname if we're using NIS
#
case ${nisdomainname} in
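Review bot: The exit status of the load on the `${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}` line is never checked, so a rules file that is readable but fails to load still prints ' ipfilter' and goes on to start ipmon and ipnat. Because the default program flushes with `-Fa` before loading, a failed load presumably leaves an empty or partial ruleset, and whether that passes or blocks traffic depends on the kernel option named in the comment. I would guard the call, e.g. `${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} || echo -n ' IPF RULES FAILED TO LOAD'`, and treat the `ipnat` line the same way. The identical block is added in etc/rc.d/netoptions, network1, network2, network3, routing and etc/rc.network, and network_pass1 starts and ends outside the hunk.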
diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions
index 8e97b44..4c9d621 100644
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
@@ -32,6 +32,37 @@ network_pass1() {
echo -n ' hostname'
fi
+ # Establish ipfilter ruleset as early as possible (best in
+ # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
+ #
+ case "${ipfilter_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipfilter_rules}" ]; then
+ echo -n ' ipfilter';
+ ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
+ case "${ipmon_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' ipmon'
+ ${ipmon_program:-ipmon} ${ipmon_flags}
+ ;;
+ esac
+ case "${ipnat_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipnat_rules}" ]; then
+ echo -n ' ipnat';
+ ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
+ else
+ echo -n ' NO IPNAT RULES'
+ fi
+ ;;
+ esac
+ else
+ ipfilter_enable="NO"
+ echo -n ' NO IPF RULES'
+ fi
+ ;;
+ esac
+
# Set the domainname if we're using NIS
#
case ${nisdomainname} in
diff --git a/etc/rc.d/network1 b/etc/rc.d/network1
index 8e97b44..4c9d621 100644
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@@ -32,6 +32,37 @@ network_pass1() {
echo -n ' hostname'
fi
+ # Establish ipfilter ruleset as early as possible (best in
+ # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
+ #
+ case "${ipfilter_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipfilter_rules}" ]; then
+ echo -n ' ipfilter';
+ ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
+ case "${ipmon_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' ipmon'
+ ${ipmon_program:-ipmon} ${ipmon_flags}
+ ;;
+ esac
+ case "${ipnat_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipnat_rules}" ]; then
+ echo -n ' ipnat';
+ ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
+ else
+ echo -n ' NO IPNAT RULES'
+ fi
+ ;;
+ esac
+ else
+ ipfilter_enable="NO"
+ echo -n ' NO IPF RULES'
+ fi
+ ;;
+ esac
+
# Set the domainname if we're using NIS
#
case ${nisdomainname} in
diff --git a/etc/rc.d/network2 b/etc/rc.d/network2
index 8e97b44..4c9d621 100644
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
@@ -32,6 +32,37 @@ network_pass1() {
echo -n ' hostname'
fi
+ # Establish ipfilter ruleset as early as possible (best in
+ # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
+ #
+ case "${ipfilter_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipfilter_rules}" ]; then
+ echo -n ' ipfilter';
+ ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
+ case "${ipmon_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' ipmon'
+ ${ipmon_program:-ipmon} ${ipmon_flags}
+ ;;
+ esac
+ case "${ipnat_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipnat_rules}" ]; then
+ echo -n ' ipnat';
+ ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
+ else
+ echo -n ' NO IPNAT RULES'
+ fi
+ ;;
+ esac
+ else
+ ipfilter_enable="NO"
+ echo -n ' NO IPF RULES'
+ fi
+ ;;
+ esac
+
# Set the domainname if we're using NIS
#
case ${nisdomainname} in
diff --git a/etc/rc.d/network3 b/etc/rc.d/network3
index 8e97b44..4c9d621 100644
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@@ -32,6 +32,37 @@ network_pass1() {
echo -n ' hostname'
fi
+ # Establish ipfilter ruleset as early as possible (best in
+ # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
+ #
+ case "${ipfilter_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipfilter_rules}" ]; then
+ echo -n ' ipfilter';
+ ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
+ case "${ipmon_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' ipmon'
+ ${ipmon_program:-ipmon} ${ipmon_flags}
+ ;;
+ esac
+ case "${ipnat_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipnat_rules}" ]; then
+ echo -n ' ipnat';
+ ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
+ else
+ echo -n ' NO IPNAT RULES'
+ fi
+ ;;
+ esac
+ else
+ ipfilter_enable="NO"
+ echo -n ' NO IPF RULES'
+ fi
+ ;;
+ esac
+
# Set the domainname if we're using NIS
#
case ${nisdomainname} in
diff --git a/etc/rc.d/routing b/etc/rc.d/routing
index 8e97b44..4c9d621 100644
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@@ -32,6 +32,37 @@ network_pass1() {
echo -n ' hostname'
fi
+ # Establish ipfilter ruleset as early as possible (best in
+ # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
+ #
+ case "${ipfilter_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipfilter_rules}" ]; then
+ echo -n ' ipfilter';
+ ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
+ case "${ipmon_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' ipmon'
+ ${ipmon_program:-ipmon} ${ipmon_flags}
+ ;;
+ esac
+ case "${ipnat_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipnat_rules}" ]; then
+ echo -n ' ipnat';
+ ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
+ else
+ echo -n ' NO IPNAT RULES'
+ fi
+ ;;
+ esac
+ else
+ ipfilter_enable="NO"
+ echo -n ' NO IPF RULES'
+ fi
+ ;;
+ esac
+
# Set the domainname if we're using NIS
#
case ${nisdomainname} in
diff --git a/etc/rc.network b/etc/rc.network
index 8e97b44..4c9d621 100644
--- a/etc/rc.network
+++ b/etc/rc.network
@@ -32,6 +32,37 @@ network_pass1() {
echo -n ' hostname'
fi
+ # Establish ipfilter ruleset as early as possible (best in
+ # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
+ #
+ case "${ipfilter_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipfilter_rules}" ]; then
+ echo -n ' ipfilter';
+ ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
+ case "${ipmon_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' ipmon'
+ ${ipmon_program:-ipmon} ${ipmon_flags}
+ ;;
+ esac
+ case "${ipnat_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipnat_rules}" ]; then
+ echo -n ' ipnat';
+ ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
+ else
+ echo -n ' NO IPNAT RULES'
+ fi
+ ;;
+ esac
+ else
+ ipfilter_enable="NO"
+ echo -n ' NO IPF RULES'
+ fi
+ ;;
+ esac
+
# Set the domainname if we're using NIS
#
case ${nisdomainname} in