#!/bin/sh
#
#
# PROVIDE: ipfw
# REQUIRE: ppp
# KEYWORD: nojailvnet
# rc.subr supplies the rc(8) framework helpers used below (load_rc_config,
# run_rc_command, checkyesno, warn, reverse_list, set_rcvar_obsolete);
# network.subr supplies afexists.
. /etc/rc.subr
. /etc/network.subr
name="ipfw"
desc="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
# rc.conf(5) knob that gates this service.
rcvar="firewall_enable"
# start runs as prestart -> start -> postcmd; the firewall is only switched
# on in the postcmd, after the rules have been loaded by start_cmd.
start_cmd="ipfw_start"
start_precmd="ipfw_prestart"
start_postcmd="ipfw_poststart"
stop_cmd="ipfw_stop"
status_cmd="ipfw_status"
# Kernel modules the framework loads before start; ipfw_prestart appends
# optional ones depending on rc.conf settings.
required_modules="ipfw"
extra_commands="status"
# ipv6_firewall_enable is no longer a separate knob; rc.subr warns if it
# is still set.
set_rcvar_obsolete ipv6_firewall_enable
ipfw_prestart()
{
	# Extend required_modules (consumed by rc.subr before ipfw_start runs)
	# with the optional ipfw modules whose rc.conf knob is enabled.
	# Entries are "<rc.conf knob>:<kernel module>"; the list order is the
	# order in which the modules are appended.
	local _pair _knob _mod
	for _pair in dummynet_enable:dummynet \
	    natd_enable:ipdivert \
	    firewall_nat_enable:ipfw_nat \
	    firewall_nat64_enable:ipfw_nat64 \
	    firewall_nptv6_enable:ipfw_nptv6 \
	    firewall_pmod_enable:ipfw_pmod
	do
		_knob=${_pair%%:*}
		_mod=${_pair#*:}
		if checkyesno ${_knob}; then
			required_modules="${required_modules} ${_mod}"
		fi
	done
}
ipfw_start()
{
	local _firewall_type _module _sysctl_reload

	# A type given on the command line wins over $firewall_type from
	# rc.conf; an empty argument falls back as well.
	_firewall_type=${1:-${firewall_type}}

	# If any required module is present, run the sysctl rc script again
	# (presumably so sysctl.conf entries for OIDs that only exist once the
	# module is loaded take effect).
	_sysctl_reload=no
	for _module in ${required_modules}; do
		kldstat -qn ${_module} || continue
		_sysctl_reload=yes
		break
	done
	[ "${_sysctl_reload}" = yes ] && /etc/rc.d/sysctl reload

	# Fall back to the stock rules script when rc.conf names none.
	firewall_script=${firewall_script:-/etc/rc.firewall}

	if [ -r "${firewall_script}" ]; then
		# The rules script is run as a full sh(1) program with the
		# firewall type as its argument, so whoever can write it
		# controls the ruleset.
		/bin/sh "${firewall_script}" "${_firewall_type}"
		echo 'Firewall rules loaded.'
	elif [ "$(ipfw list 65535)" = "65535 deny ip from any to any" ]; then
		# No rules script and the kernel's default rule is deny-all:
		# once enabled, nothing will get through.
		echo 'Warning: kernel has firewall functionality, but' \
		    'firewall rules are not enabled.'
		echo ' All ip services are disabled.'
	fi

	# Per-rule logging (net.inet.ip.fw.verbose) is opt-in via rc.conf.
	if checkyesno firewall_logging; then
		echo 'Firewall logging enabled.'
		${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
	fi
}
ipfw_poststart()
{
	local _coscript

	# Bring up the companion services named in firewall_coscripts
	# (natd is prepended at the bottom of this file) before the
	# firewall is switched on.
	for _coscript in ${firewall_coscripts}; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstart
		fi
	done

	# Enable the packet filter only now, after ipfw_start has loaded
	# the rules; a failure is reported but does not abort the start.
	${SYSCTL} net.inet.ip.fw.enable=1 >/dev/null 2>&1 ||
	    warn "failed to enable IPv4 firewall"
	if afexists inet6; then
		${SYSCTL} net.inet6.ip6.fw.enable=1 >/dev/null 2>&1 ||
		    warn "failed to enable IPv6 firewall"
	fi
}
ipfw_stop()
{
	local _coscript

	# Switch the packet filter off for both address families.
	${SYSCTL} net.inet.ip.fw.enable=0 >/dev/null
	afexists inet6 && ${SYSCTL} net.inet6.ip6.fw.enable=0 >/dev/null

	# Tear the coscripts down in the reverse of the start order.
	for _coscript in $(reverse_list ${firewall_coscripts}); do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstop
		fi
	done
}
ipfw_status()
{
	# sysctl -i stays quiet when the OID does not exist (module not
	# loaded); an empty result counts as "disabled".
	status=$(sysctl -i -n net.inet.ip.fw.enable)
	status=${status:-0}
	if afexists inet6; then
		status6=$(sysctl -i -n net.inet6.ip6.fw.enable)
		status6=${status6:-0}
		status=$((status + status6))
	fi
	# Zero only when neither address family has the firewall enabled.
	if [ "${status}" -ne 0 ]; then
		echo "ipfw is enabled"
		exit 0
	fi
	echo "ipfw is not enabled"
	exit 1
}
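# Read the rc.conf(5) settings for this service, then dispatch the
# requested command (start/stop/status/...).
load_rc_config "$name"
# natd's rc script is always the first coscript; rc.conf may append more.
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
# doesn't make sense to run in a svcj: config setting
ipfw_svcj="NO"
# "$@" passes each argument through intact; the former $* re-split
# arguments on whitespace (and globbed them) before run_rc_command saw
# them.
run_rc_command "$@"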