Menu

[r10367]: / legacy / etc / rc.d / ipfw  Maximize  Restore  History

Download this file

138 lines (116 with data), 3.3 kB 

#!/bin/sh
#
# $FreeBSD: src/etc/rc.d/ipfw,v 1.15.2.2.2.1 2009/04/15 03:14:26 kensmith Exp $
#
# Modified by Volker Theile (votdev@gmx.de)
# Changes:
# - Modify prereqs
# - Add status command
# - Add mkconf command to create firewall rules file
#

# PROVIDE: ipfw
# REQUIRE: netif
# BEFORE: NETWORKING
# KEYWORD: nojail
# XQUERY: -i "count(//system/firewall/enable) > 0" -o "0" -b
# RCVAR: firewall

. /etc/rc.subr
. /etc/network.subr
. /etc/configxml.subr

name="ipfw"
rcvar="firewall_enable"

load_rc_config "$name"

# Custom commands
start_cmd="ipfw_start"
start_precmd="ipfw_prestart"
stop_cmd="ipfw_stop"
status_cmd="ipfw_status"
mkconf_cmd="ipfw_mkconf"
extra_commands="status mkconf"
required_modules="ipfw"

# Defaults
firewall_script_auxrules=${firewall_script_auxrules:-"/etc/rc.firewall.auxrules"}
firewall_verbose_limit=${firewall_verbose_limit:-"5"}

ipfw_status()
{
	if ${SYSCTL} net.inet.ip.fw.enable > /dev/null 2>&1; then
		echo "${name} is running."
	else
		echo "${name} is not running."
		return 1
	fi
}

ipfw_mkconf()
{
	# Clean the rules file
	cat /dev/null > ${firewall_script_auxrules}

	# Add rules
	/usr/local/bin/xml sel -t -m "//system/firewall/rule[enable]" -s A:N:- "ruleno" \
		-v "concat('\${fwcmd} add ',action)" \
		-i "count(log) > 0" -o " log" -b \
		-v "concat(' ',protocol,' from ')" \
		-i "string-length(src) > 0" -v "src" -b \
		-i "string-length(src) = 0" -o "any" -b \
		-i "string-length(srcport) > 0" -v "concat(' ',srcport)" -b \
		-o " to " \
		-i "string-length(dst) > 0" -v "dst" -b \
		-i "string-length(dst) = 0" -o "any" -b \
		-i "string-length(dstport) > 0" -v "concat(' ',dstport)" -b \
		-i "string-length(direction) > 0" -v "concat(' ',direction)" -b \
		-i "string-length(extraoptions) > 0" -v "concat(' ',extraoptions)" -b \
		-i "string-length(if) > 0" -v "concat(' via ',if)" -b \
		-n \
		${configxml_file} | /usr/local/bin/xml unesc > ${firewall_script_auxrules}

		# Set verbose logging limit
		${SYSCTL_W} net.inet.ip.fw.verbose_limit=${firewall_verbose_limit}
}

ipfw_prestart()
{
	ipfw_mkconf

	if checkyesno dummynet_enable; then
		required_modules="$required_modules dummynet"
	fi

	if checkyesno firewall_nat_enable; then
		if ! checkyesno natd_enable; then
			required_modules="$required_modules ipfw_nat"
		fi
	fi 
}

ipfw_start()
{
	local   _firewall_type

	_firewall_type=$1 

	# set the firewall rules script if none was specified
	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

	if [ -r "${firewall_script}" ]; then
		if [ -f /etc/rc.d/natd ] ; then
			/etc/rc.d/natd start
		fi
		/bin/sh "${firewall_script}" "${_firewall_type}"
		echo 'Firewall rules loaded.'
	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
		echo 'Warning: kernel has firewall functionality, but' \
		    ' firewall rules are not enabled.'
		echo '           All ip services are disabled.'
	fi

	# Firewall logging
	#
	if checkyesno firewall_logging; then
		echo 'Firewall logging enabled.'
		sysctl net.inet.ip.fw.verbose=1 >/dev/null
	fi

	# Enable the firewall
	#
	${SYSCTL_W} net.inet.ip.fw.enable=1
}

ipfw_stop()
{
	# Disable the firewall
	#
	${SYSCTL_W} net.inet.ip.fw.enable=0
	if [ -f /etc/rc.d/natd ] ; then
		/etc/rc.d/natd stop
	fi
}

load_rc_config $name
run_rc_command $*
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.