
#!/bin/sh
#
# $FreeBSD: src/etc/rc.d/ipfw,v 1.10.2.5.2.1 2008/10/02 02:57:24 kensmith Exp $
#
# Modified by Volker Theile (votdev@gmx.de)
# Changes:
# - Modify prereqs
# - Add status command
# - Add mkconf command to create firewall rules file
#

# PROVIDE: ipfw
# REQUIRE: netif
# BEFORE: NETWORKING
# KEYWORD: nojail
# XQUERY: -i "count(//system/firewall/enable) > 0" -o "0" -b
# RCVAR: firewall

. /etc/rc.subr
. /etc/network.subr
. /etc/configxml.subr

# rc.d identity; rcvar is the rc.conf knob read by load_rc_config below.
name=ipfw
rcvar=firewall_enable

load_rc_config "${name}"

# Command dispatch for run_rc_command.  "status" and "mkconf" are extra
# commands on top of the usual start/stop.
start_precmd=ipfw_precmd
start_cmd=ipfw_start
stop_cmd=ipfw_stop
status_cmd=status_cmd
mkconf_cmd=mkconf_cmd
extra_commands="status mkconf"

# Defaults, applied only when rc.conf left the variable unset or empty.
: "${firewall_script_auxrules:=/etc/rc.firewall.auxrules}"
: "${firewall_verbose_limit:=5}"

#
# status: report whether the ipfw sysctl tree is present.  Note that this
# only tells whether the net.inet.ip.fw.enable OID exists (the module is
# loaded), not whether its value is 1.
# Returns 1 when the OID is missing so "status" exits non-zero.
#
status_cmd()
{
	if ! ${SYSCTL} net.inet.ip.fw.enable > /dev/null 2>&1; then
		echo "${name} is not running."
		return 1
	fi
	echo "${name} is running."
}

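#
# mkconf: regenerate ${firewall_script_auxrules} from the enabled
# //system/firewall/rule entries in ${configxml_file}.  One
# "${fwcmd} add <action> [log] <protocol> from <src>[ <srcport>] to
# <dst>[ <dstport>][ <direction>][ <extraoptions>][ via <if>]" line is
# written per rule, ordered numerically by ruleno.
#
# The output goes through "xml unesc" and is later evaluated as shell
# (the "\${fwcmd}" reference is left for the firewall script to expand),
# so every rule field becomes unquoted shell text in that file.  Rule
# fields therefore need to be validated where they are entered, not here.
#
# Also applies ${firewall_verbose_limit}; that sysctl only exists once the
# ipfw module is loaded, so its status is what the function returns.
#
mkconf_cmd()
{
	# The ">" redirect truncates the rules file before xml runs, so no
	# separate "cat /dev/null >" step is needed; a failed run leaves the
	# file empty rather than stale.
	/usr/local/bin/xml sel -t -m "//system/firewall/rule[enable]" -s A:N "ruleno" \
		-v "concat('\${fwcmd} add ',action)" \
		-i "count(log) > 0" -o " log" -b \
		-v "concat(' ',protocol,' from ')" \
		-i "string-length(src) > 0" -v "src" -b \
		-i "string-length(src) = 0" -o "any" -b \
		-i "string-length(srcport) > 0" -v "concat(' ',srcport)" -b \
		-o " to " \
		-i "string-length(dst) > 0" -v "dst" -b \
		-i "string-length(dst) = 0" -o "any" -b \
		-i "string-length(dstport) > 0" -v "concat(' ',dstport)" -b \
		-i "string-length(direction) > 0" -v "concat(' ',direction)" -b \
		-i "string-length(extraoptions) > 0" -v "concat(' ',extraoptions)" -b \
		-i "string-length(if) > 0" -v "concat(' via ',if)" -b \
		-n \
		"${configxml_file}" | /usr/local/bin/xml unesc > "${firewall_script_auxrules}"

	# Set verbose logging limit
	${SYSCTL_W} net.inet.ip.fw.verbose_limit="${firewall_verbose_limit}"
}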

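#
# start_precmd: make sure the ipfw module is loaded, then regenerate the
# auxiliary rules file and queue dummynet for loading when enabled.
# The module is loaded *before* mkconf_cmd because mkconf_cmd ends with a
# sysctl on net.inet.ip.fw.verbose_limit, which does not exist until ipfw
# is in the kernel.
# Returns 1 (aborting "start") if the module cannot be loaded.
#
ipfw_precmd()
{
	if ! ${SYSCTL} net.inet.ip.fw.enable > /dev/null 2>&1; then
		if ! kldload ipfw; then
			warn "unable to load firewall module."
			return 1
		fi
	fi

	mkconf_cmd

	# required_modules is honoured by run_rc_command after this precmd.
	if checkyesno dummynet_enable; then
		required_modules="${required_modules} dummynet"
	fi

	return 0
}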

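#
# start: run the firewall rules script with /bin/sh (starting natd first
# when its rc script exists), optionally turn on verbose logging, then
# enable packet filtering.
#
# ${firewall_script} is executed as shell, so whatever it sources -- the
# generated ${firewall_script_auxrules} included -- runs with root
# privileges; only trusted files belong there.
# Returns the status of the final ${SYSCTL_W}.
#
ipfw_start()
{
	# set the firewall rules script if none was specified
	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

	if [ -r "${firewall_script}" ]; then
		if [ -f /etc/rc.d/natd ]; then
			/etc/rc.d/natd start
		fi
		/bin/sh "${firewall_script}"
		echo 'Firewall rules loaded.'
	elif [ "$(ipfw list 65535)" = "65535 deny ip from any to any" ]; then
		# Default rule still in place and no readable rules script:
		# enabling the firewall below would block all traffic.
		echo 'Warning: kernel has firewall functionality, but' \
		    ' firewall rules are not enabled.'
		echo '           All ip services are disabled.'
	fi

	# Firewall logging
	#
	if checkyesno firewall_logging; then
		echo 'Firewall logging enabled.'
		${SYSCTL_W} net.inet.ip.fw.verbose=1 >/dev/null
	fi

	# Enable the firewall
	#
	${SYSCTL_W} net.inet.ip.fw.enable=1
}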

#
# stop: turn packet filtering off, then stop natd when its rc script
# exists.  The loaded rule set is left in the kernel.
# Returns the status of "natd stop" when it runs, else 0.
#
ipfw_stop()
{
	natd_rc=/etc/rc.d/natd

	${SYSCTL_W} net.inet.ip.fw.enable=0

	if [ -f "${natd_rc}" ]; then
		"${natd_rc}" stop
	fi
}

# Dispatch on the rc verb ($1): start/stop plus the extra_commands above.
run_rc_command "$1"