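#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: ipfw
# REQUIRE: ppp
# KEYWORD: nojailvnet

#
# rc.d script for the ipfw packet filter.
#
# Order of operations on "start":
#   ipfw_prestart  - extend required_modules from the rc.conf knobs
#   ipfw_start     - run the rules script, then configure logging
#   ipfw_poststart - run the coscripts, then switch the firewall on
# The firewall is only switched on in ipfw_poststart, i.e. after the
# rules script has already been run.
#
# rc.conf variables read: firewall_enable, firewall_script,
# firewall_logging, firewall_logif, firewall_coscripts,
# firewall_nat_enable, natd_enable, dummynet_enable.
#

. /etc/rc.subr
. /etc/network.subr

name="ipfw"
rcvar="firewall_enable"
start_cmd="ipfw_start"
start_precmd="ipfw_prestart"
start_postcmd="ipfw_poststart"
stop_cmd="ipfw_stop"
required_modules="ipfw"

set_rcvar_obsolete ipv6_firewall_enable

# Add the optional kernel modules selected in rc.conf to required_modules
# so that the rc framework loads them before ipfw_start runs.
ipfw_prestart()
{
	if checkyesno dummynet_enable; then
		required_modules="$required_modules dummynet"
	fi
	if checkyesno natd_enable; then
		required_modules="$required_modules ipdivert"
	fi
	if checkyesno firewall_nat_enable; then
		required_modules="$required_modules ipfw_nat"
	fi
}

# Load the firewall rules and configure logging.
#
# $1 (optional) is the firewall type; it is passed unchanged as the first
# argument of the rules script.
#
# The rules script (${firewall_script}, default /etc/rc.firewall) is
# executed by /bin/sh with the privileges of this rc script, so it must
# be a trusted, root-owned file.
ipfw_start()
{
	local _firewall_type

	_firewall_type=$1

	# set the firewall rules script if none was specified
	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

	if [ -r "${firewall_script}" ]; then
		/bin/sh "${firewall_script}" "${_firewall_type}"
		echo 'Firewall rules loaded.'
	elif [ "$(ipfw list 65535)" = "65535 deny ip from any to any" ]; then
		# No readable rules script and the kernel's last rule is the
		# default deny: once the firewall is enabled in ipfw_poststart
		# all IP traffic is dropped.
		echo 'Warning: kernel has firewall functionality, but' \
		    ' firewall rules are not enabled.'
		echo ' All ip services are disabled.'
	fi

	# Firewall logging
	#
	# ${SYSCTL} (from rc.subr) is used here, as in the other functions,
	# rather than relying on a PATH lookup of sysctl.
	if checkyesno firewall_logging; then
		echo 'Firewall logging enabled.'
		${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
	fi
	if checkyesno firewall_logif; then
		ifconfig ipfw0 create
		echo 'Firewall logging pseudo-interface (ipfw0) created.'
	fi
}

# Run each coscript listed in firewall_coscripts with "quietstart", then
# switch the IPv4 firewall (and the IPv6 one, when inet6 is available) on.
# Enabling is done last so the rules loaded by ipfw_start are in place.
ipfw_poststart()
{
	local _coscript

	# Start firewall coscripts
	#
	for _coscript in ${firewall_coscripts} ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstart
		fi
	done

	# Enable the firewall
	#
	if ! ${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
		warn "failed to enable IPv4 firewall"
	fi
	if afexists inet6; then
		if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
		then
			warn "failed to enable IPv6 firewall"
		fi
	fi
}

# Switch the firewall off, then run the coscripts with "quietstop" in the
# reverse of their start order.
# A failed sysctl is reported with warn, mirroring ipfw_poststart.
ipfw_stop()
{
	local _coscript

	# Disable the firewall
	#
	if ! ${SYSCTL} net.inet.ip.fw.enable=0 1>/dev/null 2>&1; then
		warn "failed to disable IPv4 firewall"
	fi
	if afexists inet6; then
		if ! ${SYSCTL} net.inet6.ip6.fw.enable=0 1>/dev/null 2>&1
		then
			warn "failed to disable IPv6 firewall"
		fi
	fi

	# Stop firewall coscripts
	#
	for _coscript in $(reverse_list ${firewall_coscripts}) ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstop
		fi
	done
}

load_rc_config "$name"
# natd is always run as a coscript, ahead of any user-supplied ones.
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"

# "$@" rather than $*: keeps each argument intact for run_rc_command.
run_rc_command "$@"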