#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: ipfw
# REQUIRE: ppp
# KEYWORD: nojailvnet

. /etc/rc.subr
. /etc/network.subr

name="ipfw"
rcvar="firewall_enable"

# Loading the rules (ipfw_start) and switching filtering on
# (ipfw_poststart) are deliberately separate rc hooks: the rule set goes
# in first, the enable sysctl is flipped afterwards.
start_precmd="ipfw_prestart"
start_cmd="ipfw_start"
start_postcmd="ipfw_poststart"
stop_cmd="ipfw_stop"

# Base module only; ipfw_prestart appends dummynet/ipdivert/ipfw_nat
# when the matching rc.conf knobs are set.
required_modules="ipfw"

# ipv6_firewall_enable is obsolete: IPv6 is switched on and off by the
# same firewall_enable knob (see ipfw_poststart / ipfw_stop).
set_rcvar_obsolete ipv6_firewall_enable

ipfw_prestart()
{
	local	_pair _knob _module

	# Extend required_modules (the list rc.subr loads before start)
	# with the optional kernel modules, keyed on the rc.conf knob that
	# needs each one.  Order of the list is preserved.
	for _pair in dummynet_enable:dummynet \
	    natd_enable:ipdivert \
	    firewall_nat_enable:ipfw_nat; do
		_knob=${_pair%%:*}
		_module=${_pair#*:}
		if checkyesno "${_knob}"; then
			required_modules="${required_modules} ${_module}"
		fi
	done
}

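ipfw_start()
{
	local	_firewall_type

	# Optional firewall type given on the command line ("ipfw start
	# open"); empty leaves the choice to the rules script itself.
	_firewall_type=$1

	# set the firewall rules script if none was specified
	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

	if [ -r "${firewall_script}" ]; then
		# A failing rules script used to go unnoticed; report it,
		# since the rule set in the kernel may then be partial.
		if ! /bin/sh "${firewall_script}" "${_firewall_type}"; then
			warn "${firewall_script} exited with non-zero status; the rule set may be incomplete."
		fi
		echo 'Firewall rules loaded.'
	else
		# Nothing gets loaded, yet ipfw_poststart still switches the
		# firewall on.  Say so regardless of the kernel's default
		# policy: with a default deny everything is blocked,
		# otherwise traffic is likely to pass unfiltered, and either
		# deserves a message on the console.
		warn "firewall rules script ${firewall_script} is not readable; no rules loaded."
		if [ "$(ipfw list 65535)" = "65535 deny ip from any to any" ]; then
			echo 'Warning: kernel has firewall functionality, but' \
			    ' firewall rules are not enabled.'
			echo '           All ip services are disabled.'
		else
			warn "default rule 65535 is not 'deny ip from any to any'; traffic may pass unfiltered."
		fi
	fi

	# Firewall logging
	#
	if checkyesno firewall_logging; then
		# Same sysctl wrapper as ipfw_poststart/ipfw_stop; report a
		# failure rather than claiming logging is on.
		if ${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null 2>&1; then
			echo 'Firewall logging enabled.'
		else
			warn "failed to enable firewall logging (net.inet.ip.fw.verbose)"
		fi
	fi
	if checkyesno firewall_logif; then
		# Only claim the interface exists when ifconfig(8) says so.
		if ifconfig ipfw0 create; then
			echo 'Firewall logging pseudo-interface (ipfw0) created.'
		else
			warn "failed to create firewall logging pseudo-interface ipfw0"
		fi
	fi
}
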
ipfw_poststart()
{
	local	_coscript

	# Start firewall coscripts (natd comes first, see the bottom of this
	# file) before the firewall is switched on.  Entries that do not
	# exist are skipped; the rest are run as-is with "quietstart".
	for _coscript in ${firewall_coscripts} ; do
		[ -f "${_coscript}" ] || continue
		${_coscript} quietstart
	done

	# Enable the firewall
	#
	# This runs after ipfw_start has loaded the rules, so filtering
	# begins with the intended rule set rather than the bare default
	# rule.  Failures are reported but are not fatal.
	if ! ${SYSCTL} net.inet.ip.fw.enable=1 >/dev/null 2>&1; then
		warn "failed to enable IPv4 firewall"
	fi
	if afexists inet6 && ! ${SYSCTL} net.inet6.ip6.fw.enable=1 >/dev/null 2>&1; then
		warn "failed to enable IPv6 firewall"
	fi
}

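ipfw_stop()
{
	local	_coscript

	# Disable the firewall
	#
	# Only the enable knob is cleared; nothing here flushes the rules.
	# While disabled ipfw does not filter, so "stop" deliberately
	# exposes the host.  Failures are reported through warn, matching
	# ipfw_poststart, instead of leaving raw sysctl output on the
	# console and carrying on as if the firewall were off.
	if ! ${SYSCTL} net.inet.ip.fw.enable=0 >/dev/null 2>&1; then
		warn "failed to disable IPv4 firewall"
	fi
	if afexists inet6; then
		if ! ${SYSCTL} net.inet6.ip6.fw.enable=0 >/dev/null 2>&1; then
			warn "failed to disable IPv6 firewall"
		fi
	fi

	# Stop firewall coscripts
	#
	# Walk the list in reverse of the start order, so the natd entry
	# prepended at the bottom of this file is stopped last.
	for _coscript in $(reverse_list ${firewall_coscripts}) ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstop
		fi
	done
}
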
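load_rc_config "$name"

# natd(8) is always driven as a coscript ahead of whatever rc.conf lists
# in firewall_coscripts: started by ipfw_poststart before the firewall is
# switched on, and stopped last by ipfw_stop's reverse walk.
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"

# Hand the arguments over intact ("$@", not $*) so that anything after
# the action, e.g. "start open", can reach ipfw_start as the firewall
# type without being re-split or globbed.
run_rc_command "$@"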
115