#!/bin/sh
#
# $FreeBSD: head/etc/rc.d/ipfw 208060 2010-05-14 04:53:57Z dougb $
#

# PROVIDE: ipfw
# REQUIRE: ppp
# KEYWORD: nojail

. /etc/rc.subr
. /etc/network.subr

# rc.d bookkeeping: the service name, the rc.conf knob that turns it on,
# the kernel module it needs, and the functions run_rc_command dispatches
# to for the start and stop actions.
name=ipfw
rcvar=firewall_enable
required_modules=ipfw

# ipfw_prestart runs before the module load and may extend required_modules.
start_precmd=ipfw_prestart
start_cmd=ipfw_start
start_postcmd=ipfw_poststart
stop_cmd=ipfw_stop

# Register ipv6_firewall_enable as an obsolete rc.conf variable.
set_rcvar_obsolete ipv6_firewall_enable
22200028Sume
# Runs before the ipfw module is loaded and extends required_modules with
# the optional modules the rc.conf knobs ask for:
#   dummynet_enable                          -> dummynet
#   firewall_nat_enable without natd_enable  -> ipfw_nat
# Globals:   required_modules (appended); dummynet_enable,
#            firewall_nat_enable, natd_enable (read via checkyesno)
# Returns:   status of the last test, 0 unless checkyesno itself fails
ipfw_prestart()
{
	if checkyesno dummynet_enable; then
		required_modules="${required_modules} dummynet"
	fi

	# ipfw_nat is skipped when natd_enable is set.
	if checkyesno firewall_nat_enable && ! checkyesno natd_enable; then
		required_modules="${required_modules} ipfw_nat"
	fi
}
35175722Smtm
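# Load the firewall rule set and, if requested, turn on rule logging.
# Arguments: $1 - firewall type, forwarded to the rules script as its first
#                 argument (extra command-line arguments reach us through
#                 run_rc_command)
# Globals:   firewall_script (read; defaults to /etc/rc.firewall),
#            firewall_logging (read via checkyesno), SYSCTL_W (read)
# Outputs:   status messages on stdout; warn on a failed sysctl
ipfw_start()
{
	local	_firewall_type

	_firewall_type=$1

	# set the firewall rules script if none was specified
	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

	# The rules script is executed with this rc script's (root) privileges;
	# only readability is verified here, so the file should be root-owned
	# and not writable by anyone else.
	if [ -r "${firewall_script}" ]; then
		/bin/sh "${firewall_script}" "${_firewall_type}"
		echo 'Firewall rules loaded.'
	elif [ "$(ipfw list 65535)" = "65535 deny ip from any to any" ]; then
		# No rules script and the kernel's default deny rule is still
		# the only one in place.
		echo 'Warning: kernel has firewall functionality, but' \
		    ' firewall rules are not enabled.'
		echo '           All ip services are disabled.'
	fi

	# Firewall logging
	#
	if checkyesno firewall_logging; then
		echo 'Firewall logging enabled.'
		# Same sysctl helper and failure reporting as ipfw_poststart;
		# previously a failure here went unreported.
		if ! ${SYSCTL_W} net.inet.ip.fw.verbose=1 >/dev/null; then
			warn "failed to enable firewall logging"
		fi
	fi
}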
6198184Sgordon
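# Runs after ipfw_start: starts the firewall coscripts listed in
# firewall_coscripts, then sets the IPv4 (and, where the address family
# exists, IPv6) firewall enable sysctl.
# Globals:   firewall_coscripts (read; whitespace-separated script paths),
#            SYSCTL_W (read)
# Outputs:   warn for each enable sysctl that could not be set
ipfw_poststart()
{
	local	_coscript

	# Start firewall coscripts
	#
	# firewall_coscripts is deliberately unquoted so the list word-splits;
	# each resulting path is quoted so it reaches the script unchanged.
	for _coscript in ${firewall_coscripts} ; do
		if [ -f "${_coscript}" ]; then
			"${_coscript}" quietstart
		fi
	done

	# Enable the firewall
	#
	# Done last, after the rules from ipfw_start and the coscripts are
	# in place.
	if ! ${SYSCTL_W} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
		warn "failed to enable IPv4 firewall"
	fi
	if afexists inet6; then
		if ! ${SYSCTL_W} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
		then
			warn "failed to enable IPv6 firewall"
		fi
	fi
}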
8698184Sgordon
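# Disable the firewall, then stop the coscripts in reverse start order.
# Globals:   firewall_coscripts (read; whitespace-separated script paths),
#            SYSCTL_W (read)
# Outputs:   whatever the sysctl helper prints; coscript output
ipfw_stop()
{
	local	_coscript

	# Disable the firewall
	#
	${SYSCTL_W} net.inet.ip.fw.enable=0
	if afexists inet6; then
		${SYSCTL_W} net.inet6.ip6.fw.enable=0
	fi

	# Stop firewall coscripts
	#
	# Reverse of the order ipfw_poststart started them in; the list is
	# deliberately unquoted so it word-splits, each path is quoted.
	for _coscript in $(reverse_list ${firewall_coscripts}) ; do
		if [ -f "${_coscript}" ]; then
			"${_coscript}" quietstop
		fi
	done
}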
106112849Smtm
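load_rc_config $name

# /etc/rc.d/natd is always the first coscript, ahead of any listed in
# rc.conf.
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"

# "$@" hands each command-line argument over intact; the unquoted $* would
# re-split any argument containing whitespace.
run_rc_command "$@"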