xref: /freebsd-10.2-release/etc/rc.d/ipfw

#!/bin/sh
#
# $FreeBSD: head/etc/rc.d/ipfw 190575 2009-03-30 21:31:52Z emax $
#

# PROVIDE: ipfw
# REQUIRE: ppp
# BEFORE: NETWORKING
# KEYWORD: nojail

. /etc/rc.subr
. /etc/network.subr

name="ipfw"
rcvar="firewall_enable"
start_cmd="ipfw_start"
start_precmd="ipfw_prestart"
stop_cmd="ipfw_stop"
required_modules="ipfw"

ipfw_prestart()
{
	if checkyesno dummynet_enable; then
		required_modules="$required_modules dummynet"
	fi

	if checkyesno firewall_nat_enable; then
		if ! checkyesno natd_enable; then
			required_modules="$required_modules ipfw_nat"
		fi
	fi 
}

ipfw_start()
{
	local   _firewall_type

	_firewall_type=$1 

	# set the firewall rules script if none was specified
	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

	if [ -r "${firewall_script}" ]; then
		if [ -f /etc/rc.d/natd ] ; then
			/etc/rc.d/natd quietstart
		fi
		/bin/sh "${firewall_script}" "${_firewall_type}"
		echo 'Firewall rules loaded.'
	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
		echo 'Warning: kernel has firewall functionality, but' \
		    ' firewall rules are not enabled.'
		echo '           All ip services are disabled.'
	fi

	# Firewall logging
	#
	if checkyesno firewall_logging; then
		echo 'Firewall logging enabled.'
		sysctl net.inet.ip.fw.verbose=1 >/dev/null
	fi

	# Enable the firewall
	#
	if ! ${SYSCTL_W} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
		warn "failed to enable firewall"
	fi
}

ipfw_stop()
{
	# Disable the firewall
	#
	${SYSCTL_W} net.inet.ip.fw.enable=0
	if [ -f /etc/rc.d/natd ] ; then
		/etc/rc.d/natd quietstop
	fi
}

load_rc_config $name
run_rc_command $*