Changeset View
Changeset View
Standalone View
Standalone View
head/sbin/init/rc.d/ipfw
| Property | Old Value | New Value |
|---|---|---|
| svn:executable | null | * \ No newline at end of property |
| svn:keywords | null | FreeBSD=%H \ No newline at end of property |
| #!/bin/sh | |||||
| # | |||||
| # $FreeBSD$ | |||||
| # | |||||
| # PROVIDE: ipfw | |||||
| # REQUIRE: ppp | |||||
| # KEYWORD: nojailvnet | |||||
| . /etc/rc.subr | |||||
| . /etc/network.subr | |||||
| name="ipfw" | |||||
| desc="Firewall, traffic shaper, packet scheduler, in-kernel NAT" | |||||
| rcvar="firewall_enable" | |||||
| start_cmd="ipfw_start" | |||||
| start_precmd="ipfw_prestart" | |||||
| start_postcmd="ipfw_poststart" | |||||
| stop_cmd="ipfw_stop" | |||||
| status_cmd="ipfw_status" | |||||
| required_modules="ipfw" | |||||
| extra_commands="status" | |||||
| set_rcvar_obsolete ipv6_firewall_enable | |||||
| ipfw_prestart() | |||||
| { | |||||
| if checkyesno dummynet_enable; then | |||||
| required_modules="$required_modules dummynet" | |||||
| fi | |||||
| if checkyesno natd_enable; then | |||||
| required_modules="$required_modules ipdivert" | |||||
| fi | |||||
| if checkyesno firewall_nat_enable; then | |||||
| required_modules="$required_modules ipfw_nat" | |||||
| fi | |||||
| } | |||||
| ipfw_start() | |||||
| { | |||||
| local _firewall_type | |||||
| if [ -n "${1}" ]; then | |||||
| _firewall_type=$1 | |||||
| else | |||||
| _firewall_type=${firewall_type} | |||||
| fi | |||||
| # set the firewall rules script if none was specified | |||||
| [ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall | |||||
| if [ -r "${firewall_script}" ]; then | |||||
| /bin/sh "${firewall_script}" "${_firewall_type}" | |||||
| echo 'Firewall rules loaded.' | |||||
| elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then | |||||
| echo 'Warning: kernel has firewall functionality, but' \ | |||||
| ' firewall rules are not enabled.' | |||||
| echo ' All ip services are disabled.' | |||||
| fi | |||||
| # Firewall logging | |||||
| # | |||||
| if checkyesno firewall_logging; then | |||||
| echo 'Firewall logging enabled.' | |||||
| ${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null | |||||
| fi | |||||
| if checkyesno firewall_logif; then | |||||
| ifconfig ipfw0 create | |||||
| echo 'Firewall logging pseudo-interface (ipfw0) created.' | |||||
| fi | |||||
| } | |||||
| ipfw_poststart() | |||||
| { | |||||
| local _coscript | |||||
| # Start firewall coscripts | |||||
| # | |||||
| for _coscript in ${firewall_coscripts} ; do | |||||
| if [ -f "${_coscript}" ]; then | |||||
| ${_coscript} quietstart | |||||
| fi | |||||
| done | |||||
| # Enable the firewall | |||||
| # | |||||
| if ! ${SYSCTL} net.inet.ip.fw.enable=1 >/dev/null 2>&1; then | |||||
| warn "failed to enable IPv4 firewall" | |||||
| fi | |||||
| if afexists inet6; then | |||||
| if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 >/dev/null 2>&1 | |||||
| then | |||||
| warn "failed to enable IPv6 firewall" | |||||
| fi | |||||
| fi | |||||
| } | |||||
| ipfw_stop() | |||||
| { | |||||
| local _coscript | |||||
| # Disable the firewall | |||||
| # | |||||
| ${SYSCTL} net.inet.ip.fw.enable=0 >/dev/null | |||||
| if afexists inet6; then | |||||
| ${SYSCTL} net.inet6.ip6.fw.enable=0 >/dev/null | |||||
| fi | |||||
| # Stop firewall coscripts | |||||
| # | |||||
| for _coscript in `reverse_list ${firewall_coscripts}` ; do | |||||
| if [ -f "${_coscript}" ]; then | |||||
| ${_coscript} quietstop | |||||
| fi | |||||
| done | |||||
| } | |||||
| ipfw_status() | |||||
| { | |||||
| status=$(sysctl -i -n net.inet.ip.fw.enable) | |||||
| if [ ${status:-0} -eq 0 ]; then | |||||
| echo "ipfw is not enabled" | |||||
| exit 1 | |||||
| else | |||||
| echo "ipfw is enabled" | |||||
| exit 0 | |||||
| fi | |||||
| } | |||||
| load_rc_config $name | |||||
| firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}" | |||||
| run_rc_command $* | |||||