Index: head/etc/network.subr =================================================================== --- head/etc/network.subr (revision 29299) +++ head/etc/network.subr (revision 29300) @@ -1,209 +1,236 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # 
From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in # this file, but rather in /etc/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. network_pass1() { echo -n 'Doing initial network setup:' # Set the host name if it is not already set if [ -z "`hostname -s`" ] ; then hostname $hostname echo -n ' hostname' fi # Set the domainname if we're using NIS if [ -n "$nisdomainname" -a "x$nisdomainname" != "xNO" ] ; then domainname $nisdomainname echo -n ' domain' fi echo '.' # Set up all the network interfaces, calling startup scripts if needed for ifn in ${network_interfaces}; do if [ -e /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} ${ifn} fi # Do the primary ifconfig if specified eval ifconfig_args=\$ifconfig_${ifn} if [ -n "${ifconfig_args}" ] ; then ifconfig ${ifn} ${ifconfig_args} fi # Check to see if aliases need to be added alias=0 while : do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." 
+ fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + + # Configure routing if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" fi # Set up any static routes. This should be done before router discovery. if [ "x${static_routes}" != "x" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' if [ -n "$tcp_extensions" -a "x$tcp_extensions" != "xYES" ] ; then echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null 2>&1 sysctl -w net.inet.tcp.rfc1644=0 >/dev/null 2>&1 fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null 2>&1 fi if [ "X$router_enable" = X"YES" ]; then echo -n " ${router}"; ${router} ${router_flags} fi if [ "X$ipxgateway_enable" = X"YES" ]; then echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null 2>&1 fi if [ "X$ipxrouted_enable" = X"YES" ]; then echo -n ' IPXrouted: ' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 fi if [ "X$arpproxy_all" = X"YES" ]; then echo -n ' enabling ARP_PROXY_ALL: ' sysctl -w net.link.ether.inet.proxyall=1 2>&1 fi echo '.' network_pass1_done=YES # Let future generations know we made it. 
} network_pass2() { echo -n 'Doing additional network setup:' if [ "X${named_enable}" = X"YES" ]; then echo -n ' named'; named ${named_flags} fi if [ "X${ntpdate_enable}" = X"YES" -o "X${xntpd_enable}" = X"YES" ]; then if [ "X${ntpdate_enable}" = X"YES" ]; then echo -n ' ntpdate'; ntpdate ${ntpdate_flags} >/dev/null 2>&1 fi if [ "X${xntpd_enable}" = X"YES" ]; then echo -n ' xntpd'; xntpd ${xntpd_flags} fi fi if [ "X${timed_enable}" = X"YES" ]; then echo -n ' timed'; timed ${timed_flags} fi if [ "X${portmap_enable}" = X"YES" ]; then echo -n ' portmap'; portmap ${portmap_flags} fi # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. if [ "X${nis_server_enable}" = X"YES" ]; then echo -n ' ypserv'; ypserv ${nis_server_flags} if [ "X${nis_ypxfrd_enable}" = X"YES" ]; then echo -n ' rpc.ypxfrd'; rpc.ypxfrd ${nis_ypxfrd_flags} fi if [ "X${nis_yppasswdd_enable}" = X"YES" ]; then echo -n ' rpc.yppasswdd'; rpc.yppasswdd ${nis_yppasswdd_flags} fi fi # Start ypbind if we're an NIS client if [ "X${nis_client_enable}" = X"YES" ]; then echo -n ' ypbind'; ypbind ${nis_client_flags} if [ "X${nis_ypset_enable}" = X"YES" ]; then echo -n ' ypset'; ypset ${nis_ypset_flags} fi fi echo '.' 
network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' if [ "X${nfs_server_enable}" = X"YES" -a -r /etc/exports ]; then echo -n ' mountd' if [ "X${weak_mountd_authentication}" = X"YES" ]; then mountd_flags="-n" fi mountd ${mountd_flags} if [ "X${nfs_reserved_port_only}" = X"YES" ]; then echo -n ' nfsprivport=YES' sysctl -w vfs.nfs.nfs_privport=1 >/dev/null 2>&1 fi echo -n ' nfsd'; nfsd ${nfs_server_flags} if [ "X$rpc_lockd_enable" = X"YES" ]; then echo -n ' rpc.lockd'; rpc.lockd fi if [ "X$rpc_statd_enable" = X"YES" ]; then echo -n ' rpc.statd'; rpc.statd fi fi if [ "X${nfs_client_enable}" = X"YES" ]; then echo -n ' nfsiod'; nfsiod ${nfs_client_flags} fi if [ "X${amd_enable}" = X"YES" ]; then echo -n ' amd' amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null fi if [ "X${rwhod_enable}" = X"YES" ]; then echo -n ' rwhod'; rwhod fi # Kerberos runs ONLY on the Kerberos server machine if [ "X${kerberos_server_enable}" = X"YES" ]; then echo -n ' kerberos'; kerberos >> /var/log/kerberos.log & echo -n ' kadmind'; \ (sleep 20; kadmind -n >/dev/null 2>&1 &) & fi # IP multicast routing daemon if [ "X${mrouted_enable}" = X"YES" ]; then echo -n ' mrouted'; mrouted ${mrouted_flags} fi echo '.' network_pass3_done=YES } Index: head/etc/rc.conf =================================================================== --- head/etc/rc.conf (revision 29299) +++ head/etc/rc.conf (revision 29300) 
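Review bot: The kernel-support probe in the new firewall block is always false: `if [ $? ] ; then` tests that the string `$?` is non-empty, which it always is, so `firewall_in_kernel` is set to 0 no matter whether `/sbin/ipfw -q flush` succeeded. On a kernel that already has ipfw and has `firewall_enable="YES"`, the subsequent `modload /lkm/ipfw_mod.o` then fails, only the module-load warning is printed, and /etc/rc.firewall is never sourced, which presumably leaves the in-kernel filter with no rules (the situation the hunk's own "All ip services are disabled" message describes). The test should be on the exit status, e.g. `if [ $? -ne 0 ] ; then`, or more directly `if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1; else firewall_in_kernel=0; fi`. The `-n "$firewall_enable"` term in the rules check is redundant once `"x$firewall_enable" = "xYES"` is tested and can be dropped. The identical hunk is repeated in head/etc/rc.d/netoptions, network1, network2 and network3 and needs the same correction in each.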
@@ -1,139 +1,141 @@ #!/bin/sh # # This is rc.conf - a file full of useful variables that you can set # to change the default startup behavior of your system. # # All arguments must be in double or single quotes. # -# $Id: rc.conf,v 1.24 1997/08/17 10:04:52 jkh Exp $ +# $Id: rc.conf,v 1.25 1997/08/19 16:49:30 pst Exp $ ############################################################## ### Important initial Boot-time options ##################### ############################################################## swapfile="NO" # Set to name of swapfile if aux swapfile desired. apm_enable="NO" # Set to YES if you want APM enabled. pccard_enable="NO" # Set to YES if you want to configure PCCARD devices. pccard_mem="DEFAULT" # If pccard_enable=YES, this is card memory address. pccard_ifconfig="NO" # Specialized pccard ethernet configuration (or NO). local_startup="/usr/local/etc/rc.d /usr/X11R6/etc/rc.d" # startup script dirs. local_periodic="/usr/local/etc/periodic /usr/X11R6/etc/periodic" # periodic script dirs ############################################################## ### Network configuration sub-section ###################### ############################################################## ### Basic network options: ### hostname="myname.my.domain" # Set this! nisdomainname="NO" # Set to NIS domain if using NIS (or NO). -firewall="NO" # firewall type (see /etc/rc.firewall) or NO. +firewall_enable="NO" # Set to YES to enable firewall functionality +firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) +firewall_quiet="NO" # Set to YES to suppress rule display tcp_extensions="YES" # Allow RFC1323 & RFC1544 extensions (or NO). network_interfaces="lo0" # List of network interfaces (lo0 is loopback). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. #ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry. ### Network daemon (miscellaneous) & NFS options: ### syslogd_enable="YES" # Run syslog daemon (or NO). 
syslogd_flags="" # Flags to syslogd (if enabled). inetd_enable="YES" # Run the network daemon displatcher (or NO). inetd_flags="" # Optional flags to inetd. named_enable="NO" # Run named, the DNS server (or NO). named_flags="-b /etc/namedb/named.boot" # Flags to named (if enabled). kerberos_server_enable="NO" # Run a kerberos master server (or NO). rwhod_enable="NO" # Run the rwho daemon (or NO). amd_enable="NO" # Run amd service with $amd_flags (or NO). amd_flags="-a /net -c 1800 -k i386 -d my.domain -l syslog /host /etc/amd.map" nfs_client_enable="NO" # This host is an NFS client (or NO). nfs_client_flags="-n 4" # Flags to nfsiod (if enabled). nfs_server_enable="NO" # This host is an NFS server (or NO). nfs_server_flags="-u -t 4" # Flags to nfsd (if enabled). mountd_flags="" # Flags to mountd (if NFS server enabled). nfs_reserved_port_only="NO" # Provide NFS only on secure port (or NO). rpc_lockd_enable="NO" # Run NFS rpc.lockd (*broken!*) if nfs_server. rpc_statd_enable="YES" # Run NFS rpc.statd if nfs_server (or NO). portmap_enable="YES" # Run the portmapper service (or NO). portmap_flags="" # Flags to portmap (if enabled). xtend_enable="NO" # Run the X-10 power controller daemon. xtend_flags="" # Flags to xtend (if enabled). ### Network Time Services options: ### timed_enable="NO" # Run the time daemon (or NO). timed_flags="" # Flags to timed (if enabled). ntpdate_enable="NO" # Run the ntpdate to sync time (or NO). ntpdate_flags="" # Flags to ntpdate (if enabled). xntpd_enable="NO" # Run xntpd Network Time Protocol (or NO). xntpd_flags="" # Flags to xntpd (if enabled). tickadj_enable="NO" # Run tickadj (or NO). tickadj_flags="-Aq" # Flags to tickadj (if enabled). # Network Information Services (NIS) options: ### nis_client_enable="NO" # We're an NIS client (or NO). nis_client_flags="" # Flags to ypbind (if enabled). nis_ypset_enable="NO" # Run ypset at boot time (or NO). nis_ypset_flags="" # Flags to ypset (if enabled). 
nis_server_enable="NO" # We're an NIS server (or NO). nis_server_flags="" # Flags to ypserv (if enabled). nis_ypxfrd_enable="NO" # Run rpc.ypxfrd at boot time (or NO). nis_ypxfrd_flags="" # Flags to rpc.ypxfrd (if enabled). nis_yppasswdd_enable="NO" # Run rpc.yppasswdd at boot time (or NO). nis_yppasswdd_flags="" # Flags to rpc.yppasswdd (if enabled). ### Network routing options: ### defaultrouter="NO" # Set to default gateway (or NO). static_routes="" # Set to static route list (or leave empty). gateway_enable="NO" # Set to YES if this host will be a gateway. router_enable="YES" # Set to YES to enable a routing daemon. router="routed" # Name of routing daemon to use if enabled. router_flags="-q" # Flags for routing daemon. mrouted_enable="NO" # Do multicast routing (see /etc/mrouted.conf). ipxgateway_enable="NO" # Set to YES to enable IPX routing. ipxrouted_enable="NO" # Set to YES to run the IPX routing daemon. ipxrouted_flags="" # Flags for IPX routing daemon. arpproxy_all="" # replaces obsolete kernel option ARP_PROXYALL. ############################################################## ### System console options ################################# ############################################################## keymap="NO" # keymap in /usr/share/syscons/keymaps/* (or NO). keyrate="NO" # keyboard rate to: slow, normal, fast (or NO). keybell="NO" # bell to duration.pitch or normal or visual (or NO). keychange="NO" # function keys default values (or NO). cursor="NO" # cursor type {normal|blink|destructive} (or NO). scrnmap="NO" # screen map in /usr/share/syscons/scrnmaps/* (or NO). font8x16="NO" # font 8x16 from /usr/share/syscons/fonts/* (or NO). font8x14="NO" # font 8x14 from /usr/share/syscons/fonts/* (or NO). font8x8="NO" # font 8x8 from /usr/share/syscons/fonts/* (or NO). blanktime="NO" # blank time (in seconds) or "NO" to turn it off. saver="NO" # screen saver: blank/daemon/green/snake/star/NO. moused_type="NO" # See man page for rc.conf(8) for available settings. 
moused_port="/dev/cuaa0" # Set to your mouse port (required if mousetype set). moused_flags="" # Any additional flags to moused. ############################################################## ### Miscellaneous administrative options ################### ############################################################## cron_enable="YES" # Run the periodic job daemon. lpd_enable="YES" # Run the line printer daemon. lpd_flags="" # Flags to lpd (if enabled). sendmail_enable="YES" # Run the sendmail daemon (or NO). sendmail_flags="-bd -q30m" # -bd is pretty mandatory. savecore_enable="NO" # Save kernel crashdumps for debugging (or NO). dumpdev="NO" # Device name to crashdump to (if enabled). check_quotas="NO" # Check quotas (or NO). accounting_enable="NO" # Turn on process accounting (or NO). ibcs2_enable="NO" # Ibcs2 (SCO) emulation loaded at startup (or NO). linux_enable="NO" # Linux emulation loaded at startup (or NO). rand_irqs="NO" # Stir the entropy pool (like "5 11" or NO). ############################################################## ### Allow local configuration override at the very end here ## ############################################################## if [ -f /etc/rc.conf.local ]; then . /etc/rc.conf.local fi Index: head/etc/rc.d/netoptions =================================================================== --- head/etc/rc.d/netoptions (revision 29299) +++ head/etc/rc.d/netoptions (revision 29300) @@ -1,209 +1,236 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # 
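Review bot: The old `firewall` variable is removed without any migration note, so an existing /etc/rc.conf.local (sourced at the end of this file) that still sets `firewall` to a type is silently ignored and the host comes up with `firewall_enable="NO"`. A one-line comment beside the new knobs would make that visible, e.g. `# NOTE: the former "firewall" variable is no longer read; use firewall_enable and firewall_type instead.` The meaning of the `UNKNOWN` default for `firewall_type` is deferred to /etc/rc.firewall, which is not part of this change, so the comment could also point readers there.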
From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in # this file, but rather in /etc/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. network_pass1() { echo -n 'Doing initial network setup:' # Set the host name if it is not already set if [ -z "`hostname -s`" ] ; then hostname $hostname echo -n ' hostname' fi # Set the domainname if we're using NIS if [ -n "$nisdomainname" -a "x$nisdomainname" != "xNO" ] ; then domainname $nisdomainname echo -n ' domain' fi echo '.' # Set up all the network interfaces, calling startup scripts if needed for ifn in ${network_interfaces}; do if [ -e /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} ${ifn} fi # Do the primary ifconfig if specified eval ifconfig_args=\$ifconfig_${ifn} if [ -n "${ifconfig_args}" ] ; then ifconfig ${ifn} ${ifconfig_args} fi # Check to see if aliases need to be added alias=0 while : do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." 
+ fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + + # Configure routing if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" fi # Set up any static routes. This should be done before router discovery. if [ "x${static_routes}" != "x" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' if [ -n "$tcp_extensions" -a "x$tcp_extensions" != "xYES" ] ; then echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null 2>&1 sysctl -w net.inet.tcp.rfc1644=0 >/dev/null 2>&1 fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null 2>&1 fi if [ "X$router_enable" = X"YES" ]; then echo -n " ${router}"; ${router} ${router_flags} fi if [ "X$ipxgateway_enable" = X"YES" ]; then echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null 2>&1 fi if [ "X$ipxrouted_enable" = X"YES" ]; then echo -n ' IPXrouted: ' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 fi if [ "X$arpproxy_all" = X"YES" ]; then echo -n ' enabling ARP_PROXY_ALL: ' sysctl -w net.link.ether.inet.proxyall=1 2>&1 fi echo '.' network_pass1_done=YES # Let future generations know we made it. 
} network_pass2() { echo -n 'Doing additional network setup:' if [ "X${named_enable}" = X"YES" ]; then echo -n ' named'; named ${named_flags} fi if [ "X${ntpdate_enable}" = X"YES" -o "X${xntpd_enable}" = X"YES" ]; then if [ "X${ntpdate_enable}" = X"YES" ]; then echo -n ' ntpdate'; ntpdate ${ntpdate_flags} >/dev/null 2>&1 fi if [ "X${xntpd_enable}" = X"YES" ]; then echo -n ' xntpd'; xntpd ${xntpd_flags} fi fi if [ "X${timed_enable}" = X"YES" ]; then echo -n ' timed'; timed ${timed_flags} fi if [ "X${portmap_enable}" = X"YES" ]; then echo -n ' portmap'; portmap ${portmap_flags} fi # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. if [ "X${nis_server_enable}" = X"YES" ]; then echo -n ' ypserv'; ypserv ${nis_server_flags} if [ "X${nis_ypxfrd_enable}" = X"YES" ]; then echo -n ' rpc.ypxfrd'; rpc.ypxfrd ${nis_ypxfrd_flags} fi if [ "X${nis_yppasswdd_enable}" = X"YES" ]; then echo -n ' rpc.yppasswdd'; rpc.yppasswdd ${nis_yppasswdd_flags} fi fi # Start ypbind if we're an NIS client if [ "X${nis_client_enable}" = X"YES" ]; then echo -n ' ypbind'; ypbind ${nis_client_flags} if [ "X${nis_ypset_enable}" = X"YES" ]; then echo -n ' ypset'; ypset ${nis_ypset_flags} fi fi echo '.' 
network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' if [ "X${nfs_server_enable}" = X"YES" -a -r /etc/exports ]; then echo -n ' mountd' if [ "X${weak_mountd_authentication}" = X"YES" ]; then mountd_flags="-n" fi mountd ${mountd_flags} if [ "X${nfs_reserved_port_only}" = X"YES" ]; then echo -n ' nfsprivport=YES' sysctl -w vfs.nfs.nfs_privport=1 >/dev/null 2>&1 fi echo -n ' nfsd'; nfsd ${nfs_server_flags} if [ "X$rpc_lockd_enable" = X"YES" ]; then echo -n ' rpc.lockd'; rpc.lockd fi if [ "X$rpc_statd_enable" = X"YES" ]; then echo -n ' rpc.statd'; rpc.statd fi fi if [ "X${nfs_client_enable}" = X"YES" ]; then echo -n ' nfsiod'; nfsiod ${nfs_client_flags} fi if [ "X${amd_enable}" = X"YES" ]; then echo -n ' amd' amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null fi if [ "X${rwhod_enable}" = X"YES" ]; then echo -n ' rwhod'; rwhod fi # Kerberos runs ONLY on the Kerberos server machine if [ "X${kerberos_server_enable}" = X"YES" ]; then echo -n ' kerberos'; kerberos >> /var/log/kerberos.log & echo -n ' kadmind'; \ (sleep 20; kadmind -n >/dev/null 2>&1 &) & fi # IP multicast routing daemon if [ "X${mrouted_enable}" = X"YES" ]; then echo -n ' mrouted'; mrouted ${mrouted_flags} fi echo '.' network_pass3_done=YES } Index: head/etc/rc.d/network1 =================================================================== --- head/etc/rc.d/network1 (revision 29299) +++ head/etc/rc.d/network1 (revision 29300) @@ -1,209 +1,236 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # 
From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in # this file, but rather in /etc/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. network_pass1() { echo -n 'Doing initial network setup:' # Set the host name if it is not already set if [ -z "`hostname -s`" ] ; then hostname $hostname echo -n ' hostname' fi # Set the domainname if we're using NIS if [ -n "$nisdomainname" -a "x$nisdomainname" != "xNO" ] ; then domainname $nisdomainname echo -n ' domain' fi echo '.' # Set up all the network interfaces, calling startup scripts if needed for ifn in ${network_interfaces}; do if [ -e /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} ${ifn} fi # Do the primary ifconfig if specified eval ifconfig_args=\$ifconfig_${ifn} if [ -n "${ifconfig_args}" ] ; then ifconfig ${ifn} ${ifconfig_args} fi # Check to see if aliases need to be added alias=0 while : do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." 
+ fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + + # Configure routing if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" fi # Set up any static routes. This should be done before router discovery. if [ "x${static_routes}" != "x" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' if [ -n "$tcp_extensions" -a "x$tcp_extensions" != "xYES" ] ; then echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null 2>&1 sysctl -w net.inet.tcp.rfc1644=0 >/dev/null 2>&1 fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null 2>&1 fi if [ "X$router_enable" = X"YES" ]; then echo -n " ${router}"; ${router} ${router_flags} fi if [ "X$ipxgateway_enable" = X"YES" ]; then echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null 2>&1 fi if [ "X$ipxrouted_enable" = X"YES" ]; then echo -n ' IPXrouted: ' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 fi if [ "X$arpproxy_all" = X"YES" ]; then echo -n ' enabling ARP_PROXY_ALL: ' sysctl -w net.link.ether.inet.proxyall=1 2>&1 fi echo '.' network_pass1_done=YES # Let future generations know we made it. 
} network_pass2() { echo -n 'Doing additional network setup:' if [ "X${named_enable}" = X"YES" ]; then echo -n ' named'; named ${named_flags} fi if [ "X${ntpdate_enable}" = X"YES" -o "X${xntpd_enable}" = X"YES" ]; then if [ "X${ntpdate_enable}" = X"YES" ]; then echo -n ' ntpdate'; ntpdate ${ntpdate_flags} >/dev/null 2>&1 fi if [ "X${xntpd_enable}" = X"YES" ]; then echo -n ' xntpd'; xntpd ${xntpd_flags} fi fi if [ "X${timed_enable}" = X"YES" ]; then echo -n ' timed'; timed ${timed_flags} fi if [ "X${portmap_enable}" = X"YES" ]; then echo -n ' portmap'; portmap ${portmap_flags} fi # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. if [ "X${nis_server_enable}" = X"YES" ]; then echo -n ' ypserv'; ypserv ${nis_server_flags} if [ "X${nis_ypxfrd_enable}" = X"YES" ]; then echo -n ' rpc.ypxfrd'; rpc.ypxfrd ${nis_ypxfrd_flags} fi if [ "X${nis_yppasswdd_enable}" = X"YES" ]; then echo -n ' rpc.yppasswdd'; rpc.yppasswdd ${nis_yppasswdd_flags} fi fi # Start ypbind if we're an NIS client if [ "X${nis_client_enable}" = X"YES" ]; then echo -n ' ypbind'; ypbind ${nis_client_flags} if [ "X${nis_ypset_enable}" = X"YES" ]; then echo -n ' ypset'; ypset ${nis_ypset_flags} fi fi echo '.' 
network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' if [ "X${nfs_server_enable}" = X"YES" -a -r /etc/exports ]; then echo -n ' mountd' if [ "X${weak_mountd_authentication}" = X"YES" ]; then mountd_flags="-n" fi mountd ${mountd_flags} if [ "X${nfs_reserved_port_only}" = X"YES" ]; then echo -n ' nfsprivport=YES' sysctl -w vfs.nfs.nfs_privport=1 >/dev/null 2>&1 fi echo -n ' nfsd'; nfsd ${nfs_server_flags} if [ "X$rpc_lockd_enable" = X"YES" ]; then echo -n ' rpc.lockd'; rpc.lockd fi if [ "X$rpc_statd_enable" = X"YES" ]; then echo -n ' rpc.statd'; rpc.statd fi fi if [ "X${nfs_client_enable}" = X"YES" ]; then echo -n ' nfsiod'; nfsiod ${nfs_client_flags} fi if [ "X${amd_enable}" = X"YES" ]; then echo -n ' amd' amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null fi if [ "X${rwhod_enable}" = X"YES" ]; then echo -n ' rwhod'; rwhod fi # Kerberos runs ONLY on the Kerberos server machine if [ "X${kerberos_server_enable}" = X"YES" ]; then echo -n ' kerberos'; kerberos >> /var/log/kerberos.log & echo -n ' kadmind'; \ (sleep 20; kadmind -n >/dev/null 2>&1 &) & fi # IP multicast routing daemon if [ "X${mrouted_enable}" = X"YES" ]; then echo -n ' mrouted'; mrouted ${mrouted_flags} fi echo '.' network_pass3_done=YES } Index: head/etc/rc.d/network2 =================================================================== --- head/etc/rc.d/network2 (revision 29299) +++ head/etc/rc.d/network2 (revision 29300) @@ -1,209 +1,236 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # 
From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in # this file, but rather in /etc/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. network_pass1() { echo -n 'Doing initial network setup:' # Set the host name if it is not already set if [ -z "`hostname -s`" ] ; then hostname $hostname echo -n ' hostname' fi # Set the domainname if we're using NIS if [ -n "$nisdomainname" -a "x$nisdomainname" != "xNO" ] ; then domainname $nisdomainname echo -n ' domain' fi echo '.' # Set up all the network interfaces, calling startup scripts if needed for ifn in ${network_interfaces}; do if [ -e /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} ${ifn} fi # Do the primary ifconfig if specified eval ifconfig_args=\$ifconfig_${ifn} if [ -n "${ifconfig_args}" ] ; then ifconfig ${ifn} ${ifconfig_args} fi # Check to see if aliases need to be added alias=0 while : do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." 
+ fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + + # Configure routing if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" fi # Set up any static routes. This should be done before router discovery. if [ "x${static_routes}" != "x" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' if [ -n "$tcp_extensions" -a "x$tcp_extensions" != "xYES" ] ; then echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null 2>&1 sysctl -w net.inet.tcp.rfc1644=0 >/dev/null 2>&1 fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null 2>&1 fi if [ "X$router_enable" = X"YES" ]; then echo -n " ${router}"; ${router} ${router_flags} fi if [ "X$ipxgateway_enable" = X"YES" ]; then echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null 2>&1 fi if [ "X$ipxrouted_enable" = X"YES" ]; then echo -n ' IPXrouted: ' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 fi if [ "X$arpproxy_all" = X"YES" ]; then echo -n ' enabling ARP_PROXY_ALL: ' sysctl -w net.link.ether.inet.proxyall=1 2>&1 fi echo '.' network_pass1_done=YES # Let future generations know we made it. 
} network_pass2() { echo -n 'Doing additional network setup:' if [ "X${named_enable}" = X"YES" ]; then echo -n ' named'; named ${named_flags} fi if [ "X${ntpdate_enable}" = X"YES" -o "X${xntpd_enable}" = X"YES" ]; then if [ "X${ntpdate_enable}" = X"YES" ]; then echo -n ' ntpdate'; ntpdate ${ntpdate_flags} >/dev/null 2>&1 fi if [ "X${xntpd_enable}" = X"YES" ]; then echo -n ' xntpd'; xntpd ${xntpd_flags} fi fi if [ "X${timed_enable}" = X"YES" ]; then echo -n ' timed'; timed ${timed_flags} fi if [ "X${portmap_enable}" = X"YES" ]; then echo -n ' portmap'; portmap ${portmap_flags} fi # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. if [ "X${nis_server_enable}" = X"YES" ]; then echo -n ' ypserv'; ypserv ${nis_server_flags} if [ "X${nis_ypxfrd_enable}" = X"YES" ]; then echo -n ' rpc.ypxfrd'; rpc.ypxfrd ${nis_ypxfrd_flags} fi if [ "X${nis_yppasswdd_enable}" = X"YES" ]; then echo -n ' rpc.yppasswdd'; rpc.yppasswdd ${nis_yppasswdd_flags} fi fi # Start ypbind if we're an NIS client if [ "X${nis_client_enable}" = X"YES" ]; then echo -n ' ypbind'; ypbind ${nis_client_flags} if [ "X${nis_ypset_enable}" = X"YES" ]; then echo -n ' ypset'; ypset ${nis_ypset_flags} fi fi echo '.' 
network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' if [ "X${nfs_server_enable}" = X"YES" -a -r /etc/exports ]; then echo -n ' mountd' if [ "X${weak_mountd_authentication}" = X"YES" ]; then mountd_flags="-n" fi mountd ${mountd_flags} if [ "X${nfs_reserved_port_only}" = X"YES" ]; then echo -n ' nfsprivport=YES' sysctl -w vfs.nfs.nfs_privport=1 >/dev/null 2>&1 fi echo -n ' nfsd'; nfsd ${nfs_server_flags} if [ "X$rpc_lockd_enable" = X"YES" ]; then echo -n ' rpc.lockd'; rpc.lockd fi if [ "X$rpc_statd_enable" = X"YES" ]; then echo -n ' rpc.statd'; rpc.statd fi fi if [ "X${nfs_client_enable}" = X"YES" ]; then echo -n ' nfsiod'; nfsiod ${nfs_client_flags} fi if [ "X${amd_enable}" = X"YES" ]; then echo -n ' amd' amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null fi if [ "X${rwhod_enable}" = X"YES" ]; then echo -n ' rwhod'; rwhod fi # Kerberos runs ONLY on the Kerberos server machine if [ "X${kerberos_server_enable}" = X"YES" ]; then echo -n ' kerberos'; kerberos >> /var/log/kerberos.log & echo -n ' kadmind'; \ (sleep 20; kadmind -n >/dev/null 2>&1 &) & fi # IP multicast routing daemon if [ "X${mrouted_enable}" = X"YES" ]; then echo -n ' mrouted'; mrouted ${mrouted_flags} fi echo '.' network_pass3_done=YES } Index: head/etc/rc.d/network3 =================================================================== --- head/etc/rc.d/network3 (revision 29299) +++ head/etc/rc.d/network3 (revision 29300) @@ -1,209 +1,236 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # 
From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in # this file, but rather in /etc/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. network_pass1() { echo -n 'Doing initial network setup:' # Set the host name if it is not already set if [ -z "`hostname -s`" ] ; then hostname $hostname echo -n ' hostname' fi # Set the domainname if we're using NIS if [ -n "$nisdomainname" -a "x$nisdomainname" != "xNO" ] ; then domainname $nisdomainname echo -n ' domain' fi echo '.' # Set up all the network interfaces, calling startup scripts if needed for ifn in ${network_interfaces}; do if [ -e /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} ${ifn} fi # Do the primary ifconfig if specified eval ifconfig_args=\$ifconfig_${ifn} if [ -n "${ifconfig_args}" ] ; then ifconfig ${ifn} ${ifconfig_args} fi # Check to see if aliases need to be added alias=0 while : do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." 
+ fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + + # Configure routing if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" fi # Set up any static routes. This should be done before router discovery. if [ "x${static_routes}" != "x" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' if [ -n "$tcp_extensions" -a "x$tcp_extensions" != "xYES" ] ; then echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null 2>&1 sysctl -w net.inet.tcp.rfc1644=0 >/dev/null 2>&1 fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null 2>&1 fi if [ "X$router_enable" = X"YES" ]; then echo -n " ${router}"; ${router} ${router_flags} fi if [ "X$ipxgateway_enable" = X"YES" ]; then echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null 2>&1 fi if [ "X$ipxrouted_enable" = X"YES" ]; then echo -n ' IPXrouted: ' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 fi if [ "X$arpproxy_all" = X"YES" ]; then echo -n ' enabling ARP_PROXY_ALL: ' sysctl -w net.link.ether.inet.proxyall=1 2>&1 fi echo '.' network_pass1_done=YES # Let future generations know we made it. 
} network_pass2() { echo -n 'Doing additional network setup:' if [ "X${named_enable}" = X"YES" ]; then echo -n ' named'; named ${named_flags} fi if [ "X${ntpdate_enable}" = X"YES" -o "X${xntpd_enable}" = X"YES" ]; then if [ "X${ntpdate_enable}" = X"YES" ]; then echo -n ' ntpdate'; ntpdate ${ntpdate_flags} >/dev/null 2>&1 fi if [ "X${xntpd_enable}" = X"YES" ]; then echo -n ' xntpd'; xntpd ${xntpd_flags} fi fi if [ "X${timed_enable}" = X"YES" ]; then echo -n ' timed'; timed ${timed_flags} fi if [ "X${portmap_enable}" = X"YES" ]; then echo -n ' portmap'; portmap ${portmap_flags} fi # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. if [ "X${nis_server_enable}" = X"YES" ]; then echo -n ' ypserv'; ypserv ${nis_server_flags} if [ "X${nis_ypxfrd_enable}" = X"YES" ]; then echo -n ' rpc.ypxfrd'; rpc.ypxfrd ${nis_ypxfrd_flags} fi if [ "X${nis_yppasswdd_enable}" = X"YES" ]; then echo -n ' rpc.yppasswdd'; rpc.yppasswdd ${nis_yppasswdd_flags} fi fi # Start ypbind if we're an NIS client if [ "X${nis_client_enable}" = X"YES" ]; then echo -n ' ypbind'; ypbind ${nis_client_flags} if [ "X${nis_ypset_enable}" = X"YES" ]; then echo -n ' ypset'; ypset ${nis_ypset_flags} fi fi echo '.' 
network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' if [ "X${nfs_server_enable}" = X"YES" -a -r /etc/exports ]; then echo -n ' mountd' if [ "X${weak_mountd_authentication}" = X"YES" ]; then mountd_flags="-n" fi mountd ${mountd_flags} if [ "X${nfs_reserved_port_only}" = X"YES" ]; then echo -n ' nfsprivport=YES' sysctl -w vfs.nfs.nfs_privport=1 >/dev/null 2>&1 fi echo -n ' nfsd'; nfsd ${nfs_server_flags} if [ "X$rpc_lockd_enable" = X"YES" ]; then echo -n ' rpc.lockd'; rpc.lockd fi if [ "X$rpc_statd_enable" = X"YES" ]; then echo -n ' rpc.statd'; rpc.statd fi fi if [ "X${nfs_client_enable}" = X"YES" ]; then echo -n ' nfsiod'; nfsiod ${nfs_client_flags} fi if [ "X${amd_enable}" = X"YES" ]; then echo -n ' amd' amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null fi if [ "X${rwhod_enable}" = X"YES" ]; then echo -n ' rwhod'; rwhod fi # Kerberos runs ONLY on the Kerberos server machine if [ "X${kerberos_server_enable}" = X"YES" ]; then echo -n ' kerberos'; kerberos >> /var/log/kerberos.log & echo -n ' kadmind'; \ (sleep 20; kadmind -n >/dev/null 2>&1 &) & fi # IP multicast routing daemon if [ "X${mrouted_enable}" = X"YES" ]; then echo -n ' mrouted'; mrouted ${mrouted_flags} fi echo '.' network_pass3_done=YES } Index: head/etc/rc.d/routing =================================================================== --- head/etc/rc.d/routing (revision 29299) +++ head/etc/rc.d/routing (revision 29300) @@ -1,209 +1,236 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # 
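Review bot: The kernel-support probe in network_pass1 is broken by `if [ $? ] ; then` after `/sbin/ipfw -q flush`: `[ $? ]` only tests that the status string is non-empty, which is always true, so `firewall_in_kernel` is set to 0 whether or not the flush succeeded. On a kernel with ipfw compiled in, the following `modload /lkm/ipfw_mod.o` fails, `firewall_in_kernel` stays 0, and the `# Load the filters if required` branch that sources /etc/rc.firewall is skipped even with `firewall_enable=YES`, leaving the host on the kernel's built-in default policy (all IP traffic denied on a default-deny kernel, or wide open otherwise). Test the command directly instead of inspecting `$?`: `if /sbin/ipfw -q flush > /dev/null 2>&1; then firewall_in_kernel=1; else firewall_in_kernel=0; fi`. Note also that the flush runs before `firewall_enable` is consulted, so any ruleset already in the kernel is discarded even when the firewall is disabled in rc.conf; either guard the flush with `"x$firewall_enable" = "xYES"` or say so in the `# Initialize IP filtering using ipfw` comment.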
From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in # this file, but rather in /etc/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. network_pass1() { echo -n 'Doing initial network setup:' # Set the host name if it is not already set if [ -z "`hostname -s`" ] ; then hostname $hostname echo -n ' hostname' fi # Set the domainname if we're using NIS if [ -n "$nisdomainname" -a "x$nisdomainname" != "xNO" ] ; then domainname $nisdomainname echo -n ' domain' fi echo '.' # Set up all the network interfaces, calling startup scripts if needed for ifn in ${network_interfaces}; do if [ -e /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} ${ifn} fi # Do the primary ifconfig if specified eval ifconfig_args=\$ifconfig_${ifn} if [ -n "${ifconfig_args}" ] ; then ifconfig ${ifn} ${ifconfig_args} fi # Check to see if aliases need to be added alias=0 while : do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." 
+ fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + + # Configure routing if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" fi # Set up any static routes. This should be done before router discovery. if [ "x${static_routes}" != "x" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' if [ -n "$tcp_extensions" -a "x$tcp_extensions" != "xYES" ] ; then echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null 2>&1 sysctl -w net.inet.tcp.rfc1644=0 >/dev/null 2>&1 fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null 2>&1 fi if [ "X$router_enable" = X"YES" ]; then echo -n " ${router}"; ${router} ${router_flags} fi if [ "X$ipxgateway_enable" = X"YES" ]; then echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null 2>&1 fi if [ "X$ipxrouted_enable" = X"YES" ]; then echo -n ' IPXrouted: ' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 fi if [ "X$arpproxy_all" = X"YES" ]; then echo -n ' enabling ARP_PROXY_ALL: ' sysctl -w net.link.ether.inet.proxyall=1 2>&1 fi echo '.' network_pass1_done=YES # Let future generations know we made it. 
} network_pass2() { echo -n 'Doing additional network setup:' if [ "X${named_enable}" = X"YES" ]; then echo -n ' named'; named ${named_flags} fi if [ "X${ntpdate_enable}" = X"YES" -o "X${xntpd_enable}" = X"YES" ]; then if [ "X${ntpdate_enable}" = X"YES" ]; then echo -n ' ntpdate'; ntpdate ${ntpdate_flags} >/dev/null 2>&1 fi if [ "X${xntpd_enable}" = X"YES" ]; then echo -n ' xntpd'; xntpd ${xntpd_flags} fi fi if [ "X${timed_enable}" = X"YES" ]; then echo -n ' timed'; timed ${timed_flags} fi if [ "X${portmap_enable}" = X"YES" ]; then echo -n ' portmap'; portmap ${portmap_flags} fi # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. if [ "X${nis_server_enable}" = X"YES" ]; then echo -n ' ypserv'; ypserv ${nis_server_flags} if [ "X${nis_ypxfrd_enable}" = X"YES" ]; then echo -n ' rpc.ypxfrd'; rpc.ypxfrd ${nis_ypxfrd_flags} fi if [ "X${nis_yppasswdd_enable}" = X"YES" ]; then echo -n ' rpc.yppasswdd'; rpc.yppasswdd ${nis_yppasswdd_flags} fi fi # Start ypbind if we're an NIS client if [ "X${nis_client_enable}" = X"YES" ]; then echo -n ' ypbind'; ypbind ${nis_client_flags} if [ "X${nis_ypset_enable}" = X"YES" ]; then echo -n ' ypset'; ypset ${nis_ypset_flags} fi fi echo '.' 
network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' if [ "X${nfs_server_enable}" = X"YES" -a -r /etc/exports ]; then echo -n ' mountd' if [ "X${weak_mountd_authentication}" = X"YES" ]; then mountd_flags="-n" fi mountd ${mountd_flags} if [ "X${nfs_reserved_port_only}" = X"YES" ]; then echo -n ' nfsprivport=YES' sysctl -w vfs.nfs.nfs_privport=1 >/dev/null 2>&1 fi echo -n ' nfsd'; nfsd ${nfs_server_flags} if [ "X$rpc_lockd_enable" = X"YES" ]; then echo -n ' rpc.lockd'; rpc.lockd fi if [ "X$rpc_statd_enable" = X"YES" ]; then echo -n ' rpc.statd'; rpc.statd fi fi if [ "X${nfs_client_enable}" = X"YES" ]; then echo -n ' nfsiod'; nfsiod ${nfs_client_flags} fi if [ "X${amd_enable}" = X"YES" ]; then echo -n ' amd' amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null fi if [ "X${rwhod_enable}" = X"YES" ]; then echo -n ' rwhod'; rwhod fi # Kerberos runs ONLY on the Kerberos server machine if [ "X${kerberos_server_enable}" = X"YES" ]; then echo -n ' kerberos'; kerberos >> /var/log/kerberos.log & echo -n ' kadmind'; \ (sleep 20; kadmind -n >/dev/null 2>&1 &) & fi # IP multicast routing daemon if [ "X${mrouted_enable}" = X"YES" ]; then echo -n ' mrouted'; mrouted ${mrouted_flags} fi echo '.' network_pass3_done=YES } Index: head/etc/rc.firewall =================================================================== --- head/etc/rc.firewall (revision 29299) +++ head/etc/rc.firewall (revision 29300) 
@@ -1,159 +1,175 @@ ############ # Setup system for firewall service. -# $Id: rc.firewall,v 1.11 1997/05/03 11:22:17 jkh Exp $ +# $Id: rc.firewall,v 1.12 1997/05/05 07:08:31 jkh Exp $ ############ +# Define the firewall type in /etc/rc.conf. Valid values are: +# open - will allow anyone in +# client - will try to protect just this machine +# simple - will try to protect a whole network +# closed - totally disables IP services except via lo0 interface +# UNKNOWN - disables the loading of firewall rules. +# filename - will load the rules in the given filename (full path required) # -# >>Warning<< -# This file is not very old yet, and have been put together without much -# testing of the contents. +# For ``client'' and ``simple'' the entries below should be customized +# appropriately. -# Set this to be the type of firewall you want: open, client, simple or NONE. -# ``open'' will allow anyone in, ``client'' will try to protect just one -# machine and ``simple'' will try to protect a whole network (entries should -# be customized appropriately below). To let no one in, use NONE. - ############ # # If you don't know enough about packet filtering, we suggest that you # take time to read this book: # # Building Internet Firewalls # Brent Chapman and Elizabeth Zwicky # # O'Reilly & Associates, Inc # ISBN 1-56592-124-0 # http://www.ora.com/ # # For a more advanced treatment of Internet Security read: # # Firewalls & Internet Security # Repelling the wily hacker # William R. Cheswick, Steven M. Bellowin # # Addison-Wesley # ISBN 0-201-6337-4 # http://www.awl.com/ # +if [ "x$1" != "x" ]; then + firewall_type=$1 +fi + ############ +# Set quiet mode if requested +if [ "x$firewall_quiet" = "xYES" ]; then + fwcmd="/sbin/ipfw -q" +else + fwcmd="/sbin/ipfw" +fi + +############ # Flush out the list before we begin. 
-/sbin/ipfw -f flush +$fwcmd -f flush ############ # If you just configured ipfw in the kernel as a tool to solve network # problems or you just want to disallow some particular kinds of traffic # they you will want to change the default policy to open. You can also # do this as your only action by setting the firewall_type to ``open''. -# /sbin/ipfw add 65000 pass all from any to any +# $fwcmd add 65000 pass all from any to any ############ # Only in rare cases do you want to change this rule -/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1 +$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1 # Prototype setups. -if [ "${firewall}" = "open" ]; then +if [ "${firewall_type}" = "open" ]; then - /sbin/ipfw add 65000 pass all from any to any + $fwcmd add 65000 pass all from any to any -elif [ "${firewall}" = "client" ]; then +elif [ "${firewall_type}" = "simple" ]; then + $fwcmd add 65000 pass all from any to any via lo0 + +elif [ "${firewall_type}" = "client" ]; then + ############ # This is a prototype setup that will protect your system somewhat against # people from outside your own network. ############ # set these to your network and netmask and ip net="192.168.4.0" mask="255.255.255.0" ip="192.168.4.17" # Allow any traffic to or from my own net. 
- /sbin/ipfw add pass all from ${ip} to ${net}:${mask} - /sbin/ipfw add pass all from ${net}:${mask} to ${ip} + $fwcmd add pass all from ${ip} to ${net}:${mask} + $fwcmd add pass all from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded - /sbin/ipfw add pass tcp from any to any established + $fwcmd add pass tcp from any to any established # Allow setup of incoming email - /sbin/ipfw add pass tcp from any to ${ip} 25 setup + $fwcmd add pass tcp from any to ${ip} 25 setup # Allow setup of outgoing TCP connections only - /sbin/ipfw add pass tcp from ${ip} to any setup + $fwcmd add pass tcp from ${ip} to any setup # Disallow setup of all other TCP connections - /sbin/ipfw add deny tcp from any to any setup + $fwcmd add deny tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${ip} - /sbin/ipfw add pass udp from ${ip} to any 53 + $fwcmd add pass udp from any 53 to ${ip} + $fwcmd add pass udp from ${ip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${ip} - /sbin/ipfw add pass udp from ${ip} to any 123 + $fwcmd add pass udp from any 123 to ${ip} + $fwcmd add pass udp from ${ip} to any 123 # Everything else is denied as default. -elif [ "${firewall}" = "simple" ]; then +elif [ "${firewall_type}" = "simple" ]; then ############ # This is a prototype setup for a simple firewall. Configure this machine # as a named server and ntp server, and point all the machines on the inside # at this machine for those services. 
############ # set these to your outside interface network and netmask and ip oif="ed0" onet="192.168.4.0" omask="255.255.255.0" oip="192.168.4.17" # set these to your inside interface network and netmask and ip iif="ed1" inet="192.168.3.0" imask="255.255.255.0" iip="192.168.3.17" # Stop spoofing - /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif} - /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif} + $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} + $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface - /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} - /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} - /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} + $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} + $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} + $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} # Allow TCP through if setup succeeded - /sbin/ipfw add pass tcp from any to any established + $fwcmd add pass tcp from any to any established # Allow setup of incoming email - /sbin/ipfw add pass tcp from any to ${oip} 25 setup + $fwcmd add pass tcp from any to ${oip} 25 setup # Allow access to our DNS - /sbin/ipfw add pass tcp from any to ${oip} 53 setup + $fwcmd add pass tcp from any to ${oip} 53 setup # Allow access to our WWW - /sbin/ipfw add pass tcp from any to ${oip} 80 setup + $fwcmd add pass tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside - /sbin/ipfw add deny log tcp from any to any in via ${oif} setup + $fwcmd add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection - /sbin/ipfw add pass tcp from any to any setup + $fwcmd add pass tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${oip} - /sbin/ipfw add pass 
udp from ${oip} to any 53 + $fwcmd add pass udp from any 53 to ${oip} + $fwcmd add pass udp from ${oip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${oip} - /sbin/ipfw add pass udp from ${oip} to any 123 + $fwcmd add pass udp from any 123 to ${oip} + $fwcmd add pass udp from ${oip} to any 123 # Everything else is denied as default. -elif [ "${firewall}" != "NONE" -a -r "${firewall}" ]; then - - /sbin/ipfw ${firewall} +elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then + $fwcmd ${firewall} fi Index: head/etc/rc.network =================================================================== --- head/etc/rc.network (revision 29299) +++ head/etc/rc.network (revision 29300) @@ -1,209 +1,236 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # 
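Review bot: The custom-rules branch at the end of rc.firewall still expands the old variable: under the new test `"${firewall_type}" != "NONE" -a -r "${firewall_type}"` it runs `$fwcmd ${firewall}`, and since nothing in this revision sets `firewall` any more, a `firewall_type` naming a rules file produces a bare `ipfw` invocation and the file is never loaded, leaving the host with only rule 1000 and the kernel's default policy; it should read `$fwcmd ${firewall_type}`. Separately, the new `elif [ "${firewall_type}" = "simple" ]` branch that adds `pass all from any to any via lo0` sits before the real `simple` prototype, so the anti-spoofing and RFC1918 ruleset below it is unreachable and a `simple` user silently gets a loopback-only machine; given the header's new "closed - totally disables IP services except via lo0 interface" entry, that first branch presumably wants `= "closed"`. The header also documents `UNKNOWN` as the value that disables rule loading while the code compares against `NONE`; make the comment and the test agree so a misspelt type cannot be mistaken for a filename.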
From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in # this file, but rather in /etc/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # First pass startup stuff. network_pass1() { echo -n 'Doing initial network setup:' # Set the host name if it is not already set if [ -z "`hostname -s`" ] ; then hostname $hostname echo -n ' hostname' fi # Set the domainname if we're using NIS if [ -n "$nisdomainname" -a "x$nisdomainname" != "xNO" ] ; then domainname $nisdomainname echo -n ' domain' fi echo '.' # Set up all the network interfaces, calling startup scripts if needed for ifn in ${network_interfaces}; do if [ -e /etc/start_if.${ifn} ]; then . /etc/start_if.${ifn} ${ifn} fi # Do the primary ifconfig if specified eval ifconfig_args=\$ifconfig_${ifn} if [ -n "${ifconfig_args}" ] ; then ifconfig ${ifn} ${ifconfig_args} fi # Check to see if aliases need to be added alias=0 while : do eval ifconfig_args=\$ifconfig_${ifn}_alias${alias} if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} alias alias=`expr ${alias} + 1` else break; fi done # Do ipx address if specified eval ifconfig_args=\$ifconfig_${ifn}_ipx if [ -n "${ifconfig_args}" ]; then ifconfig ${ifn} ${ifconfig_args} fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 + fi + + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." 
+ fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi fi + + # Configure routing if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" fi # Set up any static routes. This should be done before router discovery. if [ "x${static_routes}" != "x" ]; then for i in ${static_routes}; do eval route_args=\$route_${i} route add ${route_args} done fi echo -n 'Additional routing options:' if [ -n "$tcp_extensions" -a "x$tcp_extensions" != "xYES" ] ; then echo -n ' tcp extensions=NO' sysctl -w net.inet.tcp.rfc1323=0 >/dev/null 2>&1 sysctl -w net.inet.tcp.rfc1644=0 >/dev/null 2>&1 fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' sysctl -w net.inet.ip.forwarding=1 >/dev/null 2>&1 fi if [ "X$router_enable" = X"YES" ]; then echo -n " ${router}"; ${router} ${router_flags} fi if [ "X$ipxgateway_enable" = X"YES" ]; then echo -n ' IPX gateway=YES' sysctl -w net.ipx.ipx.ipxforwarding=1 >/dev/null 2>&1 fi if [ "X$ipxrouted_enable" = X"YES" ]; then echo -n ' IPXrouted: ' IPXrouted ${ipxrouted_flags} > /dev/null 2>&1 fi if [ "X$arpproxy_all" = X"YES" ]; then echo -n ' enabling ARP_PROXY_ALL: ' sysctl -w net.link.ether.inet.proxyall=1 2>&1 fi echo '.' network_pass1_done=YES # Let future generations know we made it. 
} network_pass2() { echo -n 'Doing additional network setup:' if [ "X${named_enable}" = X"YES" ]; then echo -n ' named'; named ${named_flags} fi if [ "X${ntpdate_enable}" = X"YES" -o "X${xntpd_enable}" = X"YES" ]; then if [ "X${ntpdate_enable}" = X"YES" ]; then echo -n ' ntpdate'; ntpdate ${ntpdate_flags} >/dev/null 2>&1 fi if [ "X${xntpd_enable}" = X"YES" ]; then echo -n ' xntpd'; xntpd ${xntpd_flags} fi fi if [ "X${timed_enable}" = X"YES" ]; then echo -n ' timed'; timed ${timed_flags} fi if [ "X${portmap_enable}" = X"YES" ]; then echo -n ' portmap'; portmap ${portmap_flags} fi # Start ypserv if we're an NIS server. # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server. if [ "X${nis_server_enable}" = X"YES" ]; then echo -n ' ypserv'; ypserv ${nis_server_flags} if [ "X${nis_ypxfrd_enable}" = X"YES" ]; then echo -n ' rpc.ypxfrd'; rpc.ypxfrd ${nis_ypxfrd_flags} fi if [ "X${nis_yppasswdd_enable}" = X"YES" ]; then echo -n ' rpc.yppasswdd'; rpc.yppasswdd ${nis_yppasswdd_flags} fi fi # Start ypbind if we're an NIS client if [ "X${nis_client_enable}" = X"YES" ]; then echo -n ' ypbind'; ypbind ${nis_client_flags} if [ "X${nis_ypset_enable}" = X"YES" ]; then echo -n ' ypset'; ypset ${nis_ypset_flags} fi fi echo '.' 
network_pass2_done=YES } network_pass3() { echo -n 'Starting final network daemons:' if [ "X${nfs_server_enable}" = X"YES" -a -r /etc/exports ]; then echo -n ' mountd' if [ "X${weak_mountd_authentication}" = X"YES" ]; then mountd_flags="-n" fi mountd ${mountd_flags} if [ "X${nfs_reserved_port_only}" = X"YES" ]; then echo -n ' nfsprivport=YES' sysctl -w vfs.nfs.nfs_privport=1 >/dev/null 2>&1 fi echo -n ' nfsd'; nfsd ${nfs_server_flags} if [ "X$rpc_lockd_enable" = X"YES" ]; then echo -n ' rpc.lockd'; rpc.lockd fi if [ "X$rpc_statd_enable" = X"YES" ]; then echo -n ' rpc.statd'; rpc.statd fi fi if [ "X${nfs_client_enable}" = X"YES" ]; then echo -n ' nfsiod'; nfsiod ${nfs_client_flags} fi if [ "X${amd_enable}" = X"YES" ]; then echo -n ' amd' amd -p ${amd_flags} > /var/run/amd.pid 2> /dev/null fi if [ "X${rwhod_enable}" = X"YES" ]; then echo -n ' rwhod'; rwhod fi # Kerberos runs ONLY on the Kerberos server machine if [ "X${kerberos_server_enable}" = X"YES" ]; then echo -n ' kerberos'; kerberos >> /var/log/kerberos.log & echo -n ' kadmind'; \ (sleep 20; kadmind -n >/dev/null 2>&1 &) & fi # IP multicast routing daemon if [ "X${mrouted_enable}" = X"YES" ]; then echo -n ' mrouted'; mrouted ${mrouted_flags} fi echo '.' network_pass3_done=YES }