Date: Sun, 21 Mar 2004 20:20:41 +0100
From: Max Laier <max@love2party.net>
To: Claus Guttesen <cguttesen@yahoo.dk>
Cc: freebsd-current@freebsd.org
Subject: Re: pf startup script
Message-ID: <20040321192041.GA43656@router.laiers.local>
In-Reply-To: <20040320222504.18517.qmail@web14106.mail.yahoo.com>
References: <024201c40eba$22912520$0201a8c0@idlewild.net> <20040320222504.18517.qmail@web14106.mail.yahoo.com>
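--s/l3CgOIzMHHjg/5
Content-Type: multipart/mixed; boundary="2fHTh5uZTiUOsy+g"
Content-Disposition: inline

--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Mar 20, 2004 at 11:25:04PM +0100, Claus Guttesen wrote:
> > Is there supposed to be a startup script for pf
> > installed now that it's part
> > of the base system, or am I missing something?
> 
> A bsd-fellow suggested I used the startup-script from
> pf in the ports-col. I placed it in
> /usr/local/etc/rc.d and changed the script, so it
> would load the pf-mod. from /boot/kernel.
> 
> You cold copy ipfilter/ipfw and make a pf-script.

I planned to commit something for a while, but real-life (i.e. exams) and
missing libpcap-support -> missing pflogd stopped me until now.

Attached is my wip-version of rc.d/pf and required diff to
defaults/rc.conf. Comments welcome, as I am not very familiar with rcNG
(it's more or less a copy of the ipfilter script).

-- 
Best regards,                           | mlaier@freebsd.org
Max Laier                               | ICQ #67774661
http://pf4freebsd.love2party.net/       | mlaier@EFnet

--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="rc.d_pf"

#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: pf
# REQUIRE: root beforenetlkm mountcritlocal netif
# BEFORE: DAEMON LOGIN
# KEYWORD: FreeBSD nojail
#
# rc.d script for the pf(4) packet filter: loads the kernel module,
# loads the ruleset named by ${pf_rules} and enables/disables the filter.
#
# rc.conf knobs (see defaults/rc.conf):
#   pf_enable   - set to YES to run this script
#   pf_rules    - ruleset file handed to pfctl -f
#   pf_program  - path to pfctl(8); defaults to /sbin/pfctl
#   pf_flags    - extra pfctl(8) arguments, intentionally left unquoted
#                 so that several flags can be given in one string
#
# Ordering matters for security: pf with no ruleset loaded passes
# everything, so the rules are always loaded *before* pf is enabled and
# a ruleset that fails to parse never replaces the one in the kernel.

. /etc/rc.subr

name="pf"
rcvar=$(set_rcvar)
load_rc_config $name

# Resolve pfctl(8) once, after rc.conf has been read.
pfctl="${pf_program:-/sbin/pfctl}"

# Every command that touches the ruleset refuses to run without a rules file.
stop_precmd="test -f ${pf_rules}"
start_precmd="pf_prestart"
start_cmd="pf_start"
stop_cmd="pf_stop"
reload_precmd="$stop_precmd"
reload_cmd="pf_reload"
resync_precmd="$stop_precmd"
resync_cmd="pf_resync"
status_precmd="$stop_precmd"
status_cmd="pf_status"
extra_commands="reload resync status"

# Succeeds when kldstat lists a module whose name ends in "pf".
# (kldstat -q -m pf is the more exact test if the installed kldstat has it.)
pf_is_loaded()
{
	kldstat -v | grep -q 'pf$'
}

# Hand the ruleset to pfctl.  Returns pfctl's exit status so callers can
# tell a load failure from success; pf_flags is word-split on purpose.
pf_load_rules()
{
	${pfctl} -f "${pf_rules}" ${pf_flags}
}

# start_precmd: make sure the module is loaded and a readable ruleset
# exists.  Returning non-zero stops run_rc_command from calling pf_start,
# so pf is never enabled without rules.
pf_prestart()
{
	if ! pf_is_loaded; then
		if kldload pf; then
			info 'pf module loaded.'
		else
			err 1 'pf module failed to load.'
		fi
	fi
	if [ ! -r "${pf_rules}" ]; then
		warn 'pf: NO PF RULESET FOUND'
		return 1
	fi
	return 0
}

# start_cmd: load the ruleset, then enable pf.
#
# The original enabled pf first, flushed everything and only then loaded
# the rules; that left the host with an empty (pass-all) ruleset until the
# load finished, and permanently if the file had a syntax error.  Loading
# first and enabling only on success closes that window.
pf_start()
{
	echo "Enabling pf."
	if ! pf_load_rules; then
		warn 'pf: ruleset failed to load, pf not enabled.'
		return 1
	fi
	if ! ${pfctl} -si | grep -q "Enabled"; then
		${pfctl} -e
	fi
}

# stop_cmd: disable pf if it is currently enabled; rules stay loaded.
pf_stop()
{
	if ${pfctl} -si | grep -q "Enabled"; then
		echo "Disabling pf."
		${pfctl} -d
	fi
}

# reload_cmd: parse the file with -n first so a broken ruleset never
# takes the running filter down, then replace the ruleset in place.
# No flush is done beforehand: the previous flush-then-load briefly ran
# pf with no rules and dropped every entry in the state table on each
# reload.  Existing states therefore survive a reload; run
# "${pf_program} -F states" by hand if that is wanted.
pf_reload()
{
	echo "Reloading pf rules."
	if ! ${pfctl} -n -f "${pf_rules}" ${pf_flags}; then
		warn 'pf: ruleset has errors, keeping current rules.'
		return 1
	fi
	pf_load_rules
}

# resync_cmd: re-push the ruleset, but only if the module is present.
pf_resync()
{
	if ! pf_is_loaded; then
		return
	fi
	pf_load_rules
}

# status_cmd: print pfctl's info block (Status: Enabled/Disabled, counters).
pf_status()
{
	${pfctl} -si
}

run_rc_command "$1"

--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="defaults_rc.conf.diff"

--- rc.conf~ Sat Mar 20 03:22:02 2004
+++ rc.conf Sun Mar 21 20:07:41 2004
@@ -98,6 +98,10 @@
 # of state tables at shutdown and boot
 ipfs_program="/sbin/ipfs" # where the ipfs program lives
 ipfs_flags="" # additional flags for ipfs
+pf_enable="NO" # Set to YES to enable packet filter (pf)
+pf_rules="/etc/pf.conf" # rules definition file for pf
+pf_program="/sbin/pfctl" # where the pfctl program lives
+pf_flags="" # additional flags for pfctl
 tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
 log_in_vain="0" # >=1 to log connects to ports w/o listeners.
 tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).

--2fHTh5uZTiUOsy+g--

--s/l3CgOIzMHHjg/5
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAXesIXyyEoT62BG0RAjFLAJwMs+YiUHCehbvAunNHth/r68wobQCdGPbV
Wq+2b6gGxY7HAp+AVjUOYKA=
=ptvJ
-----END PGP SIGNATURE-----

--s/l3CgOIzMHHjg/5--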