From owner-freebsd-current@FreeBSD.ORG Sun Mar 21 11:14:06 2004
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5682416A4D0 for ; Sun, 21 Mar 2004 11:14:06 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id D734D43D2D for ; Sun, 21 Mar 2004 11:14:05 -0800 (PST) (envelope-from mlaier@vampire.homelinux.org)
Received: from [212.227.126.208] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1B58Ob-0000QG-00 for freebsd-current@freebsd.org; Sun, 21 Mar 2004 20:14:05 +0100
Received: from [217.227.153.88] (helo=vampire.homelinux.org) by mrelayng.kundenserver.de with asmtp (Exim 3.35 #1) id 1B58Oa-0007NX-00 for freebsd-current@freebsd.org; Sun, 21 Mar 2004 20:14:04 +0100
Received: (qmail 43697 invoked by uid 1001); 21 Mar 2004 19:20:41 -0000
Date: Sun, 21 Mar 2004 20:20:41 +0100
From: Max Laier
To: Claus Guttesen
Message-ID: <20040321192041.GA43656@router.laiers.local>
References: <024201c40eba$22912520$0201a8c0@idlewild.net> <20040320222504.18517.qmail@web14106.mail.yahoo.com>
In-Reply-To: <20040320222504.18517.qmail@web14106.mail.yahoo.com>
User-Agent: Mutt/1.4.1i
cc: freebsd-current@freebsd.org
Subject: Re: pf startup script
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Sun, 21 Mar 2004 19:14:06 -0000

On Sat, Mar 20, 2004 at 11:25:04PM +0100, Claus Guttesen wrote:
> > Is there supposed to be a startup script for pf
> > installed now that it's part
> > of the base system, or am I missing something?
>
> A bsd-fellow suggested I used the startup-script from
> pf in the ports-col. I placed it in
> /usr/local/etc/rc.d and changed the script, so it
> would load the pf-mod. from /boot/kernel.
>
> You could copy ipfilter/ipfw and make a pf-script.

I planned to commit something for a while, but real-life (i.e. exams) and
missing libpcap-support -> missing pflogd stopped me until now.

Attached is my wip-version of rc.d/pf and required diff to defaults/rc.conf.
Comments welcome, as I am not very familiar with rcNG (it's more or less a
copy of the ipfilter script).
-- 
Best regards,                                   | mlaier@freebsd.org
Max Laier                                       | ICQ #67774661
http://pf4freebsd.love2party.net/               | mlaier@EFnet

Attachment: rc.d_pf

#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: pf
# REQUIRE: root beforenetlkm mountcritlocal netif
# BEFORE: DAEMON LOGIN
# KEYWORD: FreeBSD nojail

. /etc/rc.subr

name="pf"
rcvar=`set_rcvar`
load_rc_config $name
# every command except start first checks that the ruleset file exists
stop_precmd="test -f ${pf_rules}"
start_precmd="pf_prestart"
start_cmd="pf_start"
stop_cmd="pf_stop"
reload_precmd="$stop_precmd"
reload_cmd="pf_reload"
resync_precmd="$stop_precmd"
resync_cmd="pf_resync"
status_precmd="$stop_precmd"
status_cmd="pf_status"
extra_commands="reload resync status"

pf_prestart()
{
	# load pf kernel module if needed
	if ! kldstat -v | grep -q pf\$; then
		if kldload pf; then
			info 'pf module loaded.'
		else
			err 1 'pf module failed to load.'
		fi
	fi
	# check for pf rules; a missing ruleset aborts the start
	if [ ! -r "${pf_rules}" ]
	then
		warn 'pf: NO PF RULESET FOUND'
		return 1
	fi
}

pf_start()
{
	echo "Enabling pf."
	if ! ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
		${pf_program:-/sbin/pfctl} -e
	fi
	# flush rules, nat, states etc. quietly (stdout and stderr both discarded)
	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
	if [ -r "${pf_rules}" ]; then
		${pf_program:-/sbin/pfctl} \
		    -f "${pf_rules}" ${pf_flags}
	fi
}

pf_stop()
{
	if ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
		echo "Disabling pf."
		${pf_program:-/sbin/pfctl} -d
	fi
}

pf_reload()
{
	echo "Reloading pf rules."
	# flush quietly, then load the ruleset again
	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
	if [ -r "${pf_rules}" ]; then
		${pf_program:-/sbin/pfctl} \
		    -f "${pf_rules}" ${pf_flags}
	fi
}

pf_resync()
{
	# Don't resync if pf is not loaded
	if ! kldstat -v | grep -q pf\$ ; then
		return
	fi
	# reload the ruleset without flushing first
	${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
}

pf_status()
{
	${pf_program:-/sbin/pfctl} -si
}

run_rc_command "$1"

Attachment: defaults_rc.conf.diff

--- rc.conf~	Sat Mar 20 03:22:02 2004
+++ rc.conf	Sun Mar 21 20:07:41 2004
@@ -98,6 +98,10 @@
 # of state tables at shutdown and boot
 ipfs_program="/sbin/ipfs" # where the ipfs program lives
 ipfs_flags="" # additional flags for ipfs
+pf_enable="NO" # Set to YES to enable packet filter (pf)
+pf_rules="/etc/pf.conf" # rules definition file for pf
+pf_program="/sbin/pfctl" # where the pfctl program lives
+pf_flags="" # additional flags for pfctl
 tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
 log_in_vain="0" # >=1 to log connects to ports w/o listeners.
 tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
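Review bot: pf_rules defaults to /etc/pf.conf, but this patch installs no such file, so a system with pf_enable="YES" and no ruleset yet stops in the script's prestart with 'pf: NO PF RULESET FOUND'; the comment on the +pf_rules line should say that the administrator has to create the file, e.g. `+pf_rules="/etc/pf.conf" # rules definition file for pf (must exist when pf_enable=YES)`. The placement right after the ipfs_* entries and the pf_enable="NO" default are consistent with the surrounding ipfilter block.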
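One caveat a reviewer of the posted script would raise: pf_start and pf_reload flush with -Fa before loading, so a ruleset that fails to parse leaves pf enabled with no rules at all. The functions below are an added example (not Max Laier's script and not FreeBSD's rc.d code): they dry-run the file with pfctl -n -f first and replace the live ruleset only on success; the variable names follow the rc.conf diff, and running pfctl from a non-default path via pf_program is an assumption used for testing.

```shell
#!/bin/sh
# Added example, not the posted rc.d/pf script: validate a pf ruleset before
# replacing the live one, so a parse error never leaves pf enabled with an
# empty (pass-everything) ruleset.  Variable names follow the rc.conf diff;
# pf_program is assumed to point at a pfctl that understands -n and -f.

pf_program="${pf_program:-/sbin/pfctl}"
pf_rules="${pf_rules:-/etc/pf.conf}"
pf_flags="${pf_flags:-}"

# pf_check: parse-only run (pfctl -n); returns 0 if the ruleset is loadable.
# Nothing in the kernel is touched, whatever the result.
pf_check() {
	if [ ! -r "${pf_rules}" ]; then
		echo "pf: ruleset ${pf_rules} not readable" >&2
		return 1
	fi
	"${pf_program}" -n -f "${pf_rules}" ${pf_flags} > /dev/null 2>&1
}

# pf_safe_reload: load the ruleset only after pf_check succeeds.  pfctl -f
# replaces the whole ruleset by itself, so no prior -Fa flush is needed and
# existing state entries survive the reload.
pf_safe_reload() {
	if ! pf_check; then
		echo "pf: ruleset rejected, keeping the current rules" >&2
		return 1
	fi
	"${pf_program}" -f "${pf_rules}" ${pf_flags}
}

# Usage: sh pf_safe.sh check | reload  (no argument: only define the functions)
case "${1:-}" in
check)	pf_check ;;
reload)	pf_safe_reload ;;
esac
```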