Date: Wed, 26 Jul 2000 23:19:46 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: FreeBSD-gnats-submit@freebsd.org
Subject: conf/20202: ipfilter hooks in rc.network
Message-ID: <20000726231946.L24476@speedy.gsinet>
>Number: 20202
>Category: conf
>Synopsis: ipfilter hooks in rc.network
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: wish
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 26 14:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Gerhard Sittig
>Release: FreeBSD 4.0-STABLE i386
>Organization:
in private
>Environment:
FreeBSD 4.0-R up to 4.1-RC (I'm sure about -STABLE up to 2000-06-12, but haven't seen any related commit until today when the 4.1 release build was done)
FreeBSD 3.x branch too (with different rc notation style, I guess)
>Description:
FreeBSD has ipfilter in the contrib subtree, but the rc scripts don't have hooks for the involved programs. This PR wants to provide these hooks.

I feel that a /usr/local/etc/rc.d script comes in too late. And using the firewall_script setting in rc.conf will load ipfw which I fear to collide with ipf (if not now then maybe in future versions -- I just want to be sure). That's why I think that the below patch is the most intuitive and maintainable approach to employing ipfilter in a FreeBSD environment.

Of course all admins running ipfilter on a FreeBSD system could do these modifications (if only to rc.network and rc.conf) by themselves, but chances are that these will prevent upgrades and other merges from applying cleanly. That's why I feel these ipf hooks should come with FreeBSD right from installation time. IIUC now that Darren has direct commit privileges ipfilter seems to make it even closer into the FreeBSD core system.
>How-To-Repeat:
Just install a FreeBSD system (or step in front of an existing one) and try to find the lever to throw which will start your ipf ruleset -- it's missing, or it's not obvious where to slip in in the existing firewall knobs for the desired effect. :)
>Fix:
I was inspired by the http://www.free-x.ch/pub/ipf-conf-en.html document which discusses how to configure ipf on FreeBSD, but it seems a little outdated and no longer fits the 4.x rc script style -- see the message

-------------------------------------------------------
Date: Mon, 26 Jun 2000 22:08:52 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: security@FreeBSD.ORG
Subject: ipfilter hooks in rc.network
Message-ID: <20000626220852.M9883@speedy.gsinet>
-------------------------------------------------------

and the mini thread it started on what confusion it caused on my side. :) And how it was refused for not fitting into today's rc script style. :(

So I cleaned it up and hope I found all the involved places (code, config, doc). The diff to follow is the result of running 'rcsdiff -u -r1.1 /usr/src/etc/rc.network /usr/src/etc/defaults/rc.conf /usr/src/share/man/man5/rc.conf.5' on a locally modified copy of FreeBSD RELENG_4 as of June 12th (although white spaces could be mangled by copy&paste and mail transfer -- I'm reluctant to use attachments when filing a PR).

Example usage could look like editing /etc/ipf.rules and /etc/ipnat.rules and putting

---------------------------------------------
ipfilter_enable="YES"
ipfilter_flags=""
ipnat_enable="YES"
ipmon_flags="-D /var/log/ipmon.log"
---------------------------------------------

into /etc/rc.conf.

The manpage diff surely is in need of some rewording or markup checking -- neither troff nor English are native languages to me. But I tried my best to "look like what's already there". And I tried to keep future diffs as short as possible in case some points are missing or wrong -- hence the short and mucho broken lines in the doc part.

Have the appropriate amount of fun ... :)

=================================================================== RCS file: /usr/src/etc/rc.network,v retrieving revision 1.1 diff -u -r1.1 /usr/src/etc/rc.network --- /usr/src/etc/rc.network 2000/07/26 17:52:35 1.1 +++ /usr/src/etc/rc.network 2000/07/26 18:00:04
@@ -20,6 +20,39 @@ echo -n ' hostname' fi + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + # + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} + case "${ipmon_flags}" in + [Nn][Oo]) + ;; + *) + echo -n ' ipmon' + ipmon ${ipmon_flags} + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat'; + ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags} + else + echo -n ' NO IPNAT RULES' + fi + ;; + esac + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + # Set the domainname if we're using NIS # case ${nisdomainname} in =================================================================== RCS file: /usr/src/etc/defaults/rc.conf,v retrieving revision 1.1 diff -u -r1.1 /usr/src/etc/defaults/rc.conf --- /usr/src/etc/defaults/rc.conf 2000/07/26 18:00:40 1.1 +++ /usr/src/etc/defaults/rc.conf 2000/07/26 18:05:17 
@@ -51,6 +51,21 @@ natd_enable="NO" # Enable natd (if firewall_enable == YES). natd_interface="fxp0" # Public interface or IPaddress to use. natd_flags="" # Additional flags for natd. +ipfilter_enable="NO" # Set to YES to enable ipfilter functionality +ipfilter_program="/sbin/ipf -Fa -f" + # program and how to specify the rules file, + # see /etc/rc.network (pass1) for details +ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see + # /usr/src/contrib/ipfilter/rules for examples +ipfilter_flags="-E" # should be *empty* when ipf is _not_ a module + # (i.e. compiled into the kernel) to + # avoid a warning about "already initialized" +ipnat_enable="NO" # Set to YES for ipnat; needs ipfilter, too! +ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file +ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat +ipnat_flags="" # additional flags for ipnat +ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog", + # can be "NO" as well to deactivate ipmon tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions. log_in_vain="NO" # YES to log connects to ports w/o listeners. tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO). =================================================================== RCS file: /usr/src/share/man/man5/rc.conf.5,v retrieving revision 1.1 diff -u -r1.1 /usr/src/share/man/man5/rc.conf.5 --- /usr/src/share/man/man5/rc.conf.5 2000/07/26 18:07:06 1.1 +++ /usr/src/share/man/man5/rc.conf.5 2000/07/26 20:37:43 @@ -154,6 +154,8 @@ .Ar YES , and the kernel was not built with IPFIREWALL, the ipfw kernel module will be loaded. +See also +.Ar ipfilter_enable . .It Ar firewall_script (str) If you want to run a firewall script other than .Pa /etc/rc.firewall , 
@@ -206,6 +208,165 @@ flag is automatically added with the above .Ar natd_interface as an argument. +.\" ----- ipfilter_enable seting -------------------------------- +.It Ar ipfilter_enable +(bool) Set to +.Ar NO +by default. +Setting this to +.Ar YES +enables +.Xr ipf 8 +packet filtering. +Strictly speaking almost any filter could be established +"abusing" this setting and the fact that +.Ar ipfilter_program , +.Ar ipfilter_rules +and +.Ar ipfilter_flags +are concatenated to form a command, +as long as the file specified in +.Ar ipfilter_rules +is readable. +.Ar ipnat_program , +.Ar ipnat_rules +and +.Ar ipnat_flags +are handled in a similar way. +.Ar ipmon_flags +only come into effect with this option enabled, too. +See +.Pa /etc/rc.network +for details. +.Pp +Typical usage will require putting +.Bd -literal +ipfilter_enable="YES" +ipfilter_flags="" +ipnat_enable="YES" +ipmon_flags="-D /var/log/ipmon.log" + +.Ed +into +.Pa /etc/rc.conf +and editing +.Pa /etc/ipf.rules +and +.Pa /etc/ipnat.rules +appropriately. +Turning off +.Ar firewall_enable +when using ipf is recommended. +Having +.Bd -literal +options IPFILTER +options IPFILTER_LOG +options IPFILTER_DEFAULT_BLOCK + +.Ed +in the kernel configuration file is a good idea, too. +.\" ----- ipfilter_program setting ------------------------------ +.It Ar ipfilter_program +(str) Set to +.Ar /sbin/ipf -Fa -f +by default. +This variable contains a command line +up to (but not including) the filter rule definition +(expected to live in a separate file). +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipfilter_rules setting -------------------------------- +.It Ar ipfilter_rules +(str) Set to +.Ar /etc/ipf.rules +by default. +This variable contains the name of the filter rule definition file. +The file is expected to be readable for the filter command to execute. +See +.Ar ipfilter_enable +for a detailled discussion. 
+.\" ----- ipfilter_flags setting -------------------------------- +.It Ar ipfilter_flags +(str) Set to +.Ar -E +by default. +This variable contains flags appended to the filter command +after the rule definition filename. +The default setting will initialize an on demand loaded ipf module. +When compiling ipfilter directly into your kernel (as is recommended) +the variable should be empty to avoid a warning about initializing +the code more than once. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipnat_enable setting ---------------------------------- +.It Ar ipnat_enable +(bool) Set to +.Ar NO +by default. +Set it to +.Ar YES +to enable +.Xr ipnat 8 +network address translation +(also referred to as masquerading sometimes). +Setting this variable needs setting +.Ar ipfilter_enable , +too. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipnat_program setting --------------------------------- +.It Ar ipnat_program +(str) Set to +.Ar /sbin/ipnat -CF -f +by default. +This variable contains a command line +up to (but not including) the translation rule definition +(expected to live in a separate file). +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipnat_rules setting ----------------------------------- +.It Ar ipnat_rules +(str) Set to +.Ar /etc/ipnat.rules +by default. +This variable contains the name of the file +holding the network address translation definition. +This file is expected to be readable for the NAT command to execute. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipnat_flags setting ----------------------------------- +.It Ar ipnat_flags +(str) Empty by default. +This variable contains additional flags +appended to the ipnat command line +after the rule definition filename. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipmon_flags setting ----------------------------------- +.It Ar ipmon_flags +(str) Set to +.Ar -Ds +by default. 
+This variable contains flags passed to the +.Xr ipmon 8 +program. +Set this variable to +.Pa NO +to disable monitoring the packet filter. +Any other value (as well as empty settings) +will enable monitoring, when +.Ar ipfilter_enable +is set. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- end of added ipf hook --------------------------------- .It Ar tcp_extensions (bool) Set to .Ar NO ===================================================================

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
>Release-Note:
>Audit-Trail:
>Unformatted:
... not really sure about this, I "only" follow -stable :)
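Review bot: In the rc.network hunk (@@ -20,6 +20,39 @@), `ipmon ${ipmon_flags}` is started with no check that the flags contain `-D`; ipmon only detaches into the background with `-D`, so an empty `ipmon_flags` (which the rc.conf.5 hunk explicitly documents as "will enable monitoring") or a bare `-s` leaves ipmon in the foreground and rc.network never gets past this line at boot. Either guard the call (`*-D*) echo -n ' ipmon'; ipmon ${ipmon_flags} ;;` with the other values rejected) or document that `-D` is mandatory. The `else ipfilter_enable="NO"; echo -n ' NO IPF RULES'` branch also deserves a word in the comment: an unreadable rules file makes the host finish booting with no filter loaded at all, which is fail-open unless the kernel was built with IPFILTER_DEFAULT_BLOCK, exactly the option the comment at the top of the hunk recommends.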
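Review bot: The defaults/rc.conf hunk (@@ -51,6 +51,21 @@) and the fallbacks in rc.network disagree: here `ipfilter_program="/sbin/ipf -Fa -f"` and `ipnat_program="/sbin/ipnat -CF -f"` carry absolute paths, while rc.network falls back to bare `ipf -Fa -f` and `ipnat -CF -f` when the variables are unset. /etc/defaults/rc.conf is normally sourced first so the fallback is rarely reached, but keep the two spellings identical (absolute paths) so that the early-boot PATH never decides which binary runs. The `ipmon_flags` comment also suggests `/var/log/ipflog` while the PR text and the rc.conf.5 example use `/var/log/ipmon.log`; pick one name for the documentation.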
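Review bot: In the rc.conf.5 hunk (@@ -206,6 +208,165 @@) the ipmon_flags entry states that "Any other value (as well as empty settings) will enable monitoring", which does not match what rc.network does with a value lacking `-D` (ipmon does not daemonize and the script blocks); the entry should say `-D` is required, and its `.Pa NO` should be `.Ar NO` like the other values in the file. Every "for a detailled discussion" line should read "detailed", and the comment `ipfilter_enable seting` should read `setting`. The ipfilter_enable paragraph admitting that "almost any filter could be established" by abusing the variables is worth keeping, but phrase it as a warning: rc.network expands `${ipfilter_program} ${ipfilter_rules} ${ipfilter_flags}` unquoted and runs the result as root during boot, so these variables are a root command line and rc.conf must stay writable by root only.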
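An added pre-flight check, written for this review and not part of the PR or of FreeBSD's rc scripts: it applies the same tests the rc.network hunk applies to an rc.conf fragment before a reboot, so the fail-open (unreadable rules file) and hang (ipmon without `-D`) cases surface on the console instead of at boot. It assumes a POSIX sh with `mktemp -d`; the files under `$tmp` are constructed samples.

```shell
#!/bin/sh
# Added example (not the PR's code): pre-flight check of the ipfilter knobs in an
# rc.conf fragment. It mirrors the tests of the rc.network hunk and reports what is
# best found before a reboot: an unreadable rules file (host boots unfiltered unless
# the kernel has IPFILTER_DEFAULT_BLOCK) and ipmon flags without -D (ipmon stays in
# the foreground and rc.network never returns). Returns 0 when clean, 1 otherwise.
check_ipf_conf() {
    # defaults as in the patched /etc/defaults/rc.conf; the fragment overrides them
    ipfilter_enable="NO" ipfilter_rules="/etc/ipf.rules"
    ipnat_enable="NO"   ipnat_rules="/etc/ipnat.rules"
    ipmon_flags="-Ds"
    . "$1"                     # the fragment is trusted shell, exactly as rc treats it
    rc=0
    case "${ipfilter_enable}" in
    [Yy][Ee][Ss])
        if [ ! -r "${ipfilter_rules}" ]; then
            echo "ipfilter_rules=${ipfilter_rules} not readable: boot would continue unfiltered"
            rc=1
        fi
        case "${ipmon_flags}" in
        [Nn][Oo]|*-D*) ;;
        *) echo "ipmon_flags='${ipmon_flags}' lacks -D: ipmon would block rc.network"; rc=1 ;;
        esac
        case "${ipnat_enable}" in
        [Yy][Ee][Ss]) [ -r "${ipnat_rules}" ] ||
            { echo "ipnat_rules=${ipnat_rules} not readable: NAT silently skipped"; rc=1; } ;;
        esac ;;
    *)
        case "${ipnat_enable}" in
        [Yy][Ee][Ss]) echo "ipnat_enable=YES without ipfilter_enable=YES: ipnat never loads"; rc=1 ;;
        esac ;;
    esac
    return $rc
}
# Constructed sample fragments and rules files (not real system files).
tmp=$(mktemp -d) && : > "$tmp/ipf.rules" && : > "$tmp/ipnat.rules"
cat > "$tmp/good.conf" <<EOF
ipfilter_enable="YES"
ipfilter_rules="$tmp/ipf.rules"
ipnat_enable="YES"
ipnat_rules="$tmp/ipnat.rules"
ipmon_flags="-D $tmp/ipmon.log"
EOF
cat > "$tmp/bad.conf" <<EOF
ipfilter_enable="YES"
ipfilter_rules="$tmp/missing.rules"
ipmon_flags=""
EOF
check_ipf_conf "$tmp/good.conf" && echo "good.conf: ok"
check_ipf_conf "$tmp/bad.conf" || echo "bad.conf: problems found"
```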