From owner-freebsd-newbies Thu Jan 13 14:35:51 2000
Delivered-To: freebsd-newbies@freebsd.org
Received: from mx2.x-treme.gr (mx2.x-treme.gr [212.120.192.15]) by hub.freebsd.org (Postfix) with ESMTP id 37B8A150AA for ; Thu, 13 Jan 2000 14:35:42 -0800 (PST) (envelope-from keramida@diogenis.ceid.upatras.gr)
Received: from hades.hell.gr (pat34.x-treme.gr [212.120.197.226]) by mx2.x-treme.gr (8.9.3/8.9.3/IPNG-ADV-ANTISPAM-0.1) with ESMTP id AAA09666 for ; Fri, 14 Jan 2000 00:35:30 +0200
Received: (from charon@localhost) by hades.hell.gr (8.9.3/8.9.3) id RAA03777 for freebsd-newbies@freebsd.org; Thu, 13 Jan 2000 17:21:53 +0200 (EET) (envelope-from keramida@diogenis.ceid.upatras.gr)
Date: Thu, 13 Jan 2000 17:21:52 +0200
From: Giorgos Keramidas
To: freebsd-newbies@freebsd.org
Subject: Contributing patch for ipfilter?
Message-ID: <20000113172152.G2590@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
Sender: owner-freebsd-newbies@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I installed Darren's ipfilter yesterday, and after making a few changes to my /etc files I came up with the patch below. Do you think I could send the thing to freebsd-hackers for others to test / refine? If this is an option, how should I go about doing it? :)

The patch adds to rc.conf the variables:

ipf_{enable|program|flags}
ipnat_{enable|program|flags}
ipmon_{enable|program|flags}

and a bunch o' shell lines to /etc/rc.network.

Ciao.

"Giorgos E. Keramidas" < keramida @ ceid . upatras . gr >

-- patch follows --

diff -r -c etc.orig/defaults/rc.conf etc/defaults/rc.conf *** etc.orig/defaults/rc.conf Sun Nov 28 18:02:30 1999 --- etc/defaults/rc.conf Thu Jan 13 00:12:37 2000 *************** *** 44,49 **** --- 44,58 ---- natd_enable="NO" # Enable natd (if firewall_enable == YES). natd_interface="fxp0" # Public interface or IPaddress to use. natd_flags="" # Additional flags for natd. 
+ ipf_program="/sbin/ipf" # path to ipf, if you got it somewhere else + ipf_enable="YES" # Set to YES to enable ipfilter firewall + ipf_flags="-f /etc/ipf.conf" # Additional flags to pass to ipfilter + ipnat_program="/usr/sbin/ipnat" # path to ipnat, ipfilter's nat daemon + ipnat_enable="YES" # Set to YES, to enable ipnat functionality. + ipnat_flags="-f /etc/ipnat.conf" # Additional flags to pass to ipnat daemon + ipmon_program="/usr/sbin/ipmon" # path to ipmon, logger of ipfilter + ipmon_enable="YES" # Set to YES to enable ipfilter logging + ipmon_flags="-a -s" # -a = log everything, -s = to syslogd tcp_extensions="NO" # Disallow RFC1323 extensions (or YES). log_in_vain="NO" # Disallow bad connection logging (or YES). tcp_keepalive="YES" # Kill dead TCP connections (or NO). diff -r -c etc.orig/rc.network etc/rc.network *** etc.orig/rc.network Fri Dec 17 01:47:22 1999 --- etc/rc.network Thu Jan 13 00:02:43 2000 *************** *** 113,118 **** --- 113,146 ---- echo -n 'Starting ppp: '; ppp ${ppp_command} -quiet ${ppp_profile} fi + # Initialize filtering using ipfilter. + echo "" + ipf -F a > /dev/null 2>&1 + if [ $? = 0 ] ; then + ipfilter_in_kernel=1 + else + ipfilter_in_kernel=0 + fi + + if [ $ipfilter_in_kernel = 0 -a "x$ipf_enable" = "xYES" ] ; then + # No kld support for ipfilter yet? + echo "Warning: ipfilter is not supported." + fi + + # Load filters if required + if [ $ipfilter_in_kernel = 1 ] ; then + if [ X"$ipf_enable" = X"YES" ] ; then + echo -n ' ipf'; ${ipf_program} ${ipf_flags} + fi + if [ X"$ipnat_enable" = X"YES" ] ; then + echo -n ' ipnat'; ${ipnat_program} ${ipnat_flags} + fi + if [ X"$ipmon_enable" = X"YES" ] ; then + echo -n ' ipmon'; ${ipmon_program} ${ipmon_flags} & + fi + echo '.' + fi + # Initialize IP filtering using ipfw echo "" /sbin/ipfw -q flush > /dev/null 2>&1
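Review bot: in the etc/defaults/rc.conf hunk, `ipf_enable`, `ipnat_enable` and `ipmon_enable` all default to "YES", which breaks the convention the surrounding context shows (`natd_enable="NO"`): services in /etc/defaults/rc.conf are off until the administrator turns them on in /etc/rc.conf. Shipped as is, every kernel with ipfilter support would try to load /etc/ipf.conf and /etc/ipnat.conf and start ipmon on first boot, whether or not those files exist or contain a policy the host's owner chose. Suggest `ipf_enable="NO"`, `ipnat_enable="NO"` and `ipmon_enable="NO"` here, leaving YES for the per-host rc.conf.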
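Review bot: in the etc/rc.network hunk, the kernel-support probe runs a bare `ipf -F a` while the rule load below uses `${ipf_program}`; on a host where ipf is installed somewhere other than the default path (the case `ipf_program` exists for) the probe fails, `ipfilter_in_kernel` stays 0, no rules are loaded and the boot continues with only a warning printed. Use `${ipf_program} -F a` in the probe. Two smaller points: the probe runs even when none of the three services is enabled, and `-F a` flushes whatever rule set is active, so it is not a side-effect-free test; and the warning fires only on `ipf_enable`, so a host with `ipnat_enable="YES"` and no kernel support stays silent. Guarding the whole block with the enable variables and extending the warning to ipnat and ipmon would cover both. Finally, none of the three invocations checks its exit status, so a missing or malformed /etc/ipf.conf leaves the host with no filter rules and no indication of it; at least echo a warning on non-zero exit.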