Date:      Thu, 13 Jan 2000 17:21:52 +0200
From:      Giorgos Keramidas <charon@hades.hell.gr>
To:        freebsd-newbies@freebsd.org
Subject:   Contributing patch for ipfilter?
Message-ID:  <20000113172152.G2590@hades.hell.gr>


I installed Darren's ipfilter yesterday, and after making a few changes
to my /etc files I came up with the patch below.  Do you think I could
send the thing to freebsd-hackers for others to test / refine?  If this
is an option, how should I go about doing it? :)

The patch adds to rc.conf the variables:

	ipf_{enable|program|flags}
	ipnat_{enable|program|flags}
	ipmon_{enable|program|flags}

and a bunch o' shell lines to /etc/rc.network.

Ciao.

"Giorgos E. Keramidas" < keramida @ ceid . upatras . gr >

-- patch follows --

diff -r -c etc.orig/defaults/rc.conf etc/defaults/rc.conf
*** etc.orig/defaults/rc.conf	Sun Nov 28 18:02:30 1999
--- etc/defaults/rc.conf	Thu Jan 13 00:12:37 2000
***************
*** 44,49 ****
--- 44,58 ----
  natd_enable="NO"                # Enable natd (if firewall_enable == YES).
  natd_interface="fxp0"           # Public interface or IPaddress to use.
  natd_flags=""                   # Additional flags for natd.
+ ipf_program="/sbin/ipf"		# path to ipf, if you got it somewhere else
+ ipf_enable="YES"		# Set to YES to enable ipfilter firewall
+ ipf_flags="-f /etc/ipf.conf"	# Additional flags to pass to ipfilter
+ ipnat_program="/usr/sbin/ipnat"	# path to ipnat, ipfilter's nat daemon
+ ipnat_enable="YES"		# Set to YES, to enable ipnat functionality.
+ ipnat_flags="-f /etc/ipnat.conf" # Additional flags to pass to ipnat daemon
+ ipmon_program="/usr/sbin/ipmon"	# path to ipmon, logger of ipfilter
+ ipmon_enable="YES"		# Set to YES to enable ipfilter logging
+ ipmon_flags="-a -s"		# -a = log everything, -s = to syslogd
  tcp_extensions="NO"		# Disallow RFC1323 extensions (or YES).
  log_in_vain="NO"		# Disallow bad connection logging (or YES).
  tcp_keepalive="YES"		# Kill dead TCP connections (or NO).
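Review bot: the new `ipf_enable`, `ipnat_enable` and `ipmon_enable` knobs default to "YES" in /etc/defaults/rc.conf, which is the opposite of the convention the surrounding lines follow (`natd_enable="NO"`). Shipping defaults of YES means any host with ipfilter compiled into the kernel starts loading /etc/ipf.conf and /etc/ipnat.conf at boot without the administrator having opted in, and fails noisily when those files do not exist; set all three to "NO" here and let users enable them in /etc/rc.conf. Minor: the comments mix "path to ..." and "Set to YES ..." phrasing and tab alignment with the lines above; matching the existing `natd_*` comment style would help.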
diff -r -c etc.orig/rc.network etc/rc.network
*** etc.orig/rc.network	Fri Dec 17 01:47:22 1999
--- etc/rc.network	Thu Jan 13 00:02:43 2000
***************
*** 113,118 ****
--- 113,146 ----
  	    echo -n 'Starting ppp: '; ppp ${ppp_command} -quiet ${ppp_profile}
      fi
  
+     # Initialize filtering using ipfilter.
+     echo ""
+     ipf -F a > /dev/null 2>&1
+     if [ $? = 0 ] ; then
+ 	ipfilter_in_kernel=1
+     else
+ 	ipfilter_in_kernel=0
+     fi
+ 
+     if [ $ipfilter_in_kernel = 0 -a "x$ipf_enable" = "xYES" ] ; then
+ 	# No kld support for ipfilter yet?
+ 	echo "Warning: ipfilter is not supported."
+     fi
+ 
+     # Load filters if required
+     if [ $ipfilter_in_kernel = 1 ] ; then
+ 	if [ X"$ipf_enable" = X"YES" ] ; then
+ 	    echo -n ' ipf'; ${ipf_program} ${ipf_flags}
+ 	fi
+ 	if [ X"$ipnat_enable" = X"YES" ] ; then
+ 	    echo -n ' ipnat'; ${ipnat_program} ${ipnat_flags}
+ 	fi
+ 	if [ X"$ipmon_enable" = X"YES" ] ; then
+ 	    echo -n ' ipmon'; ${ipmon_program} ${ipmon_flags} &
+ 	fi
+ 	echo '.'
+     fi
+ 
      # Initialize IP filtering using ipfw
      echo ""
      /sbin/ipfw -q flush > /dev/null 2>&1
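Review bot: the kernel-support probe `ipf -F a > /dev/null 2>&1` runs unconditionally, before `ipf_enable` is checked, so it flushes whatever ipfilter rules are currently loaded even on hosts where the administrator never turned ipfilter on, and it invokes a bare `ipf` rather than `${ipf_program}` (the whole point of the new `ipf_program` variable). Suggest guarding the probe with the enable check first, e.g.
	if [ X"$ipf_enable" = X"YES" ]; then
	    if ${ipf_program} -F a > /dev/null 2>&1; then ...
so nothing is touched when ipfilter is disabled. Two smaller points: the warning text "ipfilter is not supported" is printed when either the binary is missing or the kernel lacks ipfilter, so it should say which case was hit, and `ipmon` is backgrounded with `&` but nothing records its pid or checks that it started, so a failed logger is silent at boot.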

