1 #!/bin/sh
2 #
3 # $FreeBSD$
4 #
5
6 # PROVIDE: ipfw
7 # REQUIRE: ppp
8 # KEYWORD: nojailvnet
9
10 . /etc/rc.subr
11 . /etc/network.subr
12
# rc.subr service description: the service is switched on by the
# firewall_enable knob and lists the ipfw kernel module as a requirement.
name="ipfw"
rcvar="firewall_enable"
required_modules="ipfw"

# Hook functions (defined below) that run_rc_command invokes for
# "start" and "stop".
start_precmd="${name}_prestart"
start_cmd="${name}_start"
start_postcmd="${name}_poststart"
stop_cmd="${name}_stop"

# ipv6_firewall_enable is registered as an obsolete rc.conf knob.
set_rcvar_obsolete ipv6_firewall_enable
22
# Pre-start hook: extend required_modules with the kernel module that each
# enabled optional feature needs.
# Globals:   required_modules (appended to)
# Returns:   0 (the knob tests are only used as conditions)
ipfw_prestart()
{
        local   _pair _knob _module

        # Each entry is "<rc.conf knob>:<kernel module>"; the order matches
        # the order in which the modules are appended.
        for _pair in dummynet_enable:dummynet natd_enable:ipdivert \
            firewall_nat_enable:ipfw_nat; do
                _knob=${_pair%%:*}
                _module=${_pair#*:}
                if checkyesno ${_knob}; then
                        required_modules="$required_modules ${_module}"
                fi
        done
}
35
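# Start hook: run the firewall rules script and apply the logging knobs.
# Arguments: $1 - firewall type, handed unchanged to the rules script as its
#                 first argument (may be empty)
# Globals:   firewall_script (read; set to /etc/rc.firewall when empty)
# Outputs:   status messages on stdout; a warning through warn() when the
#            rules script exits non-zero
# Returns:   the rules script's exit status is reported but not propagated,
#            so a failing script does not change what the hook returns.
ipfw_start()
{
        local   _firewall_type _rc

        _firewall_type=$1

        # Fall back to the stock rules script when none was configured.
        [ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

        if [ -r "${firewall_script}" ]; then
                # Announce success only when the rules script reports it.
                # A script that stops part-way may leave an incomplete
                # ruleset behind, and the boot log should say so instead of
                # claiming the rules were loaded.
                if /bin/sh "${firewall_script}" "${_firewall_type}"; then
                        echo 'Firewall rules loaded.'
                else
                        _rc=$?
                        warn "firewall rules script ${firewall_script}" \
                            "exited with status ${_rc};" \
                            "ruleset may be incomplete"
                fi
        elif [ "$(ipfw list 65535)" = "65535 deny ip from any to any" ]; then
                # No readable rules script and rule 65535 is the deny-all
                # rule: tell the operator why nothing gets through.
                echo 'Warning: kernel has firewall functionality, but' \
                    ' firewall rules are not enabled.'
                echo '           All ip services are disabled.'
        fi

        # Firewall logging
        #
        if checkyesno firewall_logging; then
                echo 'Firewall logging enabled.'
                sysctl net.inet.ip.fw.verbose=1 >/dev/null
        fi
        if checkyesno firewall_logif; then
                ifconfig ipfw0 create
                echo 'Firewall logging pseudo-interface (ipfw0) created.'
        fi
}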
65
# Post-start hook: start the firewall coscripts, then switch packet
# filtering on for IPv4 and, when the inet6 address family exists, IPv6.
# Globals:   firewall_coscripts (read, split on whitespace), SYSCTL (read)
# Returns:   0, or warn()'s status when the last sysctl attempted failed
ipfw_poststart()
{
        local   _script

        # Coscripts are executed directly; rc.d scripts normally run as
        # root, so every path listed in firewall_coscripts should be
        # writable by root only.  Entries that are not regular files are
        # skipped silently.
        for _script in ${firewall_coscripts} ; do
                [ -f "${_script}" ] || continue
                ${_script} quietstart
        done

        # A failure to enable filtering is only warned about; it does not
        # stop the remaining steps.
        ${SYSCTL} net.inet.ip.fw.enable=1 >/dev/null 2>&1 ||
            warn "failed to enable IPv4 firewall"

        # Nothing more to do when there is no IPv6 support.
        afexists inet6 || return 0

        ${SYSCTL} net.inet6.ip6.fw.enable=1 >/dev/null 2>&1 ||
            warn "failed to enable IPv6 firewall"
}
90
# Stop hook: switch packet filtering off, then stop the firewall coscripts
# in the reverse of their start order.
# Globals:   firewall_coscripts (read, split on whitespace), SYSCTL (read)
# Returns:   status of the last command run in the coscript loop
ipfw_stop()
{
        local   _script

        # Filtering is turned off first; once these sysctls are applied
        # ipfw no longer filters traffic.  sysctl output is not suppressed
        # here.
        ${SYSCTL} net.inet.ip.fw.enable=0
        if afexists inet6; then
                ${SYSCTL} net.inet6.ip6.fw.enable=0
        fi

        # Entries that are not regular files are skipped silently.
        for _script in $(reverse_list ${firewall_coscripts}) ; do
                [ -f "${_script}" ] || continue
                ${_script} quietstop
        done
}
110
# Read the rc.conf settings for this service.
load_rc_config "${name}"

# /etc/rc.d/natd is always the first coscript, ahead of any that rc.conf
# lists; the start/stop hooks skip entries that are not regular files.
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"

# Dispatch the requested command.  $* is left unquoted, so the script's
# arguments are re-split on whitespace before they reach run_rc_command.
run_rc_command $*