- Copy stable/9 to releng/9.2 as part of the 9.2-RELEASE cycle.
1 #!/bin/sh
2 #
3 # $FreeBSD$
4 #
5
6 # PROVIDE: ipfw
7 # REQUIRE: ppp
8 # KEYWORD: nojailvnet
9
10 . /etc/rc.subr
11 . /etc/network.subr
12
# rc.subr(8) control variables for this service.
#   name / rcvar      - service name and the rc.conf switch that enables it.
#   required_modules  - kernel modules needed before start; ipfw_prestart
#                       may append to this list.
#   *_cmd / *_precmd / *_postcmd - shell functions defined below that
#                       implement each phase of start and stop.
name="ipfw"
rcvar="firewall_enable"
required_modules="ipfw"
start_precmd="ipfw_prestart"
start_cmd="ipfw_start"
start_postcmd="ipfw_poststart"
stop_cmd="ipfw_stop"

# Register the old IPv6-specific switch as obsolete; the helper comes
# from the sourced rc.subr.
set_rcvar_obsolete ipv6_firewall_enable
# ipfw_prestart - start_precmd hook.
#
# Extends required_modules according to three rc.conf switches:
#   dummynet_enable     -> dummynet
#   natd_enable         -> ipdivert
#   firewall_nat_enable -> ipfw_nat
#
# Globals:  required_modules (appended to)
# Returns:  0 in every case; a switch that is off is simply skipped.
ipfw_prestart()
{
	local	_pair _knob _module

	# Each entry is "<rc.conf switch>:<kernel module>".
	for _pair in dummynet_enable:dummynet natd_enable:ipdivert \
	    firewall_nat_enable:ipfw_nat; do
		_knob=${_pair%%:*}
		_module=${_pair#*:}
		if checkyesno "${_knob}"; then
			required_modules="${required_modules} ${_module}"
		fi
	done
}
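# ipfw_start - start_cmd hook: load the ruleset and optionally turn on
# verbose logging.
#
# Arguments: $1 - firewall type, handed unchanged to the rules script.
# Globals:   firewall_script (read; defaults to /etc/rc.firewall),
#            SYSCTL (read).
# Outputs:   status lines on stdout; a warning through warn() when the
#            rules script exits non-zero.
#
# Security notes:
#   - The rules script is run by /bin/sh with this script's privileges
#     (presumably root at boot - confirm for your setup). Only
#     readability is tested here, so the ownership and mode of
#     ${firewall_script}, and of anything it reads, must be controlled
#     by the administrator.
#   - A non-zero exit from the rules script is reported rather than
#     announced as success, because the ruleset may then be only partly
#     loaded. ipfw_poststart still enables the firewall afterwards, so
#     review the active rules after such a warning.
ipfw_start()
{
	local	_firewall_type _rc

	_firewall_type=$1

	# Fall back to the stock rules script when none is configured.
	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

	if [ -r "${firewall_script}" ]; then
		_rc=0
		/bin/sh "${firewall_script}" "${_firewall_type}" || _rc=$?
		if [ "${_rc}" -eq 0 ]; then
			echo 'Firewall rules loaded.'
		else
			warn "firewall script '${firewall_script}' exited" \
			    "with status ${_rc}; rules may be incomplete"
		fi
	elif [ "$(ipfw list 65535)" = "65535 deny ip from any to any" ]; then
		# No readable script and the final rule is deny-all.
		echo 'Warning: kernel has firewall functionality, but' \
		    ' firewall rules are not enabled.'
		echo '           All ip services are disabled.'
	fi

	# Firewall logging
	#
	if checkyesno firewall_logging; then
		echo 'Firewall logging enabled.'
		# Use ${SYSCTL} like the other hooks in this file instead
		# of resolving a bare "sysctl" through PATH.
		${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
	fi
}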
# ipfw_poststart - start_postcmd hook: launch the coscripts, then switch
# packet filtering on.
#
# Globals: firewall_coscripts (read; whitespace-separated paths),
#          SYSCTL (read).
#
# NOTE(review): every word of firewall_coscripts that names a regular
# file is executed directly with the argument "quietstart". Only -f is
# tested - not ownership, mode or executability - so the list and the
# files it names must be writable by the administrator alone.
#
# A failing enable sysctl produces only a warning; no other error
# handling happens here, so the firewall can remain disabled after a
# "start". Treat these warnings as actionable.
ipfw_poststart()
{
	local	_helper

	# Splitting ${firewall_coscripts} into words is intentional.
	for _helper in ${firewall_coscripts} ; do
		[ -f "${_helper}" ] || continue
		${_helper} quietstart
	done

	${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1 ||
	    warn "failed to enable IPv4 firewall"

	# The IPv6 switch is touched only when the inet6 family exists.
	if afexists inet6; then
		${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1 ||
		    warn "failed to enable IPv6 firewall"
	fi
}
# ipfw_stop - stop_cmd hook: switch packet filtering off, then stop the
# coscripts in the reverse of their start order.
#
# Globals: firewall_coscripts (read), SYSCTL (read).
#
# The enable sysctls are set to 0 before any coscript is stopped, and
# their output is not suppressed here. NOTE(review): with both switches
# at 0 the loaded rules presumably no longer filter traffic - confirm,
# and make sure "stop" is what you intend on an exposed host.
#
# As on start, each listed path that is a regular file is executed
# directly (argument "quietstop") with no ownership or mode check.
ipfw_stop()
{
	local	_helper

	${SYSCTL} net.inet.ip.fw.enable=0
	if afexists inet6; then
		${SYSCTL} net.inet6.ip6.fw.enable=0
	fi

	# reverse_list comes from the sourced rc helpers; its output is
	# word-split on purpose.
	for _helper in $(reverse_list ${firewall_coscripts}) ; do
		[ -f "${_helper}" ] || continue
		${_helper} quietstop
	done
}
# Read the rc.conf settings for this service.
load_rc_config ${name}

# /etc/rc.d/natd is always placed first in the coscript list, so it is
# the first coscript run on start and, through reverse_list in
# ipfw_stop, the last one run on stop.
firewall_coscripts="/etc/rc.d/natd $firewall_coscripts"

# NOTE(review): $* is unquoted, so the arguments are word-split and
# glob-expanded again before run_rc_command sees them; "$@" would pass
# them through unchanged.
run_rc_command $*