From 5f4feab6965f42051a8c40691c6add3706f02180 Mon Sep 17 00:00:00 2001 From: Daniel O'Callaghan Date: Thu, 11 Sep 1997 10:59:02 +0000 Subject: [PATCH] Reviewed by: msmith, alex Cosmetic changes to the loading of firewall rules and lkm. --- etc/network.subr | 39 ++++++++++++++--- etc/rc.conf | 6 ++- etc/rc.d/netoptions | 39 ++++++++++++++--- etc/rc.d/network1 | 39 ++++++++++++++--- etc/rc.d/network2 | 39 ++++++++++++++--- etc/rc.d/network3 | 39 ++++++++++++++--- etc/rc.d/routing | 39 ++++++++++++++--- etc/rc.firewall | 104 +++++++++++++++++++++++++------------------- etc/rc.network | 39 ++++++++++++++--- 9 files changed, 295 insertions(+), 88 deletions(-) diff --git a/etc/network.subr b/etc/network.subr index 3c5657dc5717..fb35d2ffb44d 100644 --- a/etc/network.subr +++ b/etc/network.subr @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in 
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' - . /etc/rc.firewall + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 fi + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then + . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi + fi + + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" diff --git a/etc/rc.conf b/etc/rc.conf index ffd02d4eeb09..9925a71c6174 100644 --- a/etc/rc.conf +++ b/etc/rc.conf @@ -6,7 +6,7 @@ # # All arguments must be in double or single quotes. # -# $Id: rc.conf,v 1.24 1997/08/17 10:04:52 jkh Exp $ +# $Id: rc.conf,v 1.25 1997/08/19 16:49:30 pst Exp $ ############################################################## ### Important initial Boot-time options ##################### 
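Review bot: The kernel-presence test `if [ $? ] ; then` is always true, because `[ string ]` only checks that the string is non-empty and `$?` always expands to a number, so `firewall_in_kernel` is set to 0 whether or not the preceding `ipfw -q flush` succeeded. On a kernel with the firewall compiled in, the following `modload /lkm/ipfw_mod.o` fails, `firewall_in_kernel` stays 0, and rc.firewall is never sourced, so a default-deny kernel boots with no rules and no IP connectivity while the warning written for exactly that situation is never printed. The intended check is `if [ $? -ne 0 ] ; then` (or run the flush directly as the `if` condition and assign 1 in the then-branch). The same lines appear in the etc/rc.d/netoptions, network1, network2, network3, routing and etc/rc.network hunks, which are copies of this file. network_pass1 begins before this hunk and continues after it.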
@@ -28,7 +28,9 @@ local_periodic="/usr/local/etc/periodic /usr/X11R6/etc/periodic" # periodic scri ### Basic network options: ### hostname="myname.my.domain" # Set this! nisdomainname="NO" # Set to NIS domain if using NIS (or NO). -firewall="NO" # firewall type (see /etc/rc.firewall) or NO. +firewall_enable="NO" # Set to YES to enable firewall functionality +firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) +firewall_quiet="NO" # Set to YES to suppress rule display tcp_extensions="YES" # Allow RFC1323 & RFC1544 extensions (or NO). network_interfaces="lo0" # List of network interfaces (lo0 is loopback). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions index 3c5657dc5717..fb35d2ffb44d 100644 --- a/etc/rc.d/netoptions +++ b/etc/rc.d/netoptions @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in 
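Review bot: The comment on `firewall_type="UNKNOWN"` does not tell the administrator that any value other than the named types is treated as a rules file and tested with `-r` in rc.firewall, so a relative path would be resolved against whatever working directory the rc scripts have at boot; the rc.firewall header in this commit says the filename must be a full path, and rc.conf is where users actually set it. Suggest `firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) or full path to a rules file`.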
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' - . /etc/rc.firewall + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 fi + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then + . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi + fi + + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" diff --git a/etc/rc.d/network1 b/etc/rc.d/network1 index 3c5657dc5717..fb35d2ffb44d 100644 --- a/etc/rc.d/network1 +++ b/etc/rc.d/network1 @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in 
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' - . /etc/rc.firewall + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 fi + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then + . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi + fi + + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" diff --git a/etc/rc.d/network2 b/etc/rc.d/network2 index 3c5657dc5717..fb35d2ffb44d 100644 --- a/etc/rc.d/network2 +++ b/etc/rc.d/network2 @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in 
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' - . /etc/rc.firewall + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 fi + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then + . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi + fi + + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" diff --git a/etc/rc.d/network3 b/etc/rc.d/network3 index 3c5657dc5717..fb35d2ffb44d 100644 --- a/etc/rc.d/network3 +++ b/etc/rc.d/network3 @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in 
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' - . /etc/rc.firewall + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 fi + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then + . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi + fi + + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" diff --git a/etc/rc.d/routing b/etc/rc.d/routing index 3c5657dc5717..fb35d2ffb44d 100644 --- a/etc/rc.d/routing +++ b/etc/rc.d/routing @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in 
@@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' - . /etc/rc.firewall + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 fi + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then + . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi + fi + + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}" diff --git a/etc/rc.firewall b/etc/rc.firewall index b0e29baf309c..5bfaedc69e93 100644 --- a/etc/rc.firewall +++ b/etc/rc.firewall 
@@ -1,17 +1,18 @@ ############ # Setup system for firewall service. -# $Id: rc.firewall,v 1.11 1997/05/03 11:22:17 jkh Exp $ +# $Id: rc.firewall,v 1.12 1997/05/05 07:08:31 jkh Exp $ ############ +# Define the firewall type in /etc/rc.conf. Valid values are: +# open - will allow anyone in +# client - will try to protect just this machine +# simple - will try to protect a whole network +# closed - totally disables IP services except via lo0 interface +# UNKNOWN - disables the loading of firewall rules. +# filename - will load the rules in the given filename (full path required) # -# >>Warning<< -# This file is not very old yet, and have been put together without much -# testing of the contents. - -# Set this to be the type of firewall you want: open, client, simple or NONE. -# ``open'' will allow anyone in, ``client'' will try to protect just one -# machine and ``simple'' will try to protect a whole network (entries should -# be customized appropriately below). To let no one in, use NONE. +# For ``client'' and ``simple'' the entries below should be customized +# appropriately. ############ # @@ -36,9 +37,21 @@ # http://www.awl.com/ # +if [ "x$1" != "x" ]; then + firewall_type=$1 +fi + +############ +# Set quiet mode if requested +if [ "x$firewall_quiet" = "xYES" ]; then + fwcmd="/sbin/ipfw -q" +else + fwcmd="/sbin/ipfw" +fi + ############ # Flush out the list before we begin. -/sbin/ipfw -f flush +$fwcmd -f flush ############ # If you just configured ipfw in the kernel as a tool to solve network 
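Review bot: The new header lists `closed` and `UNKNOWN` as valid values of `firewall_type`, but the code in this file never tests for either: the prototype chain in the following hunks checks `open`, `simple`, `client` and then `!= "NONE" -a -r`, so `closed` and `UNKNOWN` both fall through to the `-r` test and are treated as filenames. Either the last branch should compare against the documented sentinel, e.g. `elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then`, or the header should document `NONE`; since the rc.conf default in this commit is `UNKNOWN`, the code side is the one to fix. It would also help to add after `UNKNOWN - disables the loading of firewall rules.` a line noting that the kernel's built-in default policy then decides what passes, which appears to be why the caller prints that all IP services are disabled.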
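Review bot: `if [ "x$1" != "x" ]; then firewall_type=$1 fi` overrides the rc.conf setting with whatever positional parameter is in scope when this file is sourced; when `. /etc/rc.firewall` runs inside network_pass1 (network.subr hunk) that is the function's own `$1`, but any script that sources this file after being invoked with arguments will silently get its first argument used as the firewall type, and if that is not one of the named types it is handed to the `-r` test as a filename. A comment stating the intended contract would make this safer to maintain, e.g. `# An explicit type may be given as $1 (when running this file directly) to override rc.conf's firewall_type.` Alternatively, only honour `$1` when the file is executed rather than sourced.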
@@ -46,19 +59,23 @@ # they you will want to change the default policy to open. You can also # do this as your only action by setting the firewall_type to ``open''. -# /sbin/ipfw add 65000 pass all from any to any +# $fwcmd add 65000 pass all from any to any ############ # Only in rare cases do you want to change this rule -/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1 +$fwcmd add 1000 pass all from 127.0.0.1 to 127.0.0.1 # Prototype setups. -if [ "${firewall}" = "open" ]; then +if [ "${firewall_type}" = "open" ]; then - /sbin/ipfw add 65000 pass all from any to any + $fwcmd add 65000 pass all from any to any -elif [ "${firewall}" = "client" ]; then +elif [ "${firewall_type}" = "simple" ]; then + + $fwcmd add 65000 pass all from any to any via lo0 + +elif [ "${firewall_type}" = "client" ]; then ############ # This is a prototype setup that will protect your system somewhat against 
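Review bot: The new `elif [ "${firewall_type}" = "simple" ]; then` branch inserted before the `client` case shadows the existing `simple` branch further down (end of the @@ -71 hunk and the @@ -117 hunk), which becomes unreachable: a host configured with `firewall_type="simple"` now gets only `pass all from any to any via lo0` and, under the default-deny policy the file's comments assume, no other IP traffic at all, instead of the anti-spoofing and service rules it used to load. The rule matches the new header's description of `closed` (`totally disables IP services except via lo0 interface`), so the line should read `elif [ "${firewall_type}" = "closed" ]; then`. Failing closed is the safer direction, but for `simple` users it is a silent loss of all connectivity rather than a filtering regression.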
@@ -71,32 +88,32 @@ elif [ "${firewall}" = "client" ]; then ip="192.168.4.17" # Allow any traffic to or from my own net. - /sbin/ipfw add pass all from ${ip} to ${net}:${mask} - /sbin/ipfw add pass all from ${net}:${mask} to ${ip} + $fwcmd add pass all from ${ip} to ${net}:${mask} + $fwcmd add pass all from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded - /sbin/ipfw add pass tcp from any to any established + $fwcmd add pass tcp from any to any established # Allow setup of incoming email - /sbin/ipfw add pass tcp from any to ${ip} 25 setup + $fwcmd add pass tcp from any to ${ip} 25 setup # Allow setup of outgoing TCP connections only - /sbin/ipfw add pass tcp from ${ip} to any setup + $fwcmd add pass tcp from ${ip} to any setup # Disallow setup of all other TCP connections - /sbin/ipfw add deny tcp from any to any setup + $fwcmd add deny tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${ip} - /sbin/ipfw add pass udp from ${ip} to any 53 + $fwcmd add pass udp from any 53 to ${ip} + $fwcmd add pass udp from ${ip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${ip} - /sbin/ipfw add pass udp from ${ip} to any 123 + $fwcmd add pass udp from any 123 to ${ip} + $fwcmd add pass udp from ${ip} to any 123 # Everything else is denied as default. -elif [ "${firewall}" = "simple" ]; then +elif [ "${firewall_type}" = "simple" ]; then ############ # This is a prototype setup for a simple firewall. Configure this machine 
@@ -117,43 +134,42 @@ elif [ "${firewall}" = "simple" ]; then iip="192.168.3.17" # Stop spoofing - /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif} - /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif} + $fwcmd add deny all from ${inet}:${imask} to any in via ${oif} + $fwcmd add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface - /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} - /sbin/ipfw add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} - /sbin/ipfw add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} + $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} + $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} + $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} # Allow TCP through if setup succeeded - /sbin/ipfw add pass tcp from any to any established + $fwcmd add pass tcp from any to any established # Allow setup of incoming email - /sbin/ipfw add pass tcp from any to ${oip} 25 setup + $fwcmd add pass tcp from any to ${oip} 25 setup # Allow access to our DNS - /sbin/ipfw add pass tcp from any to ${oip} 53 setup + $fwcmd add pass tcp from any to ${oip} 53 setup # Allow access to our WWW - /sbin/ipfw add pass tcp from any to ${oip} 80 setup + $fwcmd add pass tcp from any to ${oip} 80 setup # Reject&Log all setup of incoming connections from the outside - /sbin/ipfw add deny log tcp from any to any in via ${oif} setup + $fwcmd add deny log tcp from any to any in via ${oif} setup # Allow setup of any other TCP connection - /sbin/ipfw add pass tcp from any to any setup + $fwcmd add pass tcp from any to any setup # Allow DNS queries out in the world - /sbin/ipfw add pass udp from any 53 to ${oip} - /sbin/ipfw add pass udp from ${oip} to any 53 + $fwcmd add pass udp from any 53 to ${oip} + $fwcmd add pass udp from ${oip} to any 53 # Allow NTP queries out in the world - /sbin/ipfw add pass udp from any 123 to ${oip} - 
/sbin/ipfw add pass udp from ${oip} to any 123 + $fwcmd add pass udp from any 123 to ${oip} + $fwcmd add pass udp from ${oip} to any 123 # Everything else is denied as default. -elif [ "${firewall}" != "NONE" -a -r "${firewall}" ]; then - - /sbin/ipfw ${firewall} +elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then + $fwcmd ${firewall} fi diff --git a/etc/rc.network b/etc/rc.network index 3c5657dc5717..fb35d2ffb44d 100644 --- a/etc/rc.network +++ b/etc/rc.network @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.8 1997/05/19 07:46:48 jkh Exp $ +# $Id: rc.network,v 1.9 1997/07/06 00:33:34 pst Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in @@ -54,13 +54,40 @@ network_pass1() { fi ifconfig ${ifn} done - - # If IP filtering - if [ -n "$firewall" -a "x$firewall" != "xNO" -a -f /etc/rc.firewall ] ; then - echo -n ' firewall' - . /etc/rc.firewall + + # Initialize IP filtering using ipfw + echo "" + /sbin/ipfw -q flush > /dev/null 2>&1 + if [ $? ] ; then + firewall_in_kernel=0 + else + firewall_in_kernel=1 fi + if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then + modload /lkm/ipfw_mod.o + if [ $? = 0 ]; then + firewall_in_kernel=1 # module loaded successfully + echo "Kernel firewall module loaded." + else + echo "Warning: firewall kernel module failed to load." + fi + fi + + # Load the filters if required + if [ $firewall_in_kernel = 1 ]; then + if [ -n "$firewall_enable" -a -f /etc/rc.firewall -a \ + "x$firewall_enable" = "xYES" ] ; then + . /etc/rc.firewall + echo "Firewall rules loaded." + else + echo "Warning: kernel has firewall functionality, but firewall rules are not enabled." + echo " All ip services are disabled." + fi + fi + + # Configure routing + if [ "x$defaultrouter" != "xNO" ] ; then static_routes="default ${static_routes}" route_default="default ${defaultrouter}"
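Review bot: The rewritten filename branch `$fwcmd ${firewall}` still references the old `firewall` variable, which this commit removes from rc.conf in favour of `firewall_type`; with `firewall` unset the line runs `/sbin/ipfw` with no arguments, so a rules file named in `firewall_type` is never loaded even though the guard `-r "${firewall_type}"` has just confirmed it is readable. It should be `$fwcmd ${firewall_type}`. The guard still compares against `NONE`, whereas the header in this commit documents `UNKNOWN` as the load-nothing value; the two should agree so the default rc.conf value does not reach the `-r` test. The `if` chain this hunk closes begins in the earlier hunks of this file.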