summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoy Marples <uberlord@gentoo.org>2007-03-13 14:36:29 +0000
committerRoy Marples <uberlord@gentoo.org>2007-03-13 14:36:29 +0000
commit1a815804b9af62e41875e403e4986ae72dcb5c91 (patch)
tree111a6cf5b88dd785e359797ad515368c071a5d46 /sys-freebsd/freebsd-sbin
parentx86 stable (diff)
downloadgentoo-2-1a815804b9af62e41875e403e4986ae72dcb5c91.tar.gz
gentoo-2-1a815804b9af62e41875e403e4986ae72dcb5c91.tar.bz2
gentoo-2-1a815804b9af62e41875e403e4986ae72dcb5c91.zip
Scrap the supplied ipfw script and replace with my own ipfw stateful
firewall script. (Portage version: 2.1.2.2)
Diffstat (limited to 'sys-freebsd/freebsd-sbin')
-rw-r--r--sys-freebsd/freebsd-sbin/ChangeLog7
-rw-r--r--sys-freebsd/freebsd-sbin/files/ipfw.confd7
-rw-r--r--sys-freebsd/freebsd-sbin/files/ipfw.initd134
-rw-r--r--sys-freebsd/freebsd-sbin/freebsd-sbin-6.2.ebuild3
4 files changed, 96 insertions, 55 deletions
diff --git a/sys-freebsd/freebsd-sbin/ChangeLog b/sys-freebsd/freebsd-sbin/ChangeLog
index 7194765730b1..f25de4e9bd11 100644
--- a/sys-freebsd/freebsd-sbin/ChangeLog
+++ b/sys-freebsd/freebsd-sbin/ChangeLog
@@ -1,6 +1,11 @@
# ChangeLog for sys-freebsd/freebsd-sbin
# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/ChangeLog,v 1.33 2007/02/23 13:56:05 uberlord Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/ChangeLog,v 1.34 2007/03/13 14:36:29 uberlord Exp $
+
+ 13 Mar 2007; Roy Marples <uberlord@gentoo.org> +files/ipfw.confd,
+ files/ipfw.initd, freebsd-sbin-6.2.ebuild:
+ Scrap the supplied ipfw script and replace with my own ipfw stateful
+ firewall script.
23 Feb 2007; Roy Marples <uberlord@gentoo.org> files/devd.initd,
files/ipfw.initd, files/sysctl.initd:
diff --git a/sys-freebsd/freebsd-sbin/files/ipfw.confd b/sys-freebsd/freebsd-sbin/files/ipfw.confd
new file mode 100644
index 000000000000..78864eef549e
--- /dev/null
+++ b/sys-freebsd/freebsd-sbin/files/ipfw.confd
@@ -0,0 +1,7 @@
+# ipfw provides a stateful firewall.
+# This means we allow everything out, and if we have a connection we allow it
+# back in. This is very flexable and quite secure.
+
+# For ease of use, we allow auth and ssh ports through as well.
+# To override the list of allowed ports
+#PORTS_IN="auth ssh"
diff --git a/sys-freebsd/freebsd-sbin/files/ipfw.initd b/sys-freebsd/freebsd-sbin/files/ipfw.initd
index 71118e7bea22..b0bd26f82fc2 100644
--- a/sys-freebsd/freebsd-sbin/files/ipfw.initd
+++ b/sys-freebsd/freebsd-sbin/files/ipfw.initd
@@ -1,73 +1,101 @@
#!/sbin/runscript
-# Copyright 1999-2005 Gentoo Foundation
+# Copyright 2007 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/files/ipfw.initd,v 1.2 2007/02/23 13:56:05 uberlord Exp $
+
+# This is a nice client firewall script which should suit most desktop users.
+# We allow auth and ssh in by default.
+
+PORTS_IN=${PORTS_IN:-auth ssh}
+
+opts="panic showstatus"
depend() {
- before net
+ before net
+ provide firewall
}
-start() {
- ebegin "Starting firewall"
-
- retval=0
-
- if ! sysctl net.inet.ip.fw.enable &>/dev/null; then
- if ! kldload ipfwl then
+ipfw() {
+ /sbin/ipfw -f -q "$@"
+}
+
+init() {
+ # Load the kernel module
+ if ! sysctl net.inet.ip.fw.enable=1 >/dev/null 2>/dev/null ; then
+ if ! kldload ipfw ; then
eend 1 "Unable to load firewall module"
return 1
fi
fi
- if [ -z "${firewall_script}" ] || [ ! -f "${firewall_script}" ]; then
- firewall_script=/etc/rc.firewall
- fi
+ ipfw flush
- if [ -r "${firewall_script}" ]; then
- source "${firewall_script}"
- einfo "Loaded firewall rules; starting daemons"
-
- if [ "${natd_enable}" = "yes" ]; then
- # Find out whether $natd_interface is using dhcp
- ifconfig_natd_iface=$(
- eval source /etc/conf.d/net\;
- echo \$\{ifconfig_${natd_interface}\})
- if [ "${ifconfig_natd_iface}" = "dhcp" ]; then
- natd_flags="${natd_flags} -dynamic"
- fi
-
- if [ -n "${natd_interface}" ]; then
- # Yes, this is ugly.
- if grep -q -E '^[0-9]+(\.[0-9]+){0,3}$' \
- <<<${natd_interface}; then
- natd_flags="${natd_flags} -a ${natd_interface}"
- else
- natd_flags="${natd_flags} -n ${natd_interface}"
- fi
- fi
- start-stop-daemon --start --exec \
- ${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg} || retval=1
- fi
- elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
- ewarn "Kernel has firewall functionality, but firewall rules aren't enabled!"
- ewarn "All ip services are disabled.
+ ipfw add allow all from any to any via lo0
+ ipfw add allow all from any to 127.0.0.0/8
+ ipfw add deny ip from 127.0.0.0/8 to any
+
+ ipfw add allow ipv6-icmp from :: to ff02::/16
+ ipfw add allow ipv6-icmp from fe80::/10 to fe80::/10
+ ipfw add allow ipv6-icmp from fe80::/10 to ff02::/16
+}
+
+start() {
+ local x=
+ ebegin "Starting firewall rules"
+ if ! init ; then
+ eend 1 "Failed to flush firewall ruleset"
+ return 1
fi
- # Logging
- if [ "${firewall_logging}" = "yes" ]; then
- einfo "Enabling firewall logging"
- sysctl net.inet.ip.fw.verbose=1 >/dev/null
+ # Use a statefull firewall
+ ipfw add check-state
+
+ # Open our configured ports
+ if [ -n "${PORTS_IN}" ] ; then
+ local pin=
+ for x in ${PORTS_IN} ; do
+ [ -n "${pin}" ] && pin="${pin},"
+ pin="${pin}${x}"
+ done
+ ipfw add allow tcp from any to me ${pin} setup keep-state
+ ipfw add allow tcp from any to me6 ${pin} setup keep-state
+ ipfw add allow udp from any to me ${pin} keep-state
+ ipfw add allow udp from any to me6 ${pin} keep-state
fi
- # And enable the firewall.
- sysctl -w net.inet.ip.fw.enable=1
-
- eend $retval "Failed to properly start firewall"
+ # Nice flexable rules that disallow incoming except for stuff we
+ # have asked for, and allow all outgoing.
+ ipfw add allow tcp from me to any setup keep-state
+ ipfw add allow tcp from me6 to any setup keep-state
+ ipfw add deny tcp from any to any
+ ipfw add allow udp from me to any keep-state
+ ipfw add allow udp from me6 to any keep-state
+ ipfw add deny udp from any to any
+
+ # Be a good firewall and allow some ICMP traffic.
+ # Remove 8 if you really want to disallow ping.
+ ipfw add allow icmp from any to any icmptypes 0,3,8,11,12
+ ipfw add allow ip6 from any to any proto ipv6-icmp
+
+ eend 0
}
stop() {
- ebegin "Stopping the firewall"
- sysctl -w net.inet.ip.fw.enable=0
- start-stop-daemon --stop --name "$(basename ${natd_program:-/sbin/natd})"
- eend $? "Failed to properly stop the firewall"
+ ebegin "Stopping firewall rules"
+ # We don't unload the kernel module as that action
+ # can cause memory leaks as of FreeBSD 6.x
+ sysctl net.inet.ip.fw.enable=0 >/dev/null
+ eend $?
+}
+
+panic() {
+ ebegin "Stopping firewall rules - hard"
+ if ! init ; then
+ eend 1 "Failed to flush firewall ruleset"
+ return 1
+ fi
+ eend 0
+}
+
+showstatus() {
+ ipfw show
}
diff --git a/sys-freebsd/freebsd-sbin/freebsd-sbin-6.2.ebuild b/sys-freebsd/freebsd-sbin/freebsd-sbin-6.2.ebuild
index f04d59a96e2c..a65ebe627453 100644
--- a/sys-freebsd/freebsd-sbin/freebsd-sbin-6.2.ebuild
+++ b/sys-freebsd/freebsd-sbin/freebsd-sbin-6.2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2007 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/freebsd-sbin-6.2.ebuild,v 1.1 2007/01/15 21:38:54 drizzt Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-sbin/freebsd-sbin-6.2.ebuild,v 1.2 2007/03/13 14:36:29 uberlord Exp $
inherit flag-o-matic bsdmk freebsd
@@ -64,6 +64,7 @@ src_install() {
newinitd "${FILESDIR}/devd.initd" devd
newinitd "${FILESDIR}/ipfw.initd" ipfw
+ newconfd "${FILESDIR}/ipfw.confd" ipfw
newinitd "${FILESDIR}/sysctl.initd" sysctl
# Gentoo devd.conf