#!/bin/sh -

# Based on /etc/rc.firewall
#
# ipfw rule set for a transparent-proxy / WLportal / captive-portal host.
# Settings consumed from rc.conf:
#   firewall_quiet             YES -> run ipfw with -q
#   captive_portal_whitelist   space-separated client addresses allowed
#                              straight out on TCP/80
#   captive_portal_interfaces  space-separated interfaces whose inbound
#                              TCP/80 is redirected to the portal
# (The trailing "-" on the shebang ends option processing for sh.)

############
# Pull in rc.conf unless the caller (e.g. rc.firewall) already did.
# /etc/defaults/rc.conf is expected to define source_rc_confs, which in
# turn loads the local rc.conf files on top of the defaults; if the
# defaults file is missing, fall back to reading /etc/rc.conf directly.
#
if test -z "${source_rc_confs_defined}"; then
	if test -r /etc/defaults/rc.conf; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif test -r /etc/rc.conf; then
		. /etc/rc.conf
	fi
fi

setup_loopback () {
	############
	# Loopback hygiene, same as rc.firewall: lo0 may talk to itself (100);
	# 127/8 must never be a destination (200) or a source (300) on any
	# other path, which blocks spoofed-loopback packets from the wire.
	# Only in rare cases do you want to change these rules.
	#
	# Rules are listed as "<number> <action> <match>" and handed to
	# ${fwcmd} one at a time; positional parameters are local to the
	# function, so the caller's "$@" is untouched.
	set -- \
	    "100 pass all from any to any via lo0" \
	    "200 deny all from any to 127.0.0.0/8" \
	    "300 deny ip from 127.0.0.0/8 to any"
	for rule; do
		# shellcheck disable=SC2086 -- ${rule} is a list of ipfw tokens
		${fwcmd} add ${rule}
	done
}

############
# Build the ipfw invocation. firewall_quiet=YES (any letter case) adds -q
# so rule additions are not echoed back; any other value stays verbose.
# NOTE: ${fwcmd} is deliberately expanded unquoted everywhere below —
# it may hold two words ("/sbin/ipfw -q").
#
fwcmd="/sbin/ipfw"
case "${firewall_quiet}" in
[Yy][Ee][Ss])
	fwcmd="${fwcmd} -q"
	;;
esac

############
# Flush out the list before we begin, then install the loopback rules.
#
${fwcmd} -f flush

setup_loopback

############
# Catch-all accept. ipfw evaluates rules in number order, so only
# traffic that no lower-numbered rule below has matched reaches 65000;
# there is no default-deny in this rule set.
#
${fwcmd} add 65000 pass all from any to any

############
# Transproxy/WLportal/Captive portal: reachability of the portal's own
# HTTP listener.
#   10001 lets clients reach TCP/80 on any address of this host ("me"),
#         numbered below the 10100 redirect so it wins.
#   10000 (127/8 destination) looks redundant: setup_loopback already
#         passes lo0 traffic at 100 and denies every other path to 127/8
#         at 200. Kept as-is for parity with the original rule set.
#
${fwcmd} add 10000 allow tcp from any to localhost 80
${fwcmd} add 10001 allow tcp from any to me 80

52 | ############
|
---|
53 | # Reserved: Whitelist rule numbers
|
---|
54 | # 10002 - 10009
|
---|
55 | NR=10002
|
---|
56 | for IP in $captive_portal_whitelist; do
|
---|
57 | ${fwcmd} add $NR allow tcp from $IP to not 172.16.0.0/12 dst-port 80
|
---|
58 | NR=`expr $NR + 1`
|
---|
59 | done
|
---|
60 |
|
---|
############
# Reserved: WLPortal rule numbers
# 10010 - 10099

############
# Portal interception, one pair of rules per interface listed in
# captive_portal_interfaces. fwd rules do not take a base address, so the
# loop binds them to each interface with "in via" instead.
#   10100: TCP/80 arriving on the interface and bound for anywhere
#          outside 172.16.0.0/12 is redirected to the portal listener at
#          172.31.255.1:8081 (presumably an address of this host).
#   11000: port 443 to the same destinations is dropped, so HTTPS clients
#          fail closed instead of quietly bypassing the portal.
# Everything else — other ports, and any traffic staying inside
# 172.16.0.0/12 — falls through to the 65000 pass-all: this is an
# HTTP-only portal, not an egress lock-down.
# NOTE(review): 11000 says "ip" with a port; ipfw applies port matches
# to TCP/UDP, so UDP/443 (QUIC) should be caught as well — confirm
# against ipfw(8) for the target release.
#
for INF in $captive_portal_interfaces; do
	${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via "${INF}"
	${fwcmd} add 11000 deny ip from any to not 172.16.0.0/12 443 in via "${INF}"
done
