Changeset 10199 in hybrid for branches/releng-9.0/nanobsd
- Timestamp:
- Mar 17, 2012, 12:50:33 PM (13 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/releng-9.0/nanobsd/files/etc/ipfw.sh
r10185 r10199 1 ## Building options 2 dumpdev="NO" # No kernel dumps as we don't have a place to 3 # store them 4 ipv6_enable="NO" # No IPv6 support for now, near feature... ;-) 1 #!/bin/sh - 5 2 6 # NTP server needs working config with WL network or internet on boot 7 # so some warnings might pop up, but no harm 8 ntpdate_enable="YES" 9 ntpd_enable="YES" 10 ntpd_sync_on_start="YES" 11 ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntp.drift" 3 # Based on /etc/rc.firewall 12 4 13 # We need no running mail server 14 sendmail_enable="NONE" 5 # Suck in the configuration variables. 6 if [ -z "${source_rc_confs_defined}" ]; then 7 if [ -r /etc/defaults/rc.conf ]; then 8 . /etc/defaults/rc.conf 9 source_rc_confs 10 elif [ -r /etc/rc.conf ]; then 11 . /etc/rc.conf 12 fi 13 fi 15 14 16 # Don't let syslog accept input from other remote hosts 17 syslogd_enable="YES" 18 syslogd_flags="-s -A -c" 15 setup_loopback () { 16 ############ 17 # Only in rare cases do you want to change these rules 18 # 19 ${fwcmd} add 100 pass all from any to any via lo0 20 ${fwcmd} add 200 deny all from any to 127.0.0.0/8 21 ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any 22 } 19 23 20 # Remote login without DNS checking as it might not also be functionable 21 # -u0 prevent sshd from making DNS requests unless the authentication mechanism 22 # or configuration requires it. 23 sshd_enable="YES" 24 sshd_flags="-u0" 24 ############ 25 # Set quiet mode if requested 26 # 27 case ${firewall_quiet} in 28 [Yy][Ee][Ss]) 29 fwcmd="/sbin/ipfw -q" 30 ;; 31 *) 32 fwcmd="/sbin/ipfw" 33 ;; 34 esac 25 35 26 # Don't update the motd as it not writeable, the update_nanobsd_motd is a27 # simple wrapper found at /usr/local/etc/rc.d supporting this featureg28 update_motd="NO" 29 update_nanobsd_motd="YES" 36 ############ 37 # Flush out the list before we begin. 38 # 39 ${fwcmd} -f flush 30 40 31 # Monitoring deamons 32 nrpe2_enable="YES" 33 snmpd_enable="YES" 34 snmpd_flags="-a -LF w /var/log/snmpd.log" 41 setup_loopback 35 42 36 # HTTP(S) proxy server 37 tinyproxy_enable="YES" 43 ############ 38 44 39 # Make sure generated ssh keys are saved40 nanobsd_save_sshkeys_enable="YES" 45 # By default no firewalling 46 ${fwcmd} add 65000 pass all from any to any 41 47 42 ## Port extentions 43 # Serve our clients some pretty cool IP address to at least get connected 44 # Also some low-memory footprint dns resolver 45 dnsmasq_enable="YES" 48 # Transproxy/WLportal/Captive portal 49 ${fwcmd} add 10000 allow tcp from any to localhost 80 50 ${fwcmd} add 10001 allow tcp from any to me 80 46 51 47 ## WL ports extentions 48 thttpd_enable="YES" 49 http302_enable="YES" 52 ############ 53 # Reserved: Whitelist rule numbers 54 # 10002 - 10009 55 NR=10002 56 for IP in $captive_portal_whitelist; do 57 ${fwcmd} add $NR allow tcp from $IP to not 172.16.0.0/12 dst-port 80 58 NR=`expr $NR + 1` 59 done 50 60 51 # Make sure generated ssh keys are saved 52 nanobsd_save_sshkeys_enable="YES" 61 ############ 62 # Reserved: WLPortal rule numbers 63 # 10010 - 10099 53 64 54 #Hybrid 55 openvpn_enable="YES" 56 openvpn_if="tap" 57 cloned_interfaces="bridge0" 58 gateway_enable="YES" 59 pf_enable="YES" 60 pf_rules="/etc/pf.conf.ileiden" 61 pf_flags="" 62 pf2_enable="YES" 65 # Forward rules work without a base address, so needed a loop over all inet4 adresses 66 for INF in $captive_portal_interfaces; do 67 ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF} 68 done
Note:
See TracChangeset
for help on using the changeset viewer.