Changeset 10199 in hybrid for branches/releng-9.0/nanobsd/files/etc

Timestamp:

Mar 17, 2012, 12:50:33 PM (13 years ago)

Author:

richardvm

Message:

rc.conf and ipfw.sh were not the same :-)

File:

• branches/releng-9.0/nanobsd/files/etc/ipfw.sh (modified) (1 diff)

branches/releng-9.0/nanobsd/files/etc/ipfw.sh

@@ -1 @@
-## Building options
-dumpdev="NO"                    # No kernel dumps as we don't have a place to
-                                # store them 
-ipv6_enable="NO"                # No IPv6 support for now, near feature... ;-)
+#!/bin/sh -
 
-# NTP server needs working config with WL network or internet on boot
-# so some warnings might pop up, but no harm
-ntpdate_enable="YES"
-ntpd_enable="YES"
-ntpd_sync_on_start="YES"
-ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntp.drift"
+# Based on /etc/rc.firewall
 
-# We need no running mail server
-sendmail_enable="NONE"
+# Suck in the configuration variables.
+if [ -z "${source_rc_confs_defined}" ]; then
+        if [ -r /etc/defaults/rc.conf ]; then
+                . /etc/defaults/rc.conf
+                source_rc_confs
+        elif [ -r /etc/rc.conf ]; then
+                . /etc/rc.conf
+        fi
+fi
 
-# Don't let syslog accept input from other remote hosts
-syslogd_enable="YES"
-syslogd_flags="-s -A -c"
+setup_loopback () {
+        ############
+        # Only in rare cases do you want to change these rules
+        #
+        ${fwcmd} add 100 pass all from any to any via lo0
+        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
+        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+}
 
-# Remote login without DNS checking as it might not also be functionable
-# -u0 prevent sshd from making DNS requests unless the authentication mechanism
-# or configuration requires it.
-sshd_enable="YES"
-sshd_flags="-u0"
+############
+# Set quiet mode if requested
+#
+case ${firewall_quiet} in
+[Yy][Ee][Ss])
+        fwcmd="/sbin/ipfw -q"
+        ;;
+*)
+        fwcmd="/sbin/ipfw"
+        ;;
+esac
 
-# Don't update the motd as it not writeable, the update_nanobsd_motd is a
-# simple wrapper found at /usr/local/etc/rc.d supporting this featureg
-update_motd="NO"
-update_nanobsd_motd="YES"
+############
+# Flush out the list before we begin.
+#
+${fwcmd} -f flush
 
-# Monitoring deamons
-nrpe2_enable="YES"
-snmpd_enable="YES"
-snmpd_flags="-a -LF w /var/log/snmpd.log"
+setup_loopback
 
-# HTTP(S) proxy server
-tinyproxy_enable="YES"
+############
 
-# Make sure generated ssh keys are saved 
-nanobsd_save_sshkeys_enable="YES"
+# By default no firewalling
+${fwcmd} add 65000 pass all from any to any
 
-## Port extentions
-# Serve our clients some pretty cool IP address to at least get connected
-# Also some low-memory footprint dns resolver
-dnsmasq_enable="YES"
+# Transproxy/WLportal/Captive portal
+${fwcmd} add 10000 allow tcp from any to localhost 80
+${fwcmd} add 10001 allow tcp from any to me 80
 
-## WL ports extentions
-thttpd_enable="YES"
-http302_enable="YES"
+############
+# Reserved: Whitelist rule numbers
+# 10002 - 10009
+NR=10002
+  for IP in $captive_portal_whitelist; do
+  ${fwcmd} add $NR allow tcp from $IP to not 172.16.0.0/12 dst-port 80
+  NR=`expr $NR + 1`
+done
 
-# Make sure generated ssh keys are saved 
-nanobsd_save_sshkeys_enable="YES"
+############
+# Reserved: WLPortal rule numbers
+# 10010 - 10099
 
-#Hybrid
-openvpn_enable="YES"
-openvpn_if="tap"
-cloned_interfaces="bridge0"
-gateway_enable="YES"
-pf_enable="YES"
-pf_rules="/etc/pf.conf.ileiden"
-pf_flags=""
-pf2_enable="YES"
+# Forward rules work without a base address, so needed a loop over all inet4 adresses
+for INF in $captive_portal_interfaces; do
+  ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF}
+done