Index: /branches/releng-9.0/nanobsd/files/etc/ipfw.sh
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/ipfw.sh	(revision 10186)
+++ /branches/releng-9.0/nanobsd/files/etc/ipfw.sh	(revision 10199)
@@ -1,62 +1,68 @@
-## Building options
-dumpdev="NO"			# No kernel dumps as we don't have a place to
-				# store them 
-ipv6_enable="NO"		# No IPv6 support for now, near feature... ;-)
+#!/bin/sh -
 
-# NTP server needs working config with WL network or internet on boot
-# so some warnings might pop up, but no harm
-ntpdate_enable="YES"
-ntpd_enable="YES"
-ntpd_sync_on_start="YES"
-ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntp.drift"
+# Based on /etc/rc.firewall
 
-# We need no running mail server
-sendmail_enable="NONE"
+# Suck in the configuration variables.
+if [ -z "${source_rc_confs_defined}" ]; then
+	if [ -r /etc/defaults/rc.conf ]; then
+		. /etc/defaults/rc.conf
+		source_rc_confs
+	elif [ -r /etc/rc.conf ]; then
+		. /etc/rc.conf
+	fi
+fi
 
-# Don't let syslog accept input from other remote hosts
-syslogd_enable="YES"
-syslogd_flags="-s -A -c"
+setup_loopback () {
+	############
+	# Only in rare cases do you want to change these rules
+	#
+	${fwcmd} add 100 pass all from any to any via lo0
+	${fwcmd} add 200 deny all from any to 127.0.0.0/8
+	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+}
 
-# Remote login without DNS checking as it might not also be functionable
-# -u0 prevent sshd from making DNS requests unless the authentication mechanism
-# or configuration requires it.
-sshd_enable="YES"
-sshd_flags="-u0"
+############
+# Set quiet mode if requested
+#
+case ${firewall_quiet} in
+[Yy][Ee][Ss])
+	fwcmd="/sbin/ipfw -q"
+	;;
+*)
+	fwcmd="/sbin/ipfw"
+	;;
+esac
 
-# Don't update the motd as it not writeable, the update_nanobsd_motd is a
-# simple wrapper found at /usr/local/etc/rc.d supporting this featureg
-update_motd="NO"
-update_nanobsd_motd="YES"
+############
+# Flush out the list before we begin.
+#
+${fwcmd} -f flush
 
-# Monitoring deamons
-nrpe2_enable="YES"
-snmpd_enable="YES"
-snmpd_flags="-a -LF w /var/log/snmpd.log"
+setup_loopback
 
-# HTTP(S) proxy server
-tinyproxy_enable="YES"
+############
 
-# Make sure generated ssh keys are saved 
-nanobsd_save_sshkeys_enable="YES"
+# By default no firewalling
+${fwcmd} add 65000 pass all from any to any
 
-## Port extentions
-# Serve our clients some pretty cool IP address to at least get connected
-# Also some low-memory footprint dns resolver
-dnsmasq_enable="YES"
+# Transproxy/WLportal/Captive portal
+${fwcmd} add 10000 allow tcp from any to localhost 80
+${fwcmd} add 10001 allow tcp from any to me 80
 
-## WL ports extentions
-thttpd_enable="YES"
-http302_enable="YES"
+############
+# Reserved: Whitelist rule numbers
+# 10002 - 10009
+NR=10002
+  for IP in $captive_portal_whitelist; do
+  ${fwcmd} add $NR allow tcp from $IP to not 172.16.0.0/12 dst-port 80
+  NR=`expr $NR + 1`
+done
 
-# Make sure generated ssh keys are saved 
-nanobsd_save_sshkeys_enable="YES"
+############
+# Reserved: WLPortal rule numbers
+# 10010 - 10099
 
-#Hybrid
-openvpn_enable="YES"
-openvpn_if="tap"
-cloned_interfaces="bridge0"
-gateway_enable="YES"
-pf_enable="YES"
-pf_rules="/etc/pf.conf.ileiden"
-pf_flags=""
-pf2_enable="YES"
+# Forward rules work without a base address, so needed a loop over all inet4 adresses
+for INF in $captive_portal_interfaces; do
+  ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF}
+done
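Review bot: The whitelist loop starting at `NR=10002` hands out rule numbers with no upper bound, so the ninth and later entries of `captive_portal_whitelist` are added as 10010 and up, inside the range the comment just above reserves for WLPortal rules. ipfw accepts duplicate rule numbers without complaint and `ipfw delete` by number removes every rule carrying that number, so if the portal adds and deletes per-client rules in 10010–10099 (not visible here), a whitelist entry that spilled over would presumably vanish with the next client logout, or survive a flush it should not. Guard the add with `if [ "$NR" -gt 10009 ]; then echo "ipfw.sh: captive_portal_whitelist exceeds reserved rules 10002-10009, ignoring $IP" >&2; continue; fi` so the overflow is reported instead of silently landing in someone else's range. While there, `NR=$((NR + 1))` is the POSIX form of the `expr` call, and the `for IP` line carries two stray leading spaces relative to the rest of the file.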
