source: hybrid/branches/releng-9.0/nanobsd/files/etc/ipfw.sh@ 10609

Last change on this file since 10609 was 10206, checked in by richardvm, 13 years ago

firewalling a bit better

#!/bin/sh -

# Based on /etc/rc.firewall

# Suck in the configuration variables.  When source_rc_confs_defined is
# already set, whoever invoked us has loaded rc.conf and nothing is read
# here.  Otherwise the defaults file is preferred (source_rc_confs is
# presumably what pulls in the remaining rc.conf files - confirm against
# /etc/defaults/rc.conf), with a bare /etc/rc.conf as the fallback.
if [ -n "${source_rc_confs_defined}" ]; then
  : # configuration already loaded by the caller
elif [ -r /etc/defaults/rc.conf ]; then
  . /etc/defaults/rc.conf
  source_rc_confs
elif [ -r /etc/rc.conf ]; then
  . /etc/rc.conf
fi

############
# Loopback rules: traffic on lo0 always passes, and 127/8 addresses are
# refused as destination (200) or source (300) on every other interface.
# Only in rare cases do you want to change these rules.
# Globals:  fwcmd (read) - the ipfw invocation, set before this is called
# Outputs:  whatever ipfw prints for each rule it adds
#
setup_loopback () {
  # fwcmd may carry options ("-q"), so it stays unquoted on purpose.
  _add="${fwcmd} add"
  ${_add} 100 pass all from any to any via lo0
  ${_add} 200 deny all from any to 127.0.0.0/8
  ${_add} 300 deny ip from 127.0.0.0/8 to any
}

############
# Set quiet mode if requested
#
# fwcmd is the ipfw invocation every rule below is built on.  With
# firewall_quiet=YES (any capitalisation) it carries -q, so ipfw does
# not echo each rule as it is added.
#
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss])
  fwcmd="${fwcmd} -q"
  ;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback

############
# Base rules.  This box is not a general-purpose packet filter: rule
# 65000 passes everything, so the only enforcement in this file is the
# captive-portal steering further down.  The two lower-numbered rules
# keep the local portal web server reachable on port 80.
# Globals:  fwcmd (read)
#
setup_base_rules () {
  # By default no firewalling
  ${fwcmd} add 65000 pass all from any to any

  # Transproxy/WLportal/Captive portal
  ${fwcmd} add 10000 allow tcp from any to localhost 80
  ${fwcmd} add 10001 allow tcp from any to me 80
}
setup_base_rules

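############
# Reserved: Whitelist rule numbers
# 10002 - 10009
#
# Every address in captive_portal_whitelist gets one allow rule for plain
# HTTP to the outside world, numbered below the fwd rule at 10100 so the
# client is not redirected into the portal.  Only eight numbers are
# reserved; 10010 and up belong to WLPortal, so surplus entries are
# skipped with a warning instead of being numbered into the next range
# (where they would no longer be ordered as intended).
# Globals:   fwcmd, captive_portal_whitelist (read); NR, IP (written)
# Outputs:   a warning on stderr for each entry that got no rule number
#
setup_whitelist () {
  NR=10002
  # captive_portal_whitelist is a space-separated list: word-splitting is intended.
  for IP in $captive_portal_whitelist; do
    if [ "${NR}" -gt 10009 ]; then
      printf '%s\n' "ipfw.sh: whitelist rule numbers 10002-10009 exhausted, skipping ${IP}" >&2
      continue
    fi
    ${fwcmd} add "${NR}" allow tcp from "${IP}" to not 172.16.0.0/12 dst-port 80
    NR=$((NR + 1))
  done
}
setup_whitelist
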
############
# Reserved: WLPortal rule numbers
# 10010 - 10099

# Captive-portal steering, one pair of rules per portal interface.
# Forward rules work without a base address, so instead of enumerating
# inet4 addresses we loop over the interfaces and match on "in via".
#   10100  fwd outside-bound HTTP (port 80) to the portal at 172.31.255.1:8081
#   11000  deny outside-bound port 443 (no redirect exists for HTTPS, so
#          this presumably keeps it from bypassing the portal - confirm)
# NOTE(review): rule 11000 combines proto "ip" with a port; confirm "tcp"
# was not intended there.
# Globals:  fwcmd, captive_portal_interfaces (read); INF (written)
#
setup_portal_redirect () {
  # captive_portal_interfaces is a space-separated list: word-splitting is intended.
  for INF in $captive_portal_interfaces; do
    ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via "${INF}"
    ${fwcmd} add 11000 deny ip from any to not 172.16.0.0/12 443 in via "${INF}"
  done
}
setup_portal_redirect