pf startup script
Max Laier
max at love2party.net
Sun Mar 21 11:14:06 PST 2004
On Sat, Mar 20, 2004 at 11:25:04PM +0100, Claus Guttesen wrote:
> > Is there supposed to be a startup script for pf
> > installed now that it's part
> > of the base system, or am I missing something?
>
> A bsd-fellow suggested I used the startup-script from
> pf in the ports-col. I placed it in
> /usr/local/etc/rc.d and changed the script, so it
> would load the pf-mod. from /boot/kernel.
>
> You could copy ipfilter/ipfw and make a pf-script.
I planned to commit something for a while, but real-life (i.e. exams) and
missing libpcap-support -> missing pflogd stopped me until now. Attached is
my wip-version of rc.d/pf and required diff to defaults/rc.conf. Comments
welcome, as I am not very familiar with rcNG (it's more or less a copy of
the ipfilter script).
--
Best regards, | mlaier at freebsd.org
Max Laier | ICQ #67774661
http://pf4freebsd.love2party.net/ | mlaier at EFnet
-------------- next part --------------
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: pf
# REQUIRE: root beforenetlkm mountcritlocal netif
# BEFORE: DAEMON LOGIN
# KEYWORD: FreeBSD nojail
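# rc.subr is expected to supply load_rc_config, run_rc_command, set_rcvar
# and the info/warn/err helpers used below.
. /etc/rc.subr

name="pf"
rcvar=$(set_rcvar)

# Reads pf_enable, pf_rules, pf_program and pf_flags from rc.conf.  It must
# run before the precmd strings below, which expand ${pf_rules} at
# assignment time.
load_rc_config $name

# reload and resync need a ruleset file to load.  stop and status
# deliberately do not depend on it: pf must stay stoppable (pfctl -d needs
# no rules) even when the rules file has been removed.
rules_precmd="test -f ${pf_rules}"
start_precmd="pf_prestart"
start_cmd="pf_start"
stop_cmd="pf_stop"
reload_precmd="${rules_precmd}"
reload_cmd="pf_reload"
resync_precmd="${rules_precmd}"
resync_cmd="pf_resync"
status_cmd="pf_status"
extra_commands="reload resync status"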
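#######################################
# start precmd: make sure the pf kernel module and a readable ruleset are
# present before pf_start runs.
# Globals:   pf_rules (read)
# Returns:   0 when pf can be started, 1 when no readable ruleset exists;
#            exits via err when the module cannot be loaded
#######################################
pf_prestart()
{
	# Load the pf kernel module if it is not already present.  The module
	# name is the last, whitespace-separated field of a kldstat -v line, so
	# anchor on that rather than on any line that merely ends in "pf".
	if ! kldstat -v | grep -q '[[:space:]]pf$'; then
		if kldload pf; then
			info 'pf module loaded.'
		else
			err 1 'pf module failed to load.'
		fi
	fi
	# Refuse to start without a readable ruleset; a non-zero return here is
	# expected to make rc.subr skip pf_start rather than enable pf with no
	# rules loaded.
	if [ ! -r "${pf_rules}" ]; then
		warn 'pf: NO PF RULESET FOUND'
		return 1
	fi
}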
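#######################################
# start cmd: flush, load the ruleset, then enable pf.
# Globals:   pf_program, pf_rules, pf_flags (read)
# Returns:   0 on success, 1 when the ruleset fails to load
#######################################
pf_start()
{
	echo "Enabling pf."
	# Flush everything first.  Redirect stdout before duplicating stderr
	# onto it, otherwise the "... cleared" diagnostics still reach the
	# console ("2>&1 >/dev/null" silences only stdout).
	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
	# Load the ruleset before enabling: pfctl -f works while pf is disabled,
	# and this way pf is not (newly) enabled while its ruleset is empty.
	# pf_flags is intentionally unquoted so that several flags word-split.
	if [ -r "${pf_rules}" ]; then
		if ! ${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}; then
			# Make the failure visible instead of enabling a filter with
			# no rules; if pf was already enabled it stays so, flushed.
			warn 'pf: failed to load ruleset'
			return 1
		fi
	fi
	if ! ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled"; then
		${pf_program:-/sbin/pfctl} -e
	fi
}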
#######################################
# stop cmd: disable pf when it reports itself as enabled.
# Globals:   pf_program (read)
#######################################
pf_stop()
{
	# pfctl -si prints "Enabled" somewhere in its status output when
	# filtering is active; only then is there anything to disable.
	case "$(${pf_program:-/sbin/pfctl} -si)" in
	*Enabled*)
		echo "Disabling pf."
		${pf_program:-/sbin/pfctl} -d
		;;
	esac
}
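#######################################
# reload cmd: flush everything (rules, nat, states, ...) and load the
# ruleset again.
# Globals:   pf_program, pf_rules, pf_flags (read)
# Returns:   0 on success, 1 when the new ruleset does not parse
#######################################
pf_reload()
{
	echo "Reloading pf rules."
	# Parse the new ruleset first (-n loads nothing).  If it is broken, keep
	# the currently active rules instead of flushing them and leaving pf
	# enabled with an empty ruleset.
	if [ -r "${pf_rules}" ] &&
	    ! ${pf_program:-/sbin/pfctl} -n -f "${pf_rules}" ${pf_flags}; then
		warn 'pf: ruleset failed to parse, keeping current rules'
		return 1
	fi
	# Redirect stdout before duplicating stderr onto it, otherwise the
	# "... cleared" diagnostics are not silenced.
	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
	# pf_flags is intentionally unquoted so that several flags word-split.
	if [ -r "${pf_rules}" ]; then
		${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
	fi
}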
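#######################################
# resync cmd: load the ruleset again without flushing anything first.
# Globals:   pf_program, pf_rules, pf_flags (read)
#######################################
pf_resync()
{
	# Nothing to resync if the pf module is not loaded.  Anchor on the
	# whitespace-separated module name, not on any line ending in "pf".
	if ! kldstat -v | grep -q '[[:space:]]pf$'; then
		return
	fi
	# pf_flags is intentionally unquoted so that several flags word-split.
	${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
}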
#######################################
# status cmd: print pfctl's own status summary.
# Globals:   pf_program (read)
#######################################
pf_status()
{
	local pfctl
	pfctl=${pf_program:-/sbin/pfctl}
	${pfctl} -si
}
# Dispatch start/stop/reload/resync/status according to the *_cmd and
# *_precmd variables set above.
run_rc_command "${1}"
-------------- next part --------------
--- rc.conf~ Sat Mar 20 03:22:02 2004
+++ rc.conf Sun Mar 21 20:07:41 2004
@@ -98,6 +98,10 @@
# of state tables at shutdown and boot
ipfs_program="/sbin/ipfs" # where the ipfs program lives
ipfs_flags="" # additional flags for ipfs
+pf_enable="NO" # Set to YES to enable packet filter (pf)
+pf_rules="/etc/pf.conf" # rules definition file for pf
+pf_program="/sbin/pfctl" # where the pfctl program lives
+pf_flags="" # additional flags for pfctl
tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
log_in_vain="0" # >=1 to log connects to ports w/o listeners.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
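Review bot: The `pf_rules` comment does not say what happens when the file is missing, although the attached rc.d/pf treats that as fatal: pf_prestart warns "NO PF RULESET FOUND" and refuses to start, and the stop/reload/resync/status precmd is `test -f ${pf_rules}`, so those commands silently do nothing. A short note on the new line saves a confusing debugging session, e.g. `pf_rules="/etc/pf.conf" # rules definition file for pf; must exist and be readable, or rc.d/pf will not start`. The `pf_enable` comment could also mention that rc.d/pf loads the pf kernel module itself, so no loader.conf entry appears to be needed.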