Latest revision |
Your text |
Line 19: |
Line 19: |
| If you run <code>[[Rc-update|rc-update]]</code> it shows all running services, ipfw included. | | If you run <code>[[Rc-update|rc-update]]</code> it shows all running services, ipfw included. |
| | | |
− |
| |
| [[OpenRC]] manages how ipfw (/etc/[[Init.d|init.d]]/ipfw) configuration is initialized. <br/> | | [[OpenRC]] manages how ipfw (/etc/[[Init.d|init.d]]/ipfw) configuration is initialized. <br/> |
| | | |
| The old way defined by TrueOS allows you to define the firewall rules via a /etc/ipfw.conf file. You have to create that file as it does not exist by default.<br/> | | The old way defined by TrueOS allows you to define the firewall rules via a /etc/ipfw.conf file. You have to create that file as it does not exist by default.<br/> |
| | | |
− | However, OpenRC (main branch) defines the firewall rules within the '''/etc/ipfw.rules''' file itself.<br/> | + | However, OpenRC (main branch) defines the firewall rules within the /etc/ipfw.conf file itself. |
− | If the file does not exist on GhostBSD you have to create it.
| + | |
− | | + | |
− | See examples:
| + | |
− | * [https://gist.github.com/nileshgr/5990712 Nilesh on Github]
| + | |
− | * [https://unixguide.net/freebsd/fbsd_installguide71/06.09.4-IPFW_Rule_Sets.htm unixguide]
| + | |
− | * [https://sirtoffski.github.io/docs/freebsd-ipfw/ ipfw.rules]
| + | |
| | | |
| See: [https://github.com/OpenRC/openrc/blob/master/conf.d/ipfw ipfw on OpenRC] | | See: [https://github.com/OpenRC/openrc/blob/master/conf.d/ipfw ipfw on OpenRC] |
| | | |
− | ==IPFW Script==
| |
− | #!/sbin/openrc-run
| |
− | name="ipfw"
| |
− | description="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
| |
− | firewall_coscripts="natd ${firewall_coscripts}"
| |
− | SYSCTL="/sbin/sysctl"
| |
− | . /etc/network.subr
| |
− | depend()
| |
− | {
| |
− | before net
| |
− | provide firewall
| |
− | keyword -jail -stop -shutdown
| |
− | }
| |
− | load_kld()
| |
− | {
| |
− | kldload -nq $1
| |
− | }
| |
− | start_pre()
| |
− | {
| |
− | load_kld ipfw
| |
− | if yesno dummynet_enable; then
| |
− | load_kld "dummynet"
| |
− | fi
| |
− | if yesno natd_enable; then
| |
− | load_kld "ipdivert"
| |
− | fi
| |
− | if yesno firewall_nat_enable; then
| |
− | load_kld "ipfw_nat"
| |
− | fi
| |
− | }
| |
− | start()
| |
− | {
| |
− | local _firewall_type
| |
− | _firewall_type=$1
| |
− | ebegin "Starting $name"
| |
− | # set the firewall rules script if none was specified
| |
− | [ -z "${firewall_script}" ] && firewall_script='''/etc/ipfw.rules'''
| |
− | if [ -r "${firewall_script}" ]; then
| |
− | /bin/sh "${firewall_script}" "${_firewall_type}"
| |
− | elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
| |
− | ewarn 'Warning: kernel has firewall functionality, but' \
| |
− | ' firewall rules are not enabled.' ewarn ' All ip services are disabled.'
| |
− | fi
| |
− | # Firewall logging
| |
− | #
| |
− | if yesno firewall_logging; then
| |
− | sysctl net.inet.ip.fw.verbose=1 >/dev/null
| |
− | fi
| |
− | if yesno firewall_logif; then
| |
− | ifconfig ipfw0 create
| |
− | fi
| |
− | eend 0
| |
− | }
| |
− | start_post()
| |
− | {
| |
− | local _coscript
| |
− | # Start firewall coscripts
| |
− | #
| |
− | for _coscript in ${firewall_coscripts} ; do
| |
− | if [ -f "${_coscript}" ]; then
| |
− | service ${_coscript} start >/dev/null 2>/dev/null
| |
− | fi
| |
− | done
| |
− | # Enable the firewall
| |
− | #
| |
− | if ! ${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
| |
− | ewarn "failed to enable IPv4 firewall"
| |
− | fi
| |
− | if afexists inet6; then
| |
− | if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
| |
− | then
| |
− | ewarn "failed to enable IPv6 firewall"
| |
− | fi
| |
− | fi
| |
− | }
| |
− | reverse_list()
| |
− | {
| |
− | _revlist=
| |
− | for _revfile; do
| |
− | _revlist="$_revfile $_revlist"
| |
− | done
| |
− | echo $_revlist
| |
− | }
| |
− | stop()
| |
− | {
| |
− | local _coscript
| |
− | # Disable the firewall
| |
− | #
| |
− | ebegin "Stopping $name"
| |
− | ${SYSCTL} net.inet.ip.fw.enable=0
| |
− | if afexists inet6; then
| |
− | ${SYSCTL} net.inet6.ip6.fw.enable=0
| |
− | fi
| |
− | # Stop firewall coscripts
| |
− | #
| |
− | for _coscript in `reverse_list ${firewall_coscripts}` ; do
| |
− | if [ -f "${_coscript}" ]; then
| |
− | service ${_coscript} stop >/dev/null 2>/dev/null
| |
− | fi
| |
− | done
| |
− | eend 0
| |
− | }
| |
| | | |
− | ==Some ideas about Firewalls==
| |
− | An interesting article about firewalls you will find on the [https://wiki.gentoo.org/wiki/Security_Handbook/Firewalls Gentoo wiki].
| |
| | | |
| | | |