Editing Firewall

Jump to: navigation, search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 19: Line 19:
 
If you run <code>[[Rc-update|rc-update]]</code> it shows all running services, ipfw included.  
 
If you run <code>[[Rc-update|rc-update]]</code> it shows all running services, ipfw included.  
 
   
 
   
 +
==Settings==
  
[[OpenRC]] manages how ipfw (/etc/[[Init.d|init.d]]/ipfw) configuration is initialized. <br/>
 
 
The old way defined by TrueOS allows you to define the firewall rules via a /etc/ipfw.conf file.  You have to create that file as it does not exist by default.<br/>
 
  
However, OpenRC (main branch) defines the firewall rules within the '''/etc/ipfw.rules''' file itself.<br/>
 
If the file does not exist on GhostBSD you have to create it.
 
 
See examples:
 
* [https://gist.github.com/nileshgr/5990712 Nilesh on Github]
 
* [https://unixguide.net/freebsd/fbsd_installguide71/06.09.4-IPFW_Rule_Sets.htm unixguide]
 
* [https://sirtoffski.github.io/docs/freebsd-ipfw/ ipfw.rules]
 
 
See: [https://github.com/OpenRC/openrc/blob/master/conf.d/ipfw ipfw on OpenRC]
 
 
==IPFW Script==
 
#!/sbin/openrc-run
 
 
  name="ipfw"
 
  name="ipfw"
 
  description="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
 
  description="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
 
  firewall_coscripts="natd ${firewall_coscripts}"
 
  firewall_coscripts="natd ${firewall_coscripts}"
 
  SYSCTL="/sbin/sysctl"
 
  SYSCTL="/sbin/sysctl"
 +
 
  . /etc/network.subr
 
  . /etc/network.subr
  depend()  
+
 
{
+
  depend() {
before net
+
before net
provide firewall
+
provide firewall
keyword -jail -stop -shutdown
+
keyword -jail -stop -shutdown
 
  }
 
  }
  load_kld()
+
 
{
+
  load_kld(){
kldload -nq $1
+
kldload -nq $1
 
  }
 
  }
 +
 
  start_pre()
 
  start_pre()
 
  {
 
  {
load_kld ipfw
+
load_kld ipfw
if yesno dummynet_enable; then
+
if yesno dummynet_enable; then
load_kld "dummynet"
+
load_kld "dummynet"
fi
+
fi
if yesno natd_enable; then
+
if yesno natd_enable; then
load_kld "ipdivert"
+
load_kld "ipdivert"
fi
+
fi
if yesno firewall_nat_enable; then
+
if yesno firewall_nat_enable; then
load_kld "ipfw_nat"
+
load_kld "ipfw_nat"
fi
+
fi
 
  }
 
  }
 +
 
  start()
 
  start()
 
  {
 
  {
local  _firewall_type
+
local  _firewall_type
_firewall_type=$1
+
 
ebegin "Starting $name"
+
_firewall_type=$1
# set the firewall rules script if none was specified
+
 
[ -z "${firewall_script}" ] && firewall_script='''/etc/ipfw.rules'''
+
ebegin "Starting $name"
if [ -r "${firewall_script}" ]; then
+
# set the firewall rules script if none was specified
/bin/sh "${firewall_script}" "${_firewall_type}"
+
[ -z "${firewall_script}" ] && firewall_script=/etc/ipfw.rules
elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
+
 
ewarn 'Warning: kernel has firewall functionality, but' \
+
if [ -r "${firewall_script}" ]; then
' firewall rules are not enabled.' ewarn '          All ip services are disabled.'
+
/bin/sh "${firewall_script}" "${_firewall_type}"
fi
+
elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
# Firewall logging
+
ewarn 'Warning: kernel has firewall functionality, but' \
#
+
    ' firewall rules are not enabled.'
if yesno firewall_logging; then
+
ewarn '          All ip services are disabled.'
sysctl net.inet.ip.fw.verbose=1 >/dev/null
+
fi
fi
+
 
if yesno firewall_logif; then
+
# Firewall logging
ifconfig ipfw0 create
+
#
fi
+
if yesno firewall_logging; then
eend 0
+
sysctl net.inet.ip.fw.verbose=1 >/dev/null
 +
fi
 +
if yesno firewall_logif; then
 +
ifconfig ipfw0 create
 +
fi
 +
eend 0
 
  }
 
  }
 +
 
  start_post()
 
  start_post()
 
  {
 
  {
local _coscript
+
local _coscript
# Start firewall coscripts
+
 
#
+
# Start firewall coscripts
for _coscript in ${firewall_coscripts} ; do
+
#
if [ -f "${_coscript}" ]; then
+
for _coscript in ${firewall_coscripts} ; do
service ${_coscript} start >/dev/null 2>/dev/null
+
if [ -f "${_coscript}" ]; then
fi
+
service ${_coscript} start >/dev/null 2>/dev/null
done
+
fi
# Enable the firewall
+
done
#
+
 
if ! ${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
+
# Enable the firewall
ewarn "failed to enable IPv4 firewall"
+
#
fi
+
if ! ${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
if afexists inet6; then
+
ewarn "failed to enable IPv4 firewall"
if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
+
fi
then
+
if afexists inet6; then
ewarn "failed to enable IPv6 firewall"
+
if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
fi
+
then
fi
+
ewarn "failed to enable IPv6 firewall"
 +
fi
 +
fi
 
  }
 
  }
 +
 
  reverse_list()
 
  reverse_list()
 
  {
 
  {
_revlist=
+
_revlist=
for _revfile; do
+
for _revfile; do
_revlist="$_revfile $_revlist"
+
_revlist="$_revfile $_revlist"
done
+
done
echo $_revlist
+
echo $_revlist
 
  }
 
  }
 +
 
  stop()
 
  stop()
 
  {
 
  {
local _coscript
+
local _coscript
# Disable the firewall
+
 
#
+
# Disable the firewall
ebegin "Stopping $name"
+
#
${SYSCTL} net.inet.ip.fw.enable=0
+
ebegin "Stopping $name"
if afexists inet6; then
+
${SYSCTL} net.inet.ip.fw.enable=0
${SYSCTL} net.inet6.ip6.fw.enable=0
+
if afexists inet6; then
fi
+
${SYSCTL} net.inet6.ip6.fw.enable=0
# Stop firewall coscripts
+
fi
#
+
 
for _coscript in `reverse_list ${firewall_coscripts}` ; do
+
# Stop firewall coscripts
if [ -f "${_coscript}" ]; then
+
#
service ${_coscript} stop >/dev/null 2>/dev/null
+
for _coscript in `reverse_list ${firewall_coscripts}` ; do
fi
+
if [ -f "${_coscript}" ]; then
done
+
service ${_coscript} stop >/dev/null 2>/dev/null
eend 0
+
fi
 +
done
 +
eend 0
 
  }
 
  }
 +
 +
 +
[[OpenRC]] manages how ipfw (/etc/[[Init.d|init.d]]/ipfw) configuration is initialized. <br/>
 +
 +
The old way defined by TrueOS allows you to define the firewall rules via a /etc/ipfw.conf file.  You have to create that file as it does not exist by default.<br/>
 +
 +
However, OpenRC (main branch) defines the firewall rules within the /etc/ipfw.conf file itself.
 +
 +
See: [https://github.com/OpenRC/openrc/blob/master/conf.d/ipfw ipfw on OpenRC]
  
 
==Some ideas about Firewalls==
 
==Some ideas about Firewalls==

Please note that all contributions to GhostBSD Wiki are considered to be released under the Creative Commons Attribution (see GhostBSD Wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel | Editing help (opens in new window)

Template used on this page:

Retrieved from "http://wiki.ghostbsd.org/index.php/Firewall"