xref: /freebsd/libexec/rc/rc.d/ipfw (revision e9b1dc32c9bd2ebae5f9e140bfa0e0321bc366b5)
1#!/bin/sh
2#
3# $FreeBSD$
4#
5
6# PROVIDE: ipfw
7# REQUIRE: ppp
8# KEYWORD: nojailvnet
9
10. /etc/rc.subr
11. /etc/network.subr
12
13name="ipfw"
14desc="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
15rcvar="firewall_enable"
16start_cmd="ipfw_start"
17start_precmd="ipfw_prestart"
18start_postcmd="ipfw_poststart"
19stop_cmd="ipfw_stop"
20status_cmd="ipfw_status"
21required_modules="ipfw"
22extra_commands="status"
23
24set_rcvar_obsolete ipv6_firewall_enable
25
26ipfw_prestart()
27{
28	if checkyesno dummynet_enable; then
29		required_modules="$required_modules dummynet"
30	fi
31	if checkyesno natd_enable; then
32		required_modules="$required_modules ipdivert"
33	fi
34	if checkyesno firewall_nat_enable; then
35		required_modules="$required_modules ipfw_nat"
36	fi
37}
38
39ipfw_start()
40{
41	local   _firewall_type
42
43	if [ -n "${1}" ]; then
44		_firewall_type=$1
45	else
46		_firewall_type=${firewall_type}
47	fi
48
49	# set the firewall rules script if none was specified
50	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
51
52	if [ -r "${firewall_script}" ]; then
53		/bin/sh "${firewall_script}" "${_firewall_type}"
54		echo 'Firewall rules loaded.'
55	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
56		echo 'Warning: kernel has firewall functionality, but' \
57		    ' firewall rules are not enabled.'
58		echo '           All ip services are disabled.'
59	fi
60
61	# Firewall logging
62	#
63	if checkyesno firewall_logging; then
64		echo 'Firewall logging enabled.'
65		${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
66	fi
67	if checkyesno firewall_logif; then
68		ifconfig ipfw0 create
69		echo 'Firewall logging pseudo-interface (ipfw0) created.'
70	fi
71}
72
73ipfw_poststart()
74{
75	local	_coscript
76
77	# Start firewall coscripts
78	#
79	for _coscript in ${firewall_coscripts} ; do
80		if [ -f "${_coscript}" ]; then
81			${_coscript} quietstart
82		fi
83	done
84
85	# Enable the firewall
86	#
87	if ! ${SYSCTL} net.inet.ip.fw.enable=1 >/dev/null 2>&1; then
88		warn "failed to enable IPv4 firewall"
89	fi
90	if afexists inet6; then
91		if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 >/dev/null 2>&1
92		then
93			warn "failed to enable IPv6 firewall"
94		fi
95	fi
96}
97
98ipfw_stop()
99{
100	local	_coscript
101
102	# Disable the firewall
103	#
104	${SYSCTL} net.inet.ip.fw.enable=0 >/dev/null
105	if afexists inet6; then
106		${SYSCTL} net.inet6.ip6.fw.enable=0 >/dev/null
107	fi
108
109	# Stop firewall coscripts
110	#
111	for _coscript in `reverse_list ${firewall_coscripts}` ; do
112		if [ -f "${_coscript}" ]; then
113			${_coscript} quietstop
114		fi
115	done
116}
117
118ipfw_status()
119{
120	status=$(sysctl -i -n net.inet.ip.fw.enable)
121	if [ ${status:-0} -eq 0 ]; then
122		echo "ipfw is not enabled"
123		exit 1
124	else
125		echo "ipfw is enabled"
126		exit 0
127	fi
128}
129
130load_rc_config $name
131firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
132
133run_rc_command $*
134