
File: [cvs.NetBSD.org] / src / etc / rc.d / pf (download)

Revision 1.6, Tue Aug 23 12:12:56 2005 UTC (14 years, 3 months ago) by peter
Branch: MAIN
CVS Tags: wrstuden-fixsa-newbase, wrstuden-fixsa-base-1, wrstuden-fixsa-base, wrstuden-fixsa, netbsd-4-base, netbsd-4-0-RELEASE, netbsd-4-0-RC5, netbsd-4-0-RC4, netbsd-4-0-RC3, netbsd-4-0-RC2, netbsd-4-0-RC1, netbsd-4-0-1-RELEASE, netbsd-4-0, netbsd-4, abandoned-netbsd-4-base, abandoned-netbsd-4
Changes since 1.5: +9 -4 lines

pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g. "... from any to fxp0").
This, however, creates a window for possible attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override them with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security

#!/bin/sh
#
# $NetBSD: pf,v 1.6 2005/08/23 12:12:56 peter Exp $
#

# PROVIDE: pf
# REQUIRE: root beforenetlkm mountcritlocal tty network dhclient
# BEFORE: NETWORKING

$_rc_subr_loaded . /etc/rc.subr

# rc.subr bookkeeping.  "rcvar" names the rc.conf variable (pf=YES/NO)
# that run_rc_command consults; every action is delegated to one of the
# functions defined below, and "reload"/"status" are exposed as extra
# commands on top of the standard start/stop/restart set.
name="pf"
rcvar="${name}"
extra_commands="reload status"

start_precmd="pf_prestart"
start_cmd="pf_start"
stop_cmd="pf_stop"
reload_cmd="pf_reload"
status_cmd="pf_status"

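# Start-time sanity check run by rc.subr before pf_start.
# Reads:   pf_rules (path of the rule set, from rc.conf via load_rc_config),
#          autoboot (set by /etc/rc when booting straight to multiuser)
# Returns: 0 when the rule set is usable; 1 (or aborts the boot) otherwise.
pf_prestart()
{
	# The rule set must be a readable regular file, otherwise the
	# pfctl -f in pf_start would fail and the host would come up with
	# whatever rules happen to be loaded.  The path is quoted so a
	# value containing whitespace is not split into several test words.
	if [ ! -f "${pf_rules}" ] || [ ! -r "${pf_rules}" ]; then
		warn "${pf_rules} not readable; pf start aborted."

		# If booting directly to multiuser, send SIGTERM to
		# the parent (/etc/rc) to abort the boot rather than
		# continue without the intended packet filter.
		# NOTE(review): $$ only names /etc/rc here if rc sources
		# this script in a subshell; confirm against /etc/rc.
		if [ "$autoboot" = yes ]; then
			echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
			kill -TERM $$
			exit 1
		fi
		return 1
	fi
	return 0
}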

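# Enable pf and load the configured rule set.
# Reads:   pf_rules, autoboot (see pf_prestart)
# Outputs: progress message on stdout; a warning on stderr via warn
#          when the rule set is missing.
pf_start()
{
	echo "Enabling pf firewall."

	# On autoboot, /etc/rc.d/pf_boot has already enabled pf (with the
	# pre-network rules from pf.boot.conf), so pf is only enabled here
	# when the script is run by hand.
	if [ "$autoboot" != yes ]; then
		/sbin/pfctl -q -e
	fi

	# Replace the active rule set with the configured one.  If the file
	# is missing, pf stays enabled with whatever rules are already
	# loaded (on autoboot, the pf_boot set).  Quoted to keep a path with
	# whitespace as a single argument.
	if [ -f "${pf_rules}" ]; then
		/sbin/pfctl -q -f "${pf_rules}"
	else
		warn "${pf_rules} not found; no pf rules loaded."
	fi
}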

# Flush every loaded pf rule set and state (-Fa) and disable the filter
# (-d).  The host passes traffic unfiltered from this point on.
pf_stop()
{
	printf '%s\n' "Disabling pf firewall."
	/sbin/pfctl -q -Fa -d
}

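# Reload the rule set without disabling pf ("reload" extra command).
# Reads:   pf_rules
# Outputs: progress message on stdout; a warning via warn if the rule
#          set is missing, in which case the current rules stay loaded.
pf_reload()
{
	echo "Reloading pf rules."
	# Quoted so a path containing whitespace is a single argument to
	# both the test and pfctl.
	if [ -f "${pf_rules}" ]; then
		/sbin/pfctl -q -f "${pf_rules}"
	else
		warn "${pf_rules} not found; no pf rules loaded."
	fi
}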

# Print pf's running status and counters ("status" extra command).
# Output goes to stdout; the function's exit status is pfctl's.
pf_status()
{
	/sbin/pfctl -s info
}

# Pull in rc.conf settings (pf=, pf_rules=) and dispatch the requested
# action ($1: start, stop, restart, reload, status, ...) through rc.subr.
load_rc_config "${name}"
run_rc_command "$1"