mirror of
https://git.FreeBSD.org/ports.git
synced 2024-11-26 00:55:14 +00:00
ca5a2552a5
- Replace broken ipf* script - RCng script PR: ports/81615 Submitted by: Lupe Christoph <lupe@lupe-christoph.de> (maintainer)
74 lines
2.4 KiB
Bash
74 lines
2.4 KiB
Bash
#!/bin/sh
|
|
#
|
|
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
|
#
|
|
# WARNING!
|
|
#
|
|
# This script has not been tested. The author does not run this kind
|
|
# of firewall rules and is too lazy to build a firewall that does
|
|
# just for testing.
|
|
#
|
|
# If you use this script and either find it *does* work (surprise!)
|
|
# or have modifications that make it work, please send mail to
|
|
# tke FreeBSD port maintainer. (See port Makefile).
|
|
#
|
|
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
|
|
|
# *********************************************************************
|
|
# This script is used with IPFilter if the ruleset (/etc/ipf.rules)
|
|
# does not contain explicit drop rules that mask a rule added at the end.
|
|
#
|
|
# The script will add it's rules at the end.
|
|
#
|
|
# Note that it does not use locking, so concurrent accesses may
|
|
# interfere with each other.
|
|
# *********************************************************************
|
|
#
|
|
# file "ipf_add.atend"
|
|
# IPFilter add script, called by "doormand".
|
|
# This add "pass in quick" rules to the firewall.
|
|
#
|
|
# Called with five arguments:
|
|
#
|
|
# $1 : name of the interface (e.g. ne0)
|
|
# $2 : source IP; i.e. dotted-decimal address of the 'knock' client
|
|
# $3 : source port; when this script is called for the first time
|
|
# for a connection (man 8 doormand), this argument will be set
|
|
# to a single "0" (0x30) character. This means that the source
|
|
# port is not yet known, and a broad rule allowing any source
|
|
# port is required.
|
|
# $4 : destination IP; that is, the IP address of the interface
|
|
# in argument 1.
|
|
# $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
|
|
#
|
|
|
|
# This script expects the IPFilter ruleset to have two rules like this:
|
|
inblock="block in log quick on $1 from any to any"
|
|
outblock="block out log quick on $1 from any to any"
|
|
# The new rules will be inserted just before these blocking rules.
|
|
|
|
if [ $3 = 0 ]; then
|
|
inrule="pass in quick on $1 proto TCP from $2 to $4 port = $5"
|
|
outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
|
|
else
|
|
inrule="pass in quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
|
|
outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
|
|
fi
|
|
|
|
#
|
|
# acquire lock (not implemented)
|
|
#
|
|
|
|
# Insert new rules.
|
|
ret=`(echo $inrule; echo $outrule) | /sbin/ipf -f - 2>&1`
|
|
|
|
#
|
|
# release lock (not implemented)
|
|
#
|
|
|
|
if [ -z "$ret" ]; then
|
|
echo 0
|
|
else
|
|
echo -1 3 $ret
|
|
fi
|