OpenBSD-3/3.5-rc-diffs - net/ipfilter - Rivoreo Source Code Repositories

 diff -c tmp/etc/netstart etc/netstart
 *** etc/netstart.orig	Tue Mar 23 10:15:38 2004
 --- etc/netstart	Sat Jul 10 11:56:56 2004
 ***************
 *** 194,199 ****
 --- 194,209 ----
   	domainname `cat /etc/defaultdomain`
   fi

 + # Configure the IP filter before configuring network interfaces
 + if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then
 + 	echo 'configuring IP filter'
 + 	ipf -Fa -f ${ipfilter_rules}
 + 	ipfresync="ipf -y"
 + else
 + 	ipfilter=NO
 + 	ipfresync=NO
 + fi
 +
   # Set the address for the loopback interface.  Bringing the
   # interface up, automatically invokes the IPv6 address ::1)
   ifconfig lo0 inet 127.0.0.1
 ***************
 *** 354,356 ****
 --- 364,379 ----

   	bridgestart $if
   done
 +
 + # Configure NAT after configuring network interfaces
 + if [ "${ipnat}" = "YES" -a "${ipfilter}" = "YES" -a -f "${ipnat_rules}" ]; then
 + 	echo 'configuring NAT'
 + 	ipnat -CF -f ${ipnat_rules}
 + else
 + 	ipnat=NO
 + fi
 +
 + # Interfaces have come up so we should do an ipf -y if we're using IP filter.
 + if [ "${ipfresync}" != "NO" ]; then
 + 	${ipfresync}
 + fi
 diff -c tmp/etc/rc etc/rc
 *** tmp/etc/rc	23 Mar 2003 18:45:34 -0000	1.225
 --- etc/rc	8 Jun 2003 07:40:22 -0000
 ***************
 *** 220,225 ****
 --- 220,229 ----
   	echo 'starting named';		named $named_flags
   fi

 + if [ X"${ipfilter}" = X"YES" -a X"${ipmon_flags}" != X"NO" ]; then
 + 	echo 'starting ipmon';	ipmon ${ipmon_flags}
 + fi
 +
   # $isakmpd_flags is imported from /etc/rc.conf;
   # If $isakmpd_flags == NO or /etc/isakmpd/isakmpd.policy doesn't exist, then
   # isakmpd isn't run.
 diff -c tmp/etc/rc.conf etc/rc.conf
 *** tmp/etc/rc.conf	10 Mar 2003 01:05:28 -0000	1.86
 --- etc/rc.conf	8 Jun 2003 07:40:24 -0000
 ***************
 *** 52,58 ****
   lockd=NO
   gated=NO
   amd=NO
 ! pf=NO			# Packet filter / NAT
   portmap=NO		# Note: inetd(8) rpc services need portmap too
   inetd=YES		# almost always needed
   check_quotas=YES	# NO may be desirable in some YP environments
 --- 52,60 ----
   lockd=NO
   gated=NO
   amd=NO
 ! ipfilter=NO		# To enable ipfilter, set to YES
 ! ipnat=NO		# for "YES", ipfilter must also be "YES"
 ! pf=NO			# Enable pf(4) Packet filter / NAT
   portmap=NO		# Note: inetd(8) rpc services need portmap too
   inetd=YES		# almost always needed
   check_quotas=YES	# NO may be desirable in some YP environments
 ***************
 *** 76,81 ****
 --- 78,86 ----
   nfsd_flags="-tun 4"		# Crank the 4 for a busy NFS fileserver
   amd_dir=/tmp_mnt		# AMD's mount directory
   amd_master=/etc/amd/master	# AMD 'master' map
 + ipfilter_rules=/etc/ipf.rules	# Rules for IP packet filtering with IP Filter
 + ipnat_rules=/etc/ipnat.rules	# Rules for Network Address Translation
 + ipmon_flags=-Ds			# To disable logging, use ipmon_flags=NO
   syslogd_flags=			# add more flags, ie. "-u -a /chroot/dev/log"
   pf_rules=/etc/pf.conf		# Packet filter rules file
   pflogd_flags=			# add more flags, ie. "-s 256"
	diff -c tmp/etc/netstart etc/netstart
	*** etc/netstart.orig Tue Mar 23 10:15:38 2004
	--- etc/netstart Sat Jul 10 11:56:56 2004
	***************
	* 194,199 **
	--- 194,209 ----
	domainname `cat /etc/defaultdomain`
	fi

	+ # Configure the IP filter before configuring network interfaces
	+ if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then
	+ echo 'configuring IP filter'
	+ ipf -Fa -f ${ipfilter_rules}
	+ ipfresync="ipf -y"
	+ else
	+ ipfilter=NO
	+ ipfresync=NO
	+ fi
	+
	# Set the address for the loopback interface. Bringing the
	# interface up, automatically invokes the IPv6 address ::1)
	ifconfig lo0 inet 127.0.0.1
	***************
	* 354,356 **
	--- 364,379 ----

	bridgestart $if
	done
	+
	+ # Configure NAT after configuring network interfaces
	+ if [ "${ipnat}" = "YES" -a "${ipfilter}" = "YES" -a -f "${ipnat_rules}" ]; then
	+ echo 'configuring NAT'
	+ ipnat -CF -f ${ipnat_rules}
	+ else
	+ ipnat=NO
	+ fi
	+
	+ # Interfaces have come up so we should do an ipf -y if we're using IP filter.
	+ if [ "${ipfresync}" != "NO" ]; then
	+ ${ipfresync}
	+ fi
	diff -c tmp/etc/rc etc/rc
	*** tmp/etc/rc 23 Mar 2003 18:45:34 -0000 1.225
	--- etc/rc 8 Jun 2003 07:40:22 -0000
	***************
	* 220,225 **
	--- 220,229 ----
	echo 'starting named'; named $named_flags
	fi

	+ if [ X"${ipfilter}" = X"YES" -a X"${ipmon_flags}" != X"NO" ]; then
	+ echo 'starting ipmon'; ipmon ${ipmon_flags}
	+ fi
	+
	# $isakmpd_flags is imported from /etc/rc.conf;
	# If $isakmpd_flags == NO or /etc/isakmpd/isakmpd.policy doesn't exist, then
	# isakmpd isn't run.
	diff -c tmp/etc/rc.conf etc/rc.conf
	*** tmp/etc/rc.conf 10 Mar 2003 01:05:28 -0000 1.86
	--- etc/rc.conf 8 Jun 2003 07:40:24 -0000
	***************
	* 52,58 **
	lockd=NO
	gated=NO
	amd=NO
	! pf=NO # Packet filter / NAT
	portmap=NO # Note: inetd(8) rpc services need portmap too
	inetd=YES # almost always needed
	check_quotas=YES # NO may be desirable in some YP environments
	--- 52,60 ----
	lockd=NO
	gated=NO
	amd=NO
	! ipfilter=NO # To enable ipfilter, set to YES
	! ipnat=NO # for "YES", ipfilter must also be "YES"
	! pf=NO # Enable pf(4) Packet filter / NAT
	portmap=NO # Note: inetd(8) rpc services need portmap too
	inetd=YES # almost always needed
	check_quotas=YES # NO may be desirable in some YP environments
	***************
	* 76,81 **
	--- 78,86 ----
	nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
	amd_dir=/tmp_mnt # AMD's mount directory
	amd_master=/etc/amd/master # AMD 'master' map
	+ ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering with IP Filter
	+ ipnat_rules=/etc/ipnat.rules # Rules for Network Address Translation
	+ ipmon_flags=-Ds # To disable logging, use ipmon_flags=NO
	syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
	pf_rules=/etc/pf.conf # Packet filter rules file
	pflogd_flags= # add more flags, ie. "-s 256"