#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_pf v5.0.0.3556 # # Generated Tue Jul 5 18:05:07 2011 PDT by vadim # # files: * firewall101.fw /etc/fw/pf.fw # files: firewall101.conf /etc/fw/path\ with\ space/pf.conf # # Compiled for pf 4.7 # # routing rules, shell script format # firewall101:Routing:1: error: Gateway and interface are both empty in the rule # firewall101:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for freebsd # firewall101:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning FWDIR=`dirname $0` IFCONFIG="/sbin/ifconfig" PFCTL="/sbin/pfctl" IPFW="/sbin/ipfw" IPF="/sbin/ipf" IPNAT="/sbin/ipnat" SYSCTL="/sbin/sysctl" LOGGER="/usr/bin/logger" log() { echo "$1" command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS if echo "$addr" | grep -q ':' then inet="inet6" addr=$(echo "$addr" | sed 's!/! prefixlen !') else inet="inet" addr=$(echo "$addr" | sed 's!/! netmask !') fi parameter="" test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" parameter="alias" } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" parameter="delete" } $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1 $FWBDEBUG $IFCONFIG $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 scope_regex="1" if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi $IFCONFIG $interface | sed "s/%$interface//" | \ awk -v IGNORED="$ignore_list" \ "BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IFCONFIG $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } echo "$interface" | grep -q carp && { diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add } || { diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } } verify_interfaces() { : } set_kernel_vars() { : $SYSCTL -w net.inet.ip.forwarding=1 } prolog_commands() { : } epilog_commands() { : } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { : update_addresses_of_interface "em0 10.3.14.81/0xffffff00" "" $IFCONFIG em0 mtu 1490 update_addresses_of_interface "em1 10.1.1.81/0xffffff00" "" } log "Activating firewall script generated Tue Jul 5 18:05:07 2011 by vadim" set_kernel_vars configure_interfaces prolog_commands $PFCTL -f /etc/fw/path\ with\ space/pf.conf || exit 1 # ============== ROUTING RULES ============== TMPDIRNAME=`mktemp -d /tmp/.fwbuilder.XXXXXXXXXX` || exit 1 TMPFILENAME="$TMPDIRNAME/.fwbuilder.out" # # This function stops stdout redirection # and sends previously saved output to terminal restore_script_output() { exec 1>&3 2>&1 cat $TMPFILENAME rm -rf $TMPDIRNAME } # if any routing rule fails we do our best to prevent freezing the firewall route_command_error() { echo "Error: Routing rule $1 couldn't be activated" echo "Recovering previous routing configuration..." # delete current routing rules netstat -rn -f inet | awk '$3 ~ /S/ && $NF !~ /lo0/ { print $0;}' | \ while read route gw rest; do route delete $route $gw; done # restore old routing rules (IFS=" "; for route_cmd in $oldRoutes; do (IFS=' '; $route_cmd); done) echo "...done" restore_script_output epilog_commands exit 1 } # redirect output to prevent ssh session from stalling exec 3>&1 exec 1> $TMPFILENAME exec 2>&1 oldRoutes=$(netstat -rn -f inet | awk '/^$|Destination|Routing tables|Internet:/ {next;} {printf "route add %s %s\n",$1,$2;}') echo "Deleting routing rules previously set by user space processes..." netstat -rn -f inet | awk '$3 ~ /S/ { print $0;}' | grep -Ev 'lo0' | \ while read route gw rest; do route delete $route $gw; done echo "Activating routing rules..." # # Rule 0 (main) # echo "Routing rule 0 (main)" # # setting default via gateway # line 2 comment # route add default 10.1.1.1 || route_command_error "0 (main)" # # Rule 1 (main) # echo "Routing rule 1 (main)" # # empty rule # # firewall101:Routing:1: error: Gateway and interface are both empty in the rule # firewall101:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for freebsd route add default || route_command_error "1 (main)" # # Rule 2 (main) # echo "Routing rule 2 (main)" # route add 192.168.171.2 10.1.1.1 || route_command_error "2 (main)" # # Rule 3 (main) # echo "Routing rule 3 (main)" # route add 22.22.22.0/24 10.1.1.1 || route_command_error "3 (main)" # # Rule 4 (main) # echo "Routing rule 4 (main)" # # firewall101:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning route add 33.33.33.0/24 10.1.1.1 || route_command_error "4 (main)" restore_script_output echo "...done." epilog_commands