#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v4.3.0.3546
#
# Generated Thu May 26 14:08:56 2011 PDT by vadim
#
# files: * firewall101.fw /etc/fw/pf.fw
# files: firewall101.conf /etc/fw/path\ with\ space/pf.conf
#
# Compiled for pf 4.7
#
# routing rules, shell script format

# firewall101:Routing:1: error: Gateway and interface are both empty in the rule
# firewall101:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for freebsd
# firewall101:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning

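# Directory this script lives in ($0 quoted so a path containing spaces
# is passed to dirname as a single argument).
FWDIR=$(dirname "$0")

# Absolute paths of the system tools the script drives; each one is
# expanded unquoted below, so these values must stay single words.
IFCONFIG="/sbin/ifconfig"
PFCTL="/sbin/pfctl"
IPFW="/sbin/ipfw"
IPF="/sbin/ipf"
IPNAT="/sbin/ipnat"
SYSCTL="/sbin/sysctl"
LOGGER="/usr/bin/logger"
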
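# Print a message on stdout and, when the logger binary exists, also send
# it to syslog at priority "info".
# Globals:   LOGGER (read)
# Arguments: $1 - message text
log() {
  # printf instead of echo: echo would interpret a leading "-n" or, under
  # some /bin/sh implementations, backslash sequences in the message
  printf '%s\n' "$1"
  command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}
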
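# Call $func for every entry of list1 that does not appear in list2.
# Arguments: $1 - function to call as "$func ENTRY $cmd"
#            $2 - whitespace-separated entries to check
#            $3 - whitespace-separated entries to compare against
#            $4 - extra argument handed to $func (here: add or del)
# Returns:   status of the last $func call, or 0 when nothing was called
diff_intf() {
  func=$1
  list1=$2
  list2=$3
  cmd=$4
  # unquoted on purpose: the lists are split on whitespace
  for intf in $list1
  do
    # Exact, whole-entry comparison. The previous "echo $list2 | grep -q
    # $intf" treated the entry as a regex and matched substrings, so
    # "em1" was considered present when only "em10" was listed and the
    # dots in addresses matched any character.
    found=""
    for other in $list2
    do
      if test "$other" = "$intf"; then
        found=1
        break
      fi
    done
    if test -z "$found"; then
      # $intf is absent in list 2
      $func "$intf" "$cmd"
    fi
  done
}
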
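# Add or remove one address on an interface via ifconfig.
# Arguments: $1 - "ADDR[/MASK]@INTERFACE" as produced by
#                 update_addresses_of_interface / list_addresses_by_scope
#            $2 - "add" or "del"
# Globals:   IFCONFIG (read); FWBDEBUG (read) - command prefix used in
#            test mode, empty in normal operation
# Exits the script with status 1 when the ifconfig address command fails
# (note: this bypasses epilog_commands).
missing_address() {
  address=$1
  cmd=$2

  # Split "ADDR@INTERFACE" on '@' by temporarily making it the IFS.
  # "set --" so an address token starting with '-' can never be parsed
  # as shell options.
  oldIFS=$IFS
  IFS="@"
  set -- $address
  addr=$1
  interface=$2
  IFS=$oldIFS

  # An address containing ':' is IPv6; pick the ifconfig family keyword
  # and turn "ADDR/LEN" into the form ifconfig expects.
  case "$addr" in
    *:*)
      inet="inet6"
      addr=$(echo "$addr" | sed 's!/! prefixlen !')
      ;;
    *)
      inet="inet"
      addr=$(echo "$addr" | sed 's!/! netmask !')
      ;;
  esac

  parameter=""
  if test "$cmd" = "add"; then
    echo "# Adding ip address: $interface $addr"
    parameter="alias"
  elif test "$cmd" = "del"; then
    echo "# Removing ip address: $interface $addr"
    parameter="delete"
  fi

  # $addr is intentionally unquoted: it now holds several words
  $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter || exit 1
  $FWBDEBUG $IFCONFIG $interface up
}
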
# List the addresses currently configured on an interface, one per line
# as "ADDR/MASK@INTERFACE", sorted.
# Arguments: $1 - interface name
#            $2 - awk regex; when non-empty, lines matching it are
#                 EXCLUDED (the caller passes 'scopeid .*' to keep only
#                 global-scope addresses, '' to keep all)
#            $3 - whitespace-separated addresses to leave out
# Globals:   IFCONFIG (read)
# NOTE(review): $interface and $scope are spliced into the sed and awk
# program text rather than passed as data, so they must come from the
# generated configuration, never from untrusted input.
list_addresses_by_scope() {
  interface=$1
  scope=$2
  ignore_list=$3

  # "1" is an awk condition that is always true (no scope filtering)
  scope_regex="1"
  if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi

  # sed strips the "%ifname" zone suffix from link-local IPv6 addresses;
  # awk keeps inet/inet6 lines that pass the scope filter and whose
  # address ($2) is not in the ignore list, printing $2/$4 -- presumably
  # address/netmask (or prefixlen) in this platform's ifconfig output,
  # confirm against the target BSD.
  $IFCONFIG $interface | sed "s/%$interface//" | \
  awk -v IGNORED="$ignore_list" \
  "BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \
  while read addr; do
    echo "${addr}@$interface"
  done | sort

}

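# Bring the addresses of one interface in line with the configuration:
# add the configured addresses that are missing, delete the global-scope
# addresses that are not configured.
# Arguments: $1 - "INTERFACE ADDR1 ADDR2 ..." (single string, space
#                 separated)
#            $2 - whitespace-separated addresses to ignore entirely
# Globals:   IFCONFIG, FWBDEBUG (read); FWB_ADDRS, CURRENT_ADDRS_ALL_SCOPES,
#            CURRENT_ADDRS_GLOBAL_SCOPE (written)
# Exits with status 1 if the interface does not exist (unless FWBDEBUG is
# set, i.e. test mode).
update_addresses_of_interface() {
  ignore_list=$2

  # split "INTERFACE ADDR..." into positional parameters; "--" keeps a
  # token starting with '-' from being read as shell options
  set -- $1
  interface=$1
  shift

  # Addresses the configuration wants on this interface, as ADDR@INTERFACE
  FWB_ADDRS=$(
    for addr in "$@"; do
      echo "${addr}@$interface"
    done | sort
  )

  CURRENT_ADDRS_ALL_SCOPES=""
  CURRENT_ADDRS_GLOBAL_SCOPE=""

  if $IFCONFIG $interface >/dev/null 2>&1; then
    CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list")
    CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list")
  else
    echo "# Interface $interface does not exist"
    # Stop the script if we are not in test mode
    test -z "$FWBDEBUG" && exit 1
  fi

  # carp interfaces: delete stale addresses before adding; all others: add
  # first, then delete. Written as if/else rather than "&& { } || { }" so a
  # non-zero status from the last diff_intf of the first branch can no
  # longer cause the second branch to run as well.
  case "$interface" in
    *carp*)
      diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
      diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
      ;;
    *)
      diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
      diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
      ;;
  esac
}
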
# Hook for interface verification; the generator emitted nothing for this
# configuration, so it only returns success.
verify_interfaces() {
  true
}

# Kernel settings required by the configuration: turn on IPv4 forwarding
# so the host passes packets between its interfaces.
# Globals: SYSCTL (read)
set_kernel_vars() {
  $SYSCTL -w net.inet.ip.forwarding=1
}

# User prolog hook, run before the pf ruleset is loaded; empty in this
# configuration.
prolog_commands() {
  return 0
}

# User epilog hook, run at the end of the script and by
# run_epilog_and_exit / route_command_error; empty in this configuration.
epilog_commands() {
  return 0
}

# Run the user epilog hook, then terminate the script.
# Arguments: $1 - exit status to use
run_epilog_and_exit() {
  rc=$1
  epilog_commands
  exit $rc
}

# Interface setup emitted for this firewall: sync each interface's
# addresses with the configuration, and set em0's MTU.
# Globals: IFCONFIG (read)
configure_interfaces() {
  # em0: one address, then MTU
  update_addresses_of_interface "em0 10.3.14.81/0xffffff00" ""
  $IFCONFIG em0 mtu 1490
  # em1: one address
  update_addresses_of_interface "em1 10.1.1.81/0xffffff00" ""
}

# Activation sequence: log, kernel settings, interface addresses, user
# prolog, then load the pf ruleset. Note that forwarding is switched on
# by set_kernel_vars before the new ruleset is loaded, so whatever
# ruleset pf currently holds governs that window.
log "Activating firewall script generated Thu May 26 14:08:56 2011 by vadim"

set_kernel_vars
configure_interfaces
prolog_commands

# abort if pfctl rejects the generated ruleset
$PFCTL -f "/etc/fw/path with space/pf.conf" || exit 1

# ============== ROUTING RULES ==============

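# Private scratch directory for the captured script output. mktemp -d
# creates it with a random name and owner-only permissions, so another
# local user cannot guess or pre-plant the capture file path.
TMPDIRNAME=$(mktemp -d /tmp/.fwbuilder.XXXXXXXXXX) || exit 1
TMPFILENAME="$TMPDIRNAME/.fwbuilder.out"
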
#
# This function stops stdout redirection
# and sends previously saved output to terminal
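# Stop the stdout/stderr redirection set up below (fd 3 holds the
# original stdout), replay the captured output, and remove the scratch
# directory.
# Globals: TMPFILENAME, TMPDIRNAME (read)
restore_script_output()
{
  exec 1>&3 2>&1
  # quoted: the paths are expanded as single words, never split or globbed
  cat "$TMPFILENAME"
  rm -rf "$TMPDIRNAME"
}
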
# if any routing rule fails we do our best to prevent freezing the firewall
# Roll the routing table back to the state saved in $oldRoutes, restore
# normal output, run the epilog and exit 1.
# Arguments: $1 - label of the failed rule, e.g. "0 (main)"
# Globals:   oldRoutes (read) - "route add DEST GW" lines captured before
#            any route was changed
route_command_error()
{
  echo "Error: Routing rule $1 couldn't be activated"
  echo "Recovering previous routing configuration..."
  # delete current routing rules: lines whose third column contains the
  # 'S' flag, skipping anything on lo0; read splits each line into
  # destination, gateway and the remaining columns
  netstat -rn -f inet | awk '$3 ~ /S/ && $NF !~ /lo0/ { print $0;}' | \
  while read route gw rest; do route delete $route $gw; done
  # restore old routing rules: with IFS set to a newline each saved line
  # is one word; the inner subshell resets IFS to a space so that word
  # splits back into "route add DEST GW" and runs as a command. These
  # strings are assembled from netstat output, not from user input.
  (IFS="
"; for route_cmd in $oldRoutes; do (IFS=' '; $route_cmd); done)
  echo "...done"
  restore_script_output
  epilog_commands
  exit 1
}

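# redirect output to prevent ssh session from stalling: keep the original
# stdout on fd 3 (restore_script_output switches back to it) and send
# stdout and stderr to the capture file meanwhile
exec 3>&1
exec 1> "$TMPFILENAME"
exec 2>&1
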
# Snapshot of the current IPv4 routing table as "route add DEST GW"
# commands, taken before anything is deleted so route_command_error can
# replay it; the awk skips netstat's blank, header and section lines.
oldRoutes=$(netstat -rn -f inet | awk '/^$|Destination|Routing tables|Internet:/ {next;} {printf "route add %s %s\n",$1,$2;}')

echo "Deleting routing rules previously set by user space processes..."
# routes whose third column carries the 'S' flag, except those on lo0;
# read splits each line into destination, gateway and the rest
netstat -rn -f inet | awk '$3 ~ /S/ { print $0;}' | grep -Ev 'lo0' | \
while read route gw rest; do route delete $route $gw; done

echo "Activating routing rules..."
# Each "route add" below hands its rule label to route_command_error on
# failure; that function rolls the table back and exits 1.
#
# Rule 0 (main)
#
echo "Routing rule 0 (main)"
#
# setting default via gateway
# line 2 comment
#
route add default 10.1.1.1 || route_command_error "0 (main)"

#
# Rule 1 (main)
#
echo "Routing rule 1 (main)"
#
# empty rule
#
# firewall101:Routing:1: error: Gateway and interface are both empty in the rule
# firewall101:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for freebsd

# NOTE(review): no gateway argument here, as the compiler errors above say;
# route(8) will presumably reject it and route_command_error will fire.
route add default || route_command_error "1 (main)"

#
# Rule 2 (main)
#
echo "Routing rule 2 (main)"
#
route add 192.168.171.2 10.1.1.1 || route_command_error "2 (main)"

#
# Rule 3 (main)
#
echo "Routing rule 3 (main)"
#
route add 22.22.22.0/24 10.1.1.1 || route_command_error "3 (main)"

#
# Rule 4 (main)
#
echo "Routing rule 4 (main)"
#
# firewall101:Routing:4: warning: Two of the routing commands created from the gui routing rules 3 (main) and 4 (main) are identical, skipping the second. Revise them to avoid this warning

route add 33.33.33.0/24 10.1.1.1 || route_command_error "4 (main)"

# routing done: bring output back to the terminal, report, and run the
# user's epilog hook
restore_script_output
printf '%s\n' "...done."
epilog_commands