Surne: Dial-Up + ppp + routovanie - neviem co je s tym....

FreeBSD - Devnet freebsd at devnet.sk
Sat Mar 27 16:28:40 CET 2004


Potreboval by som vediet, ako nastavit routovanie:
mam normalne klasicke Dialup pripujenie cez modem,
lokalnu IP:192.168.0.1  a ip na nete mi dynamicky nastavuje provider

chcel by som vas poprosit, ako mam nastavit routovanie a ako by trebalo
pozmenit ppp.conf, k internetu sa cez kppp pripojim normalne, ale neche
vpustat ani odosielat nijake pakety..... predchadzajuce odpovede nefunguju

Vopred moc diky...
 Dole pripajamm routovaciu tabulku a subory:
/etc/rc.network (cely)
/etc/rc.firewall (cely)
/etc/rc.conf (len cast)
/etc/networks (cely)
/etc/ppp/ppp.conf (cely)
/var/log/messages (len cast)

----------------------------------------------------
ROUTOVACIA TABULKA
------------------------
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGSc        0        0    vr0
127.0.0.1          127.0.0.1          UH          0        8    lo0
192.168.0/31       ppp0               USc         1        6   ppp0 =>
192.168.0          link#1             UC          1        0    vr0
213.151.195.147    213.151.214.55     UH          0        0   ppp0
213.151.214.55     127.0.0.1          UH          0        0    lo0

Internet6:
Destination                       Gateway                       Flags      
Netif Expire
::1                               ::1                           UH          
lo0
fe80::%vr0/64                     link#1                        UC          
vr0
fe80::20c:76ff:fe12:5f82%vr0      00:0c:76:12:5f:82             UHL         
lo0
fe80::%lo0/64                     fe80::1%lo0                   Uc          
lo0
fe80::1%lo0                       link#3                        UHL         
lo0
ff01::/32                         ::1                           U           
lo0
ff02::%vr0/32                     link#1                        UC          
vr0
ff02::%lo0/32                     ::1                           UC          
lo0

/etc/rc.conf
--------------------------
defaultrouter="192.168.0.1"
gateway_enable="YES"
net.inet.ip.forwarding=1
hostname="devnet.dev"
ifconfig_vr0="inet 192.168.0.1  netmask 255.255.255.0"
inetd_enable="NO"
router_flags="-q"
router="/sbin/routed"
router_enable="YES"


/etc/network
---------------------------
your-net	127				# your comment
your-netmask	255.255.255			# subnet mask for your-net

#
# Your subnets
#
subnet1		127.0.1		alias1		# comment 1
subnet2		127.0.2		alias2		# comment 2

/etc/ppp/ppp.conf
----------------------------
default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)

 set device /dev/cual0

 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
           \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 180			# 3 minute idle timer (the default)
 enable dns				# request DNS info (for resolv.conf)

 set phone PHONE_NUM
 set authname USERNAME
 set authkey PASSWORD

 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR			# Add a (sticky) default route

 nat enable yes


/var/log/messages
-------------------------------
Mar 27 14:34:30 devnet /kernel: arplookup 192.168.0.1 failed: could not 
allocate llinfo
Mar 27 14:34:30 devnet /kernel: arpresolve: can't allocate llinfo for 
192.168.0.1rt
Mar 27 14:34:36 devnet /kernel: arplookup 192.168.0.1 failed: could not 
allocate llinfo
Mar 27 14:34:36 devnet /kernel: arpresolve: can't allocate llinfo for 
192.168.0.1rt
Mar 27 14:34:49 devnet /kernel: arplookup 192.168.0.1 failed: could not 
allocate llinfo
Mar 27 14:34:49 devnet /kernel: arpresolve: can't allocate llinfo for 
192.168.0.1rt
Mar 27 14:41:03 devnet pppd[388]: pppd 2.3.5 started by amon, uid 1002
Mar 27 14:41:03 devnet pppd[388]: Connect: ppp0 <--> /dev/cual0
Mar 27 14:41:04 devnet routed[54]: IP_ADD_MEMBERSHIP ALLHOSTS: Can't assign 
requested address
Mar 27 14:41:04 devnet pppd[388]: Couldn't add default route: File exists
Mar 27 14:41:04 devnet routed[54]: setsockopt(IP_ADD_MEMBERSHIP RIP): Can't 
assign requested address
Mar 27 14:41:04 devnet pppd[388]: local  IP address 213.151.214.55
Mar 27 14:41:04 devnet pppd[388]: remote IP address 213.151.195.147
Mar 27 14:43:03 devnet routed[54]: static route 192.168.0.0/31 --> 
213.151.214.55 impossibly lacks ifp
Mar 27 14:43:47 devnet su: amon to root on /dev/ttyp3
Mar 27 14:43:52 devnet routed[54]: interface ppp0 to 213.151.195.147 turned 
off
Mar 27 14:43:52 devnet pppd[388]: Connection terminated, connected for 2 
minutes
Mar 27 14:48:03 devnet routed[54]: 192.168.0.0/31 --> 213.151.214.55 
disappeared from kernel



/etc/rc.network
--------------------------------
network_pass1() {
	echo -n 'Doing initial network setup:'

	# Set the host name if it is not already set
	#
	if [ -z "`hostname -s`" ]; then
		hostname ${hostname}
		echo -n ' hostname'
	fi

	# Establish ipfilter ruleset as early as possible (best in
	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)

	# check whether ipfilter and/or ipnat is enabled
	ipfilter_active="NO"
	case ${ipfilter_enable} in
	[Yy][Ee][Ss])
		ipfilter_active="YES"
		;;
	esac
	case ${ipnat_enable} in
	[Yy][Ee][Ss])
		ipfilter_active="YES"
		;;
	esac
	case ${ipfilter_active} in
	[Yy][Ee][Ss])
		# load ipfilter kernel module if needed
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			if kldload ipl; then
				echo 'IP-filter module loaded.'
			else
				echo 'Warning: IP-filter module failed to load.'
				# avoid further errors
				ipfilter_active="NO"
				ipmon_enable="NO"
				ipfilter_enable="NO"
				ipnat_enable="NO"
				ipfs_enable="NO"
			fi
		fi
		# start ipmon before loading any rules
		case "${ipmon_enable}" in
		[Yy][Ee][Ss])
			echo -n ' ipmon'
			${ipmon_program:-/sbin/ipmon} ${ipmon_flags}
			;;
		esac
		case "${ipfilter_enable}" in
		[Yy][Ee][Ss])
			if [ -r "${ipfilter_rules}" -o \
			     -r "${ipv6_ipfilter_rules}" ]; then
				echo -n ' ipfilter'
				${ipfilter_program:-/sbin/ipf} -Fa
				if [ -r "${ipfilter_rules}" ]; then
					${ipfilter_program:-/sbin/ipf} \
					    -f "${ipfilter_rules}" \
					    ${ipfilter_flags}
				fi
				if [ -r "${ipv6_ipfilter_rules}" ]; then
					${ipfilter_program:-/sbin/ipf} -6 \
					    -f "${ipv6_ipfilter_rules}" \
					    ${ipfilter_flags}
				fi
			else
				ipfilter_enable="NO"
				echo -n ' NO IPF RULES'
			fi
			;;
		esac
		case "${ipnat_enable}" in
		[Yy][Ee][Ss])
			if [ -r "${ipnat_rules}" ]; then
				echo -n ' ipnat'
				eval ${ipnat_program:-/sbin/ipnat} -CF -f \
				    "${ipnat_rules}" ${ipnat_flags}
			else
				ipnat_enable="NO"
				echo -n ' NO IPNAT RULES'
			fi
			;;
		esac
		# restore filter/NAT state tables after loading the rules
		case "${ipfs_enable}" in
		[Yy][Ee][Ss])
			if [ -r "/var/db/ipf/ipstate.ipf" ]; then
				echo -n ' ipfs'
				${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags}
				# remove files to avoid reloading old state
				# after an ungraceful shutdown
				rm -f /var/db/ipf/ipstate.ipf
				rm -f /var/db/ipf/ipnat.ipf
			fi
			;;
		esac
		;;
	esac

	# Set the domainname if we're using NIS
	#
	case ${nisdomainname} in
	[Nn][Oo] | '')
		;;
	*)
		domainname ${nisdomainname}
		echo -n ' domain'
		;;
	esac

	echo '.'

	# Initial ATM interface configuration
	#
	case ${atm_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.atm ]; then
			. /etc/rc.atm
			atm_pass1
		fi
		;;
	esac

	# Attempt to create cloned interfaces.
	for ifn in ${cloned_interfaces}; do
		ifconfig ${ifn} create
	done

	# Special options for sppp(4) interfaces go here.  These need
	# to go _before_ the general ifconfig section, since in the case
	# of hardwired (no link1 flag) but required authentication, you
	# cannot pass auth parameters down to the already running interface.
	#
	for ifn in ${sppp_interfaces}; do
		eval spppcontrol_args=\$spppconfig_${ifn}
		if [ -n "${spppcontrol_args}" ]; then
			# The auth secrets might contain spaces; in order
			# to retain the quotation, we need to eval them
			# here.
			eval spppcontrol ${ifn} ${spppcontrol_args}
		fi
	done

	# gifconfig
	network_gif_setup

	# Set up all the network interfaces, calling startup scripts if needed
	#
	case ${network_interfaces} in
	[Aa][Uu][Tt][Oo])
		network_interfaces="`ifconfig -l`"
		;;
	*)
		network_interfaces="${network_interfaces} ${cloned_interfaces}"
		;;
	esac

	dhcp_interfaces=""
	for ifn in ${network_interfaces}; do
		if [ -r /etc/start_if.${ifn} ]; then
			. /etc/start_if.${ifn}
			eval showstat_$ifn=1
		fi

		# Do the primary ifconfig if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}

		case ${ifconfig_args} in
		'')
			;;
		[Dd][Hh][Cc][Pp])
			# DHCP inits are done all in one go below
			dhcp_interfaces="$dhcp_interfaces $ifn"
			eval showstat_$ifn=1
			;;
		*)
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
			;;
		esac
	done

	if [ ! -z "${dhcp_interfaces}" ]; then
		${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces}
	fi

	for ifn in ${network_interfaces}; do
		# Check to see if aliases need to be added
		#
		alias=0
		while : ; do
			eval ifconfig_args=\$ifconfig_${ifn}_alias${alias}
			if [ -n "${ifconfig_args}" ]; then
				ifconfig ${ifn} ${ifconfig_args} alias
				eval showstat_$ifn=1
				alias=$((${alias} + 1))
			else
				break;
			fi
		done

		# Do ipx address if specified
		#
		eval ifconfig_args=\$ifconfig_${ifn}_ipx
		if [ -n "${ifconfig_args}" ]; then
			ifconfig ${ifn} ${ifconfig_args}
			eval showstat_$ifn=1
		fi
	done

	for ifn in ${network_interfaces}; do
		eval showstat=\$showstat_${ifn}
		if [ ! -z ${showstat} ]; then
			ifconfig ${ifn}
		fi
	done

	# ISDN subsystem startup
	#
	case ${isdn_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/rc.isdn ]; then
			. /etc/rc.isdn
		fi
		;;
	esac

	# Start user ppp if required.  This must happen before natd.
	#
	case ${ppp_enable} in
	[Yy][Ee][Ss])
		# Establish ppp mode.
		#
		if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \
			-a "${ppp_mode}" != "dedicated" \
			-a "${ppp_mode}" != "background" ]; then
			ppp_mode="auto"
		fi

		ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}"

		# Switch on NAT mode?
		#
		case ${ppp_nat} in
		[Yy][Ee][Ss])
			ppp_command="${ppp_command} -nat"
			;;
		esac

		ppp_command="${ppp_command} ${ppp_profile}"

		echo "Starting ppp as \"${ppp_user}\""
		su -m ${ppp_user} -c "exec ${ppp_command}"
		;;
	esac

	# Re-Sync ipfilter so it picks up any new network interfaces
	#
	case ${ipfilter_active} in
	[Yy][Ee][Ss])
		${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
		;;
	esac
	unset ipfilter_active

	# Initialize IP filtering using ipfw
	#
	if /sbin/ipfw -q flush > /dev/null 2>&1; then
		firewall_in_kernel=1
	else
		firewall_in_kernel=0
	fi

	case ${firewall_enable} in
	[Yy][Ee][Ss])
		if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
			firewall_in_kernel=1
			echo 'Kernel firewall module loaded'
		elif [ "${firewall_in_kernel}" -eq 0 ]; then
			echo 'Warning: firewall kernel module failed to load'
		fi
		;;
	esac

	# Load the filters if required
	#
	case ${firewall_in_kernel} in
	1)
		if [ -z "${firewall_script}" ]; then
			firewall_script=/etc/rc.firewall
		fi

		case ${firewall_enable} in
		[Yy][Ee][Ss])
			if [ -r "${firewall_script}" ]; then
				. "${firewall_script}"
				echo -n 'Firewall rules loaded, starting divert daemons:'

				# Network Address Translation daemon
				#
				case ${natd_enable} in
				[Yy][Ee][Ss])
					if [ -n "${natd_interface}" ]; then
						if echo ${natd_interface} | \
							grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
							natd_flags="$natd_flags -a ${natd_interface}"
						else
							natd_flags="$natd_flags -n ${natd_interface}"
						fi
					fi
					echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags}
					;;
				esac

				echo '.'

			elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
				echo 'Warning: kernel has firewall functionality,' \
				     'but firewall rules are not enabled.'
				echo '		 All ip services are disabled.'
			fi

			case ${firewall_logging} in
			[Yy][Ee][Ss] | '')
				echo 'Firewall logging=YES'
				sysctl net.inet.ip.fw.verbose=1 >/dev/null
				;;
			*)
				;;
			esac

			;;
		esac
		;;
	esac

	# Additional ATM interface configuration
	#
	if [ -n "${atm_pass1_done}" ]; then
		atm_pass2
	fi

	# Configure routing
	#
	case ${defaultrouter} in
	[Nn][Oo] | '')
		;;
	*)
		static_routes="default ${static_routes}"
		route_default="default ${defaultrouter}"
		;;
	esac

	# Set up any static routes.  This should be done before router discovery.
	#
	if [ -n "${static_routes}" ]; then
		for i in ${static_routes}; do
			eval route_args=\$route_${i}
			route add ${route_args}
		done
	fi

	echo -n 'Additional routing options:'
	case ${tcp_extensions} in
	[Yy][Ee][Ss] | '')
		;;
	*)
		echo -n ' tcp extensions=NO'
		sysctl net.inet.tcp.rfc1323=0 >/dev/null
		;;
	esac

	case ${icmp_bmcastecho} in
	[Yy][Ee][Ss])
		echo -n ' broadcast ping responses=YES'
		sysctl net.inet.icmp.bmcastecho=1 >/dev/null
		;;
	esac

	case ${icmp_drop_redirect} in
	[Yy][Ee][Ss])
		echo -n ' ignore ICMP redirect=YES'
		sysctl net.inet.icmp.drop_redirect=1 >/dev/null
		;;
	esac

	case ${icmp_log_redirect} in
	[Yy][Ee][Ss])
		echo -n ' log ICMP redirect=YES'
		sysctl net.inet.icmp.log_redirect=1 >/dev/null
		;;
	esac

	case ${gateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IP gateway=YES'
		sysctl net.inet.ip.forwarding=1 >/dev/null
		;;
	esac

	case ${forward_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' do source routing=YES'
		sysctl net.inet.ip.sourceroute=1 >/dev/null
		;;
	esac

	case ${accept_sourceroute} in
	[Yy][Ee][Ss])
		echo -n ' accept source routing=YES'
		sysctl net.inet.ip.accept_sourceroute=1 >/dev/null
		;;
	esac

	case ${tcp_keepalive} in
	[Yy][Ee][Ss])
		echo -n ' TCP keepalive=YES'
		sysctl net.inet.tcp.always_keepalive=1 >/dev/null
		;;
	esac

	case ${tcp_drop_synfin} in
	[Yy][Ee][Ss])
		echo -n ' drop SYN+FIN packets=YES'
		sysctl net.inet.tcp.drop_synfin=1 >/dev/null
		;;
	esac

	case ${ipxgateway_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPX gateway=YES'
		sysctl net.ipx.ipx.ipxforwarding=1 >/dev/null
		;;
	esac

	case ${arpproxy_all} in
	[Yy][Ee][Ss])
		echo -n ' ARP proxyall=YES'
		sysctl net.link.ether.inet.proxyall=1 >/dev/null
		;;
	esac

	case ${ip_portrange_first} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_first=$ip_portrange_first"
		sysctl net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
		;;
	esac

	case ${ip_portrange_last} in
	[Nn][Oo] | '')
		;;
	*)
		echo -n " ip_portrange_last=$ip_portrange_last"
		sysctl net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
		;;
	esac

	echo '.'

	case ${ipsec_enable} in
	[Yy][Ee][Ss])
		if [ -f ${ipsec_file} ]; then
		    echo ' ipsec: enabled'
		    setkey -f ${ipsec_file}
		else
		    echo ' ipsec: file not found'
		fi
		;;
	esac

	echo -n 'Routing daemons:'
	case ${router_enable} in
	[Yy][Ee][Ss])
		echo -n " ${router}";	${router} ${router_flags}
		;;
	esac

	case ${ipxrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' IPXrouted'
		IPXrouted ${ipxrouted_flags} > /dev/null 2>&1
		;;
	esac

	case ${mrouted_enable} in
	[Yy][Ee][Ss])
		echo -n ' mrouted';	mrouted ${mrouted_flags}
		;;
	esac

	case ${rarpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' rarpd';	rarpd ${rarpd_flags}
		;;
	esac
	echo '.'

	# Let future generations know we made it.
	#
	network_pass1_done=YES
}

network_pass2() {
	echo -n 'Doing additional network setup:'
	case ${named_enable} in
	[Yy][Ee][Ss])
		echo -n ' named';	${named_program:-named} ${named_flags}
		;;
	esac

	case ${ntpdate_enable} in
	[Yy][Ee][Ss])
		echo -n ' ntpdate'
		${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1
		;;
	esac

	case ${xntpd_enable} in
	[Yy][Ee][Ss])
		echo -n ' ntpd';	${xntpd_program:-ntpd} ${xntpd_flags}
		;;
	esac

	case ${timed_enable} in
	[Yy][Ee][Ss])
		echo -n ' timed';	timed ${timed_flags}
		;;
	esac

	case ${portmap_enable} in
	[Yy][Ee][Ss])
		echo -n ' portmap';	${portmap_program:-/usr/sbin/portmap} ${portmap_flags}
		;;
	esac

	# Start ypserv if we're an NIS server.
	# Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server.
	#
	case ${nis_server_enable} in
	[Yy][Ee][Ss])
		echo -n ' ypserv'; ypserv ${nis_server_flags}

		case ${nis_ypxfrd_enable} in
		[Yy][Ee][Ss])
			echo -n ' rpc.ypxfrd'
			rpc.ypxfrd ${nis_ypxfrd_flags}
			;;
		esac

		case ${nis_yppasswdd_enable} in
		[Yy][Ee][Ss])
			echo -n ' rpc.yppasswdd'
			rpc.yppasswdd ${nis_yppasswdd_flags}
			;;
		esac
		;;
	esac

	# Start ypbind if we're an NIS client
	#
	case ${nis_client_enable} in
	[Yy][Ee][Ss])
		echo -n ' ypbind'; ypbind ${nis_client_flags}
		case ${nis_ypset_enable} in
		[Yy][Ee][Ss])
			echo -n ' ypset';	ypset ${nis_ypset_flags}
			;;
		esac
		;;
	esac

	# Start keyserv if we are running Secure RPC
	#
	case ${keyserv_enable} in
	[Yy][Ee][Ss])
		echo -n ' keyserv';	keyserv ${keyserv_flags}
		;;
	esac

	# Start ypupdated if we are running Secure RPC and we are NIS master
	#
	case ${rpc_ypupdated_enable} in
	[Yy][Ee][Ss])
		echo -n ' rpc.ypupdated';	rpc.ypupdated
		;;
	esac

	# Start ATM daemons
	if [ -n "${atm_pass2_done}" ]; then
		atm_pass3
	fi

	echo '.'
	network_pass2_done=YES
}

network_pass3() {
	echo -n 'Starting final network daemons:'

	case ${nfs_server_enable} in
	[Yy][Ee][Ss])
		if [ -r /etc/exports ]; then
			echo -n ' mountd'

			case ${weak_mountd_authentication} in
			[Yy][Ee][Ss])
				mountd_flags="${mountd_flags} -n"
				;;
			esac

			mountd ${mountd_flags}

			case ${nfs_reserved_port_only} in
			[Yy][Ee][Ss])
				echo -n ' NFS on reserved port only=YES'
				sysctl vfs.nfs.nfs_privport=1 >/dev/null
				;;
			esac

			echo -n ' nfsd';	nfsd ${nfs_server_flags}

			case ${rpc_lockd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.lockd';	rpc.lockd
				;;
			esac

			case ${rpc_statd_enable} in
			[Yy][Ee][Ss])
				echo -n ' rpc.statd';	rpc.statd
				;;
			esac
		fi
		;;
	*)
		case ${single_mountd_enable} in
		[Yy][Ee][Ss])
			if [ -r /etc/exports ]; then
				echo -n ' mountd'

				case ${weak_mountd_authentication} in
				[Yy][Ee][Ss])
					mountd_flags="-n"
					;;
				esac

				mountd ${mountd_flags}
			fi
			;;
		esac
		;;
	esac

	case ${nfs_client_enable} in
	[Yy][Ee][Ss])
		nfs_in_kernel=0
		# Handle absent nfs client support
		if sysctl vfs.nfs >/dev/null 2>&1; then
			nfs_in_kernel=1
		else
			kldload nfs && nfs_in_kernel=1
		fi
		if [ ${nfs_in_kernel} -eq 1 ]
		then
			echo -n ' nfsiod';	nfsiod ${nfs_client_flags}
			if [ -n "${nfs_access_cache}" ]; then
				echo -n " NFS access cache time=${nfs_access_cache}"
				sysctl vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null
			fi

			if [ -n "${nfs_bufpackets}" ]; then
				sysctl vfs.nfs.bufpackets=${nfs_bufpackets} \
					> /dev/null
			fi

			case ${amd_enable} in
			[Yy][Ee][Ss])
				echo -n ' amd'
				case ${amd_map_program} in
				[Nn][Oo] | '')
					;;
				*)
					amd_flags="${amd_flags} `eval \
						${amd_map_program}`"
					;;
				esac

				case "${amd_flags}" in
				'')
					if [ -r /etc/amd.conf ]; then
						amd &
					else
						echo ''
			echo 'Warning: amd will not load without arguments'
					fi
					;;
				*)
					amd -p ${amd_flags} >/var/run/amd.pid \
						2>/dev/null &
					;;
				esac
				;;
			esac
		fi
		;;
	esac

	# If /var/db/mounttab exists, some nfs-server has not been
	# sucessfully notified about a previous client shutdown.
	# If there is no /var/db/mounttab, we do nothing.
	if [ -f /var/db/mounttab ]; then
		rpc.umntall -k
	fi

	case ${rwhod_enable} in
	[Yy][Ee][Ss])
		echo -n ' rwhod';	rwhod ${rwhod_flags}
		;;
	esac

	# Kerberos servers run ONLY on the Kerberos server machine
	case ${kerberos_server_enable} in
	[Yy][Ee][Ss])
		case ${kerberos_stash} in
		[Yy][Ee][Ss])
			stash_flag=-n
			;;
		*)
			stash_flag=
			;;
		esac

		echo -n ' kerberosIV'
		kerberos ${stash_flag} >> /var/log/kerberos.log &

		case ${kadmind_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmindIV'
			(
				sleep 20;
				kadmind ${stash_flag} >/dev/null 2>&1 &
			) &
			;;
		esac
		unset stash_flag
		;;
	esac

	case ${kerberos5_server_enable} in
	[Yy][Ee][Ss])
		echo -n ' kerberos5'
		${kerberos5_server} &

		case ${kadmind5_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kadmind5'
			${kadmind5_server} &
			;;
		esac

		case ${kpasswdd5_server_enable} in
		[Yy][Ee][Ss])
			echo -n ' kpasswdd5'
			${kpasswdd5_server} &
			;;
		esac
		;;
	esac

	case ${pppoed_enable} in
	[Yy][Ee][Ss])
		if [ -n "${pppoed_provider}" ]; then
			pppoed_flags="${pppoed_flags} -p ${pppoed_provider}"
		fi
		echo -n ' pppoed';
		_opts=$-; set -f
		/usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface}
		set +f; set -${_opts}
		;;
	esac

	case ${sshd_enable} in
	[Yy][Ee][Ss])
		if [ -x /usr/bin/ssh-keygen ]; then
			if [ ! -f /etc/ssh/ssh_host_key ]; then
				echo ' creating ssh1 RSA host key';
				/usr/bin/ssh-keygen -t rsa1 -N "" \
					-f /etc/ssh/ssh_host_key
			fi
			if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
				echo ' creating ssh2 RSA host key';
				/usr/bin/ssh-keygen -t rsa -N "" \
					-f /etc/ssh/ssh_host_rsa_key
			fi
			if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
				echo ' creating ssh2 DSA host key';
				/usr/bin/ssh-keygen -t dsa -N "" \
					-f /etc/ssh/ssh_host_dsa_key
			fi
		fi
		;;
	esac

	echo '.'
	network_pass3_done=YES
}

network_pass4() {
	echo -n 'Additional TCP options:'
	case ${log_in_vain} in
	[Nn][Oo] | '')
		log_in_vain=0
		;;
	[Yy][Ee][Ss])
		log_in_vain=1
		;;
	[0-9]*)
		;;
	*)
		echo " invalid log_in_vain setting: ${log_in_vain}"
		log_in_vain=0
		;;
	esac

	if [ "${log_in_vain}" -ne 0 ]; then
		echo -n " log_in_vain=${log_in_vain}"
		sysctl net.inet.tcp.log_in_vain="${log_in_vain}" >/dev/null
		sysctl net.inet.udp.log_in_vain="${log_in_vain}" >/dev/null
	fi

	echo '.'
	network_pass4_done=YES
}

network_gif_setup() {
	case ${gif_interfaces} in
	[Nn][Oo] | '')
		;;
	*)
		for i in ${gif_interfaces}; do
			eval peers=\$gifconfig_$i
			case ${peers} in
			'')
				continue
				;;
			*)
				ifconfig $i create >/dev/null 2>&1
				ifconfig $i tunnel ${peers}
				ifconfig $i up
				;;
			esac
		done
		;;
	esac
}


/etc/rc.firewall
--------------------------
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi
setup_loopback () {
	############
	# Only in rare cases do you want to change these rules
	#
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac
${fwcmd} -f flush
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
		fi
		;;
	esac
esac
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	setup_loopback
	${fwcmd} add 65000 pass all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
	# set these to your network and netmask and ip
	net="192.0.2.0"
	mask="255.255.255.0"
	ip="192.0.2.1"

	setup_loopback
{fwcmd} add pass all from ${ip} to ${net}:${mask}
	${fwcmd} add pass all from ${net}:${mask} to ${ip}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${ip} 25 setup

	# Allow setup of outgoing TCP connections only
	${fwcmd} add pass tcp from ${ip} to any setup

	# Disallow setup of all other TCP connections
	${fwcmd} add deny tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from ${ip} to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from ${ip} to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a named server and ntp server, and point all the machines
	# on the inside at this machine for those services.
	############

	# set these to your outside interface network and netmask and ip
	oif="ed0"
	onet="192.0.2.0"
	omask="255.255.255.240"
	oip="192.0.2.1"

	# set these to your inside interface network and netmask and ip
	iif="ed1"
	inet="192.0.2.16"
	imask="255.255.255.240"
	iip="192.0.2.17"

	setup_loopback

	# Stop spoofing
	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Network Address Translation.  This rule is placed here deliberately
	# so that it does not interfere with the surrounding address-checking
	# rules.  If for example one of your internal LAN machines had its IP
	# address set to 192.0.2.1 then an incoming packet for it after being
	# translated by natd(8) would match the `deny' rule above.  Similarly
	# an outgoing packet originated from it before being translated would
	# match the `deny' rule below.
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd all from any to any via ${natd_interface}
		fi
		;;
	esac

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to ${oip} 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to ${oip} 53 setup
	${fwcmd} add pass udp from any to ${oip} 53
	${fwcmd} add pass udp from ${oip} 53 to any

	# Allow access to our WWW
	${fwcmd} add pass tcp from any to ${oip} 80 setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from ${oip} to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from ${oip} to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Cc][Ll][Oo][Ss][Ee][Dd])
	setup_loopback
	;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;
*)
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} ${firewall_type}
	fi
	;;
esac




More information about the Users-l mailing list