Surne: Dial-Up + ppp + routovanie - neviem co je s tym....
FreeBSD - Devnet
freebsd at devnet.sk
Sat Mar 27 16:28:40 CET 2004
Potreboval by som vediet, ako nastavit routovanie:
mam normalne klasicke Dialup pripojenie cez modem,
lokalnu IP:192.168.0.1 a ip na nete mi dynamicky nastavuje provider
chcel by som vas poprosit, ako mam nastavit routovanie a ako by trebalo
pozmenit ppp.conf, k internetu sa cez kppp pripojim normalne, ale nechce
vpustat ani odosielat nijake pakety..... predchadzajuce odpovede nefunguju
Vopred moc diky...
Dole pripajam routovaciu tabulku a subory:
/etc/rc.network (cely)
/etc/rc.firewall (cely)
/etc/rc.conf (len cast)
/etc/networks (cely)
/etc/ppp/ppp.conf (cely)
/var/log/messages (len cast)
----------------------------------------------------
ROUTOVACIA TABULKA
------------------------
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGSc 0 0 vr0
127.0.0.1 127.0.0.1 UH 0 8 lo0
192.168.0/31 ppp0 USc 1 6 ppp0 =>
192.168.0 link#1 UC 1 0 vr0
213.151.195.147 213.151.214.55 UH 0 0 ppp0
213.151.214.55 127.0.0.1 UH 0 0 lo0
Internet6:
Destination Gateway Flags
Netif Expire
::1 ::1 UH
lo0
fe80::%vr0/64 link#1 UC
vr0
fe80::20c:76ff:fe12:5f82%vr0 00:0c:76:12:5f:82 UHL
lo0
fe80::%lo0/64 fe80::1%lo0 Uc
lo0
fe80::1%lo0 link#3 UHL
lo0
ff01::/32 ::1 U
lo0
ff02::%vr0/32 link#1 UC
vr0
ff02::%lo0/32 ::1 UC
lo0
/etc/rc.conf
--------------------------
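# Default route: "NO" — the dial-up software adds the default route
# itself once the link is up (user-ppp via "add default HISADDR" in
# ppp.conf; pppd, which kppp starts according to the log on this page,
# does the same). The previous value, 192.168.0.1, is this host's own
# vr0 address (see ifconfig_vr0 below): rc.network turned it into
# "route add default 192.168.0.1" at boot, which matches the
# "default 192.168.0.1 ... vr0" entry in the routing table, the
# "arplookup 192.168.0.1 failed" kernel messages and pppd's
# "Couldn't add default route: File exists".
defaultrouter="NO"
# Forward packets between vr0 and the ppp link. rc.network applies
# net.inet.ip.forwarding=1 for this setting, so the separate
# "net.inet.ip.forwarding=1" line that used to follow here is not needed;
# rc.conf is sourced by sh, where that line is not a valid assignment and
# only produced a "command not found" at boot. If it is wanted by hand,
# the usual place is /etc/sysctl.conf.
gateway_enable="YES"
hostname="devnet.dev"
ifconfig_vr0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="NO"
# routed(8) in quiet mode (-q: listen only). The log on this page shows
# routed complaining about the ppp0 routes; a single dial-up host usually
# needs no routing daemon, so router_enable="NO" is worth trying if the
# problem persists — left unchanged here.
router_flags="-q"
router="/sbin/routed"
router_enable="YES"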
/etc/networks
---------------------------
your-net 127 # your comment
your-netmask 255.255.255 # subnet mask for your-net
#
# Your subnets
#
subnet1 127.0.1 alias1 # comment 1
subnet2 127.0.2 alias2 # comment 2
/etc/ppp/ppp.conf
----------------------------
# Profile used when ppp(8) is started without a profile name (and the
# base other profiles inherit from). Label lines start in column 0;
# the commands below must be indented.
default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 # Modem device and line speed.
 set device /dev/cual0
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 180 # 3 minute idle timer (the default)
 enable dns # request DNS info (for resolv.conf)
 # PHONE_NUM, USERNAME and PASSWORD look like the template's
 # placeholders and must be replaced with the provider's values.
 # Because the file then carries the dial-up password, keep it
 # readable by root only.
 set phone PHONE_NUM
 set authname USERNAME
 set authkey PASSWORD
 # The /0 suffixes let the peer assign any local/remote address
 # (dynamic IP from the provider).
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 # The default route is installed here, towards the peer, once the
 # link is up. A static defaultrouter in rc.conf conflicts with it
 # (the "File exists" error in the log on this page).
 add default HISADDR # Add a (sticky) default route
 # NAT for the LAN behind vr0. This only applies to links brought up
 # by user-ppp; the log on this page shows kppp starting pppd, which
 # does not read this file.
 nat enable yes
/var/log/messages
-------------------------------
Mar 27 14:34:30 devnet /kernel: arplookup 192.168.0.1 failed: could not
allocate llinfo
Mar 27 14:34:30 devnet /kernel: arpresolve: can't allocate llinfo for
192.168.0.1rt
Mar 27 14:34:36 devnet /kernel: arplookup 192.168.0.1 failed: could not
allocate llinfo
Mar 27 14:34:36 devnet /kernel: arpresolve: can't allocate llinfo for
192.168.0.1rt
Mar 27 14:34:49 devnet /kernel: arplookup 192.168.0.1 failed: could not
allocate llinfo
Mar 27 14:34:49 devnet /kernel: arpresolve: can't allocate llinfo for
192.168.0.1rt
Mar 27 14:41:03 devnet pppd[388]: pppd 2.3.5 started by amon, uid 1002
Mar 27 14:41:03 devnet pppd[388]: Connect: ppp0 <--> /dev/cual0
Mar 27 14:41:04 devnet routed[54]: IP_ADD_MEMBERSHIP ALLHOSTS: Can't assign
requested address
Mar 27 14:41:04 devnet pppd[388]: Couldn't add default route: File exists
Mar 27 14:41:04 devnet routed[54]: setsockopt(IP_ADD_MEMBERSHIP RIP): Can't
assign requested address
Mar 27 14:41:04 devnet pppd[388]: local IP address 213.151.214.55
Mar 27 14:41:04 devnet pppd[388]: remote IP address 213.151.195.147
Mar 27 14:43:03 devnet routed[54]: static route 192.168.0.0/31 -->
213.151.214.55 impossibly lacks ifp
Mar 27 14:43:47 devnet su: amon to root on /dev/ttyp3
Mar 27 14:43:52 devnet routed[54]: interface ppp0 to 213.151.195.147 turned
off
Mar 27 14:43:52 devnet pppd[388]: Connection terminated, connected for 2
minutes
Mar 27 14:48:03 devnet routed[54]: 192.168.0.0/31 --> 213.151.214.55
disappeared from kernel
/etc/rc.network
--------------------------------
network_pass1() {
  # First network pass: host name, ipfilter/ipnat, interface
  # configuration, user ppp, ipfw, static routes, IP sysctls and
  # routing daemons. Every step is driven by rc.conf variables read
  # through ${var} or eval; *_flags values are passed unquoted and
  # therefore word-split. Progress is printed on stdout. Sets
  # firewall_in_kernel, dhcp_interfaces, showstat_<ifn> and
  # network_pass1_done; ipfilter_active is unset again before return.
  echo -n 'Doing initial network setup:'

  # Set the host name if it is not already set
  #
  if [ -z "`hostname -s`" ]; then
    hostname ${hostname}
    echo -n ' hostname'
  fi

  # Establish ipfilter ruleset as early as possible (best in
  # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
  # check whether ipfilter and/or ipnat is enabled
  ipfilter_active="NO"
  case ${ipfilter_enable} in
  [Yy][Ee][Ss])
    ipfilter_active="YES"
    ;;
  esac
  case ${ipnat_enable} in
  [Yy][Ee][Ss])
    ipfilter_active="YES"
    ;;
  esac
  case ${ipfilter_active} in
  [Yy][Ee][Ss])
    # load ipfilter kernel module if needed
    # (the sysctl probe only tells whether ipf is already in the kernel)
    if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
      if kldload ipl; then
        echo 'IP-filter module loaded.'
      else
        echo 'Warning: IP-filter module failed to load.'
        # avoid further errors: switch every ipf-related step off
        ipfilter_active="NO"
        ipmon_enable="NO"
        ipfilter_enable="NO"
        ipnat_enable="NO"
        ipfs_enable="NO"
      fi
    fi
    # start ipmon before loading any rules
    case "${ipmon_enable}" in
    [Yy][Ee][Ss])
      echo -n ' ipmon'
      ${ipmon_program:-/sbin/ipmon} ${ipmon_flags}
      ;;
    esac
    case "${ipfilter_enable}" in
    [Yy][Ee][Ss])
      if [ -r "${ipfilter_rules}" -o \
          -r "${ipv6_ipfilter_rules}" ]; then
        echo -n ' ipfilter'
        # flush all existing rules, then load the v4 and/or v6 sets
        ${ipfilter_program:-/sbin/ipf} -Fa
        if [ -r "${ipfilter_rules}" ]; then
          ${ipfilter_program:-/sbin/ipf} \
              -f "${ipfilter_rules}" \
              ${ipfilter_flags}
        fi
        if [ -r "${ipv6_ipfilter_rules}" ]; then
          ${ipfilter_program:-/sbin/ipf} -6 \
              -f "${ipv6_ipfilter_rules}" \
              ${ipfilter_flags}
        fi
      else
        ipfilter_enable="NO"
        echo -n ' NO IPF RULES'
      fi
      ;;
    esac
    case "${ipnat_enable}" in
    [Yy][Ee][Ss])
      if [ -r "${ipnat_rules}" ]; then
        echo -n ' ipnat'
        # eval re-parses ipnat_program/ipnat_flags as shell text, so
        # those rc.conf values are executed, not just passed as words
        eval ${ipnat_program:-/sbin/ipnat} -CF -f \
            "${ipnat_rules}" ${ipnat_flags}
      else
        ipnat_enable="NO"
        echo -n ' NO IPNAT RULES'
      fi
      ;;
    esac
    # restore filter/NAT state tables after loading the rules
    case "${ipfs_enable}" in
    [Yy][Ee][Ss])
      if [ -r "/var/db/ipf/ipstate.ipf" ]; then
        echo -n ' ipfs'
        ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags}
        # remove files to avoid reloading old state
        # after an ungraceful shutdown
        rm -f /var/db/ipf/ipstate.ipf
        rm -f /var/db/ipf/ipnat.ipf
      fi
      ;;
    esac
    ;;
  esac

  # Set the domainname if we're using NIS
  #
  case ${nisdomainname} in
  [Nn][Oo] | '')
    ;;
  *)
    domainname ${nisdomainname}
    echo -n ' domain'
    ;;
  esac
  echo '.'

  # Initial ATM interface configuration
  #
  case ${atm_enable} in
  [Yy][Ee][Ss])
    if [ -r /etc/rc.atm ]; then
      . /etc/rc.atm
      atm_pass1
    fi
    ;;
  esac

  # Attempt to create cloned interfaces.
  for ifn in ${cloned_interfaces}; do
    ifconfig ${ifn} create
  done

  # Special options for sppp(4) interfaces go here. These need
  # to go _before_ the general ifconfig section, since in the case
  # of hardwired (no link1 flag) but required authentication, you
  # cannot pass auth parameters down to the already running interface.
  #
  for ifn in ${sppp_interfaces}; do
    eval spppcontrol_args=\$spppconfig_${ifn}
    if [ -n "${spppcontrol_args}" ]; then
      # The auth secrets might contain spaces; in order
      # to retain the quotation, we need to eval them
      # here.
      eval spppcontrol ${ifn} ${spppcontrol_args}
    fi
  done

  # gifconfig
  network_gif_setup

  # Set up all the network interfaces, calling startup scripts if needed
  #
  case ${network_interfaces} in
  [Aa][Uu][Tt][Oo])
    network_interfaces="`ifconfig -l`"
    ;;
  *)
    network_interfaces="${network_interfaces} ${cloned_interfaces}"
    ;;
  esac

  dhcp_interfaces=""
  for ifn in ${network_interfaces}; do
    # a per-interface hook script runs before the interface is configured
    if [ -r /etc/start_if.${ifn} ]; then
      . /etc/start_if.${ifn}
      eval showstat_$ifn=1
    fi

    # Do the primary ifconfig if specified
    #
    eval ifconfig_args=\$ifconfig_${ifn}
    case ${ifconfig_args} in
    '')
      ;;
    [Dd][Hh][Cc][Pp])
      # DHCP inits are done all in one go below
      dhcp_interfaces="$dhcp_interfaces $ifn"
      eval showstat_$ifn=1
      ;;
    *)
      ifconfig ${ifn} ${ifconfig_args}
      eval showstat_$ifn=1
      ;;
    esac
  done

  if [ ! -z "${dhcp_interfaces}" ]; then
    ${dhcp_program:-/sbin/dhclient} ${dhcp_flags} ${dhcp_interfaces}
  fi

  for ifn in ${network_interfaces}; do
    # Check to see if aliases need to be added
    # (ifconfig_<ifn>_alias0, _alias1, ... until the first empty one)
    #
    alias=0
    while : ; do
      eval ifconfig_args=\$ifconfig_${ifn}_alias${alias}
      if [ -n "${ifconfig_args}" ]; then
        ifconfig ${ifn} ${ifconfig_args} alias
        eval showstat_$ifn=1
        alias=$((${alias} + 1))
      else
        break;
      fi
    done

    # Do ipx address if specified
    #
    eval ifconfig_args=\$ifconfig_${ifn}_ipx
    if [ -n "${ifconfig_args}" ]; then
      ifconfig ${ifn} ${ifconfig_args}
      eval showstat_$ifn=1
    fi
  done

  # Show every interface that was touched above.
  for ifn in ${network_interfaces}; do
    eval showstat=\$showstat_${ifn}
    if [ ! -z ${showstat} ]; then
      ifconfig ${ifn}
    fi
  done

  # ISDN subsystem startup
  #
  case ${isdn_enable} in
  [Yy][Ee][Ss])
    if [ -r /etc/rc.isdn ]; then
      . /etc/rc.isdn
    fi
    ;;
  esac

  # Start user ppp if required. This must happen before natd.
  # Only runs when ppp_enable is YES; a dialer such as kppp that
  # starts pppd on its own is not affected by this section.
  #
  case ${ppp_enable} in
  [Yy][Ee][Ss])
    # Establish ppp mode.
    #
    if [ "${ppp_mode}" != "ddial" -a "${ppp_mode}" != "direct" \
        -a "${ppp_mode}" != "dedicated" \
        -a "${ppp_mode}" != "background" ]; then
      ppp_mode="auto"
    fi

    ppp_command="/usr/sbin/ppp -quiet -${ppp_mode}"

    # Switch on NAT mode?
    #
    case ${ppp_nat} in
    [Yy][Ee][Ss])
      ppp_command="${ppp_command} -nat"
      ;;
    esac

    ppp_command="${ppp_command} ${ppp_profile}"

    echo "Starting ppp as \"${ppp_user}\""
    # ppp_command is handed to su as shell text, so ppp_profile is
    # re-parsed by that shell
    su -m ${ppp_user} -c "exec ${ppp_command}"
    ;;
  esac

  # Re-Sync ipfilter so it picks up any new network interfaces
  #
  case ${ipfilter_active} in
  [Yy][Ee][Ss])
    ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
    ;;
  esac
  unset ipfilter_active

  # Initialize IP filtering using ipfw
  # (a successful flush proves ipfw is in the kernel)
  #
  if /sbin/ipfw -q flush > /dev/null 2>&1; then
    firewall_in_kernel=1
  else
    firewall_in_kernel=0
  fi

  case ${firewall_enable} in
  [Yy][Ee][Ss])
    if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
      firewall_in_kernel=1
      echo 'Kernel firewall module loaded'
    elif [ "${firewall_in_kernel}" -eq 0 ]; then
      echo 'Warning: firewall kernel module failed to load'
    fi
    ;;
  esac

  # Load the filters if required
  #
  case ${firewall_in_kernel} in
  1)
    if [ -z "${firewall_script}" ]; then
      firewall_script=/etc/rc.firewall
    fi

    case ${firewall_enable} in
    [Yy][Ee][Ss])
      if [ -r "${firewall_script}" ]; then
        # sourced, not executed: the script sees all rc.conf variables
        . "${firewall_script}"
        echo -n 'Firewall rules loaded, starting divert daemons:'

        # Network Address Translation daemon
        # (natd_interface may be an address, -a, or an interface, -n)
        #
        case ${natd_enable} in
        [Yy][Ee][Ss])
          if [ -n "${natd_interface}" ]; then
            if echo ${natd_interface} | \
                grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
              natd_flags="$natd_flags -a ${natd_interface}"
            else
              natd_flags="$natd_flags -n ${natd_interface}"
            fi
          fi
          echo -n ' natd'; ${natd_program:-/sbin/natd} ${natd_flags}
          ;;
        esac
        echo '.'

      elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
        echo 'Warning: kernel has firewall functionality,' \
            'but firewall rules are not enabled.'
        echo ' All ip services are disabled.'
      fi

      # verbose logging is on unless firewall_logging says otherwise
      case ${firewall_logging} in
      [Yy][Ee][Ss] | '')
        echo 'Firewall logging=YES'
        sysctl net.inet.ip.fw.verbose=1 >/dev/null
        ;;
      *)
        ;;
      esac
      ;;
    esac
    ;;
  esac

  # Additional ATM interface configuration
  #
  if [ -n "${atm_pass1_done}" ]; then
    atm_pass2
  fi

  # Configure routing
  # A non-NO defaultrouter becomes a static "default" route below; it is
  # installed at boot, before any dial-up link exists, so a ppp link that
  # later tries to add its own default route finds one already there.
  #
  case ${defaultrouter} in
  [Nn][Oo] | '')
    ;;
  *)
    static_routes="default ${static_routes}"
    route_default="default ${defaultrouter}"
    ;;
  esac

  # Set up any static routes. This should be done before router discovery.
  # (each name in static_routes selects a route_<name> variable)
  #
  if [ -n "${static_routes}" ]; then
    for i in ${static_routes}; do
      eval route_args=\$route_${i}
      route add ${route_args}
    done
  fi

  echo -n 'Additional routing options:'
  case ${tcp_extensions} in
  [Yy][Ee][Ss] | '')
    ;;
  *)
    echo -n ' tcp extensions=NO'
    sysctl net.inet.tcp.rfc1323=0 >/dev/null
    ;;
  esac

  case ${icmp_bmcastecho} in
  [Yy][Ee][Ss])
    echo -n ' broadcast ping responses=YES'
    sysctl net.inet.icmp.bmcastecho=1 >/dev/null
    ;;
  esac

  case ${icmp_drop_redirect} in
  [Yy][Ee][Ss])
    echo -n ' ignore ICMP redirect=YES'
    sysctl net.inet.icmp.drop_redirect=1 >/dev/null
    ;;
  esac

  case ${icmp_log_redirect} in
  [Yy][Ee][Ss])
    echo -n ' log ICMP redirect=YES'
    sysctl net.inet.icmp.log_redirect=1 >/dev/null
    ;;
  esac

  # gateway_enable="YES" is what turns on IP forwarding; the sysctl
  # does not need to be repeated in rc.conf
  case ${gateway_enable} in
  [Yy][Ee][Ss])
    echo -n ' IP gateway=YES'
    sysctl net.inet.ip.forwarding=1 >/dev/null
    ;;
  esac

  case ${forward_sourceroute} in
  [Yy][Ee][Ss])
    echo -n ' do source routing=YES'
    sysctl net.inet.ip.sourceroute=1 >/dev/null
    ;;
  esac

  case ${accept_sourceroute} in
  [Yy][Ee][Ss])
    echo -n ' accept source routing=YES'
    sysctl net.inet.ip.accept_sourceroute=1 >/dev/null
    ;;
  esac

  case ${tcp_keepalive} in
  [Yy][Ee][Ss])
    echo -n ' TCP keepalive=YES'
    sysctl net.inet.tcp.always_keepalive=1 >/dev/null
    ;;
  esac

  case ${tcp_drop_synfin} in
  [Yy][Ee][Ss])
    echo -n ' drop SYN+FIN packets=YES'
    sysctl net.inet.tcp.drop_synfin=1 >/dev/null
    ;;
  esac

  case ${ipxgateway_enable} in
  [Yy][Ee][Ss])
    echo -n ' IPX gateway=YES'
    sysctl net.ipx.ipx.ipxforwarding=1 >/dev/null
    ;;
  esac

  case ${arpproxy_all} in
  [Yy][Ee][Ss])
    echo -n ' ARP proxyall=YES'
    sysctl net.link.ether.inet.proxyall=1 >/dev/null
    ;;
  esac

  case ${ip_portrange_first} in
  [Nn][Oo] | '')
    ;;
  *)
    echo -n " ip_portrange_first=$ip_portrange_first"
    sysctl net.inet.ip.portrange.first=$ip_portrange_first >/dev/null
    ;;
  esac

  case ${ip_portrange_last} in
  [Nn][Oo] | '')
    ;;
  *)
    echo -n " ip_portrange_last=$ip_portrange_last"
    sysctl net.inet.ip.portrange.last=$ip_portrange_last >/dev/null
    ;;
  esac

  echo '.'

  case ${ipsec_enable} in
  [Yy][Ee][Ss])
    if [ -f ${ipsec_file} ]; then
      echo ' ipsec: enabled'
      setkey -f ${ipsec_file}
    else
      echo ' ipsec: file not found'
    fi
    ;;
  esac

  echo -n 'Routing daemons:'
  case ${router_enable} in
  [Yy][Ee][Ss])
    echo -n " ${router}"; ${router} ${router_flags}
    ;;
  esac

  case ${ipxrouted_enable} in
  [Yy][Ee][Ss])
    echo -n ' IPXrouted'
    IPXrouted ${ipxrouted_flags} > /dev/null 2>&1
    ;;
  esac

  case ${mrouted_enable} in
  [Yy][Ee][Ss])
    echo -n ' mrouted'; mrouted ${mrouted_flags}
    ;;
  esac

  case ${rarpd_enable} in
  [Yy][Ee][Ss])
    echo -n ' rarpd'; rarpd ${rarpd_flags}
    ;;
  esac
  echo '.'

  # Let future generations know we made it.
  #
  network_pass1_done=YES
}
network_pass2() {
  # Second network pass: name service, time synchronisation, portmap,
  # NIS/Secure RPC daemons and the ATM daemons. Each daemon starts only
  # when its *_enable variable is YES (any case); *_flags values are
  # passed unquoted and therefore word-split. Progress goes to stdout;
  # sets network_pass2_done.
  echo -n 'Doing additional network setup:'
  case ${named_enable} in
  [Yy][Ee][Ss])
    echo -n ' named'; ${named_program:-named} ${named_flags}
    ;;
  esac

  case ${ntpdate_enable} in
  [Yy][Ee][Ss])
    echo -n ' ntpdate'
    # one-shot clock set; its output and errors are discarded
    ${ntpdate_program:-ntpdate} ${ntpdate_flags} >/dev/null 2>&1
    ;;
  esac

  case ${xntpd_enable} in
  [Yy][Ee][Ss])
    echo -n ' ntpd'; ${xntpd_program:-ntpd} ${xntpd_flags}
    ;;
  esac

  case ${timed_enable} in
  [Yy][Ee][Ss])
    echo -n ' timed'; timed ${timed_flags}
    ;;
  esac

  case ${portmap_enable} in
  [Yy][Ee][Ss])
    echo -n ' portmap'; ${portmap_program:-/usr/sbin/portmap} ${portmap_flags}
    ;;
  esac

  # Start ypserv if we're an NIS server.
  # Run rpc.ypxfrd and rpc.yppasswdd only on the NIS master server.
  #
  case ${nis_server_enable} in
  [Yy][Ee][Ss])
    echo -n ' ypserv'; ypserv ${nis_server_flags}

    case ${nis_ypxfrd_enable} in
    [Yy][Ee][Ss])
      echo -n ' rpc.ypxfrd'
      rpc.ypxfrd ${nis_ypxfrd_flags}
      ;;
    esac

    case ${nis_yppasswdd_enable} in
    [Yy][Ee][Ss])
      echo -n ' rpc.yppasswdd'
      rpc.yppasswdd ${nis_yppasswdd_flags}
      ;;
    esac
    ;;
  esac

  # Start ypbind if we're an NIS client
  #
  case ${nis_client_enable} in
  [Yy][Ee][Ss])
    echo -n ' ypbind'; ypbind ${nis_client_flags}
    case ${nis_ypset_enable} in
    [Yy][Ee][Ss])
      echo -n ' ypset'; ypset ${nis_ypset_flags}
      ;;
    esac
    ;;
  esac

  # Start keyserv if we are running Secure RPC
  #
  case ${keyserv_enable} in
  [Yy][Ee][Ss])
    echo -n ' keyserv'; keyserv ${keyserv_flags}
    ;;
  esac

  # Start ypupdated if we are running Secure RPC and we are NIS master
  #
  case ${rpc_ypupdated_enable} in
  [Yy][Ee][Ss])
    echo -n ' rpc.ypupdated'; rpc.ypupdated
    ;;
  esac

  # Start ATM daemons (only if rc.atm completed its second pass)
  if [ -n "${atm_pass2_done}" ]; then
    atm_pass3
  fi

  echo '.'
  network_pass2_done=YES
}
network_pass3() {
  # Third network pass: NFS server/client, rwhod, Kerberos IV/5, pppoed
  # and sshd host-key generation. Each daemon starts only when its
  # *_enable variable is YES (any case); *_flags values are passed
  # unquoted and therefore word-split. Progress goes to stdout; sets
  # network_pass3_done.
  echo -n 'Starting final network daemons:'

  case ${nfs_server_enable} in
  [Yy][Ee][Ss])
    # nothing is exported without /etc/exports, so skip the whole
    # server side when it is missing
    if [ -r /etc/exports ]; then
      echo -n ' mountd'

      # -n lets mountd accept requests from non-reserved ports
      case ${weak_mountd_authentication} in
      [Yy][Ee][Ss])
        mountd_flags="${mountd_flags} -n"
        ;;
      esac

      mountd ${mountd_flags}

      case ${nfs_reserved_port_only} in
      [Yy][Ee][Ss])
        echo -n ' NFS on reserved port only=YES'
        sysctl vfs.nfs.nfs_privport=1 >/dev/null
        ;;
      esac

      echo -n ' nfsd'; nfsd ${nfs_server_flags}

      case ${rpc_lockd_enable} in
      [Yy][Ee][Ss])
        echo -n ' rpc.lockd'; rpc.lockd
        ;;
      esac

      case ${rpc_statd_enable} in
      [Yy][Ee][Ss])
        echo -n ' rpc.statd'; rpc.statd
        ;;
      esac
    fi
    ;;
  *)
    # mountd alone can still be wanted without nfsd
    case ${single_mountd_enable} in
    [Yy][Ee][Ss])
      if [ -r /etc/exports ]; then
        echo -n ' mountd'

        case ${weak_mountd_authentication} in
        [Yy][Ee][Ss])
          mountd_flags="-n"
          ;;
        esac

        mountd ${mountd_flags}
      fi
      ;;
    esac
    ;;
  esac

  case ${nfs_client_enable} in
  [Yy][Ee][Ss])
    nfs_in_kernel=0
    # Handle absent nfs client support
    if sysctl vfs.nfs >/dev/null 2>&1; then
      nfs_in_kernel=1
    else
      kldload nfs && nfs_in_kernel=1
    fi
    if [ ${nfs_in_kernel} -eq 1 ]
    then
      echo -n ' nfsiod'; nfsiod ${nfs_client_flags}
      if [ -n "${nfs_access_cache}" ]; then
        echo -n " NFS access cache time=${nfs_access_cache}"
        sysctl vfs.nfs.access_cache_timeout=${nfs_access_cache} >/dev/null
      fi
      if [ -n "${nfs_bufpackets}" ]; then
        sysctl vfs.nfs.bufpackets=${nfs_bufpackets} \
            > /dev/null
      fi

      case ${amd_enable} in
      [Yy][Ee][Ss])
        echo -n ' amd'
        # amd_map_program is run as a shell command and its output is
        # appended to amd_flags, so rc.conf controls what executes here
        case ${amd_map_program} in
        [Nn][Oo] | '')
          ;;
        *)
          amd_flags="${amd_flags} `eval \
              ${amd_map_program}`"
          ;;
        esac

        case "${amd_flags}" in
        '')
          if [ -r /etc/amd.conf ]; then
            amd &
          else
            echo ''
            echo 'Warning: amd will not load without arguments'
          fi
          ;;
        *)
          amd -p ${amd_flags} >/var/run/amd.pid \
              2>/dev/null &
          ;;
        esac
        ;;
      esac
    fi
    ;;
  esac

  # If /var/db/mounttab exists, some nfs-server has not been
  # sucessfully notified about a previous client shutdown.
  # If there is no /var/db/mounttab, we do nothing.
  if [ -f /var/db/mounttab ]; then
    rpc.umntall -k
  fi

  case ${rwhod_enable} in
  [Yy][Ee][Ss])
    echo -n ' rwhod'; rwhod ${rwhod_flags}
    ;;
  esac

  # Kerberos servers run ONLY on the Kerberos server machine
  case ${kerberos_server_enable} in
  [Yy][Ee][Ss])
    case ${kerberos_stash} in
    [Yy][Ee][Ss])
      stash_flag=-n
      ;;
    *)
      stash_flag=
      ;;
    esac

    echo -n ' kerberosIV'
    kerberos ${stash_flag} >> /var/log/kerberos.log &

    case ${kadmind_server_enable} in
    [Yy][Ee][Ss])
      echo -n ' kadmindIV'
      # kadmind is started 20 s later from a backgrounded subshell so
      # the KDC is up first; the delay does not block this pass
      (
        sleep 20;
        kadmind ${stash_flag} >/dev/null 2>&1 &
      ) &
      ;;
    esac
    unset stash_flag
    ;;
  esac

  case ${kerberos5_server_enable} in
  [Yy][Ee][Ss])
    echo -n ' kerberos5'
    ${kerberos5_server} &

    case ${kadmind5_server_enable} in
    [Yy][Ee][Ss])
      echo -n ' kadmind5'
      ${kadmind5_server} &
      ;;
    esac

    case ${kpasswdd5_server_enable} in
    [Yy][Ee][Ss])
      echo -n ' kpasswdd5'
      ${kpasswdd5_server} &
      ;;
    esac
    ;;
  esac

  case ${pppoed_enable} in
  [Yy][Ee][Ss])
    if [ -n "${pppoed_provider}" ]; then
      pppoed_flags="${pppoed_flags} -p ${pppoed_provider}"
    fi
    echo -n ' pppoed';
    # globbing is switched off (-f) while pppoed_flags is expanded, so a
    # "*" in the flags reaches pppoed literally; the shell options are
    # restored afterwards
    _opts=$-; set -f
    /usr/libexec/pppoed ${pppoed_flags} ${pppoed_interface}
    set +f; set -${_opts}
    ;;
  esac

  case ${sshd_enable} in
  [Yy][Ee][Ss])
    # create any missing host keys; they get an empty passphrase
    # (-N "") because sshd has to load them unattended at boot
    if [ -x /usr/bin/ssh-keygen ]; then
      if [ ! -f /etc/ssh/ssh_host_key ]; then
        echo ' creating ssh1 RSA host key';
        /usr/bin/ssh-keygen -t rsa1 -N "" \
            -f /etc/ssh/ssh_host_key
      fi
      if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
        echo ' creating ssh2 RSA host key';
        /usr/bin/ssh-keygen -t rsa -N "" \
            -f /etc/ssh/ssh_host_rsa_key
      fi
      if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
        echo ' creating ssh2 DSA host key';
        /usr/bin/ssh-keygen -t dsa -N "" \
            -f /etc/ssh/ssh_host_dsa_key
      fi
    fi
    ;;
  esac

  echo '.'
  network_pass3_done=YES
}
network_pass4() {
  # Fourth network pass: the log_in_vain sysctls.
  # log_in_vain is normalised in place to an integer: NO/empty -> 0,
  # YES -> 1, a value starting with a digit is kept, anything else is
  # reported and treated as 0. A non-zero value is then applied to the
  # tcp and udp log_in_vain sysctls. Progress goes to stdout; sets
  # network_pass4_done.
  echo -n 'Additional TCP options:'

  case ${log_in_vain} in
  [Yy][Ee][Ss])
    log_in_vain=1
    ;;
  [0-9]*)
    ;;
  [Nn][Oo] | '')
    log_in_vain=0
    ;;
  *)
    echo " invalid log_in_vain setting: ${log_in_vain}"
    log_in_vain=0
    ;;
  esac

  if [ "${log_in_vain}" -ne 0 ]; then
    echo -n " log_in_vain=${log_in_vain}"
    for _proto in tcp udp; do
      sysctl net.inet.${_proto}.log_in_vain="${log_in_vain}" >/dev/null
    done
    unset _proto
  fi

  echo '.'
  network_pass4_done=YES
}
network_gif_setup() {
  # Create and bring up the gif(4) tunnels named in gif_interfaces.
  # Each interface's peer pair comes from gifconfig_<ifn>; interfaces
  # without one are skipped. Leaves the last peer pair in ${peers}.
  case ${gif_interfaces} in
  [Nn][Oo] | '')
    return 0
    ;;
  esac

  for i in ${gif_interfaces}; do
    eval peers=\$gifconfig_$i
    [ -n "${peers}" ] || continue
    # creation errors are ignored: the interface may already exist
    ifconfig $i create >/dev/null 2>&1
    ifconfig $i tunnel ${peers}
    ifconfig $i up
  done
}
/etc/rc.firewall
--------------------------
# Pull in the rc.conf variables when rc.firewall is run on its own
# (rc.network has already done this, and marks it with
# source_rc_confs_defined). The defaults file is preferred, and its
# source_rc_confs then layers the local rc.conf on top; a bare
# /etc/rc.conf is the fallback.
if [ -z "${source_rc_confs_defined}" ]; then
  for _rc in /etc/defaults/rc.conf /etc/rc.conf; do
    if [ -r "${_rc}" ]; then
      . "${_rc}"
      if [ "${_rc}" = /etc/defaults/rc.conf ]; then
        source_rc_confs
      fi
      break
    fi
  done
  unset _rc
fi
setup_loopback () {
  ############
  # Only in rare cases do you want to change these rules
  #
  # Loopback traffic is always allowed, and anything using a 127/8
  # address as source or destination elsewhere is dropped. Each entry
  # is word-split into the ipfw rule; ${fwcmd} must already be set.
  for rule in \
      '100 pass all from any to any via lo0' \
      '200 deny all from any to 127.0.0.0/8' \
      '300 deny ip from 127.0.0.0/8 to any'; do
    ${fwcmd} add ${rule}
  done
}
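# Build the ipfw(8) rule set selected by firewall_type. This part of
# rc.firewall is sourced from rc.network when firewall_enable is YES,
# so it sees every rc.conf variable; an optional first argument
# overrides firewall_type.
if [ -n "${1}" ]; then
  firewall_type="${1}"
fi

# -q keeps ipfw from echoing every rule it adds.
case ${firewall_quiet} in
[Yy][Ee][Ss])
  fwcmd="/sbin/ipfw -q"
  ;;
*)
  fwcmd="/sbin/ipfw"
  ;;
esac

# Start from an empty rule set.
${fwcmd} -f flush

# For the open and client sets, hand traffic on the NAT interface to
# natd(8) before any other rule sees it.
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
  case ${natd_enable} in
  [Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
      ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
    fi
    ;;
  esac
  ;;
esac

case ${firewall_type} in
[Oo][Pp][Ee][Nn])
  setup_loopback
  ${fwcmd} add 65000 pass all from any to any
  ;;

[Cc][Ll][Ii][Ee][Nn][Tt])
  # set these to your network and netmask and ip
  # NB: if they are left at these documentation values, none of the
  # ${ip} rules match this host and the "deny tcp ... setup" rule
  # below blocks every outgoing connection.
  net="192.0.2.0"
  mask="255.255.255.0"
  ip="192.0.2.1"

  setup_loopback

  # Was "{fwcmd} add ..." (missing "$"): sh looked for a command named
  # "{fwcmd}" and this ip -> net rule was never installed.
  ${fwcmd} add pass all from ${ip} to ${net}:${mask}
  ${fwcmd} add pass all from ${net}:${mask} to ${ip}

  # Allow TCP through if setup succeeded
  ${fwcmd} add pass tcp from any to any established

  # Allow IP fragments to pass through
  ${fwcmd} add pass all from any to any frag

  # Allow setup of incoming email
  ${fwcmd} add pass tcp from any to ${ip} 25 setup

  # Allow setup of outgoing TCP connections only
  ${fwcmd} add pass tcp from ${ip} to any setup

  # Disallow setup of all other TCP connections
  ${fwcmd} add deny tcp from any to any setup

  # Allow DNS queries out in the world
  ${fwcmd} add pass udp from ${ip} to any 53 keep-state

  # Allow NTP queries out in the world
  ${fwcmd} add pass udp from ${ip} to any 123 keep-state

  # Everything else is denied by default, unless the
  # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
  # config file.
  ;;

[Ss][Ii][Mm][Pp][Ll][Ee])
  ############
  # This is a prototype setup for a simple firewall. Configure this
  # machine as a named server and ntp server, and point all the machines
  # on the inside at this machine for those services.
  ############

  # set these to your outside interface network and netmask and ip
  oif="ed0"
  onet="192.0.2.0"
  omask="255.255.255.240"
  oip="192.0.2.1"

  # set these to your inside interface network and netmask and ip
  iif="ed1"
  inet="192.0.2.16"
  imask="255.255.255.240"
  iip="192.0.2.17"

  setup_loopback

  # Stop spoofing: inside addresses arriving from outside and vice versa
  ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
  ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

  # Stop RFC1918 nets on the outside interface
  ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
  ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
  ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

  # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
  # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
  # on the outside interface
  ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
  ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
  ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
  ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
  ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

  # Network Address Translation. This rule is placed here deliberately
  # so that it does not interfere with the surrounding address-checking
  # rules. If for example one of your internal LAN machines had its IP
  # address set to 192.0.2.1 then an incoming packet for it after being
  # translated by natd(8) would match the `deny' rule above. Similarly
  # an outgoing packet originated from it before being translated would
  # match the `deny' rule below.
  case ${natd_enable} in
  [Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
      ${fwcmd} add divert natd all from any to any via ${natd_interface}
    fi
    ;;
  esac

  # Stop RFC1918 nets on the outside interface
  ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
  ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
  ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

  # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
  # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
  # on the outside interface
  ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
  ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
  ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
  ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
  ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

  # Allow TCP through if setup succeeded
  ${fwcmd} add pass tcp from any to any established

  # Allow IP fragments to pass through
  ${fwcmd} add pass all from any to any frag

  # Allow setup of incoming email
  ${fwcmd} add pass tcp from any to ${oip} 25 setup

  # Allow access to our DNS
  ${fwcmd} add pass tcp from any to ${oip} 53 setup
  ${fwcmd} add pass udp from any to ${oip} 53
  ${fwcmd} add pass udp from ${oip} 53 to any

  # Allow access to our WWW
  ${fwcmd} add pass tcp from any to ${oip} 80 setup

  # Reject&Log all setup of incoming connections from the outside
  ${fwcmd} add deny log tcp from any to any in via ${oif} setup

  # Allow setup of any other TCP connection
  ${fwcmd} add pass tcp from any to any setup

  # Allow DNS queries out in the world
  ${fwcmd} add pass udp from ${oip} to any 53 keep-state

  # Allow NTP queries out in the world
  ${fwcmd} add pass udp from ${oip} to any 123 keep-state

  # Everything else is denied by default, unless the
  # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
  # config file.
  ;;

[Cc][Ll][Oo][Ss][Ee][Dd])
  # Loopback only; everything else falls to the kernel default.
  setup_loopback
  ;;

[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
  ;;

*)
  # Any other value names a file of ipfw rules to load as-is.
  if [ -r "${firewall_type}" ]; then
    ${fwcmd} ${firewall_flags} ${firewall_type}
  fi
  ;;
esac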