ports/52121: pf4freebsd port OpenBSD's pf ported
Max Laier
max at love2party.net
Mon May 12 15:20:11 UTC 2003
>Number: 52121
>Category: ports
>Synopsis: pf4freebsd port OpenBSD's pf ported
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon May 12 08:20:08 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Max Laier
>Release: FreeBSD 5.0-RELEASE-p7 i386
>Organization:
>Environment:
System: FreeBSD router.laiers.local 5.0-RELEASE-p7 FreeBSD 5.0-RELEASE-p7 #0: Mon Apr 14 13:13:41 CEST 2003 root at router.laiers.local:/usr/src/sys/i386/compile/MAX_SMP i386
>Description:
OpenBSD's pf (packetfilter) as in OpenBSD 3.3 as a loadable
kernel module.
>How-To-Repeat:
>Fix:
--- pf_port.shar begins here ---
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# pf
# pf/files
# pf/files/pf.conf.default
# pf/files/pf.sh.sample
# pf/Makefile
# pf/distinfo
# pf/pkg-descr
# pf/pkg-install
# pf/pkg-message
# pf/pkg-plist
#
# Create the port skeleton; "c - <dir>" is the shar's own progress output.
printf 'c - %s\n' pf
mkdir -p -- pf >/dev/null 2>&1
printf 'c - %s\n' pf/files
mkdir -p -- pf/files >/dev/null 2>&1
# pf/files/pf.conf.default: the OpenBSD pf.conf sample (rev 1.19), installed
# by the Makefile's post-install as ${PREFIX}/etc/pf.conf.default only when no
# such file exists. Every rule below is commented out, so installing it
# enables nothing; the rc script loads ${pf_conf:-${PREFIX}/etc/pf.conf},
# not this .default file.
echo x - pf/files/pf.conf.default
sed 's/^X//' >pf/files/pf.conf.default << 'END-of-pf/files/pf.conf.default'
X# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
X#
X# See pf.conf(5) and /usr/share/pf for syntax and examples.
X# Required order: options, normalization, queueing, translation, filtering.
X# Macros and tables may be defined and used anywhere.
X# Note that translation rules are first match while filter rules are last match.
X
X# Macros: define common values, so they can be referenced and changed easily.
X#ext_if="ext0" # replace with actual external interface name i.e., dc0
X#int_if="int0" # replace with actual internal interface name i.e., dc1
X#internal_net="10.1.1.1/8"
X#external_addr="192.168.1.1"
X
X# Tables: similar to macros, but more flexible for many addresses.
X#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
X
X# Options: tune the behavior of pf, default values are given.
X#set timeout { interval 30, frag 10 }
X#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
X#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
X#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
X#set timeout { icmp.first 20, icmp.error 10 }
X#set timeout { other.first 60, other.single 30, other.multiple 60 }
X#set limit { states 10000, frags 5000 }
X#set loginterface none
X#set optimization normal
X#set block-policy drop
X#set require-order yes
X
X# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
X#scrub in all
X
X# Queueing: rule-based bandwidth control.
X#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
X#queue dflt bandwidth 5% cbq(default)
X#queue developers bandwidth 80%
X#queue marketing bandwidth 15%
X
X# Translation: specify how addresses are to be mapped or redirected.
X# nat: packets going out through $ext_if with source address $internal_net will
X# get translated as coming from the address of $ext_if, a state is created for
X# such packets, and incoming packets will be redirected to the internal address.
X#nat on $ext_if from $internal_net to any -> ($ext_if)
X
X# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
X# be redirected to 10.1.1.1:5678. A state is created for such packets, and
X# outgoing packets will be translated as coming from the external address.
X#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
X
X# rdr outgoing FTP requests to the ftp-proxy
X#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
X
X# spamd-setup puts addresses to be redirected into table <spamd>.
X#table <spamd> persist
X#no rdr on { lo0, lo1 } from any to any
X#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
X
X# Filtering: the implicit first two rules are
X#pass in all
X#pass out all
X
X# block all incoming packets but allow ssh, pass all outgoing tcp and udp
X# connections and keep state, logging blocked packets.
X#block in log all
X#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
X#pass out on $ext_if proto { tcp, udp } all keep state
X
X# pass incoming packets destined to the addresses given in table <foo>.
X#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
X
X# pass incoming ports for ftp-proxy
X#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
X
X# assign packets to a queue.
X#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
X#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
END-of-pf/files/pf.conf.default
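# pf/files/pf.sh.sample: rc.d script, installed by the Makefile as
# ${PREFIX}/etc/rc.d/pf.sh.sample (STARTUP_SCRIPT). It reads pf_enable,
# pf_logd, pf_conf and pfctl_flags from rc.conf (see pkg-message).
echo x - pf/files/pf.sh.sample
sed 's/^X//' >pf/files/pf.sh.sample << 'END-of-pf/files/pf.sh.sample'
X#!/bin/sh
X#
X# $FreeBSD$
X#
X# start: load the pf kernel modules, bring up pflog0/pfsync0, optionally
X#        start pflogd, then enable pf and load the ruleset.
X# stop:  disable pf, stop pflogd and unload the modules again.
X#
X# rc.conf knobs: pf_enable, pf_logd, pf_conf (default ${PREFIX}/etc/pf.conf)
X# and pfctl_flags (extra pfctl arguments, word-split on purpose).
X
X# PREFIX is taken from our own pathname, which must be
X# /<prefix>/etc/rc.d/<name>; a relative invocation is refused.
Xif ! PREFIX=$(expr "$0" : "\(/.*\)/etc/rc\.d/$(basename "$0")\$"); then
X echo "$0: Cannot determine the PREFIX" >&2
X echo "Please use the complete pathname." >&2
X exit 1
Xfi
X
X# Read rc.conf(5) unless the caller already did.
Xif [ -z "${source_rc_confs_defined}" ]; then
X if [ -r /etc/defaults/rc.conf ]; then
X . /etc/defaults/rc.conf
X source_rc_confs
X elif [ -r /etc/rc.conf ]; then
X . /etc/rc.conf
X fi
Xfi
X
Xpf_conf=${pf_conf:-${PREFIX}/etc/pf.conf}
X
Xcase "$1" in
Xstart)
X case "${pf_enable}" in
X [Yy][Ee][Ss])
X echo -n ' pf'
X # Module load order: pflog, pfsync, pfaltq (when built), then pf.
X kldload "${PREFIX}/modules/pflog.ko"
X kldload "${PREFIX}/modules/pfsync.ko"
X if [ -f "${PREFIX}/modules/pfaltq.ko" ]; then
X kldload "${PREFIX}/modules/pfaltq.ko"
X fi
X ifconfig pflog0 up
X ifconfig pfsync0 up
X case "${pf_logd}" in
X [Yy][Ee][Ss])
X if [ -x "${PREFIX}/sbin/pflogd" ]; then
X echo -n ' pflogd'
X "${PREFIX}/sbin/pflogd"
X fi
X ;;
X esac
X kldload "${PREFIX}/modules/pf.ko"
X # pf is only enabled (-e) together with a ruleset; without the
X # configuration file the module stays loaded but this script never
X # enables it.
X if [ -f "${pf_conf}" ]; then
X if [ -x "${PREFIX}/sbin/pfctl" ]; then
X # ${pfctl_flags} is intentionally unquoted: it may hold several args.
X "${PREFIX}/sbin/pfctl" -e -f "${pf_conf}" ${pfctl_flags}
X fi
X fi
X ;;
X esac
X ;;
Xstop)
X # Disable the filter first, then tear down in reverse load order.
X if [ -x "${PREFIX}/sbin/pfctl" ]; then
X "${PREFIX}/sbin/pfctl" -d
X fi
X killall pflogd
X kldunload pf
X if [ -f "${PREFIX}/modules/pfaltq.ko" ]; then
X kldunload pfaltq
X fi
X kldunload pflog
X kldunload pfsync
X ;;
X*)
X echo "Usage: $(basename "$0") {start|stop}" >&2
X ;;
Xesac
X
Xexit 0
END-of-pf/files/pf.sh.sample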
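# pf/Makefile: BSD ports Makefile. Recipe lines under pre-fetch, pre-install
# and post-install must be tab-indented in the extracted file (the archive
# listing shows them with a single space). The original kernel-source
# conditional had an unbalanced parenthesis and used && where the two
# checks are independent; it is split into two conditionals below.
echo x - pf/Makefile
sed 's/^X//' >pf/Makefile << 'END-of-pf/Makefile'
X# New ports collection makefile for: pf_freebsd
X# Date created: 08 May 2003
X# Whom: Max Laier <max at love2party.net>
X#
X# $FreeBSD$
X#
X
XPORTNAME= pf_freebsd
XPORTVERSION= 1.0
XCATEGORIES= security ipv6
XMASTER_SITES= http://pf4freebsd.love2party.net/
X.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
XPKGNAMESUFFIX= -altq
X.endif
XDISTNAME= ${PORTNAME}_${PORTVERSION}
X
XMAINTAINER= max at love2party.net
XCOMMENT= OpenBSD pf as a kldmodule
X
X# pkg-install asks questions at PRE-INSTALL time; batch/package builds skip it.
X.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
XIS_INTERACTIVE= yes
X.endif
X
X# Both are installed by post-install only if not already present.
XSTARTUP_SCRIPT= ${PREFIX}/etc/rc.d/pf.sh.sample
XSAMPLE_CONFIG= ${PREFIX}/etc/pf.conf.default
X
XMAN1= pftcpdump.1
XMAN4= pf.4
XMAN4+= pflog.4
XMAN4+= pfsync.4
XMAN5= pf.conf.5
XMAN8= ftp-proxy.8
XMAN8+= pfctl.8
XMAN8+= pflogd.8
XMAN8+= pftop.8
X
XMANCOMPRESSED= maybe
X
X# Kernel modules go below PREFIX, not /boot/kernel (the rc script kldloads
X# them from ${PREFIX}/modules).
XKMODDIR?= ${PREFIX}/modules
XMAKE_ARGS= KMODDIR="${KMODDIR}" MANDIR="${PREFIX}/man/man"
X
X# ALTQ support needs an externally patched kernel source tree (SYS_ALTQ).
X.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
XSYS_ALTQ?= /usr/src/sys.altq
XMAKE_ARGS+= WITH_ALTQ="yes" SYS_ALTQ="${SYS_ALTQ}"
XPLIST_SUB+= WITH_ALTQ=""
X.else
XPLIST_SUB+= WITH_ALTQ="@comment "
X.endif
X
X.include <bsd.port.pre.mk>
X
X# Only FreeBSD 5.x and later are supported.
X.if ${OSVERSION} < 500000
XBROKEN= "Sorry only for 5.0 and above"
X.endif
X
X# Building kernel modules needs the kernel sources; with WITH_ALTQ the
X# patched tree named by SYS_ALTQ is needed as well.
XSRC_BASE?= /usr/src
X.if !exists(${SRC_BASE}/sys/Makefile)
XBROKEN= "Kernel source files required"
X.endif
X.if defined(SYS_ALTQ) && !exists(${SYS_ALTQ}/Makefile)
XBROKEN= "Kernel source files required (SYS_ALTQ)"
X.endif
X
X.if !defined(WITH_ALTQ) || (${WITH_ALTQ} != "yes")
Xpre-fetch:
X	@${ECHO_CMD} "======================================================="
X	@${ECHO_CMD} "* If you have ALTQ support from: *"
X	@${ECHO_CMD} "* http://www.rofug.ro/projects/freebsd-altq/ *"
X	@${ECHO_CMD} "* You may define WITH_ALTQ=yes to make use of it *"
X	@${ECHO_CMD} "* Please define SYS_ALTQ to point to the patched src *"
X	@${ECHO_CMD} "* *"
X	@${ECHO_CMD} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=/usr/src/sys.altq *"
X	@${ECHO_CMD} "* *"
X	@${ECHO_CMD} "======================================================="
X	@sleep 2
X.endif
X
Xpre-install:
X	${MKDIR} ${KMODDIR}
X	${MKDIR} ${PREFIX}/include/pf
X	${MKDIR} ${PREFIX}/include/pf/net
X# Interactive builds only (matches IS_INTERACTIVE above): pkg-install may
X# edit /etc/services and /etc/inetd.conf and add the proxy user/group.
X.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
X	@${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
X.endif
X
Xpost-install:
X	${ECHO} "Installing include files ..."
X	${INSTALL_DATA} ${WRKSRC}/include/net/pfvar.h \
X		${PREFIX}/include/pf/net
X	${INSTALL_DATA} ${WRKSRC}/include/net/if_pflog.h \
X		${PREFIX}/include/pf/net
X	${INSTALL_DATA} ${WRKSRC}/include/net/if_pfsync.h \
X		${PREFIX}/include/pf/net
X# Whether the build compressed its man pages decides how pftcpdump(1) goes in.
X	@if [ -f ${WRKSRC}/man/pf.4.gz ]; then \
X		${ECHO} "Installing pftcpdump(1) man page."; \
X		gzip -cn ${WRKSRC}/freebsd_tcpdump/tcpdump.1 > \
X			${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz ; \
X		${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz \
X			${PREFIX}/man/man1/pftcpdump.1.gz ; \
X	else \
X		${ECHO} "Installing pftcpdump(1) man page."; \
X		${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1 \
X			${PREFIX}/man/man1/pftcpdump.1 ; \
X	fi
X# Never overwrite an administrator's existing script or configuration.
X	@if [ ! -f ${STARTUP_SCRIPT} ]; then \
X		${ECHO} "Installing ${STARTUP_SCRIPT} startup file." ; \
X		${INSTALL_SCRIPT} ${FILESDIR}/pf.sh.sample \
X			${STARTUP_SCRIPT} ; \
X	fi
X	@if [ ! -f ${SAMPLE_CONFIG} ]; then \
X		${ECHO} "Installing ${SAMPLE_CONFIG} config file." ; \
X		${INSTALL_DATA} ${FILESDIR}/pf.conf.default \
X			${SAMPLE_CONFIG}; \
X	fi
X	${SED} -e 's!%%PREFIX%%!${PREFIX}!' pkg-message
X
X.include <bsd.port.post.mk>
END-of-pf/Makefile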
# pf/distinfo: digest of the tarball fetched from MASTER_SITES
# (pf4freebsd.love2party.net). Only an MD5 digest is recorded; MD5 is not
# collision-resistant, so this guards against a corrupted download more
# than against a deliberately substituted distfile.
echo x - pf/distinfo
sed 's/^X//' >pf/distinfo << 'END-of-pf/distinfo'
XMD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e
END-of-pf/distinfo
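# pf/pkg-descr: package description shown by the ports tools. Spelling fixed
# ("in order", "Recommended", and the project site is benzedrine.cx).
echo x - pf/pkg-descr
sed 's/^X//' >pf/pkg-descr << 'END-of-pf/pkg-descr'
XThis is a port of OpenBSD's pf (packet filter) to FreeBSD as a loadable
Xkernel module ported by Pyun YongHyeon. Information about pf can be found
Xat: http://www.benzedrine.cx/pf.html the website of Daniel Hartmeier the
Xoriginal author of pf.
XYou have to have:
X=========================================================================
Xoptions PFIL_HOOKS
Xoptions RANDOM_IP_ID # Recommended, but may work without
X=========================================================================
Xin your kernel in order to use pf.
X
XWWW: http://pf4freebsd.love2party.net/
X
X-Max <reports at pf4freebsd.love2party.net>
END-of-pf/pkg-descr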
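# pf/pkg-install: run from the Makefile's pre-install target as
# "pkg-install <pkgname> PRE-INSTALL" with PKG_PREFIX in the environment.
# It may edit /etc/services and /etc/inetd.conf and add a group and a user,
# so it runs with root privileges; every change is confirmed first unless
# PACKAGE_BUILDING is set (then each question takes its default).
echo x - pf/pkg-install
sed 's/^X//' >pf/pkg-install << 'END-of-pf/pkg-install'
X#!/bin/sh
X# an installation script for pf_freebsd copied from Wnn6
X#
X# Makes sure the ftp-proxy service entry, the "proxy" group and the
X# "proxy" user exist before the package is installed.
X
X# Abort unless pw(8) is available; all account changes go through it.
Xcheck_pw()
X{
X if which -s pw; then
X :
X else
X cat <<EOF
X
XThis system looks like a pre-2.2 version of FreeBSD. We see that it
Xis missing the "pw" utility. We need this utility. Please get and
Xinstall it, and try again. You can get the source from:
X
X ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.sbin/pw.tar.gz
X
XEOF
X exit 1
X fi
X}
X
X# Print a question and echo the answer on stdout.
X#   $1 - question text, $2 - default answer
X# The default is used when the user enters nothing or PACKAGE_BUILDING is set.
Xask() {
X local question default answer
X
X question=$1
X default=$2
X answer=
X if [ -z "${PACKAGE_BUILDING}" ]; then
X read -p "${question} (y/n) [${default}]? " answer
X fi
X if [ -z "${answer}" ]; then
X answer=${default}
X fi
X echo "${answer}"
X}
X
X# Ask until a yes/no answer is given; returns 0 for yes, 1 for no.
X#   $1 - question text, $2 - default answer
Xyesno() {
X local dflt question answer
X
X question=$1
X dflt=$2
X while :; do
X answer=$(ask "${question}" "${dflt}")
X case "${answer}" in
X [Yy]*) return 0;;
X [Nn]*) return 1;;
X esac
X echo "Please answer yes or no."
X done
X}
X
X# Ensure "$name $number/$type" is listed in /etc/services, offering to add it.
X#   $1 - service name, $2 - port number, $3 - protocol, $4 - comment text
X# Returns 0 when the entry exists or was added, 1 otherwise.
Xcheck_service() {
X local name number type comment file
X
X name=$1
X number=$2
X type=$3
X comment=$4
X file="/etc/services"
X
X # Match real entries only: field 1 is the name, field 2 is port/proto.
X # A plain grep would also match comments or other services that merely
X # mention the name.
X if awk -v n="${name}" -v p="${number}/${type}" \
X '$1 == n && $2 == p { found = 1 } END { exit !found }' "${file}"; then
X return 0
X fi
X
X echo "This system has no entry for ${name} in ${file}"
X if yesno "Would you like to add it automatically?" y; then
X # Build the replacement next to the original and rename it into place,
X # so ${file} is never absent or half-written if this is interrupted.
X # Any existing entry whose first field is ${name} is dropped first.
X if ! awk -v n="${name}" '$1 != n' "${file}" > "${file}.new" ||
X ! echo "${name} ${number}/${type} # ${comment}" >> "${file}.new" ||
X ! mv -f "${file}.new" "${file}"; then
X rm -f "${file}.new"
X echo "Could not update ${file}; please add '${name} ${number}/${type}' by hand."
X return 1
X fi
X else
X echo "Please add '${name} ${number}/${type}' into ${file}, and try again."
X return 1
X fi
X return 0
X}
X
X# Ensure group "$name" exists (with whatever GID it already has); otherwise
X# offer to create it with GID $id. Returns 0 on success, 1 on failure.
X#   $1 - group name, $2 - wanted GID
Xcheck_group() {
X local name id
X
X name=$1
X id=$2
X # We need a command 'pw(8)'
X check_pw
X if pw groupshow "${name}" -q; then
X return 0
X fi
X # -N performs pw's checks without committing to the database.
X if pw groupadd -g "${id}" -n "${name}" -N -q; then
X echo ""
X echo "You need a group '${name}' whose ID number is ${id}"
X if yesno "Would you like to create it automatically?" y; then
X pw groupadd -g "${id}" -n "${name}" && return 0
X else
X echo "Please create it, and try again."
X return 1
X fi
X fi
X echo ""
X echo "I was not able to add group '${name}:*:${id}:' as pw reported:"
X pw groupadd -g "${id}" -n "${name}" -N
X echo "Please correct this and try again!"
X echo ""
X return 1
X}
X
X# Ensure user "$name" exists. A different account already holding UID $id
X# is fatal (exit 1); an existing "$name" with another UID is accepted.
X# Otherwise offer to create "$name" with UID $id in group $group, without
X# a home directory or login shell. Returns 0 on success, 1 if declined.
X#   $1 - user name, $2 - wanted UID, $3 - primary group
Xcheck_user() {
X local name id group id_id id_name
X
X name=$1
X id=$2
X group=$3
X # id(1) takes a numeric argument as a UID, so id_id names whoever holds $id.
X id_id=$(id -u "${id}" 2> /dev/null)
X id_name=$(id -u "${name}" 2> /dev/null)
X if [ X"${id_name}" = X"${id}" ]; then
X return 0
X elif [ X"${id_id}" != X ]; then
X cat <<EOF
X
X+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
XThis system already has an account whose name is not '${name}' and ID
Xnumber is ${id}.
X
X '$(id "${id}")'
X
XFor ftp-proxy in this port or package, ID number of '${name}' has to be ${id}.
XPlease try again after you delete the account.
X+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
XEOF
X exit 1
X elif [ X"${id_name}" != X ]; then
X cat <<EOF
X
XThere is a user '${name}' with ID '${id_name}'. I'll try to use this account.
X
XEOF
X return 0
X fi
X
X # add an account '$name' to this system
X echo ""
X echo "You need an account '${name}' whose ID number is ${id}"
X if yesno "Would you like to create it automatically?" y; then
X # We need a command 'pw(8)'
X check_pw
X # Service account: no home directory and no login shell.
X pw useradd "${name}" -u "${id}" -g "${group}" -h - -d /nonexistent \
X -s /nonexistent -c "${name}" || exit
X else
X echo "Please create it, and try again."
X return 1
X fi
X return 0
X}
X
Xcase "$2" in
XPRE-INSTALL)
X
X if ! check_service ftp-proxy 8021 tcp "ftp-proxy service port"; then
X exit 1
X fi
X # Only a commented-out sample line is added to inetd.conf; enabling
X # ftp-proxy under inetd (as root) is left to the administrator.
X if grep -q ftp-proxy /etc/inetd.conf; then
X echo "Found ftp-proxy entry in inetd.conf ..."
X else
X echo "Adding sample entry for ftp-proxy to /etc/inetd.conf"
X echo "#ftp-proxy stream tcp nowait root ${PKG_PREFIX}/libexec/ftp-proxy ftp-proxy" >> /etc/inetd.conf
X fi
X if ! check_group proxy 71 ; then
X exit 1
X fi
X # Use the GID "proxy" actually has; it may differ from 71 if it pre-existed.
X groupid=$(pw groupshow proxy | awk -F: '{ print $3 }')
X if ! check_user proxy 71 "${groupid}"; then
X exit 1
X fi
X ;;
X
Xesac
END-of-pf/pkg-install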
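# pf/pkg-message: printed by post-install with %%PREFIX%% substituted.
# NOTE(review): the plist installs etc/rc.d/pf.sh.sample while this text
# refers to etc/rc.d/pf.sh -- confirm the intended rename/copy step is
# documented for the user. Spelling fixed ("following").
echo x - pf/pkg-message
sed 's/^X//' >pf/pkg-message << 'END-of-pf/pkg-message'
X===========================================================================
XPlease set the following variables in rc.conf according to your needs:
X
X pf_enable = "Yes"
X pf_logd = "Yes"
X pf_conf = "%%PREFIX%%/etc/pf.conf"
X
XThey are used within %%PREFIX%%/etc/rc.d/pf.sh to bring pf up!
X===========================================================================
END-of-pf/pkg-message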
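# pf/pkg-plist: files removed on deinstall. The mailing-list archive rendered
# "@" as " at " (as in the maintainer address), which turned the @dirrm
# directives into plain file names; they are restored here.
echo x - pf/pkg-plist
sed 's/^X//' >pf/pkg-plist << 'END-of-pf/pkg-plist'
Xlibexec/ftp-proxy
X
Xmodules/linker.hints
Xmodules/pf.ko
Xmodules/pflog.ko
Xmodules/pfsync.ko
X%%WITH_ALTQ%%modules/pfaltq.ko
X
Xsbin/pfctl
Xsbin/pflogd
Xsbin/pftcpdump
Xsbin/pftop
X
Xetc/rc.d/pf.sh.sample
Xetc/pf.conf.default
X
Xinclude/pf/net/pfvar.h
Xinclude/pf/net/if_pflog.h
Xinclude/pf/net/if_pfsync.h
X
X@dirrm modules
X@dirrm include/pf/net
X@dirrm include/pf
END-of-pf/pkg-plist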
# End of the shell archive; sh stops here, so any trailing mail text is ignored.
exit
--- pf_port.shar ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: