From Gerhard.Sittig@gmx.net  Wed Jul 26 14:26:27 2000
Return-Path: <Gerhard.Sittig@gmx.net>
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20])
	by hub.freebsd.org (Postfix) with SMTP id D17AE37B674
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 26 Jul 2000 14:26:24 -0700 (PDT)
	(envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 28219 invoked by uid 0); 26 Jul 2000 21:26:20 -0000
Received: from p3ee0b80b.dip.t-dialin.net (HELO speedy.gsinet) (62.224.184.11)
  by mail.gmx.net with SMTP; 26 Jul 2000 21:26:20 -0000
Received: (from sittig@localhost)
	by speedy.gsinet (8.8.8/8.8.8) id XAA27938
	for FreeBSD-gnats-submit@freebsd.org; Wed, 26 Jul 2000 23:19:46 +0200
Message-Id: <20000726231946.L24476@speedy.gsinet>
Date: Wed, 26 Jul 2000 23:19:46 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfilter hooks in rc.network
X-Send-Pr-Version: 3.2

>Number:         20202
>Category:       conf
>Synopsis:       ipfilter hooks in rc.network
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          wish
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 26 14:30:00 PDT 2000
>Closed-Date:    Thu Nov 23 14:23:07 PST 2000
>Last-Modified:  Thu Nov 23 14:23:25 PST 2000
>Originator:     Gerhard Sittig
>Release:        FreeBSD 4.0-STABLE i386
>Organization:
in private
>Environment:

FreeBSD 4.0-R up to 4.1-RC (I'm sure about -STABLE up to
2000-06-12, but haven't seen any related commit until today when
the 4.1 release build was done)

FreeBSD 3.x branch too (with different rc notation style, I
guess)

>Description:

FreeBSD has ipfilter in the contrib subtree, but the rc scripts
don't have hooks for the involved programs.  This PR wants to
provide these hooks.  I feel that a /usr/local/etc/rc.d script
comes in too late.  And using the firewall_script setting in
rc.conf will load ipfw which I fear to collide with ipf (if not
now then maybe in future versions -- I just want to be sure).
That's why I think that the below patch is the most intuitive and
maintainable approach to employing ipfilter in a FreeBSD
environment.

Of course all admins running ipfilter on a FreeBSD system could
do these modifications (if only to rc.network and rc.conf) by
themselves, but chances are that these will prevent upgrades and
other merges from applying cleanly.  That's why I feel these ipf
hooks should come with FreeBSD right from installation time.
IIUC now that Darren has direct commit privileges ipfilter seems
to make it even closer into the FreeBSD core system.

>How-To-Repeat:

Just install a FreeBSD system (or step in front of an existing
one) and try to find the lever to throw which will start your ipf
ruleset -- it's missing, or it's not obvious where to slip into
the existing firewall knobs for the desired effect. :)

>Fix:

I was inspired by the http://www.free-x.ch/pub/ipf-conf-en.html
document which discusses how to configure ipf on FreeBSD, but it
seems a little outdated and no longer fits the 4.x rc script
style -- see the message

-------------------------------------------------------
Date: Mon, 26 Jun 2000 22:08:52 +0200
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: security@FreeBSD.ORG
Subject: ipfilter hooks in rc.network
Message-ID: <20000626220852.M9883@speedy.gsinet>
-------------------------------------------------------

and the mini thread it started on what confusion it caused on my
side. :)  And how it was refused for not fitting into today's rc
script style. :(

So I cleaned it up and hope I found all the involved places
(code, config, doc).  The diff to follow is the result of running
'rcsdiff -u -r1.1 /usr/src/etc/rc.network
/usr/src/etc/defaults/rc.conf /usr/src/share/man/man5/rc.conf.5'
on a locally modified copy of FreeBSD RELENG_4 as of June 12th
(although white spaces could be mangled by copy&paste and mail
transfer -- I'm reluctant to use attachments when filing a PR).

Example usage could look like editing /etc/ipf.rules and
/etc/ipnat.rules and putting

---------------------------------------------
ipfilter_enable="YES"
ipfilter_flags=""
ipnat_enable="YES"
ipmon_flags="-D /var/log/ipmon.log"
---------------------------------------------

into /etc/rc.conf.

The manpage diff surely is in need of some rewording or markup
checking -- neither troff nor English are native languages to me.
But I tried my best to "look like what's already there".  And I
tried to keep future diffs as short as possible in case some
points are missing or wrong -- hence the short and mucho broken
lines in the doc part.

Have the appropriate amount of fun ... :)

===================================================================
RCS file: /usr/src/etc/rc.network,v
retrieving revision 1.1
diff -u -r1.1 /usr/src/etc/rc.network
--- /usr/src/etc/rc.network	2000/07/26 17:52:35	1.1
+++ /usr/src/etc/rc.network	2000/07/26 18:00:04
@@ -20,6 +20,39 @@
 		echo -n ' hostname'
 	fi
 
+	# Establish ipfilter ruleset as early as possible (best in
+	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
+	#
+	case "${ipfilter_enable}" in
+	[Yy][Ee][Ss])
+		if [ -r "${ipfilter_rules}" ]; then
+			echo -n ' ipfilter';
+			${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
+			case "${ipmon_flags}" in
+			[Nn][Oo])
+				;;
+			*)
+				echo -n ' ipmon'
+				ipmon ${ipmon_flags}
+				;;
+			esac
+			case "${ipnat_enable}" in
+			[Yy][Ee][Ss])
+				if [ -r "${ipnat_rules}" ]; then
+					echo -n ' ipnat';
+					${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
+				else
+					echo -n ' NO IPNAT RULES'
+				fi
+				;;
+			esac
+		else
+			ipfilter_enable="NO"
+			echo -n ' NO IPF RULES'
+		fi
+		;;
+	esac
+
 	# Set the domainname if we're using NIS
 	#
 	case ${nisdomainname} in
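Review bot: the exit status of `${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}` is never examined, so a rules file that fails to parse leaves the host booting with an empty or partial ruleset while the console still reports ` ipfilter`; test the status and take the `NO IPF RULES` path, or at least print a warning, when it is non-zero. The missing-rules branch has the same shape: it sets `ipfilter_enable="NO"` and carries on, which is fail-open unless IPFILTER_DEFAULT_BLOCK is in the kernel, as the leading comment hints; saying so in that comment would help. Lastly, `case "${ipmon_flags}" in [Nn][Oo])` routes an empty `ipmon_flags` to the `*)` branch, so blanking the variable in rc.conf starts `ipmon` with no arguments at all.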
===================================================================
RCS file: /usr/src/etc/defaults/rc.conf,v
retrieving revision 1.1
diff -u -r1.1 /usr/src/etc/defaults/rc.conf
--- /usr/src/etc/defaults/rc.conf	2000/07/26 18:00:40	1.1
+++ /usr/src/etc/defaults/rc.conf	2000/07/26 18:05:17
@@ -51,6 +51,21 @@
 natd_enable="NO"                # Enable natd (if firewall_enable == YES).
 natd_interface="fxp0"           # Public interface or IPaddress to use.
 natd_flags=""                   # Additional flags for natd.
+ipfilter_enable="NO"		# Set to YES to enable ipfilter functionality
+ipfilter_program="/sbin/ipf -Fa -f"
+				# program and how to specify the rules file,
+				# see /etc/rc.network (pass1) for details
+ipfilter_rules="/etc/ipf.rules"	# rules definition file for ipfilter, see
+				# /usr/src/contrib/ipfilter/rules for examples
+ipfilter_flags="-E"		# should be *empty* when ipf is _not_ a module
+				# (i.e. compiled into the kernel) to
+				# avoid a warning about "already initialized"
+ipnat_enable="NO"		# Set to YES for ipnat; needs ipfilter, too!
+ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
+ipnat_rules="/etc/ipnat.rules"	# rules definition file for ipnat
+ipnat_flags=""			# additional flags for ipnat
+ipmon_flags="-Ds"		# typically "-Ds" or "-D /var/log/ipflog",
+				# can be "NO" as well to deactivate ipmon
 tcp_extensions="NO"		# Set to YES to turn on RFC1323 extensions.
 log_in_vain="NO"		# YES to log connects to ports w/o listeners.
 tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
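Review bot: `ipfilter_program="/sbin/ipf -Fa -f"` is the default here, but the in-script fallback in rc.network is a bare `ipf -Fa -f` (likewise `ipnat -CF -f`), which depends on PATH at boot; use the same absolute path in both places, or drop the fallbacks so this file is the single source of the default. The `ipmon_flags` line also overloads a flags variable as an on/off switch (`"NO"`), unlike the `natd_enable`/`natd_flags` pair three lines up; a separate `ipmon_enable` would match the existing style. The comment column of the new lines is tab-aligned differently from the space-aligned `natd_*` lines directly above.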
===================================================================
RCS file: /usr/src/share/man/man5/rc.conf.5,v
retrieving revision 1.1
diff -u -r1.1 /usr/src/share/man/man5/rc.conf.5
--- /usr/src/share/man/man5/rc.conf.5	2000/07/26 18:07:06	1.1
+++ /usr/src/share/man/man5/rc.conf.5	2000/07/26 20:37:43
@@ -154,6 +154,8 @@
 .Ar YES ,
 and the kernel was not built with IPFIREWALL, the ipfw
 kernel module will be loaded.
+See also
+.Ar ipfilter_enable .
 .It Ar firewall_script
 (str) If you want to run a firewall script other than
 .Pa /etc/rc.firewall ,
@@ -206,6 +208,165 @@
 flag is automatically added with the above
 .Ar natd_interface
 as an argument.
+.\" ----- ipfilter_enable seting --------------------------------
+.It Ar ipfilter_enable
+(bool) Set to
+.Ar NO
+by default.
+Setting this to
+.Ar YES
+enables
+.Xr ipf 8
+packet filtering.
+Strictly speaking almost any filter could be established
+"abusing" this setting and the fact that
+.Ar ipfilter_program ,
+.Ar ipfilter_rules
+and
+.Ar ipfilter_flags
+are concatenated to form a command,
+as long as the file specified in
+.Ar ipfilter_rules
+is readable.
+.Ar ipnat_program ,
+.Ar ipnat_rules
+and
+.Ar ipnat_flags
+are handled in a similar way.
+.Ar ipmon_flags
+only come into effect with this option enabled, too.
+See
+.Pa /etc/rc.network
+for details.
+.Pp
+Typical usage will require putting
+.Bd -literal
+ipfilter_enable="YES"
+ipfilter_flags=""
+ipnat_enable="YES"
+ipmon_flags="-D /var/log/ipmon.log"
+
+.Ed
+into
+.Pa /etc/rc.conf
+and editing
+.Pa /etc/ipf.rules
+and
+.Pa /etc/ipnat.rules
+appropriately.
+Turning off
+.Ar firewall_enable
+when using ipf is recommended.
+Having
+.Bd -literal
+options  IPFILTER
+options  IPFILTER_LOG
+options  IPFILTER_DEFAULT_BLOCK
+
+.Ed
+in the kernel configuration file is a good idea, too.
+.\" ----- ipfilter_program setting ------------------------------
+.It Ar ipfilter_program
+(str) Set to
+.Ar /sbin/ipf -Fa -f
+by default.
+This variable contains a command line
+up to (but not including) the filter rule definition
+(expected to live in a separate file).
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipfilter_rules setting --------------------------------
+.It Ar ipfilter_rules
+(str) Set to
+.Ar /etc/ipf.rules
+by default.
+This variable contains the name of the filter rule definition file.
+The file is expected to be readable for the filter command to execute.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipfilter_flags setting --------------------------------
+.It Ar ipfilter_flags
+(str) Set to
+.Ar -E
+by default.
+This variable contains flags appended to the filter command
+after the rule definition filename.
+The default setting will initialize an on demand loaded ipf module.
+When compiling ipfilter directly into your kernel (as is recommended)
+the variable should be empty to avoid a warning about initializing
+the code more than once.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipnat_enable setting ----------------------------------
+.It Ar ipnat_enable
+(bool) Set to
+.Ar NO
+by default.
+Set it to
+.Ar YES
+to enable
+.Xr ipnat 8
+network address translation
+(also referred to as masquerading sometimes).
+Setting this variable needs setting
+.Ar ipfilter_enable ,
+too.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipnat_program setting ---------------------------------
+.It Ar ipnat_program
+(str) Set to
+.Ar /sbin/ipnat -CF -f
+by default.
+This variable contains a command line
+up to (but not including) the translation rule definition
+(expected to live in a separate file).
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipnat_rules setting -----------------------------------
+.It Ar ipnat_rules
+(str) Set to
+.Ar /etc/ipnat.rules
+by default.
+This variable contains the name of the file
+holding the network address translation definition.
+This file is expected to be readable for the NAT command to execute.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipnat_flags setting -----------------------------------
+.It Ar ipnat_flags
+(str) Empty by default.
+This variable contains additional flags
+appended to the ipnat command line
+after the rule definition filename.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipmon_flags setting -----------------------------------
+.It Ar ipmon_flags
+(str) Set to
+.Ar -Ds
+by default.
+This variable contains flags passed to the
+.Xr ipmon 8
+program.
+Set this variable to
+.Pa NO
+to disable monitoring the packet filter.
+Any other value (as well as empty settings)
+will enable monitoring, when
+.Ar ipfilter_enable
+is set.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- end of added ipf hook ---------------------------------
 .It Ar tcp_extensions
 (bool) Set to
 .Ar NO
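Review bot: spelling in the added sections: `seting` in the `ipfilter_enable` marker comment and `detailled` (for `detailed`) in every `for a detailled discussion.` line. Under `ipmon_flags`, `.Pa NO` marks the value as a pathname while the rest of this text uses `.Ar NO` for the same value, so `.Ar` belongs there too. The `ipmon_flags` text is also the only place that says an empty setting starts the monitor; since rc.conf readers commonly blank a variable to turn something off, an enable/flags split like `natd_*` would be safer than documenting the exception.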
===================================================================


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
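The rc.conf knobs and dependencies this submission describes (ipnat and ipmon only take effect with ipfilter_enable, both rules files must be readable, ipfilter_flags should be empty when IPFILTER is compiled in, firewall_enable off when using ipf), turned into a pre-boot sanity check. This is an added example for this page, not code from the PR or from FreeBSD; the function names, the KERNCONF argument and the sample files it builds are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the PR or of FreeBSD: a sanity check for the
# ipfilter rc.conf knobs, applying only the rules the PR states.
#
# check_ipf_conf RCCONF KERNCONF
#   RCCONF   an rc.conf-style file to check (it overrides the defaults
#            below, as /etc/rc.conf overrides /etc/defaults/rc.conf)
#   KERNCONF a kernel configuration file (this argument is the example's
#            own idea; the PR's rc.network does not read the kernel config)
# Prints one line per finding, nothing when the configuration is consistent.
check_ipf_conf() {
    rcconf=$1
    kernconf=$2

    # Defaults as in the patch's /etc/defaults/rc.conf.
    firewall_enable="NO"
    ipfilter_enable="NO"; ipfilter_rules="/etc/ipf.rules"; ipfilter_flags="-E"
    ipnat_enable="NO";    ipnat_rules="/etc/ipnat.rules"
    ipmon_enable="NO"
    . "$rcconf"

    case "$ipfilter_enable" in
    [Yy][Ee][Ss]) ;;
    *)
        # ipnat and ipmon are only started inside the ipfilter branch of
        # rc.network, so enabling them alone silently does nothing.
        case "$ipnat_enable" in
        [Yy][Ee][Ss]) echo "ipnat_enable=YES has no effect without ipfilter_enable=YES" ;;
        esac
        case "$ipmon_enable" in
        [Yy][Ee][Ss]) echo "ipmon_enable=YES has no effect without ipfilter_enable=YES" ;;
        esac
        return 0
        ;;
    esac

    # rc.network skips the whole block when the rules file is unreadable;
    # without IPFILTER_DEFAULT_BLOCK in the kernel that is fail-open.
    if [ ! -r "$ipfilter_rules" ]; then
        echo "ipfilter_rules=$ipfilter_rules is not readable: no ruleset would be loaded"
        if ! grep -q '^options[[:space:]]*IPFILTER_DEFAULT_BLOCK' "$kernconf"; then
            echo "IPFILTER_DEFAULT_BLOCK is not in $kernconf: a missing ruleset is fail-open"
        fi
    fi
    case "$ipnat_enable" in
    [Yy][Ee][Ss])
        [ -r "$ipnat_rules" ] || echo "ipnat_rules=$ipnat_rules is not readable: NAT would not be set up"
        ;;
    esac
    # The manpage text recommends turning firewall_enable off with ipf,
    # since firewall_enable loads ipfw (and its module) beside ipf.
    case "$firewall_enable" in
    [Yy][Ee][Ss]) echo "firewall_enable=YES next to ipfilter_enable=YES: ipfw would be loaded too" ;;
    esac
    # -E initialises an on-demand loaded module; when IPFILTER is compiled
    # into the kernel the flags should be empty (the patch's own comment).
    if [ -n "$ipfilter_flags" ] && grep -q '^options[[:space:]]*IPFILTER[[:space:]]*$' "$kernconf"; then
        echo "ipfilter_flags=\"$ipfilter_flags\" with IPFILTER compiled in: should be empty"
    fi
    return 0
}

# make_fixtures: writes constructed sample files into a temp dir and prints
# its path.  File contents are invented for this example.
make_fixtures() {
    dir=$(mktemp -d)
    printf 'options  IPFILTER\noptions  IPFILTER_LOG\n' > "$dir/KERNEL"
    printf 'block in all\n' > "$dir/ipf.rules"
    cat > "$dir/good.conf" <<EOF
ipfilter_enable="YES"
ipfilter_rules="$dir/ipf.rules"
ipfilter_flags=""
ipmon_enable="YES"
EOF
    cat > "$dir/bad.conf" <<EOF
firewall_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="$dir/missing.rules"
ipnat_enable="YES"
ipnat_rules="$dir/missing.nat"
EOF
    echo "$dir"
}

d=$(make_fixtures)
echo "== good.conf"; check_ipf_conf "$d/good.conf" "$d/KERNEL"
echo "== bad.conf";  check_ipf_conf "$d/bad.conf"  "$d/KERNEL"
rm -rf "$d"
```

Run against a real /etc/rc.conf and kernel config the check reports nothing for the consistent example from the PR and five findings for the deliberately broken file, the fail-open one being the point the `IPFILTER_DEFAULT_BLOCK` comment in the patch hints at.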

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Thu Jul 27 04:46:53 PDT 2000 
Responsible-Changed-Why:  
Over to Mr. IPFilter. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20202 

From: Doug Barton <DougB@gorean.org>
To: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: conf/20202: ipfilter hooks in rc.network
Date: Fri, 28 Jul 2000 17:49:10 -0700

 Gerhard Sittig wrote:
 
 > >Synopsis:       ipfilter hooks in rc.network
 
 	I'm in favor of this change. I would suggest one fix to your patch
 though...
 
 > +                       case "${ipmon_flags}" in
 > +                       [Nn][Oo])
 > +                               ;;
 > +                       *)
 > +                               echo -n ' ipmon'
 > +                               ipmon ${ipmon_flags}
 > +                               ;;
 > +                       esac
 
 
 That should be:
 
 [Nn][Oo] | '')
 
 since the user could empty out that variable field in rc.conf.
 
 Doug
 

From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: Doug Barton <DougB@gorean.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: conf/20202: ipfilter hooks in rc.network
Date: Sat, 29 Jul 2000 09:41:47 +0200

 On Fri, Jul 28, 2000 at 17:49 -0700, Doug Barton wrote:
 > Gerhard Sittig wrote:
 > 
 > > >Synopsis:       ipfilter hooks in rc.network
 > 
 > 	I'm in favor of this change. I would suggest one fix to your patch
 > though...
 > 
 > > +                       case "${ipmon_flags}" in
 > > +                       [Nn][Oo])
 > > +                               ;;
 > > +                       *)
 > > +                               echo -n ' ipmon'
 > > +                               ipmon ${ipmon_flags}
 > > +                               ;;
 > > +                       esac
 > 
 > 
 > That should be:
 > 
 > [Nn][Oo] | '')
 > 
 > since the user could empty out that variable field in rc.conf.
 
 Then don't forget to document this behaviour in the rc.conf
 comment and the manpage. :)  I tried to make clear that empty
 settings are valid for command invocation and that saying NO is
 the way to shut it down.  And administrators should be able to
 read the accompanying doc, especially when it's a comment right
 beside the switch. :>
 
 For consistency:  How do neighbouring switches behave for
 programs which don't "need" a parameter (like named, sshd, etc)?
 (This question is merely for the record and for consideration if
 rc style should change.)
 
 And there's something else to keep in mind:  The SYNOPSIS section
 of "man ipmon" shows no parameters as a valid invocation.
 Reading the DESCRIPTION leads to the conclusion that usually -s
 or a filename is to be specified.  And -D typically is used at
 boot time.  But will it always be that way?  Could these settings
 come from config files in future versions?  I don't want to
 conclude from the observation that invocation with no flags is
 not suitable at present that it will always be that way.
 
 
 To cut it short:  Darren Reed (more as the ipf author and
 maintainer than as the assigned responsible individual for this
 PR) could judge best whether empty flags are a suitable way of
 saying "I don't want to run ipmon" - as is now - or whether there
 could be confusion about "should I start ipmon without flags or
 should I leave it at all" in later releases.
 
 If there's a chance for confusion it turns out that ipmon needs a
 triple of enable / program / flags settings, too.  The *_program
 variables are actually meant for different pathnames only, BTW.
 But they could very well be abused to plug in different programs
 (renamed or "version named" executables, completely different
 programs with similar invocation synopsis, etc).
 
 
 virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
 Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
 -- 
      If you don't understand or are scared by any of the above
              ask your parents or an adult to help you.
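The empty-string case Doug Barton raises and the enable/program/flags triple Gerhard proposes in reply, side by side, as an added example that is not part of this thread; the gate_v1/gate_v2/gate_v3 names are this example's own, and no ipmon is run.

```shell
#!/bin/sh
# Added example (not code from the PR): how three candidate gates for
# starting ipmon treat values an administrator might put in rc.conf.
# Nothing is executed; each function only reports the decision.

# Gate from the first patch: only a literal NO (any case) skips ipmon.
# The catch-all '*' also matches the empty string, so ipmon_flags=""
# would start ipmon with no flags at all.
gate_v1() {
    case "$1" in
    [Nn][Oo]) echo skip ;;
    *)        echo start ;;
    esac
}

# Doug Barton's suggested pattern: NO or an emptied-out variable both skip.
gate_v2() {
    case "$1" in
    [Nn][Oo] | '') echo skip ;;
    *)             echo start ;;
    esac
}

# The enable/program/flags triple of the second patch: the decision moves
# to ipmon_enable, and ipmon_flags is free to be empty or anything else.
gate_v3() {
    case "$1" in
    [Yy][Ee][Ss]) echo start ;;
    *)            echo skip ;;
    esac
}

for flags in "-Ds" "-D /var/log/ipflog" "" "NO" "no"; do
    printf 'ipmon_flags="%s": first patch -> %s, suggested pattern -> %s\n' \
        "$flags" "$(gate_v1 "$flags")" "$(gate_v2 "$flags")"
done
for enable in "YES" "yes" "" "NO"; do
    printf 'ipmon_enable="%s": second patch -> %s\n' "$enable" "$(gate_v3 "$enable")"
done
```

The only input on which the first two gates disagree is the empty string, which is exactly the case an administrator produces by blanking the variable; the third gate makes that input irrelevant to the start/skip decision.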
 

From: Doug Barton <DougB@gorean.org>
To: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: conf/20202: ipfilter hooks in rc.network
Date: Sat, 29 Jul 2000 13:02:43 -0700

 Gerhard Sittig wrote:
 > 
 > On Fri, Jul 28, 2000 at 17:49 -0700, Doug Barton wrote:
 
 > > That should be:
 > >
 > > [Nn][Oo] | '')
 > >
 > > since the user could empty out that variable field in rc.conf.
 > 
 > Then don't forget to document this behaviour in the rc.conf
 > comment and the manpage. :)
 
 	Actually, it's your proposal, you're responsible for bringing it into line
 with current style and practice. I'm just pointing out a deficiency. 
 
 > If there's a chance for confusion it turns out that ipmon needs a
 > triple of enable / program / flags settings, too.  
 
 	That is correct. I actually missed the fact that it didn't have one in my
 previous examination of your patch, my apologies. It was determined a while
 back, even before I started fiddling with the rc* files that all services
 run from rc and friends should have _enable, _program, and (where
 appropriate) _flags. Relying on the user to properly read and interpret
 your exceptional case for ipmon is too much to expect. 
 
 Doug
 

From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: Doug Barton <DougB@gorean.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: conf/20202: ipfilter hooks in rc.network
Date: Sun, 30 Jul 2000 09:18:15 +0200

 On Sat, Jul 29, 2000 at 13:02 -0700, Doug Barton wrote:
 > Gerhard Sittig wrote:
 > > 
 > > On Fri, Jul 28, 2000 at 17:49 -0700, Doug Barton wrote:
 > 
 > [ ... allowing empty ipmon_flags setting patch ... ]
 > 
 > Actually, it's your proposal, you're responsible for bringing
 > it into line with current style and practice. I'm just pointing
 > out a deficiency. 
 
 Sorry, didn't know about this.  I took it that I gave some
 feedback and provided an initial version of how it could be
 achieved.  I thought anyone could follow and contribute to this
 PR as chances are the initiator is not very good at doing
 this. :)  After all I'm still new to FreeBSD.  But it's getting
 better with your help.
 
 See the enhanced and cleaned up version attached (in form of a
 patch to be applied after the first is in place).  Sorry for
 causing the second lap, but I'd like to use this as a chance to
 learn how to do better next time. :>
 
 > > If there's a chance for confusion it turns out that ipmon
 > > needs a triple of enable / program / flags settings, too.  
 
 That's what it has now.  And I hope the manpage stuff is somewhat
 clearer now about dependencies and when it comes to using these
 hooks for some other programs than the ipf(8), ipnat(8), ipmon(8)
 suite.
 
 And I'm absolutely unsure of how much of an overkill it is to
 deliver default _program settings in /etc/defaults/rc.conf and
 having fallbacks in /etc/rc.network, too.  But it seems to fail
 on the safe side.
 
 ===================================================================
 RCS file: /usr/src/etc/rc.network,v
 retrieving revision 1.2
 diff -u -r1.2 /usr/src/etc/rc.network
 --- /usr/src/etc/rc.network	2000/07/26 20:46:28	1.2
 +++ /usr/src/etc/rc.network	2000/07/30 05:57:19
 @@ -28,12 +28,10 @@
  		if [ -r "${ipfilter_rules}" ]; then
  			echo -n ' ipfilter';
  			${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
 -			case "${ipmon_flags}" in
 -			[Nn][Oo])
 -				;;
 -			*)
 +			case "${ipmon_enable}" in
 +			[Yy][Ee][Ss])
  				echo -n ' ipmon'
 -				ipmon ${ipmon_flags}
 +				${ipmon_program:-ipmon} ${ipmon_flags}
  				;;
  			esac
  			case "${ipnat_enable}" in
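Review bot: `${ipmon_program:-ipmon}` falls back to a bare `ipmon` while this same patch sets `ipmon_program="/sbin/ipmon"` in defaults/rc.conf; use `/sbin/ipmon` in the fallback too (and `/sbin/ipf`, `/sbin/ipnat` for the two lines above it), or remove the in-script fallbacks altogether, as the cover note itself wonders, so that one file defines the default. With the `ipmon_enable` gate in place an empty `ipmon_flags` now only means "no extra flags", which resolves the earlier ambiguity.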
 ===================================================================
 RCS file: /usr/src/etc/defaults/rc.conf,v
 retrieving revision 1.2
 diff -u -r1.2 /usr/src/etc/defaults/rc.conf
 --- /usr/src/etc/defaults/rc.conf	2000/07/26 20:46:48	1.2
 +++ /usr/src/etc/defaults/rc.conf	2000/07/30 06:51:21
 @@ -64,8 +64,9 @@
  ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
  ipnat_rules="/etc/ipnat.rules"	# rules definition file for ipnat
  ipnat_flags=""			# additional flags for ipnat
 -ipmon_flags="-Ds"		# typically "-Ds" or "-D /var/log/ipflog",
 -				# can be "NO" as well to deactivate ipmon
 +ipmon_enable="NO"		# Set to YES for ipmon; needs ipfilter, too!
 +ipmon_program="/sbin/ipmon"	# where the ipfilter monitor program lives
 +ipmon_flags="-Ds"		# typically "-Ds" or "-D /var/log/ipflog"
  tcp_extensions="NO"		# Set to YES to turn on RFC1323 extensions.
  log_in_vain="NO"		# YES to log connects to ports w/o listeners.
  tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
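Review bot: the `ipmon_enable="NO"` comment could say what the monitor is for (logging of ipf and ipnat events, as the manpage hunk puts it); with this default an administrator who sets only `ipfilter_enable="YES"` gets packet filtering but no record of what it blocks, and this comment is where they will notice that.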
 ===================================================================
 RCS file: /usr/src/share/man/man5/rc.conf.5,v
 retrieving revision 1.2
 diff -u -r1.2 /usr/src/share/man/man5/rc.conf.5
 --- /usr/src/share/man/man5/rc.conf.5	2000/07/26 20:45:22	1.2
 +++ /usr/src/share/man/man5/rc.conf.5	2000/07/30 06:45:35
 @@ -228,13 +228,30 @@
  as long as the file specified in
  .Ar ipfilter_rules
  is readable.
 +When
 +.Ar ipfilter_enable
 +and
 +.Ar ipnat_enable
 +are set to
 +.Ar YES
 +and the file specified in
 +.Ar ipnat_rules
 +is readable,
  .Ar ipnat_program ,
  .Ar ipnat_rules
  and
  .Ar ipnat_flags
 -are handled in a similar way.
 +make up a command line to start a network address translation program.
 +When
 +.Ar ipfilter_enable
 +and
 +.Ar ipmon_enable
 +are set to
 +.Ar YES ,
 +.Ar ipmon_program
 +and
  .Ar ipmon_flags
 -only come into effect with this option enabled, too.
 +form another command line for monitoring the above actions.
  See
  .Pa /etc/rc.network
  for details.
 @@ -244,7 +261,7 @@
  ipfilter_enable="YES"
  ipfilter_flags=""
  ipnat_enable="YES"
 -ipmon_flags="-D /var/log/ipmon.log"
 +ipmon_enable="YES"
  
  .Ed
  into
 @@ -295,7 +312,7 @@
  after the rule definition filename.
  The default setting will initialize an on demand loaded ipf module.
  When compiling ipfilter directly into your kernel (as is recommended)
 -the variable should be empty to avoid a warning about initializing
 +the variable should be empty to not initialize
  the code more than once.
  See
  .Ar ipfilter_enable
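Review bot: "the variable should be empty to not initialize the code more than once" reads awkwardly; "should be left empty so that the code is not initialized twice" keeps the meaning and the line length.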
 @@ -309,8 +326,7 @@
  .Ar YES
  to enable
  .Xr ipnat 8
 -network address translation
 -(also referred to as masquerading sometimes).
 +network address translation.
  Setting this variable needs setting
  .Ar ipfilter_enable ,
  too.
 @@ -348,6 +364,37 @@
  See
  .Ar ipfilter_enable
  for a detailled discussion.
 +.\" ----- ipmon_enable setting ----------------------------------
 +.It Ar ipmon_enable
 +(bool) Set to
 +.Ar NO
 +by default.
 +Set it to
 +.Ar YES
 +to enable
 +.Xr ipmon 8
 +monitoring (logging
 +.Xr ipf 8
 +and
 +.Xr ipnat 8
 +events).
 +Setting this variable needs setting
 +.Ar ipfilter_enable ,
 +too.
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- ipmon_program setting ---------------------------------
 +.It Ar ipmon_program
 +(str) Set to
 +.Ar /sbin/ipmon
 +by default.
 +This variable contains the
 +.Xr ipmon 8
 +executable filename.
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
  .\" ----- ipmon_flags setting -----------------------------------
  .It Ar ipmon_flags
  (str) Set to
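Review bot: the two new sections repeat the `detailled` misspelling from the first patch (`for a detailled discussion.`); `detailed` in both. Otherwise the `ipmon_enable`/`ipmon_program` entries follow the `ipnat_*` pattern, which is what the thread asked for.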
 @@ -356,13 +403,6 @@
  This variable contains flags passed to the
  .Xr ipmon 8
  program.
 -Set this variable to
 -.Pa NO
 -to disable monitoring the packet filter.
 -Any other value (as well as empty settings)
 -will enable monitoring, when
 -.Ar ipfilter_enable
 -is set.
  See
  .Ar ipfilter_enable
  for a detailled discussion.
 ===================================================================
 
 
 virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
 Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
 -- 
      If you don't understand or are scared by any of the above
              ask your parents or an adult to help you.
 

From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:  
Subject: Re: conf/20202: ipfilter hooks in rc.network
Date: Mon, 2 Oct 2000 22:49:03 +0200

 Since I felt the PR somewhat hard to read in the form it has
 summed up to, here's a summary of the change for easier review.
 This one combines the two above patches and has a new hint in the
 manpage drawing attention towards newsyslog.conf for the case
 where ipmon handles the logfile directly instead of through
 syslogd.
 
 This patch was drawn against -CURRENT as of late September.  The
 former (-STABLE) diffs applied with some seven lines of fuzz, so
 MFC'ing shouldn't be any problem -- the branches don't differ too
 much in this respect.
 
 Index: src/etc/rc.network
 ===================================================================
 RCS file: /home/fcvs/src/etc/rc.network,v
 retrieving revision 1.85
 diff -u -r1.85 rc.network
 --- src/etc/rc.network	2000/09/28 05:43:44	1.85
 +++ src/etc/rc.network	2000/09/30 07:03:28
 @@ -32,6 +32,37 @@
  		echo -n ' hostname'
  	fi
  
 +	# Establish ipfilter ruleset as early as possible (best in
 +	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
 +	#
 +	case "${ipfilter_enable}" in
 +	[Yy][Ee][Ss])
 +		if [ -r "${ipfilter_rules}" ]; then
 +			echo -n ' ipfilter';
 +			${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
 +			case "${ipmon_enable}" in
 +			[Yy][Ee][Ss])
 +				echo -n ' ipmon'
 +				${ipmon_program:-ipmon} ${ipmon_flags}
 +				;;
 +			esac
 +			case "${ipnat_enable}" in
 +			[Yy][Ee][Ss])
 +				if [ -r "${ipnat_rules}" ]; then
 +					echo -n ' ipnat';
 +					${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
 +				else
 +					echo -n ' NO IPNAT RULES'
 +				fi
 +				;;
 +			esac
 +		else
 +			ipfilter_enable="NO"
 +			echo -n ' NO IPF RULES'
 +		fi
 +		;;
 +	esac
 +
  	# Set the domainname if we're using NIS
  	#
  	case ${nisdomainname} in
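Review bot: this combined hook still starts `ipmon` and loads the `ipnat` rules without checking whether `${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}` succeeded; a failed rule load (bad syntax, wrong path named inside a readable file) leaves the host with an empty or partial ruleset and then NAT on top of it, while the console shows ` ipfilter ipmon ipnat`. Test the exit status and skip the ipmon/ipnat steps, printing something like ` (ipf FAILED)`, when it is non-zero; the `NO IPF RULES` branch already shows the fail-loud style for the readable-file check.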
 Index: src/etc/defaults/rc.conf
 ===================================================================
 RCS file: /home/fcvs/src/etc/defaults/rc.conf,v
 retrieving revision 1.78
 diff -u -r1.78 rc.conf
 --- src/etc/defaults/rc.conf	2000/09/01 01:08:52	1.78
 +++ src/etc/defaults/rc.conf	2000/09/30 07:06:13
 @@ -55,6 +55,22 @@
  natd_enable="NO"                # Enable natd (if firewall_enable == YES).
  natd_interface="fxp0"           # Public interface or IPaddress to use.
  natd_flags=""                   # Additional flags for natd.
 +ipfilter_enable="NO"		# Set to YES to enable ipfilter functionality
 +ipfilter_program="/sbin/ipf -Fa -f"
 +				# program and how to specify the rules file,
 +				# see /etc/rc.network (pass1) for details
 +ipfilter_rules="/etc/ipf.rules"	# rules definition file for ipfilter, see
 +				# /usr/src/contrib/ipfilter/rules for examples
 +ipfilter_flags="-E"		# should be *empty* when ipf is _not_ a module
 +				# (i.e. compiled into the kernel) to
 +				# avoid a warning about "already initialized"
 +ipnat_enable="NO"		# Set to YES for ipnat; needs ipfilter, too!
 +ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
 +ipnat_rules="/etc/ipnat.rules"	# rules definition file for ipnat
 +ipnat_flags=""			# additional flags for ipnat
 +ipmon_enable="NO"		# Set to YES for ipmon; needs ipfilter, too!
 +ipmon_program="/sbin/ipmon"	# where the ipfilter monitor program lives
 +ipmon_flags="-Ds"		# typically "-Ds" or "-D /var/log/ipflog"
  tcp_extensions="NO"		# Set to YES to turn on RFC1323 extensions.
  log_in_vain="NO"		# YES to log connects to ports w/o listeners.
  tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
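Review bot: `ipfilter_flags="-E"` defaults to the module case while its own comment says it should be empty when ipf is compiled into the kernel, which the manpage hunk of this patch recommends; since leaving `-E` out on a module means the filter is never initialised, whereas `-E` on a compiled-in kernel only produces a warning, the default is the safe one and the comment should say so explicitly rather than just "should be *empty*", otherwise readers will "fix" it. The `ipfilter_program` entry also breaks the one-line `name=value # comment` layout of the surrounding entries; wrapping the comment after the value as the `natd_*` lines do would keep the column aligned.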
 Index: src/share/man/man5/rc.conf.5
 ===================================================================
 RCS file: /home/fcvs/src/share/man/man5/rc.conf.5,v
 retrieving revision 1.80
 diff -u -r1.80 rc.conf.5
 --- src/share/man/man5/rc.conf.5	2000/08/18 09:37:48	1.80
 +++ src/share/man/man5/rc.conf.5	2000/09/30 07:48:11
 @@ -156,6 +156,8 @@
  .Ar YES ,
  and the kernel was not built with IPFIREWALL, the ipfw
  kernel module will be loaded.
 +See also
 +.Ar ipfilter_enable .
  .It Ar firewall_script
  (str) If you want to run a firewall script other than
  .Pa /etc/rc.firewall ,
 @@ -213,6 +215,218 @@
  flag is automatically added with the above
  .Ar natd_interface
  as an argument.
 +.\" ----- ipfilter_enable seting --------------------------------
 +.It Ar ipfilter_enable
 +(bool) Set to
 +.Ar NO
 +by default.
 +Setting this to
 +.Ar YES
 +enables
 +.Xr ipf 8
 +packet filtering.
 +Strictly speaking almost any filter could be established
 +"abusing" this setting and the fact that
 +.Ar ipfilter_program ,
 +.Ar ipfilter_rules
 +and
 +.Ar ipfilter_flags
 +are concatenated to form a command,
 +as long as the file specified in
 +.Ar ipfilter_rules
 +is readable.
 +When
 +.Ar ipfilter_enable
 +and
 +.Ar ipnat_enable
 +are set to
 +.Ar YES
 +and the file specified in
 +.Ar ipnat_rules
 +is readable,
 +.Ar ipnat_program ,
 +.Ar ipnat_rules
 +and
 +.Ar ipnat_flags
 +make up a command line to start a network address translation program.
 +When
 +.Ar ipfilter_enable
 +and
 +.Ar ipmon_enable
 +are set to
 +.Ar YES ,
 +.Ar ipmon_program
 +and
 +.Ar ipmon_flags
 +form another command line for monitoring the above actions.
 +See
 +.Pa /etc/rc.network
 +for details.
 +.Pp
 +Typical usage will require putting
 +.Bd -literal
 +ipfilter_enable="YES"
 +ipfilter_flags=""
 +ipnat_enable="YES"
 +ipmon_enable="YES"
 +
 +.Ed
 +into
 +.Pa /etc/rc.conf
 +and editing
 +.Pa /etc/ipf.rules
 +and
 +.Pa /etc/ipnat.rules
 +appropriately.
 +Turning off
 +.Ar firewall_enable
 +when using ipf is recommended.
 +Having
 +.Bd -literal
 +options  IPFILTER
 +options  IPFILTER_LOG
 +options  IPFILTER_DEFAULT_BLOCK
 +
 +.Ed
 +in the kernel configuration file is a good idea, too.
 +.\" ----- ipfilter_program setting ------------------------------
 +.It Ar ipfilter_program
 +(str) Set to
 +.Ar /sbin/ipf -Fa -f
 +by default.
 +This variable contains a command line
 +up to (but not including) the filter rule definition
 +(expected to live in a separate file).
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- ipfilter_rules setting --------------------------------
 +.It Ar ipfilter_rules
 +(str) Set to
 +.Ar /etc/ipf.rules
 +by default.
 +This variable contains the name of the filter rule definition file.
 +The file is expected to be readable for the filter command to execute.
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- ipfilter_flags setting --------------------------------
 +.It Ar ipfilter_flags
 +(str) Set to
 +.Ar -E
 +by default.
 +This variable contains flags appended to the filter command
 +after the rule definition filename.
 +The default setting will initialize an on demand loaded ipf module.
 +When compiling ipfilter directly into your kernel (as is recommended)
 +the variable should be empty to not initialize
 +the code more than once.
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- ipnat_enable setting ----------------------------------
 +.It Ar ipnat_enable
 +(bool) Set to
 +.Ar NO
 +by default.
 +Set it to
 +.Ar YES
 +to enable
 +.Xr ipnat 8
 +network address translation.
 +Setting this variable needs setting
 +.Ar ipfilter_enable ,
 +too.
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- ipnat_program setting ---------------------------------
 +.It Ar ipnat_program
 +(str) Set to
 +.Ar /sbin/ipnat -CF -f
 +by default.
 +This variable contains a command line
 +up to (but not including) the translation rule definition
 +(expected to live in a separate file).
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- ipnat_rules setting -----------------------------------
 +.It Ar ipnat_rules
 +(str) Set to
 +.Ar /etc/ipnat.rules
 +by default.
 +This variable contains the name of the file
 +holding the network address translation definition.
 +This file is expected to be readable for the NAT command to execute.
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- ipnat_flags setting -----------------------------------
 +.It Ar ipnat_flags
 +(str) Empty by default.
 +This variable contains additional flags
 +appended to the ipnat command line
 +after the rule definition filename.
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- ipmon_enable setting ----------------------------------
 +.It Ar ipmon_enable
 +(bool) Set to
 +.Ar NO
 +by default.
 +Set it to
 +.Ar YES
 +to enable
 +.Xr ipmon 8
 +monitoring (logging
 +.Xr ipf 8
 +and
 +.Xr ipnat 8
 +events).
 +Setting this variable needs setting
 +.Ar ipfilter_enable ,
 +too.
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- ipmon_program setting ---------------------------------
 +.It Ar ipmon_program
 +(str) Set to
 +.Ar /sbin/ipmon
 +by default.
 +This variable contains the
 +.Xr ipmon 8
 +executable filename.
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- ipmon_flags setting -----------------------------------
 +.It Ar ipmon_flags
 +(str) Set to
 +.Ar -Ds
 +by default.
 +This variable contains flags passed to the
 +.Xr ipmon 8
 +program.
 +Another typical example would be
 +.Ar -D /var/log/ipflog
 +to have
 +.Xr ipmon 8
 +log directly to a file bypassing
 +.Xr syslogd 8 .
 +Make sure to adjust
 +.Pa /etc/newsyslog.conf
 +in such case like this:
 +.Bd -literal
 +/var/log/ipflog  640  10  100  *  Z  /var/run/ipmon.pid
 +
 +.Ed
 +See
 +.Ar ipfilter_enable
 +for a detailled discussion.
 +.\" ----- end of added ipf hook ---------------------------------
  .It Ar tcp_extensions
  (bool) Set to
  .Ar NO
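Review bot: `seting` and `detailled` persist in this combined version; fix both before commit. In the new `ipmon_flags` text the newsyslog.conf example `/var/log/ipflog  640  10  100  *  Z  /var/run/ipmon.pid` relies on `/var/run/ipmon.pid` existing: newsyslog signals the process named in that field after rotation, so the text should state that `ipmon -D` writes that pid file, or how the administrator is expected to provide it, otherwise the daemon keeps writing to the renamed file. A sentence on the `640` mode (the packet log is not world-readable) would also help readers who adapt the line.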
 
 
 virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
 Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
 -- 
      If you don't understand or are scared by any of the above
              ask your parents or an adult to help you.
 
State-Changed-From-To: open->closed 
State-Changed-By: darrenr 
State-Changed-When: Thu Nov 23 14:23:07 PST 2000 
State-Changed-Why:  
This has been MFC'd by jkh for 4.2 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20202 
>Unformatted:
 
 ... not really sure about this, I "only" follow -stable :)
 
