FreeBSD Bugzilla – Attachment 31215 Details for Bug 52121: pf4freebsd port OpenBSD's pf ported
Attachment: pf_port.shar (text/plain), 15.34 KB, created by Max Laier on 2003-05-12 16:20:08 UTC
Description: pf_port.shar
Flags: patch, obsolete
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	pf
#	pf/files
#	pf/files/pf.conf.default
#	pf/files/pf.sh.sample
#	pf/Makefile
#	pf/distinfo
#	pf/pkg-descr
#	pf/pkg-install
#	pf/pkg-message
#	pf/pkg-plist
#
echo c - pf
mkdir -p pf > /dev/null 2>&1
echo c - pf/files
mkdir -p pf/files > /dev/null 2>&1
echo x - pf/files/pf.conf.default
sed 's/^X//' >pf/files/pf.conf.default << 'END-of-pf/files/pf.conf.default'
X#	$OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
X#
X# See pf.conf(5) and /usr/share/pf for syntax and examples.
X# Required order: options, normalization, queueing, translation, filtering.
X# Macros and tables may be defined and used anywhere.
X# Note that translation rules are first match while filter rules are last match.
X
X# Macros: define common values, so they can be referenced and changed easily.
X#ext_if="ext0"	# replace with actual external interface name i.e., dc0
X#int_if="int0"	# replace with actual internal interface name i.e., dc1
X#internal_net="10.1.1.1/8"
X#external_addr="192.168.1.1"
X
X# Tables: similar to macros, but more flexible for many addresses.
X#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
X
X# Options: tune the behavior of pf, default values are given.
X#set timeout { interval 30, frag 10 }
X#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
X#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
X#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
X#set timeout { icmp.first 20, icmp.error 10 }
X#set timeout { other.first 60, other.single 30, other.multiple 60 }
X#set limit { states 10000, frags 5000 }
X#set loginterface none
X#set optimization normal
X#set block-policy drop
X#set require-order yes
X
X# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
X#scrub in all
X
X# Queueing: rule-based bandwidth control.
X#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
X#queue dflt bandwidth 5% cbq(default)
X#queue developers bandwidth 80%
X#queue marketing bandwidth 15%
X
X# Translation: specify how addresses are to be mapped or redirected.
X# nat: packets going out through $ext_if with source address $internal_net will
X# get translated as coming from the address of $ext_if, a state is created for
X# such packets, and incoming packets will be redirected to the internal address.
X#nat on $ext_if from $internal_net to any -> ($ext_if)
X
X# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
X# be redirected to 10.1.1.1:5678. A state is created for such packets, and
X# outgoing packets will be translated as coming from the external address.
X#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
X
X# rdr outgoing FTP requests to the ftp-proxy
X#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
X
X# spamd-setup puts addresses to be redirected into table <spamd>.
X#table <spamd> persist
X#no rdr on { lo0, lo1 } from any to any
X#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
X
X# Filtering: the implicit first two rules are
X#pass in all
X#pass out all
X
X# block all incoming packets but allow ssh, pass all outgoing tcp and udp
X# connections and keep state, logging blocked packets.
X#block in log all
X#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
X#pass out on $ext_if proto { tcp, udp } all keep state
X
X# pass incoming packets destined to the addresses given in table <foo>.
X#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
X
X# pass incoming ports for ftp-proxy
X#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
X
X# assign packets to a queue.
X#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
X#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
END-of-pf/files/pf.conf.default
echo x - pf/files/pf.sh.sample
sed 's/^X//' >pf/files/pf.sh.sample << 'END-of-pf/files/pf.sh.sample'
X#!/bin/sh
X#
X# $FreeBSD$
X
Xif ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/$(basename $0)\$"); then
X	echo "$0: Cannot determine the PREFIX" >&2
X	echo "Please use the complete pathname." >&2
X	exit 1
Xfi
X
Xif [ -z "${source_rc_confs_defined}" ]; then
X	if [ -r /etc/defaults/rc.conf ]; then
X		. /etc/defaults/rc.conf
X		source_rc_confs
X	elif [ -r /etc/rc.conf ]; then
X		. /etc/rc.conf
X	fi
Xfi
X
Xcase "$1" in
Xstart)
X	case "${pf_enable}" in
X	[Yy][Ee][Ss])
X		echo -n ' pf'
X		kldload ${PREFIX}/modules/pflog.ko
X		kldload ${PREFIX}/modules/pfsync.ko
X		if [ -f ${PREFIX}/modules/pfaltq.ko ]; then
X			kldload ${PREFIX}/modules/pfaltq.ko
X		fi
X		ifconfig pflog0 up
X		ifconfig pfsync0 up
X		case "${pf_logd}" in
X		[Yy][Ee][Ss])
X			if [ -x ${PREFIX}/sbin/pflogd ]; then
X				echo -n ' pflogd'
X				${PREFIX}/sbin/pflogd
X			fi
X			;;
X		esac
X		kldload ${PREFIX}/modules/pf.ko
X		if [ -f ${pf_conf:-${PREFIX}/etc/pf.conf} ]; then
X			if [ -x ${PREFIX}/sbin/pfctl ]; then
X				${PREFIX}/sbin/pfctl -e \
X				    -f ${pf_conf:-${PREFIX}/etc/pf.conf} \
X				    ${pfctl_flags}
X			fi
X		fi
X		;;
X	esac
X	;;
Xstop)
X	if [ -x ${PREFIX}/sbin/pfctl ]; then
X		${PREFIX}/sbin/pfctl -d
X	fi
X	killall pflogd
X	kldunload pf
X	if [ -f ${PREFIX}/modules/pfaltq.ko ]; then
X		kldunload pfaltq
X	fi
X	kldunload pflog
X	kldunload pfsync
X	;;
X*)
X	echo "Usage: `basename $0` {start|stop}" >&2
X	;;
Xesac
X
Xexit 0
END-of-pf/files/pf.sh.sample
echo x - pf/Makefile
sed 's/^X//' >pf/Makefile << 'END-of-pf/Makefile'
X# New ports collection makefile for:	pf_freebsd
X# Date created:		08 May 2003
X# Whom:			Max Laier <max@love2party.net>
X#
X# $FreeBSD$
X#
X
XPORTNAME=	pf_freebsd
XPORTVERSION=	1.0
XCATEGORIES=	security ipv6
XMASTER_SITES=	http://pf4freebsd.love2party.net/
X.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
XPKGNAMESUFFIX=	-altq
X.endif
XDISTNAME=	${PORTNAME}_${PORTVERSION}
X
XMAINTAINER=	max@love2party.net
XCOMMENT=	OpenBSD pf as a kldmodule
X
X.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
XIS_INTERACTIVE=	yes
X.endif
X
XSTARTUP_SCRIPT=	${PREFIX}/etc/rc.d/pf.sh.sample
XSAMPLE_CONFIG=	${PREFIX}/etc/pf.conf.default
X
XMAN1=	pftcpdump.1
XMAN4=	pf.4
XMAN4+=	pflog.4
XMAN4+=	pfsync.4
XMAN5=	pf.conf.5
XMAN8+=	ftp-proxy.8
XMAN8+=	pfctl.8
XMAN8+=	pflogd.8
XMAN8+=	pftop.8
X
XMANCOMPRESSED=	maybe
X
XKMODDIR?=	${PREFIX}/modules
XMAKE_ARGS=	KMODDIR="${KMODDIR}" MANDIR="${PREFIX}/man/man"
X
X.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
XSYS_ALTQ?=	/usr/src/sys.altq
XMAKE_ARGS+=	WITH_ALTQ="yes" SYS_ALTQ="${SYS_ALTQ}"
XPLIST_SUB+=	WITH_ALTQ=""
X.else
XPLIST_SUB+=	WITH_ALTQ="@comment "
X.endif
X
X.include <bsd.port.pre.mk>
X
X.if ${OSVERSION} < 500000
XBROKEN=	"Sorry only for 5.0 and above"
X.endif
X
X# Kernel source is needed to build the modules: the stock tree without ALTQ,
X# the ALTQ-patched tree (SYS_ALTQ) when WITH_ALTQ is requested.
XSRC_BASE?=	/usr/src
X.if (!defined(WITH_ALTQ) && !exists(${SRC_BASE}/sys/Makefile)) || \
X    (defined(WITH_ALTQ) && !exists(${SYS_ALTQ}/Makefile))
XBROKEN=	"Kernel source files required"
X.endif
X
X.if !defined(WITH_ALTQ) || (${WITH_ALTQ} != "yes")
Xpre-fetch:
X	@${ECHO_CMD} "======================================================="
X	@${ECHO_CMD} "* If you have ALTQ support from:                      *"
X	@${ECHO_CMD} "* http://www.rofug.ro/projects/freebsd-altq/          *"
X	@${ECHO_CMD} "* You may define WITH_ALTQ=yes to make use of it      *"
X	@${ECHO_CMD} "* Please define SYS_ALTQ to point to the patched src  *"
X	@${ECHO_CMD} "*                                                     *"
X	@${ECHO_CMD} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=/usr/src/sys.altq *"
X	@${ECHO_CMD} "*                                                     *"
X	@${ECHO_CMD} "======================================================="
X	@sleep 2
X.endif
X
Xpre-install:
X	${MKDIR} ${KMODDIR}
X	${MKDIR} ${PREFIX}/include/pf
X	${MKDIR} ${PREFIX}/include/pf/net
X.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
X	@${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
X.endif
X
Xpost-install:
X	${ECHO} "Installing include files ..."
X	${INSTALL_DATA} ${WRKSRC}/include/net/pfvar.h \
X		${PREFIX}/include/pf/net
X	${INSTALL_DATA} ${WRKSRC}/include/net/if_pflog.h \
X		${PREFIX}/include/pf/net
X	${INSTALL_DATA} ${WRKSRC}/include/net/if_pfsync.h \
X		${PREFIX}/include/pf/net
X	@if [ -f ${WRKSRC}/man/pf.4.gz ]; then \
X		${ECHO} "Installing pftcpdump(1) man page."; \
X		gzip -cn ${WRKSRC}/freebsd_tcpdump/tcpdump.1 > \
X			${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz ; \
X		${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz \
X			${PREFIX}/man/man1/pftcpdump.1.gz ; \
X	else \
X		${ECHO} "Installing pftcpdump(1) man page."; \
X		${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1 \
X			${PREFIX}/man/man1/pftcpdump.1 ; \
X	fi
X	@if [ ! -f ${STARTUP_SCRIPT} ]; then \
X		${ECHO} "Installing ${STARTUP_SCRIPT} startup file." ; \
X		${INSTALL_SCRIPT} ${FILESDIR}/pf.sh.sample \
X			${STARTUP_SCRIPT} ; \
X	fi
X	@if [ ! -f ${SAMPLE_CONFIG} ]; then \
X		${ECHO} "Installing ${SAMPLE_CONFIG} config file." ; \
X		${INSTALL_DATA} ${FILESDIR}/pf.conf.default \
X			${SAMPLE_CONFIG}; \
X	fi
X	${SED} -e 's!%%PREFIX%%!${PREFIX}!' pkg-message
X
X.include <bsd.port.post.mk>
END-of-pf/Makefile
echo x - pf/distinfo
sed 's/^X//' >pf/distinfo << 'END-of-pf/distinfo'
XMD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e
END-of-pf/distinfo
echo x - pf/pkg-descr
sed 's/^X//' >pf/pkg-descr << 'END-of-pf/pkg-descr'
XThis is a port of OpenBSD's pf (packet filter) to FreeBSD as a loadable
Xkernel module, ported by Pyun YongHyeon. Information about pf can be found
Xat http://www.benzendrine.cx/pf.html, the website of Daniel Hartmeier, the
Xoriginal author of pf.
XYou have to have:
X=========================================================================
Xoptions PFIL_HOOKS
Xoptions RANDOM_IP_ID	# Recommended, but may work without
X=========================================================================
Xin your kernel in order to use pf.
X
XWWW: http://pf4freebsd.love2party.net/
X
X-Max <reports@pf4freebsd.love2party.net>
END-of-pf/pkg-descr
echo x - pf/pkg-install
sed 's/^X//' >pf/pkg-install << 'END-of-pf/pkg-install'
X#!/bin/sh
X# an installation script for pf_freebsd copied from Wnn6
X
Xcheck_pw()
X{
X	if which -s pw; then
X		:
X	else
X		cat <<EOF
X
XThis system looks like a pre-2.2 version of FreeBSD. We see that it
Xis missing the "pw" utility. We need this utility. Please get and
Xinstall it, and try again. You can get the source from:
X
X	ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.sbin/pw.tar.gz
X
XEOF
X		exit 1
X	fi
X}
X
Xask() {
X	local question default answer
X
X	question=$1
X	default=$2
X	if [ -z "${PACKAGE_BUILDING}" ]; then
X		read -p "${question} (y/n) [${default}]? " answer
X	fi
X	if [ "x${answer}" = x ]; then
X		answer=${default}
X	fi
X	echo ${answer}
X}
X
Xyesno() {
X	local dflt question answer
X
X	question=$1
X	dflt=$2
X	while :; do
X		answer=$(ask "${question}" "${dflt}")
X		case "${answer}" in
X		[Yy]*)	return 0;;
X		[Nn]*)	return 1;;
X		esac
X		echo "Please answer yes or no."
X	done
X}
X
Xcheck_service() {
X	local name number type comment
X
X	name=$1
X	number=$2
X	type=$3
X	comment=$4
X
X	FILE="/etc/services"
X	# check: anchor on the service name so that other services whose
X	# names merely contain $name are neither matched nor removed below
X	OK=no
X	HAS_SERVICE=no
X	COUNT=1
X	for i in `grep "^$name[[:space:]]" $FILE `; do
X		if [ $COUNT = 1 ] && [ X"$i" = X"$name" ]; then
X			HAS_SERVICE=yes
X		elif [ $COUNT = 2 ] && [ $HAS_SERVICE = yes ] && \
X		    [ X"$i" = X"$number/$type" ]; then
X			OK=yes
X			break
X		fi
X		COUNT=`expr ${COUNT} + 1`
X	done
X	# add an entry for SERVICE to /etc/services; keep a backup copy in
X	# place until the rewritten file is complete
X	if [ $OK = no ]; then
X		echo "This system has no entry for $name in ${FILE}"
X		if yesno "Would you like to add it automatically?" y; then
X			cp ${FILE} ${FILE}.bak
X			(grep -v "^$name[[:space:]]" ${FILE}.bak ; \
X			    echo "$name	$number/$type	# $comment") \
X			    > ${FILE}
X			rm ${FILE}.bak
X		else
X			echo "Please add '$name $number/$type' into ${FILE}, and try again."
X			return 1
X		fi
X	fi
X	return 0
X}
X
Xcheck_group() {
X	local name id
X
X	name=$1
X	id=$2
X	#check
X	# We need a command 'pw(8)'
X	check_pw
X	if pw groupshow $name -q ; then
X		return 0
X	fi
X	# -N is a dry run: succeeds only if the group could be added
X	if pw groupadd -g $id -n $name -N -q ; then
X		echo ""
X		echo "You need a group '$name' whose ID number is $id"
X		if yesno "Would you like to create it automatically?" y; then
X			pw groupadd -g $id -n $name
X			return 0
X		fi
X		echo "Please create it, and try again."
X		return 1
X	fi
X	echo ""
X	echo "I was not able to add group '$name:*:$id:' as pw reported:"
X	pw groupadd -g $id -n $name -N
X	echo "Please correct this and try again!"
X	echo ""
X	return 1
X}
X
Xcheck_user() {
X	local name id group
X
X	name=$1
X	id=$2
X	group=$3
X	# check
X	id_id=`id -u $id 2> /dev/null`
X	id_name=`id -u $name 2> /dev/null`
X	if [ X"$id_name" = X$id ];then
X		return 0
X	elif [ X"$id_id" != X ]; then
Xcat <<EOF
X
X+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
XThis system already has an account whose name is not '$name' and ID
Xnumber is $id.
X
X	'`id $id`'
X
XFor ftp-proxy in this port or package, ID number of '$name' has to be $id.
XPlease try again after you delete the account.
X+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
XEOF
X		exit 1
X	elif [ X"$id_name" != X ]; then
X		cat <<EOF
X
XThere is a user '$name' with ID '$id_name'. I'll try to use this account.
X
XEOF
X		return 0
X	fi
X
X	# add an account '$name' to this system
X	echo ""
X	echo "You need an account '$name' whose ID number is $id"
X	if yesno "Would you like to create it automatically?" y; then
X		# We need a command 'pw(8)'
X		check_pw
X		pw useradd $name -u $id -g $group -h - -d /nonexistent \
X		    -s /nonexistent -c $name || exit
X	else
X		echo "Please create it, and try again."
X		return 1
X	fi
X	return 0
X}
X
Xcase $2 in
XPRE-INSTALL)
X
X	if ! check_service ftp-proxy 8021 tcp "ftp-proxy service port"; then
X		exit 1
X	fi
X	if [ "`grep ftp-proxy /etc/inetd.conf`" ]; then
X		echo "Found ftp-proxy entry in inetd.conf ..."
X	else
X		echo "Adding sample entry for ftp-proxy to /etc/inetd.conf"
X		echo "#ftp-proxy	stream	tcp	nowait	root	${PKG_PREFIX}/libexec/ftp-proxy	ftp-proxy" >> /etc/inetd.conf
X	fi
X	if ! check_group proxy 71 ; then
X		exit 1
X	fi
X	groupid=`pw groupshow proxy | awk \
X	    '{ split ($1,var,":"); print var[3] }' `
X	if ! check_user proxy 71 $groupid; then
X		exit 1
X	fi
X	;;
X
Xesac
END-of-pf/pkg-install
echo x - pf/pkg-message
sed 's/^X//' >pf/pkg-message << 'END-of-pf/pkg-message'
X===========================================================================
XPlease set the following variables in rc.conf according to your needs:
X
X	pf_enable="YES"
X	pf_logd="YES"
X	pf_conf="%%PREFIX%%/etc/pf.conf"
X
XThey are used within %%PREFIX%%/etc/rc.d/pf.sh to bring pf up!
X(Copy %%PREFIX%%/etc/rc.d/pf.sh.sample to pf.sh to activate the script;
Xonly *.sh files in rc.d are run at boot.)
X===========================================================================
END-of-pf/pkg-message
echo x - pf/pkg-plist
sed 's/^X//' >pf/pkg-plist << 'END-of-pf/pkg-plist'
Xlibexec/ftp-proxy
X
Xmodules/linker.hints
Xmodules/pf.ko
Xmodules/pflog.ko
Xmodules/pfsync.ko
X%%WITH_ALTQ%%modules/pfaltq.ko
X
Xsbin/pfctl
Xsbin/pflogd
Xsbin/pftcpdump
Xsbin/pftop
X
Xetc/rc.d/pf.sh.sample
Xetc/pf.conf.default
X
Xinclude/pf/net/pfvar.h
Xinclude/pf/net/if_pflog.h
Xinclude/pf/net/if_pfsync.h
X
X@dirrm modules
X@dirrm include/pf/net
X@dirrm include/pf
END-of-pf/pkg-plist
exit
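The check_service routine in pkg-install above tests for the ftp-proxy entry by grepping /etc/services and, when it is missing, rewrites the whole file. The following is an added example, not part of the port or of this attachment, showing the same check done with exact matching on the name and port/proto fields and an append-only update that cannot drop unrelated lines (such as a hypothetical "ftp-proxy-admin" service). The function names, the constructed sample services file and the parameterised file path are this example's own; the demo runs against a temporary copy, never the live /etc/services.

```shell
#!/bin/sh
# Added example: exact-match /etc/services handling. Not the pf_freebsd
# port's own pkg-install code. FILE is a parameter so the functions can be
# exercised on a constructed copy instead of the system file.

# services_has FILE NAME PORT/PROTO
# Succeeds only if FILE has a non-comment line whose first field is exactly
# NAME and whose second field is exactly PORT/PROTO.
services_has() {
	awk -v name="$2" -v portproto="$3" '
		/^[ \t]*#/ { next }
		$1 == name && $2 == portproto { found = 1; exit }
		END { exit !found }
	' "$1"
}

# services_port_taken FILE PORT/PROTO
# Succeeds if PORT/PROTO is already assigned to some service in FILE and
# prints that service's name, so a port is never double-booked silently.
services_port_taken() {
	awk -v portproto="$2" '
		/^[ \t]*#/ { next }
		$2 == portproto { print $1; found = 1; exit }
		END { exit !found }
	' "$1"
}

# services_add FILE NAME PORT/PROTO COMMENT
# Appends the entry only when it is missing. Existing lines are never
# rewritten or filtered, so a service whose name merely contains NAME as a
# substring is left untouched. Fails if the port is owned by another name.
services_add() {
	if services_has "$1" "$2" "$3"; then
		return 0
	fi
	if owner=$(services_port_taken "$1" "$3"); then
		echo "$3 is already assigned to '$owner' in $1" >&2
		return 1
	fi
	printf '%s\t%s\t# %s\n' "$2" "$3" "$4" >> "$1"
}

# demo_services: runs the functions on a constructed temporary services file
# (hypothetical entries; not a copy of any real system's /etc/services).
demo_services() {
	f=$(mktemp "${TMPDIR:-/tmp}/services.XXXXXX") || return 1
	printf '# constructed sample\nftp-proxy-admin\t9999/tcp\nssh\t22/tcp\n' > "$f"
	services_add "$f" ftp-proxy 8021/tcp "ftp-proxy service port" &&
	    services_has "$f" ftp-proxy 8021/tcp &&
	    services_has "$f" ftp-proxy-admin 9999/tcp
	rc=$?
	rm -f "$f"
	return $rc
}

# Usage on a real system (as root), after sourcing this file:
#   services_add /etc/services ftp-proxy 8021/tcp "ftp-proxy service port"
```

Because the update is a plain append guarded by an exact-match check, running it twice is a no-op, and a conflicting owner of the port is reported instead of being overwritten.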