| Summary: | ipfilter hooks in rc.network | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Gerhard Sittig <Gerhard.Sittig> |
| Component: | conf | Assignee: | Darren Reed <darrenr> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | 4.0-STABLE | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description
Gerhard Sittig
2000-07-26 22:30:00 UTC
Responsible Changed From-To: freebsd-bugs->darrenr
Over to Mr. IPFilter.

Gerhard Sittig wrote:
> >Synopsis: ipfilter hooks in rc.network

I'm in favor of this change. I would suggest one fix to your patch though...

> + case "${ipmon_flags}" in
> + [Nn][Oo])
> + ;;
> + *)
> + echo -n ' ipmon'
> + ipmon ${ipmon_flags}
> + ;;
> + esac

That should be:

[Nn][Oo] | '')

since the user could empty out that variable field in rc.conf.

Doug

On Fri, Jul 28, 2000 at 17:49 -0700, Doug Barton wrote:
> Gerhard Sittig wrote:
>
> > >Synopsis: ipfilter hooks in rc.network
>
> I'm in favor of this change. I would suggest one fix to your patch
> though...
>
> > + case "${ipmon_flags}" in
> > + [Nn][Oo])
> > + ;;
> > + *)
> > + echo -n ' ipmon'
> > + ipmon ${ipmon_flags}
> > + ;;
> > + esac
>
> That should be:
>
> [Nn][Oo] | '')
>
> since the user could empty out that variable field in rc.conf.

Then don't forget to document this behaviour in the rc.conf comment and the manpage. :) I tried to make clear that empty settings are valid for command invocation and that saying NO is the way to shut it down. And administrators should be able to read the accompanying doc, especially when it's a comment right beside the switch. :>

For consistency: What do neighbour switches behave like for programs which don't "need" a parameter (like named, sshd, etc)? (This question is merely for the record and for consideration if rc style should change.)

And there's something else to keep in mind: The SYNOPSIS section of "man ipmon" shows no parameters as a valid invocation. Reading the DESCRIPTION leads to the conclusion that usually -s or a filename is to be specified. And -D typically is used at boot time. But will it always be that way? Could these settings come from config files in future versions? I don't want to conclude from the observation that invocation with no flags is not suitable at present that it will always be that way.
To cut it short: Darren Reed (more as the ipf author and maintainer than as the assigned responsible individual for this PR) could judge best whether empty flags are a suitable way of saying "I don't want to run ipmon" - as is now - or whether there could be confusion about "should I start ipmon without flags or should I leave it at all" in later releases. If there's a chance for confusion it turns out that ipmon needs a triple of enable / program / flags settings, too.

The *_program variables are actually meant for different pathnames only, BTW. But they could very well be abused to plug in different programs (renamed or "version named" executables, completely different programs with similar invocation synopsis, etc).

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

Gerhard Sittig wrote:
>
> On Fri, Jul 28, 2000 at 17:49 -0700, Doug Barton wrote:
> > That should be:
> >
> > [Nn][Oo] | '')
> >
> > since the user could empty out that variable field in rc.conf.
>
> Then don't forget to document this behaviour in the rc.conf
> comment and the manpage. :)

Actually, it's your proposal, you're responsible for bringing it into line with current style and practice. I'm just pointing out a deficiency.

> If there's a chance for confusion it turns out that ipmon needs a
> triple of enable / program / flags settings, too.

That is correct. I actually missed the fact that it didn't have one in my previous examination of your patch, my apologies. It was determined a while back, even before I started fiddling with the rc* files that all services run from rc and friends should have _enable, _program, and (where appropriate) _flags. Relying on the user to properly read and interpret your exceptional case for ipmon is too much to expect.
Doug

On Sat, Jul 29, 2000 at 13:02 -0700, Doug Barton wrote:
> Gerhard Sittig wrote:
> >
> > On Fri, Jul 28, 2000 at 17:49 -0700, Doug Barton wrote:
> > [ ... allowing empty ipmon_flags setting patch ... ]
>
> Actually, it's your proposal, you're responsible for bringing
> it into line with current style and practice. I'm just pointing
> out a deficiency.

Sorry, didn't know about this. I took it that I gave some feedback and provided an initial version of how it could be achieved. I thought anyone could follow and contribute to this PR as there are chances the initiator is not very well in doing this. :) After all I'm still new to FreeBSD. But it's getting better with your help.

See the enhanced and cleaned up version attached (in form of a patch to be applied after the first is in place). Sorry for causing the second lap, but I'd like to use this as a chance to learn how to do better next time. :>

> > If there's a chance for confusion it turns out that ipmon
> > needs a triple of enable / program / flags settings, too.

That's what it has now. And I hope the manpage stuff is somewhat clearer now about dependencies and when it comes to using these hooks for some other programs than the ipf(8), ipnat(8), ipmon(8) suite.

And I'm absolutely unsure of how much of an overkill it is to deliver default _program settings in /etc/defaults/rc.conf and having fallbacks in /etc/rc.network, too. But it seems to fail on the safe side.

===================================================================
RCS file: /usr/src/etc/rc.network,v
retrieving revision 1.2
diff -u -r1.2 /usr/src/etc/rc.network
--- /usr/src/etc/rc.network 2000/07/26 20:46:28 1.2
+++ /usr/src/etc/rc.network 2000/07/30 05:57:19
@@ -28,12 +28,10 @@ if [ -r "${ipfilter_rules}" ]; then echo -n ' ipfilter'; ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags} - case "${ipmon_flags}" in - [Nn][Oo]) - ;; - *) + case "${ipmon_enable}" in + [Yy][Ee][Ss]) echo -n ' ipmon' - ipmon ${ipmon_flags} + ${ipmon_program:-ipmon} ${ipmon_flags} ;; esac case "${ipnat_enable}" in =================================================================== RCS file: /usr/src/etc/defaults/rc.conf,v retrieving revision 1.2 diff -u -r1.2 /usr/src/etc/defaults/rc.conf --- /usr/src/etc/defaults/rc.conf 2000/07/26 20:46:48 1.2 +++ /usr/src/etc/defaults/rc.conf 2000/07/30 06:51:21 @@ -64,8 +64,9 @@ ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat ipnat_flags="" # additional flags for ipnat -ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog", - # can be "NO" as well to deactivate ipmon +ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter, too! +ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives +ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog" tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions. log_in_vain="NO" # YES to log connects to ports w/o listeners. tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO). =================================================================== RCS file: /usr/src/share/man/man5/rc.conf.5,v retrieving revision 1.2 diff -u -r1.2 /usr/src/share/man/man5/rc.conf.5 --- /usr/src/share/man/man5/rc.conf.5 2000/07/26 20:45:22 1.2 +++ /usr/src/share/man/man5/rc.conf.5 2000/07/30 06:45:35 
@@ -228,13 +228,30 @@ as long as the file specified in .Ar ipfilter_rules is readable. +When +.Ar ipfilter_enable +and +.Ar ipnat_enable +are set to +.Ar YES +and the file specified in +.Ar ipnat_rules +is readable, .Ar ipnat_program , .Ar ipnat_rules and .Ar ipnat_flags -are handled in a similar way. +make up a command line to start a network address translation program. +When +.Ar ipfilter_enable +and +.Ar ipmon_enable +are set to +.Ar YES , +.Ar ipmon_program +and .Ar ipmon_flags -only come into effect with this option enabled, too. +form another command line for monitoring the above actions. See .Pa /etc/rc.network for details. @@ -244,7 +261,7 @@ ipfilter_enable="YES" ipfilter_flags="" ipnat_enable="YES" -ipmon_flags="-D /var/log/ipmon.log" +ipmon_enable="YES" .Ed into @@ -295,7 +312,7 @@ after the rule definition filename. The default setting will initialize an on demand loaded ipf module. When compiling ipfilter directly into your kernel (as is recommended) -the variable should be empty to avoid a warning about initializing +the variable should be empty to not initialize the code more than once. See .Ar ipfilter_enable @@ -309,8 +326,7 @@ .Ar YES to enable .Xr ipnat 8 -network address translation -(also referred to as masquerading sometimes). +network address translation. Setting this variable needs setting .Ar ipfilter_enable , too. 
@@ -348,6 +364,37 @@ See .Ar ipfilter_enable for a detailled discussion. +.\" ----- ipmon_enable setting ---------------------------------- +.It Ar ipmon_enable +(bool) Set to +.Ar NO +by default. +Set it to +.Ar YES +to enable +.Xr ipmon 8 +monitoring (logging +.Xr ipf 8 +and +.Xr ipnat 8 +events). +Setting this variable needs setting +.Ar ipfilter_enable , +too. +See +.Ar ipfilter_enable +for a detailled discussion. +.\" ----- ipmon_program setting --------------------------------- +.It Ar ipmon_program +(str) Set to +.Ar /sbin/ipmon +by default. +This variable contains the +.Xr ipmon 8 +executable filename. +See +.Ar ipfilter_enable +for a detailled discussion. .\" ----- ipmon_flags setting ----------------------------------- .It Ar ipmon_flags (str) Set to @@ -356,13 +403,6 @@ This variable contains flags passed to the .Xr ipmon 8 program. -Set this variable to -.Pa NO -to disable monitoring the packet filter. -Any other value (as well as empty settings) -will enable monitoring, when -.Ar ipfilter_enable -is set. See .Ar ipfilter_enable for a detailled discussion. =================================================================== virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. Since I felt the PR somewhat hard to read in the form which
summed up, here's a summary of the change for easier review.
This one combines the two above patches and has a new hint in the
manpage drawing attention towards newsyslog.conf for the case
where ipmon handles the logfile directly instead of through
syslogd.
This patch was drawn against -CURRENT as of late September. The
former (-STABLE) diffs applied with some seven lines of fuzz, so
MFC'ing shouldn't be any problem -- the branches don't differ too
much in this respect.
Index: src/etc/rc.network
===================================================================
RCS file: /home/fcvs/src/etc/rc.network,v
retrieving revision 1.85
diff -u -r1.85 rc.network
--- src/etc/rc.network 2000/09/28 05:43:44 1.85
+++ src/etc/rc.network 2000/09/30 07:03:28
@@ -32,6 +32,37 @@
echo -n ' hostname'
fi
+ # Establish ipfilter ruleset as early as possible (best in
+ # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
+ #
+ case "${ipfilter_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipfilter_rules}" ]; then
+ echo -n ' ipfilter';
+ ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
+ case "${ipmon_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' ipmon'
+ ${ipmon_program:-ipmon} ${ipmon_flags}
+ ;;
+ esac
+ case "${ipnat_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "${ipnat_rules}" ]; then
+ echo -n ' ipnat';
+ ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
+ else
+ echo -n ' NO IPNAT RULES'
+ fi
+ ;;
+ esac
+ else
+ ipfilter_enable="NO"
+ echo -n ' NO IPF RULES'
+ fi
+ ;;
+ esac
+
# Set the domainname if we're using NIS
#
case ${nisdomainname} in
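Review bot: the exit status of `${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}` is never examined, so the ipmon and ipnat cases run (and ' ipfilter' is printed) even when ipf rejected the ruleset, and `ipfilter_enable="NO"` is reset only in the unreadable-file branch; a ruleset with a syntax error therefore leaves the host unfiltered while the boot output claims otherwise. Suggest `if ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}; then` around the helper starts, with the `ipfilter_enable="NO"` / ' NO IPF RULES' path as its else branch. Second, `${ipmon_program:-ipmon} ${ipmon_flags}` is now run for any flags value, and the thread itself notes that -D is what boot-time invocation relies on; the rc.conf comment should say -D must stay in ipmon_flags so an emptied variable does not leave rc.network waiting on a non-daemonised ipmon.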
Index: src/etc/defaults/rc.conf
===================================================================
RCS file: /home/fcvs/src/etc/defaults/rc.conf,v
retrieving revision 1.78
diff -u -r1.78 rc.conf
--- src/etc/defaults/rc.conf 2000/09/01 01:08:52 1.78
+++ src/etc/defaults/rc.conf 2000/09/30 07:06:13
@@ -55,6 +55,22 @@
natd_enable="NO" # Enable natd (if firewall_enable == YES).
natd_interface="fxp0" # Public interface or IPaddress to use.
natd_flags="" # Additional flags for natd.
+ipfilter_enable="NO" # Set to YES to enable ipfilter functionality
+ipfilter_program="/sbin/ipf -Fa -f"
+ # program and how to specify the rules file,
+ # see /etc/rc.network (pass1) for details
+ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
+ # /usr/src/contrib/ipfilter/rules for examples
+ipfilter_flags="-E" # should be *empty* when ipf is _not_ a module
+ # (i.e. compiled into the kernel) to
+ # avoid a warning about "already initialized"
+ipnat_enable="NO" # Set to YES for ipnat; needs ipfilter, too!
+ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
+ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
+ipnat_flags="" # additional flags for ipnat
+ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter, too!
+ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
+ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
tcp_extensions="NO" # Set to YES to turn on RFC1323 extensions.
log_in_vain="NO" # YES to log connects to ports w/o listeners.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
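Review bot: the comment on `ipfilter_flags="-E"` explains emptying the variable as "avoid a warning about "already initialized"", while the manpage hunk in this same patch was reworded to "to not initialize the code more than once"; use one explanation in both places, and since the manpage recommends compiling IPFILTER into the kernel, the rc.conf comment should state plainly that the shipped default `-E` is only right for the module case. The `ipfilter_program`/`ipnat_program`/`ipmon_program` defaults here duplicate the `:-` fallbacks in rc.network, which the author already flags as possible overkill; a one-line comment that the rc.conf value takes precedence would settle it.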
Index: src/share/man/man5/rc.conf.5
===================================================================
RCS file: /home/fcvs/src/share/man/man5/rc.conf.5,v
retrieving revision 1.80
diff -u -r1.80 rc.conf.5
--- src/share/man/man5/rc.conf.5 2000/08/18 09:37:48 1.80
+++ src/share/man/man5/rc.conf.5 2000/09/30 07:48:11
@@ -156,6 +156,8 @@
.Ar YES ,
and the kernel was not built with IPFIREWALL, the ipfw
kernel module will be loaded.
+See also
+.Ar ipfilter_enable .
.It Ar firewall_script
(str) If you want to run a firewall script other than
.Pa /etc/rc.firewall ,
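Review bot: the bare `See also .Ar ipfilter_enable .` under firewall_enable gives no reason for the cross-reference; the ipfilter_enable text later in this patch recommends turning firewall_enable off when using ipf, so say that here (ipfw and ipf are alternatives, not meant to be enabled together) instead of leaving the reader to find the conflict further down.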
@@ -213,6 +215,218 @@
flag is automatically added with the above
.Ar natd_interface
as an argument.
+.\" ----- ipfilter_enable seting --------------------------------
+.It Ar ipfilter_enable
+(bool) Set to
+.Ar NO
+by default.
+Setting this to
+.Ar YES
+enables
+.Xr ipf 8
+packet filtering.
+Strictly speaking almost any filter could be established
+"abusing" this setting and the fact that
+.Ar ipfilter_program ,
+.Ar ipfilter_rules
+and
+.Ar ipfilter_flags
+are concatenated to form a command,
+as long as the file specified in
+.Ar ipfilter_rules
+is readable.
+When
+.Ar ipfilter_enable
+and
+.Ar ipnat_enable
+are set to
+.Ar YES
+and the file specified in
+.Ar ipnat_rules
+is readable,
+.Ar ipnat_program ,
+.Ar ipnat_rules
+and
+.Ar ipnat_flags
+make up a command line to start a network address translation program.
+When
+.Ar ipfilter_enable
+and
+.Ar ipmon_enable
+are set to
+.Ar YES ,
+.Ar ipmon_program
+and
+.Ar ipmon_flags
+form another command line for monitoring the above actions.
+See
+.Pa /etc/rc.network
+for details.
+.Pp
+Typical usage will require putting
+.Bd -literal
+ipfilter_enable="YES"
+ipfilter_flags=""
+ipnat_enable="YES"
+ipmon_enable="YES"
+
+.Ed
+into
+.Pa /etc/rc.conf
+and editing
+.Pa /etc/ipf.rules
+and
+.Pa /etc/ipnat.rules
+appropriately.
+Turning off
+.Ar firewall_enable
+when using ipf is recommended.
+Having
+.Bd -literal
+options IPFILTER
+options IPFILTER_LOG
+options IPFILTER_DEFAULT_BLOCK
+
+.Ed
+in the kernel configuration file is a good idea, too.
+.\" ----- ipfilter_program setting ------------------------------
+.It Ar ipfilter_program
+(str) Set to
+.Ar /sbin/ipf -Fa -f
+by default.
+This variable contains a command line
+up to (but not including) the filter rule definition
+(expected to live in a separate file).
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipfilter_rules setting --------------------------------
+.It Ar ipfilter_rules
+(str) Set to
+.Ar /etc/ipf.rules
+by default.
+This variable contains the name of the filter rule definition file.
+The file is expected to be readable for the filter command to execute.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipfilter_flags setting --------------------------------
+.It Ar ipfilter_flags
+(str) Set to
+.Ar -E
+by default.
+This variable contains flags appended to the filter command
+after the rule definition filename.
+The default setting will initialize an on demand loaded ipf module.
+When compiling ipfilter directly into your kernel (as is recommended)
+the variable should be empty to not initialize
+the code more than once.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipnat_enable setting ----------------------------------
+.It Ar ipnat_enable
+(bool) Set to
+.Ar NO
+by default.
+Set it to
+.Ar YES
+to enable
+.Xr ipnat 8
+network address translation.
+Setting this variable needs setting
+.Ar ipfilter_enable ,
+too.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipnat_program setting ---------------------------------
+.It Ar ipnat_program
+(str) Set to
+.Ar /sbin/ipnat -CF -f
+by default.
+This variable contains a command line
+up to (but not including) the translation rule definition
+(expected to live in a separate file).
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipnat_rules setting -----------------------------------
+.It Ar ipnat_rules
+(str) Set to
+.Ar /etc/ipnat.rules
+by default.
+This variable contains the name of the file
+holding the network address translation definition.
+This file is expected to be readable for the NAT command to execute.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipnat_flags setting -----------------------------------
+.It Ar ipnat_flags
+(str) Empty by default.
+This variable contains additional flags
+appended to the ipnat command line
+after the rule definition filename.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipmon_enable setting ----------------------------------
+.It Ar ipmon_enable
+(bool) Set to
+.Ar NO
+by default.
+Set it to
+.Ar YES
+to enable
+.Xr ipmon 8
+monitoring (logging
+.Xr ipf 8
+and
+.Xr ipnat 8
+events).
+Setting this variable needs setting
+.Ar ipfilter_enable ,
+too.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipmon_program setting ---------------------------------
+.It Ar ipmon_program
+(str) Set to
+.Ar /sbin/ipmon
+by default.
+This variable contains the
+.Xr ipmon 8
+executable filename.
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- ipmon_flags setting -----------------------------------
+.It Ar ipmon_flags
+(str) Set to
+.Ar -Ds
+by default.
+This variable contains flags passed to the
+.Xr ipmon 8
+program.
+Another typical example would be
+.Ar -D /var/log/ipflog
+to have
+.Xr ipmon 8
+log directly to a file bypassing
+.Xr syslogd 8 .
+Make sure to adjust
+.Pa /etc/newsyslog.conf
+in such case like this:
+.Bd -literal
+/var/log/ipflog 640 10 100 * Z /var/run/ipmon.pid
+
+.Ed
+See
+.Ar ipfilter_enable
+for a detailled discussion.
+.\" ----- end of added ipf hook ---------------------------------
.It Ar tcp_extensions
(bool) Set to
.Ar NO
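Review bot: spelling in the added text: "seting" in the `.\" ----- ipfilter_enable seting` marker comment and "detailled" in every "for a detailled discussion" cross-reference should read "setting" and "detailed". On the newsyslog.conf example `/var/log/ipflog 640 10 100 * Z /var/run/ipmon.pid`, say where the pid file comes from and that ipmon is expected to reopen its log on the signal newsyslog sends, otherwise an administrator copying the line gets a rotation that never reaches ipmon; mode 640 is the right choice for a log full of addresses and should stay.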
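As an added example (not code from the PR or from FreeBSD's rc.network), the final patch's ipfilter hook re-implemented with the one check the hunk lacks: ipnat and ipmon start only after ipf reported success, and ipfilter_enable is reset on any failure. ipf, ipnat and ipmon are constructed stub shell functions so the logic runs without the real binaries.

```shell
#!/bin/sh
# Re-implementation of the rc.network ipfilter hook from the final patch
# (not FreeBSD's code). Differences from the patch: the ipf exit status is
# checked, and ipfilter_enable is set to NO whenever no ruleset is active.
# Every decision is recorded in STARTED so it can be inspected afterwards.
#
# Constructed stubs standing in for /sbin/ipf, /sbin/ipnat and /sbin/ipmon;
# the ipf stub rejects a rules file that contains the word "bogus".
note()  { STARTED="${STARTED:+$STARTED; }$1"; }
ipf()   { grep -q bogus "$3" && return 1; note "ipf $*"; }
ipnat() { note "ipnat $*"; }
ipmon() { note "ipmon $*"; }

# Same variable names and fallbacks as the patch's rc.network / rc.conf.
ipfilter_hook() {
    STARTED=""
    case "${ipfilter_enable}" in
    [Yy][Ee][Ss])
        if [ -r "${ipfilter_rules}" ] &&
           ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
        then
            # Only now is a ruleset known to be loaded; start the helpers.
            case "${ipmon_enable}" in
            [Yy][Ee][Ss]) ${ipmon_program:-ipmon} ${ipmon_flags} ;;
            esac
            case "${ipnat_enable}" in
            [Yy][Ee][Ss])
                if [ -r "${ipnat_rules}" ]; then
                    ${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
                else
                    note "NO IPNAT RULES"
                fi
                ;;
            esac
        else
            # Unreadable file *or* ipf rejected it: the bookkeeping fails closed.
            ipfilter_enable="NO"
            note "NO IPF RULES"
        fi
        ;;
    esac
    echo "ipfilter hook: ${STARTED:-nothing started}"
}

# Constructed sample rules files for the demonstration.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
printf 'block in all\n' > "$TMPD/good.rules"
printf 'bogus line\n'   > "$TMPD/bad.rules"

ipfilter_enable=YES ipfilter_flags="" ipmon_enable=YES ipmon_flags="-Ds"
ipnat_enable=YES ipnat_rules="$TMPD/ipnat.rules"   # deliberately absent
ipfilter_rules="$TMPD/good.rules"; ipfilter_hook   # ipf, ipmon, no ipnat rules
ipfilter_rules="$TMPD/bad.rules";  ipfilter_hook   # ipf rejects -> nothing else
```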
State Changed From-To: open->closed
This has been MFC'd by jkh for 4.2