-rw-r--r-- | security/Makefile | 1 | ||||
-rw-r--r-- | security/pf/Makefile | 110 | ||||
-rw-r--r-- | security/pf/distinfo | 1 | ||||
-rw-r--r-- | security/pf/files/pf.conf.default | 76 | ||||
-rw-r--r-- | security/pf/files/pf.sh.sample | 68 | ||||
-rw-r--r-- | security/pf/pkg-descr | 14 | ||||
-rw-r--r-- | security/pf/pkg-install | 189 | ||||
-rw-r--r-- | security/pf/pkg-message | 9 | ||||
-rw-r--r-- | security/pf/pkg-plist | 23 |
9 files changed, 491 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index e87b5dda784b..cb2ee076534b 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -248,6 +248,7 @@
 SUBDIR += pear-Auth
 SUBDIR += pear-Auth_SASL
 SUBDIR += pear-Crypt_CBC
+ SUBDIR += pf
 SUBDIR += pgp
 SUBDIR += pgp5
 SUBDIR += pgp6
diff --git a/security/pf/Makefile b/security/pf/Makefile
new file mode 100644
index 000000000000..855a355bda4f
--- /dev/null
+++ b/security/pf/Makefile
@@ -0,0 +1,110 @@
+# New ports collection makefile for: pf_freebsd
+# Date created: 08 May 2003
+# Whom: Max Laier <max@love2party.net>
+#
+# $FreeBSD$
+#
+
+PORTNAME= pf_freebsd
+PORTVERSION= 1.0
+CATEGORIES= security ipv6
+MASTER_SITES= http://pf4freebsd.love2party.net/
+.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+PKGNAMESUFFIX= -altq
+.endif
+DISTNAME= ${PORTNAME}_${PORTVERSION}
+
+MAINTAINER= max@love2party.net
+COMMENT= OpenBSD pf as a kldmodule
+
+.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
+IS_INTERACTIVE= yes
+.endif
+
+STARTUP_SCRIPT= ${PREFIX}/etc/rc.d/pf.sh.sample
+SAMPLE_CONFIG= ${PREFIX}/etc/pf.conf.default
+
+MAN1= pftcpdump.1
+MAN4= pf.4 pflog.4 pfsync.4
+MAN5= pf.conf.5
+MAN8= ftp-proxy.8 pfctl.8 pflogd.8 pftop.8
+
+MANCOMPRESSED= maybe
+
+KMODDIR?= ${PREFIX}/modules
+MAKE_ARGS= KMODDIR="${KMODDIR}" MANDIR="${PREFIX}/man/man"
+
+SRC_BASE?= /usr/src
+.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+SYS_ALTQ?= ${SRC_BASE}/sys.altq
+MAKE_ARGS+= WITH_ALTQ="yes" SYS_ALTQ="${SYS_ALTQ}"
+PLIST_SUB+= WITH_ALTQ=""
+.else
+PLIST_SUB+= WITH_ALTQ="@comment "
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if ${OSVERSION} < 500000
+BROKEN= "Only for 5.0 and above"
+.endif
+
+.if !exists(${SRC_BASE}/sys/Makefile) && \
+ (defined(WITH_ALTQ) && !exists(${SYS_ALTQ}/Makefile)
+BROKEN= "Kernel source files required"
+.endif
+
+.if !defined(WITH_ALTQ) || (${WITH_ALTQ} != "yes")
+pre-fetch:
+ @${ECHO_CMD} "======================================================="
+ @${ECHO_CMD} "* If you have ALTQ support from: *"
+ @${ECHO_CMD} "* http://www.rofug.ro/projects/freebsd-altq/ *"
+ @${ECHO_CMD} "* You can may define WITH_ALTQ=yes to make use of it *"
+ @${ECHO_CMD} "* Please define SYS_ALTQ to point to the patched src *"
+ @${ECHO_CMD} "* *"
+ @${ECHO_CMD} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=${SRC_BASE}/sys.altq *"
+ @${ECHO_CMD} "* *"
+ @${ECHO_CMD} "======================================================="
+ @sleep 2
+.endif
+
+pre-install:
+ ${MKDIR} ${KMODDIR}
+ ${MKDIR} ${PREFIX}/include/pf
+ ${MKDIR} ${PREFIX}/include/pf/net
+.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
+ @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
+.endif
+
+post-install:
+ ${ECHO} "Installing include files ..."
+ ${INSTALL_DATA} ${WRKSRC}/include/net/pfvar.h \
+ ${PREFIX}/include/pf/net
+ ${INSTALL_DATA} ${WRKSRC}/include/net/if_pflog.h \
+ ${PREFIX}/include/pf/net
+ ${INSTALL_DATA} ${WRKSRC}/include/net/if_pfsync.h \
+ ${PREFIX}/include/pf/net
+ @if [ -f ${WRKSRC}/man/pf.4.gz ]; then \
+ ${ECHO} "Installing pftcpdump(1) man page."; \
+ ${GZIP_CMD} -cn ${WRKSRC}/freebsd_tcpdump/tcpdump.1 > \
+ ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz ; \
+ ${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz \
+ ${PREFIX}/man/man1/pftcpdump.1.gz ; \
+ else \
+ ${ECHO} "Installing pftcpdump(1) man page."; \
+ ${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1 \
+ ${PREFIX}/man/man1/pftcpdump.1 ; \
+ fi
+ @if [ ! -f ${STARTUP_SCRIPT} ]; then \
+ ${ECHO} "Installing ${STARTUP_SCRIPT} startup file." ; \
+ ${INSTALL_SCRIPT} ${FILESDIR}/pf.sh.sample \
+ ${STARTUP_SCRIPT} ; \
+ fi
+ @if [ ! -f ${SAMPLE_CONFIG} ]; then \
+ ${ECHO} "Installing ${SAMPLE_CONFIG} config file." ; \
+ ${INSTALL_DATA} ${FILESDIR}/pf.conf.default \
+ ${SAMPLE_CONFIG}; \
+ fi
+ ${SED} -e 's!%%PREFIX%%!${PREFIX}!' ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
diff --git a/security/pf/distinfo b/security/pf/distinfo
new file mode 100644
index 000000000000..38a8f2633367
--- /dev/null
+++ b/security/pf/distinfo
@@ -0,0 +1 @@
+MD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e
diff --git a/security/pf/files/pf.conf.default b/security/pf/files/pf.conf.default
new file mode 100644
index 000000000000..58923c97852c
--- /dev/null
+++ b/security/pf/files/pf.conf.default
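Review bot: The second BROKEN test is mis-parenthesised and uses the wrong operator: `.if !exists(${SRC_BASE}/sys/Makefile) && \` / `(defined(WITH_ALTQ) && !exists(${SYS_ALTQ}/Makefile)` opens a parenthesis it never closes, and with `&&` a build without kernel sources is only marked BROKEN when ALTQ is also requested and its tree is missing too. Either condition alone should stop the build: `.if !exists(${SRC_BASE}/sys/Makefile) || \` followed by `(defined(WITH_ALTQ) && !exists(${SYS_ALTQ}/Makefile))`. This test also keys on `defined(WITH_ALTQ)` alone while every other ALTQ branch in the file additionally requires `${WITH_ALTQ} == "yes"`, so with the `||` fix a `WITH_ALTQ=no` build would reach the `${SYS_ALTQ}` test with SYS_ALTQ unset and be wrongly marked BROKEN; comparing against `"yes"` here as well keeps the three branches consistent.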
@@ -0,0 +1,76 @@
+# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
+#
+# See pf.conf(5) and /usr/share/pf for syntax and examples.
+# Required order: options, normalization, queueing, translation, filtering.
+# Macros and tables may be defined and used anywhere.
+# Note that translation rules are first match while filter rules are last match.
+
+# Macros: define common values, so they can be referenced and changed easily.
+#ext_if="ext0" # replace with actual external interface name i.e., dc0
+#int_if="int0" # replace with actual internal interface name i.e., dc1
+#internal_net="10.1.1.1/8"
+#external_addr="192.168.1.1"
+
+# Tables: similar to macros, but more flexible for many addresses.
+#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
+
+# Options: tune the behavior of pf, default values are given.
+#set timeout { interval 30, frag 10 }
+#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
+#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
+#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
+#set timeout { icmp.first 20, icmp.error 10 }
+#set timeout { other.first 60, other.single 30, other.multiple 60 }
+#set limit { states 10000, frags 5000 }
+#set loginterface none
+#set optimization normal
+#set block-policy drop
+#set require-order yes
+
+# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
+#scrub in all
+
+# Queueing: rule-based bandwidth control.
+#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
+#queue dflt bandwidth 5% cbq(default)
+#queue developers bandwidth 80%
+#queue marketing bandwidth 15%
+
+# Translation: specify how addresses are to be mapped or redirected.
+# nat: packets going out through $ext_if with source address $internal_net will
+# get translated as coming from the address of $ext_if, a state is created for
+# such packets, and incoming packets will be redirected to the internal address.
+#nat on $ext_if from $internal_net to any -> ($ext_if)
+
+# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
+# be redirected to 10.1.1.1:5678. A state is created for such packets, and
+# outgoing packets will be translated as coming from the external address.
+#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
+
+# rdr outgoing FTP requests to the ftp-proxy
+#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
+
+# spamd-setup puts addresses to be redirected into table <spamd>.
+#table <spamd> persist
+#no rdr on { lo0, lo1 } from any to any
+#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
+
+# Filtering: the implicit first two rules are
+#pass in all
+#pass out all
+
+# block all incoming packets but allow ssh, pass all outgoing tcp and udp
+# connections and keep state, logging blocked packets.
+#block in log all
+#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
+#pass out on $ext_if proto { tcp, udp } all keep state
+
+# pass incoming packets destined to the addresses given in table <foo>.
+#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
+
+# pass incoming ports for ftp-proxy
+#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
+
+# assign packets to a queue.
+#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
+#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
diff --git a/security/pf/files/pf.sh.sample b/security/pf/files/pf.sh.sample
new file mode 100644
index 000000000000..0223f92df05f
--- /dev/null
+++ b/security/pf/files/pf.sh.sample
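Review bot: The header comment `# See pf.conf(5) and /usr/share/pf for syntax and examples.` still points at OpenBSD's example directory, which nothing in this port installs (pkg-plist lists no share/ files), so a FreeBSD user following it finds nothing. Suggest `# See pf.conf(5) for syntax and examples.`, or naming wherever the port's examples actually end up. The rest of the file is the OpenBSD stock sample with every rule commented out, which is a reasonable shipped default since pf does nothing until the administrator writes a real pf.conf.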
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# $FreeBSD$
+
+if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/$(basename $0)\$"); then
+ echo "$0: Cannot determine the PREFIX" >&2
+ echo "Please use the complete pathname." >&2
+ exit 1
+fi
+
+if [ -z "${source_rc_confs_defined}" ]; then
+ if [ -r /etc/defaults/rc.conf ]; then
+ . /etc/defaults/rc.conf
+ source_rc_confs
+ elif [ -r /etc/rc.conf ]; then
+ . /etc/rc.conf
+ fi
+fi
+
+case "$1" in
+start)
+ case "${pf_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' pf'
+ kldload ${PREFIX}/modules/pflog.ko
+ kldload ${PREFIX}/modules/pfsync.ko
+ if [ -f ${PREFIX}/modules/pfaltq.ko ]; then
+ kldload ${PREFIX}/modules/pfaltq.ko
+ fi
+ ifconfig pflog0 up
+ ifconfig pfsync0 up
+ case "${pf_logd}" in
+ [Yy][Ee][Ss])
+ if [ -x ${PREFIX}/sbin/pflogd ]; then
+ echo -n ' pflogd'
+ ${PREFIX}/sbin/pflogd
+ fi
+ ;;
+ esac
+ kldload ${PREFIX}/modules/pf.ko
+ if [ -f ${pf_conf:-${PREFIX}/etc/pf.conf} ]; then
+ if [ -x ${PREFIX}/sbin/pfctl ]; then
+ ${PREFIX}/sbin/pfctl -e \
+ -f ${pf_conf:-${PREFIX}/etc/pf.conf} \
+ ${pfctl_flags}
+ fi
+ fi
+ ;;
+ esac
+ ;;
+stop)
+ if [ -x ${PREFIX}/sbin/pfctl ]; then
+ ${PREFIX}/sbin/pfctl -d
+ fi
+ killall pflogd
+ kldunload pf
+ if [ -f ${PREFIX}/modules/pfaltq.ko ]; then
+ kldunload pfaltq
+ fi
+ kldunload pflog
+ kldunload pfsync
+ ;;
+*)
+ echo "Usage: `basename $0` {start|stop}" >&2
+ ;;
+esac
+
+exit 0
diff --git a/security/pf/pkg-descr b/security/pf/pkg-descr
new file mode 100644
index 000000000000..6dbab3f48493
--- /dev/null
+++ b/security/pf/pkg-descr
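Review bot: In the start branch, when `${pf_conf:-${PREFIX}/etc/pf.conf}` does not exist or pfctl is not executable, pf.ko has already been loaded but `pfctl -e` is never run, so the script prints ` pf`, exits 0 and leaves pf loaded yet disabled (it does not filter until enabled) with no indication to the administrator that the ruleset was skipped. Give the two inner checks an else branch that reports it, e.g. `else echo "$0: ${pf_conf:-${PREFIX}/etc/pf.conf} missing or pfctl not found, pf loaded but not enabled" >&2`. The `*)` usage case also falls through to `exit 0`; a bad argument should exit non-zero (`exit 64` after the usage message) so callers can tell the difference.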
@@ -0,0 +1,14 @@
+This is a port of OpenBSD's pf (packet filter) to FreeBSD as a loadable
+kernel module ported by Pyun YongHyeon. Information about pf can be found
+at: http://www.benzendrine.cx/pf.html the website of Daniel Hartmeier the
+original author of pf.
+You have to have:
+=========================================================================
+options PFIL_HOOKS
+options RANDOM_IP_ID # Recommend, but may work without
+=========================================================================
+in your kernel in oder to use pf.
+
+WWW: http://pf4freebsd.love2party.net/
+
+-Max <reports@pf4freebsd.love2party.net>
diff --git a/security/pf/pkg-install b/security/pf/pkg-install
new file mode 100644
index 000000000000..54c2701fa49b
--- /dev/null
+++ b/security/pf/pkg-install
@@ -0,0 +1,189 @@
+#!/bin/sh
+# an installation script for pf_freebsd copied from Wnn6
+
+check_pw()
+{
+ if which -s pw; then
+ :
+ else
+ cat <<EOF
+
+This system looks like a pre-2.2 version of FreeBSD. We see that it
+is missing the "pw" utility. We need this utility. Please get and
+install it, and try again. You can get the source from:
+
+ ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.sbin/pw.tar.gz
+
+EOF
+ exit 1
+ fi
+}
+
+ask() {
+ local question default answer
+
+ question=$1
+ default=$2
+ if [ -z "${PACKAGE_BUILDING}" ]; then
+ read -p "${question} (y/n) [${default}]? " answer
+ fi
+ if [ x${answer} = x ]; then
+ answer=${default}
+ fi
+ echo ${answer}
+}
+
+yesno() {
+ local dflt question answer
+
+ question=$1
+ dflt=$2
+ while :; do
+ answer=$(ask "${question}" "${dflt}")
+ case "${answer}" in
+ [Yy]*) return 0;;
+ [Nn]*) return 1;;
+ esac
+ echo "Please answer yes or no."
+ done
+}
+
+check_service() {
+ local name number type comment
+
+ name=$1
+ number=$2
+ type=$3
+ comment=$4
+
+ FILE="/etc/services"
+ # check
+ OK=no
+ HAS_SERVICE=no
+ COUNT=1
+ for i in `grep $name $FILE `; do
+ if [ $COUNT = 1 ] && [ X"$i" = X"$name" ]; then
+ HAS_SERVICE=yes
+ elif [ $COUNT = 2 ] && [ $HAS_SERVICE = yes ] && \
+ [ X"$i" = X"$number/$type" ]; then
+ OK=yes
+ break
+ fi
+ COUNT=`expr ${COUNT} + 1`
+ done
+ # add an entry for SERVICE to /etc/services
+ if [ $OK = no ]; then
+ echo "This system has no entry for $name in ${FILE}"
+ if yesno "Would you like to add it automatically?" y; then
+ mv ${FILE} ${FILE}.bak
+ (grep -v $name ${FILE}.bak ; \
+ echo "$name $number/$type # $comment") \
+ >> ${FILE}
+ rm ${FILE}.bak
+ else
+ echo "Please add '$name $number/$type' into ${FILE}, and try again."
+ return 1
+ fi
+ fi
+ return 0
+}
+
+check_group() {
+ local name id
+
+ name=$1
+ id=$2
+ #check
+ # We need a command 'pw(8)'
+ check_pw
+ if pw groupshow $name -q ; then
+ return 0
+ fi
+ if pw groupadd -g $id -n $name -N -q ; then
+ echo ""
+ echo "You need a group '$name' whose ID number is $id"
+ if yesno "Would you like to create it automatically?" y; then
+ pw groupadd -g $id -n $name
+ return 0
+ fi
+ fi
+ echo ""
+ echo "I was not able to add group 'proxy:*:71:' as pw reported:"
+ pw groupadd -g $id -n $name -N
+ echo "Please correct this and try again!"
+ echo ""
+ return 1
+}
+
+check_user() {
+ local name id group
+
+ name=$1
+ id=$2
+ group=$3
+ # check
+ id_id=`id -u $id 2> /dev/null`
+ id_name=`id -u $name 2> /dev/null`
+ if [ X"$id_name" = X$id ];then
+ return 0
+ elif [ X"$id_id" != X ]; then
+cat <<EOF
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+This system already has an account whose name is not '$name' and ID
+number is $id.
+
+ '`id $id`'
+
+For ftp-proxy in this port or package, ID number of '$name' has to be $id.
+Please try again after you delete the account.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+EOF
+ exit 1
+ elif [ X"$id_name" != X ]; then
+ cat <<EOF
+
+There is a user '$name' with ID '$id_name'. I'll try to use this account.
+
+EOF
+ return 0
+ fi
+
+ # add an account '$name' to this system
+ echo ""
+ echo "You need an account '$name' whose ID number is $id"
+ if yesno "Would you like to create it automatically?" y; then
+ # We need a command 'pw(8)'
+ check_pw
+ pw useradd $name -u $id -g $group -h - -d /nonexistent \
+ -s /nonexistent -c $name || exit
+ else
+ echo "Please create it, and try again."
+ return 1
+ fi
+ return 0
+}
+
+case $2 in
+PRE-INSTALL)
+
+ if ! check_service ftp-proxy 8021 tcp "# ftp-proxy service port"; then
+ exit 1
+ fi
+ if [ "`grep ftp-proxy /etc/inetd.conf`" ]; then
+ echo "Found ftp-proxy entry in inetd.conf ..."
+ else
+ echo "Adding sample entry for ftp-proxy to /etc/inetd.conf"
+ echo "#ftp-proxy stream tcp nowait root ${PKG_PREFIX}/libexec/ftp-proxy ftp-proxy" >> /etc/inetd.conf
+ fi
+ if ! check_group proxy 71 ; then
+ exit 1
+ fi
+ groupid=`pw groupshow proxy | awk \
+ '{ split ($1,var,":"); print var[3] }' `
+ if ! check_user proxy 71 $groupid; then
+ exit 1
+ fi
+ ;;
+
+esac
diff --git a/security/pf/pkg-message b/security/pf/pkg-message
new file mode 100644
index 000000000000..6f6331b12d3d
--- /dev/null
+++ b/security/pf/pkg-message
@@ -0,0 +1,9 @@
+===========================================================================
+Please set the folloing variables in rc.conf according to your needs:
+
+ pf_enable = "Yes"
+ pf_logd = "Yes"
+ pf_conf = "%%PREFIX%%/etc/pf.conf"
+
+They are used within %%PREFIX%%/etc/rc.d/pf.sh to bring pf up!
+===========================================================================
diff --git a/security/pf/pkg-plist b/security/pf/pkg-plist
new file mode 100644
index 000000000000..db2d874cbb01
--- /dev/null
+++ b/security/pf/pkg-plist
@@ -0,0 +1,23 @@
+libexec/ftp-proxy
+
+modules/linker.hints
+modules/pf.ko
+modules/pflog.ko
+modules/pfsync.ko
+%%WITH_ALTQ%%modules/pfaltq.ko
+
+sbin/pfctl
+sbin/pflogd
+sbin/pftcpdump
+sbin/pftop
+
+etc/rc.d/pf.sh.sample
+etc/pf.conf.default
+
+include/pf/net/pfvar.h
+include/pf/net/if_pflog.h
+include/pf/net/if_pfsync.h
+
+@dirrm modules
+@dirrm include/pf/net
+@dirrm include/pf |
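Review bot: check_service rewrites /etc/services unsafely when the user accepts the prompt: `mv ${FILE} ${FILE}.bak` leaves the system without /etc/services until the subshell's `>> ${FILE}` recreates it, the recreated file takes the script's umask instead of the original mode and ownership, `grep -v $name` drops every line that merely contains the substring rather than the entry named `$name`, and the backup is then deleted so a bad rewrite cannot be undone. Build the new file beside the original, preserving its mode, and move it into place atomically while keeping the backup. Separately, check_group's failure message hard-codes `'proxy:*:71:'` instead of using `$name`/`$id`, and it is also printed when the user simply answers no to the create prompt, which is not a pw failure; `echo "I was not able to add group '$name' (gid $id) as pw reported:"` fixes the first.
```shell
	if yesno "Would you like to add it automatically?" y; then
		cp -p ${FILE} ${FILE}.bak
		cp -p ${FILE} ${FILE}.tmp
		(grep -v "^${name}[[:space:]]" ${FILE}.bak ; \
		 echo "$name $number/$type # $comment") \
		 > ${FILE}.tmp && mv -f ${FILE}.tmp ${FILE}
	else
	# … unchanged: "Please add" message and return 1 …
```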
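Review bot: The rc.conf example lines as shown here, `pf_enable = "Yes"`, carry spaces around `=`; rc.conf is sourced by sh, where that is parsed as running a command named pf_enable rather than as an assignment, so a user who copies them gets an error at boot and pf_enable stays unset. They should read `pf_enable="Yes"` (likewise `pf_logd="Yes"` and `pf_conf="%%PREFIX%%/etc/pf.conf"`). The message also says the variables are used by `%%PREFIX%%/etc/rc.d/pf.sh`, but the port installs `pf.sh.sample` (STARTUP_SCRIPT in the Makefile), which the rc startup will not execute; tell the user to copy it to pf.sh. "folloing" should be "following".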