aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--security/Makefile1
-rw-r--r--security/pf/Makefile110
-rw-r--r--security/pf/distinfo1
-rw-r--r--security/pf/files/pf.conf.default76
-rw-r--r--security/pf/files/pf.sh.sample68
-rw-r--r--security/pf/pkg-descr14
-rw-r--r--security/pf/pkg-install189
-rw-r--r--security/pf/pkg-message9
-rw-r--r--security/pf/pkg-plist23
9 files changed, 491 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index e87b5dda784b..cb2ee076534b 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -248,6 +248,7 @@
SUBDIR += pear-Auth
SUBDIR += pear-Auth_SASL
SUBDIR += pear-Crypt_CBC
+ SUBDIR += pf
SUBDIR += pgp
SUBDIR += pgp5
SUBDIR += pgp6
diff --git a/security/pf/Makefile b/security/pf/Makefile
new file mode 100644
index 000000000000..855a355bda4f
--- /dev/null
+++ b/security/pf/Makefile
@@ -0,0 +1,110 @@
+# New ports collection makefile for: pf_freebsd
+# Date created: 08 May 2003
+# Whom: Max Laier <max@love2party.net>
+#
+# $FreeBSD$
+#
+
+PORTNAME= pf_freebsd
+PORTVERSION= 1.0
+CATEGORIES= security ipv6
+MASTER_SITES= http://pf4freebsd.love2party.net/
+.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+PKGNAMESUFFIX= -altq
+.endif
+DISTNAME= ${PORTNAME}_${PORTVERSION}
+
+MAINTAINER= max@love2party.net
+COMMENT= OpenBSD pf as a kldmodule
+
+.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
+IS_INTERACTIVE= yes
+.endif
+
+STARTUP_SCRIPT= ${PREFIX}/etc/rc.d/pf.sh.sample
+SAMPLE_CONFIG= ${PREFIX}/etc/pf.conf.default
+
+MAN1= pftcpdump.1
+MAN4= pf.4 pflog.4 pfsync.4
+MAN5= pf.conf.5
+MAN8= ftp-proxy.8 pfctl.8 pflogd.8 pftop.8
+
+MANCOMPRESSED= maybe
+
+KMODDIR?= ${PREFIX}/modules
+MAKE_ARGS= KMODDIR="${KMODDIR}" MANDIR="${PREFIX}/man/man"
+
+SRC_BASE?= /usr/src
+.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+SYS_ALTQ?= ${SRC_BASE}/sys.altq
+MAKE_ARGS+= WITH_ALTQ="yes" SYS_ALTQ="${SYS_ALTQ}"
+PLIST_SUB+= WITH_ALTQ=""
+.else
+PLIST_SUB+= WITH_ALTQ="@comment "
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if ${OSVERSION} < 500000
+BROKEN= "Only for 5.0 and above"
+.endif
+
+.if !exists(${SRC_BASE}/sys/Makefile) && \
+ (defined(WITH_ALTQ) && !exists(${SYS_ALTQ}/Makefile)
+BROKEN= "Kernel source files required"
+.endif
+
+.if !defined(WITH_ALTQ) || (${WITH_ALTQ} != "yes")
+pre-fetch:
+ @${ECHO_CMD} "======================================================="
+ @${ECHO_CMD} "* If you have ALTQ support from: *"
+ @${ECHO_CMD} "* http://www.rofug.ro/projects/freebsd-altq/ *"
+ @${ECHO_CMD} "* You can may define WITH_ALTQ=yes to make use of it *"
+ @${ECHO_CMD} "* Please define SYS_ALTQ to point to the patched src *"
+ @${ECHO_CMD} "* *"
+ @${ECHO_CMD} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=${SRC_BASE}/sys.altq *"
+ @${ECHO_CMD} "* *"
+ @${ECHO_CMD} "======================================================="
+ @sleep 2
+.endif
+
+pre-install:
+ ${MKDIR} ${KMODDIR}
+ ${MKDIR} ${PREFIX}/include/pf
+ ${MKDIR} ${PREFIX}/include/pf/net
+.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
+ @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
+.endif
+
+post-install:
+ ${ECHO} "Installing include files ..."
+ ${INSTALL_DATA} ${WRKSRC}/include/net/pfvar.h \
+ ${PREFIX}/include/pf/net
+ ${INSTALL_DATA} ${WRKSRC}/include/net/if_pflog.h \
+ ${PREFIX}/include/pf/net
+ ${INSTALL_DATA} ${WRKSRC}/include/net/if_pfsync.h \
+ ${PREFIX}/include/pf/net
+ @if [ -f ${WRKSRC}/man/pf.4.gz ]; then \
+ ${ECHO} "Installing pftcpdump(1) man page."; \
+ ${GZIP_CMD} -cn ${WRKSRC}/freebsd_tcpdump/tcpdump.1 > \
+ ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz ; \
+ ${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz \
+ ${PREFIX}/man/man1/pftcpdump.1.gz ; \
+ else \
+ ${ECHO} "Installing pftcpdump(1) man page."; \
+ ${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1 \
+ ${PREFIX}/man/man1/pftcpdump.1 ; \
+ fi
+ @if [ ! -f ${STARTUP_SCRIPT} ]; then \
+ ${ECHO} "Installing ${STARTUP_SCRIPT} startup file." ; \
+ ${INSTALL_SCRIPT} ${FILESDIR}/pf.sh.sample \
+ ${STARTUP_SCRIPT} ; \
+ fi
+ @if [ ! -f ${SAMPLE_CONFIG} ]; then \
+ ${ECHO} "Installing ${SAMPLE_CONFIG} config file." ; \
+ ${INSTALL_DATA} ${FILESDIR}/pf.conf.default \
+ ${SAMPLE_CONFIG}; \
+ fi
+ ${SED} -e 's!%%PREFIX%%!${PREFIX}!' ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
diff --git a/security/pf/distinfo b/security/pf/distinfo
new file mode 100644
index 000000000000..38a8f2633367
--- /dev/null
+++ b/security/pf/distinfo
@@ -0,0 +1 @@
+MD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e
diff --git a/security/pf/files/pf.conf.default b/security/pf/files/pf.conf.default
new file mode 100644
index 000000000000..58923c97852c
--- /dev/null
+++ b/security/pf/files/pf.conf.default
@@ -0,0 +1,76 @@
+# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
+#
+# See pf.conf(5) and /usr/share/pf for syntax and examples.
+# Required order: options, normalization, queueing, translation, filtering.
+# Macros and tables may be defined and used anywhere.
+# Note that translation rules are first match while filter rules are last match.
+
+# Macros: define common values, so they can be referenced and changed easily.
+#ext_if="ext0" # replace with actual external interface name i.e., dc0
+#int_if="int0" # replace with actual internal interface name i.e., dc1
+#internal_net="10.1.1.1/8"
+#external_addr="192.168.1.1"
+
+# Tables: similar to macros, but more flexible for many addresses.
+#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
+
+# Options: tune the behavior of pf, default values are given.
+#set timeout { interval 30, frag 10 }
+#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
+#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
+#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
+#set timeout { icmp.first 20, icmp.error 10 }
+#set timeout { other.first 60, other.single 30, other.multiple 60 }
+#set limit { states 10000, frags 5000 }
+#set loginterface none
+#set optimization normal
+#set block-policy drop
+#set require-order yes
+
+# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
+#scrub in all
+
+# Queueing: rule-based bandwidth control.
+#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
+#queue dflt bandwidth 5% cbq(default)
+#queue developers bandwidth 80%
+#queue marketing bandwidth 15%
+
+# Translation: specify how addresses are to be mapped or redirected.
+# nat: packets going out through $ext_if with source address $internal_net will
+# get translated as coming from the address of $ext_if, a state is created for
+# such packets, and incoming packets will be redirected to the internal address.
+#nat on $ext_if from $internal_net to any -> ($ext_if)
+
+# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
+# be redirected to 10.1.1.1:5678. A state is created for such packets, and
+# outgoing packets will be translated as coming from the external address.
+#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
+
+# rdr outgoing FTP requests to the ftp-proxy
+#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
+
+# spamd-setup puts addresses to be redirected into table <spamd>.
+#table <spamd> persist
+#no rdr on { lo0, lo1 } from any to any
+#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
+
+# Filtering: the implicit first two rules are
+#pass in all
+#pass out all
+
+# block all incoming packets but allow ssh, pass all outgoing tcp and udp
+# connections and keep state, logging blocked packets.
+#block in log all
+#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
+#pass out on $ext_if proto { tcp, udp } all keep state
+
+# pass incoming packets destined to the addresses given in table <foo>.
+#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
+
+# pass incoming ports for ftp-proxy
+#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
+
+# assign packets to a queue.
+#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
+#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
diff --git a/security/pf/files/pf.sh.sample b/security/pf/files/pf.sh.sample
new file mode 100644
index 000000000000..0223f92df05f
--- /dev/null
+++ b/security/pf/files/pf.sh.sample
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# $FreeBSD$
+
+if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/$(basename $0)\$"); then
+ echo "$0: Cannot determine the PREFIX" >&2
+ echo "Please use the complete pathname." >&2
+ exit 1
+fi
+
+if [ -z "${source_rc_confs_defined}" ]; then
+ if [ -r /etc/defaults/rc.conf ]; then
+ . /etc/defaults/rc.conf
+ source_rc_confs
+ elif [ -r /etc/rc.conf ]; then
+ . /etc/rc.conf
+ fi
+fi
+
+case "$1" in
+start)
+ case "${pf_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' pf'
+ kldload ${PREFIX}/modules/pflog.ko
+ kldload ${PREFIX}/modules/pfsync.ko
+ if [ -f ${PREFIX}/modules/pfaltq.ko ]; then
+ kldload ${PREFIX}/modules/pfaltq.ko
+ fi
+ ifconfig pflog0 up
+ ifconfig pfsync0 up
+ case "${pf_logd}" in
+ [Yy][Ee][Ss])
+ if [ -x ${PREFIX}/sbin/pflogd ]; then
+ echo -n ' pflogd'
+ ${PREFIX}/sbin/pflogd
+ fi
+ ;;
+ esac
+ kldload ${PREFIX}/modules/pf.ko
+ if [ -f ${pf_conf:-${PREFIX}/etc/pf.conf} ]; then
+ if [ -x ${PREFIX}/sbin/pfctl ]; then
+ ${PREFIX}/sbin/pfctl -e \
+ -f ${pf_conf:-${PREFIX}/etc/pf.conf} \
+ ${pfctl_flags}
+ fi
+ fi
+ ;;
+ esac
+ ;;
+stop)
+ if [ -x ${PREFIX}/sbin/pfctl ]; then
+ ${PREFIX}/sbin/pfctl -d
+ fi
+ killall pflogd
+ kldunload pf
+ if [ -f ${PREFIX}/modules/pfaltq.ko ]; then
+ kldunload pfaltq
+ fi
+ kldunload pflog
+ kldunload pfsync
+ ;;
+*)
+ echo "Usage: `basename $0` {start|stop}" >&2
+ ;;
+esac
+
+exit 0
diff --git a/security/pf/pkg-descr b/security/pf/pkg-descr
new file mode 100644
index 000000000000..6dbab3f48493
--- /dev/null
+++ b/security/pf/pkg-descr
@@ -0,0 +1,14 @@
+This is a port of OpenBSD's pf (packet filter) to FreeBSD as a loadable
+kernel module ported by Pyun YongHyeon. Information about pf can be found
+at: http://www.benzendrine.cx/pf.html the website of Daniel Hartmeier the
+original author of pf.
+You have to have:
+=========================================================================
+options PFIL_HOOKS
+options RANDOM_IP_ID # Recommend, but may work without
+=========================================================================
+in your kernel in oder to use pf.
+
+WWW: http://pf4freebsd.love2party.net/
+
+-Max <reports@pf4freebsd.love2party.net>
diff --git a/security/pf/pkg-install b/security/pf/pkg-install
new file mode 100644
index 000000000000..54c2701fa49b
--- /dev/null
+++ b/security/pf/pkg-install
@@ -0,0 +1,189 @@
+#!/bin/sh
+# an installation script for pf_freebsd copied from Wnn6
+
+check_pw()
+{
+ if which -s pw; then
+ :
+ else
+ cat <<EOF
+
+This system looks like a pre-2.2 version of FreeBSD. We see that it
+is missing the "pw" utility. We need this utility. Please get and
+install it, and try again. You can get the source from:
+
+ ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.sbin/pw.tar.gz
+
+EOF
+ exit 1
+ fi
+}
+
+ask() {
+ local question default answer
+
+ question=$1
+ default=$2
+ if [ -z "${PACKAGE_BUILDING}" ]; then
+ read -p "${question} (y/n) [${default}]? " answer
+ fi
+ if [ x${answer} = x ]; then
+ answer=${default}
+ fi
+ echo ${answer}
+}
+
+yesno() {
+ local dflt question answer
+
+ question=$1
+ dflt=$2
+ while :; do
+ answer=$(ask "${question}" "${dflt}")
+ case "${answer}" in
+ [Yy]*) return 0;;
+ [Nn]*) return 1;;
+ esac
+ echo "Please answer yes or no."
+ done
+}
+
+check_service() {
+ local name number type comment
+
+ name=$1
+ number=$2
+ type=$3
+ comment=$4
+
+ FILE="/etc/services"
+ # check
+ OK=no
+ HAS_SERVICE=no
+ COUNT=1
+ for i in `grep $name $FILE `; do
+ if [ $COUNT = 1 ] && [ X"$i" = X"$name" ]; then
+ HAS_SERVICE=yes
+ elif [ $COUNT = 2 ] && [ $HAS_SERVICE = yes ] && \
+ [ X"$i" = X"$number/$type" ]; then
+ OK=yes
+ break
+ fi
+ COUNT=`expr ${COUNT} + 1`
+ done
+ # add an entry for SERVICE to /etc/services
+ if [ $OK = no ]; then
+ echo "This system has no entry for $name in ${FILE}"
+ if yesno "Would you like to add it automatically?" y; then
+ mv ${FILE} ${FILE}.bak
+ (grep -v $name ${FILE}.bak ; \
+ echo "$name $number/$type # $comment") \
+ >> ${FILE}
+ rm ${FILE}.bak
+ else
+ echo "Please add '$name $number/$type' into ${FILE}, and try again."
+ return 1
+ fi
+ fi
+ return 0
+}
+
+check_group() {
+ local name id
+
+ name=$1
+ id=$2
+ #check
+ # We need a command 'pw(8)'
+ check_pw
+ if pw groupshow $name -q ; then
+ return 0
+ fi
+ if pw groupadd -g $id -n $name -N -q ; then
+ echo ""
+ echo "You need a group '$name' whose ID number is $id"
+ if yesno "Would you like to create it automatically?" y; then
+ pw groupadd -g $id -n $name
+ return 0
+ fi
+ fi
+ echo ""
+ echo "I was not able to add group 'proxy:*:71:' as pw reported:"
+ pw groupadd -g $id -n $name -N
+ echo "Please correct this and try again!"
+ echo ""
+ return 1
+}
+
+check_user() {
+ local name id group
+
+ name=$1
+ id=$2
+ group=$3
+ # check
+ id_id=`id -u $id 2> /dev/null`
+ id_name=`id -u $name 2> /dev/null`
+ if [ X"$id_name" = X$id ];then
+ return 0
+ elif [ X"$id_id" != X ]; then
+cat <<EOF
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+This system already has an account whose name is not '$name' and ID
+number is $id.
+
+ '`id $id`'
+
+For ftp-proxy in this port or package, ID number of '$name' has to be $id.
+Please try again after you delete the account.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+EOF
+ exit 1
+ elif [ X"$id_name" != X ]; then
+ cat <<EOF
+
+There is a user '$name' with ID '$id_name'. I'll try to use this account.
+
+EOF
+ return 0
+ fi
+
+ # add an account '$name' to this system
+ echo ""
+ echo "You need an account '$name' whose ID number is $id"
+ if yesno "Would you like to create it automatically?" y; then
+ # We need a command 'pw(8)'
+ check_pw
+ pw useradd $name -u $id -g $group -h - -d /nonexistent \
+ -s /nonexistent -c $name || exit
+ else
+ echo "Please create it, and try again."
+ return 1
+ fi
+ return 0
+}
+
+case $2 in
+PRE-INSTALL)
+
+ if ! check_service ftp-proxy 8021 tcp "# ftp-proxy service port"; then
+ exit 1
+ fi
+ if [ "`grep ftp-proxy /etc/inetd.conf`" ]; then
+ echo "Found ftp-proxy entry in inetd.conf ..."
+ else
+ echo "Adding sample entry for ftp-proxy to /etc/inetd.conf"
+ echo "#ftp-proxy stream tcp nowait root ${PKG_PREFIX}/libexec/ftp-proxy ftp-proxy" >> /etc/inetd.conf
+ fi
+ if ! check_group proxy 71 ; then
+ exit 1
+ fi
+ groupid=`pw groupshow proxy | awk \
+ '{ split ($1,var,":"); print var[3] }' `
+ if ! check_user proxy 71 $groupid; then
+ exit 1
+ fi
+ ;;
+
+esac
diff --git a/security/pf/pkg-message b/security/pf/pkg-message
new file mode 100644
index 000000000000..6f6331b12d3d
--- /dev/null
+++ b/security/pf/pkg-message
@@ -0,0 +1,9 @@
+===========================================================================
+Please set the folloing variables in rc.conf according to your needs:
+
+ pf_enable = "Yes"
+ pf_logd = "Yes"
+ pf_conf = "%%PREFIX%%/etc/pf.conf"
+
+They are used within %%PREFIX%%/etc/rc.d/pf.sh to bring pf up!
+===========================================================================
diff --git a/security/pf/pkg-plist b/security/pf/pkg-plist
new file mode 100644
index 000000000000..db2d874cbb01
--- /dev/null
+++ b/security/pf/pkg-plist
@@ -0,0 +1,23 @@
+libexec/ftp-proxy
+
+modules/linker.hints
+modules/pf.ko
+modules/pflog.ko
+modules/pfsync.ko
+%%WITH_ALTQ%%modules/pfaltq.ko
+
+sbin/pfctl
+sbin/pflogd
+sbin/pftcpdump
+sbin/pftop
+
+etc/rc.d/pf.sh.sample
+etc/pf.conf.default
+
+include/pf/net/pfvar.h
+include/pf/net/if_pflog.h
+include/pf/net/if_pfsync.h
+
+@dirrm modules
+@dirrm include/pf/net
+@dirrm include/pf