blob: 93a300f9c97f7074fa39424892e8f828839c3833 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
#!/bin/sh
#
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# WARNING!
#
# This script has not been tested. The author does not run this kind
# of firewall rules and is too lazy to build a firewall that does
# just for testing.
#
# If you use this script and either find it *does* work (surprise!)
# or have modifications that make it work, please send mail to
# tke FreeBSD port maintainer. (See port Makefile).
#
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# *********************************************************************
# This script is used with IPFilter if the ruleset (/etc/ipf.rules)
# does not contain explicit drop rules that mask a rule added at the end.
#
# The script will add it's rules at the end.
#
# Note that it does not use locking, so concurrent accesses may
# interfere with each other.
# *********************************************************************
#
# file "ipf_add.atend"
# IPFilter add script, called by "doormand".
# This add "pass in quick" rules to the firewall.
#
# Called with five arguments:
#
# $1 : name of the interface (e.g. ne0)
# $2 : source IP; i.e. dotted-decimal address of the 'knock' client
# $3 : source port; when this script is called for the first time
# for a connection (man 8 doormand), this argument will be set
# to a single "0" (0x30) character. This means that the source
# port is not yet known, and a broad rule allowing any source
# port is required.
# $4 : destination IP; that is, the IP address of the interface
# in argument 1.
# $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
#
# This script expects the IPFilter ruleset to have two rules like this:
inblock="block in log quick on $1 from any to any"
outblock="block out log quick on $1 from any to any"
# The new rules will be inserted just before these blocking rules.
if [ $3 = 0 ]; then
inrule="pass in quick on $1 proto TCP from $2 to $4 port = $5"
outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
else
inrule="pass in quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
fi
#
# acquire lock (not implemented)
#
# Insert new rules.
ret=`(echo $inrule; echo $outrule) | /sbin/ipf -f - 2>&1`
#
# release lock (not implemented)
#
if [ -z "$ret" ]; then
echo 0
else
echo -1 3 $ret
fi
|
