Add pf 1.0, OpenBSD's pf (packetfilter) as in OpenBSD 3.3 as a loadable

kernel module. PR: 52121 Submitted by: Max Laier <max@love2party.net>
svn path=/head/; revision=82906
2003-06-13 01:09:29 +00:00 · 2003-06-13 01:09:29 +00:00 · 588291566f · 2021-03-31 03:12:20 +00:00
commit 588291566f
parent e8523fca5f
9 changed files with 491 additions and 0 deletions
--- a/security/Makefile
+++ b/security/Makefile
@ -248,6 +248,7 @@
    SUBDIR += pear-Auth
    SUBDIR += pear-Auth_SASL
    SUBDIR += pear-Crypt_CBC
+    SUBDIR += pf
    SUBDIR += pgp
    SUBDIR += pgp5
    SUBDIR += pgp6
--- a/security/pf/Makefile
+++ b/security/pf/Makefile
@ -0,0 +1,110 @@
+# New ports collection makefile for:	pf_freebsd
+# Date created:		08 May 2003
+# Whom:			Max Laier <max@love2party.net>
+#
+# $FreeBSD$
+#
+
+PORTNAME=	pf_freebsd
+PORTVERSION=	1.0
+CATEGORIES=	security ipv6
+MASTER_SITES=	http://pf4freebsd.love2party.net/
+.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+PKGNAMESUFFIX=	-altq
+.endif
+DISTNAME=	${PORTNAME}_${PORTVERSION}
+
+MAINTAINER=	max@love2party.net
+COMMENT=	OpenBSD pf as a kldmodule
+
+.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
+IS_INTERACTIVE= yes
+.endif
+
+STARTUP_SCRIPT= ${PREFIX}/etc/rc.d/pf.sh.sample
+SAMPLE_CONFIG=  ${PREFIX}/etc/pf.conf.default
+
+MAN1=		pftcpdump.1
+MAN4=		pf.4 pflog.4 pfsync.4
+MAN5=		pf.conf.5
+MAN8=		ftp-proxy.8 pfctl.8 pflogd.8 pftop.8
+
+MANCOMPRESSED=	maybe
+
+KMODDIR?=	${PREFIX}/modules
+MAKE_ARGS=	KMODDIR="${KMODDIR}" MANDIR="${PREFIX}/man/man"
+
+SRC_BASE?=	/usr/src
+.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
+SYS_ALTQ?=	${SRC_BASE}/sys.altq
+MAKE_ARGS+=	WITH_ALTQ="yes" SYS_ALTQ="${SYS_ALTQ}"
+PLIST_SUB+=	WITH_ALTQ=""
+.else
+PLIST_SUB+=	WITH_ALTQ="@comment "
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if ${OSVERSION} < 500000
+BROKEN=	"Only for 5.0 and above"
+.endif
+
+.if !exists(${SRC_BASE}/sys/Makefile) && \
+    (defined(WITH_ALTQ) && !exists(${SYS_ALTQ}/Makefile)
+BROKEN=	"Kernel source files required"
+.endif
+
+.if !defined(WITH_ALTQ) || (${WITH_ALTQ} != "yes")
+pre-fetch:
+	@${ECHO_CMD} "======================================================="
+	@${ECHO_CMD} "* If you have ALTQ support from:                      *"
+	@${ECHO_CMD} "*   http://www.rofug.ro/projects/freebsd-altq/        *"
+	@${ECHO_CMD} "* You can may define WITH_ALTQ=yes to make use of it  *"
+	@${ECHO_CMD} "* Please define SYS_ALTQ to point to the patched src  *"
+	@${ECHO_CMD} "*                                                     *"
+	@${ECHO_CMD} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=${SRC_BASE}/sys.altq *"
+	@${ECHO_CMD} "*                                                     *"
+	@${ECHO_CMD} "======================================================="
+	@sleep 2
+.endif
+
+pre-install:
+	${MKDIR} ${KMODDIR}
+	${MKDIR} ${PREFIX}/include/pf
+	${MKDIR} ${PREFIX}/include/pf/net
+.if !defined(BATCH) && !defined(PACKAGE_BUILDING)
+	@${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
+.endif
+
+post-install:
+	${ECHO} "Installing include files ..."
+	${INSTALL_DATA} ${WRKSRC}/include/net/pfvar.h 			\
+	${PREFIX}/include/pf/net
+	${INSTALL_DATA} ${WRKSRC}/include/net/if_pflog.h 		\
+	${PREFIX}/include/pf/net
+	${INSTALL_DATA} ${WRKSRC}/include/net/if_pfsync.h 		\
+	${PREFIX}/include/pf/net
+	@if [ -f ${WRKSRC}/man/pf.4.gz ]; then				\
+		${ECHO} "Installing pftcpdump(1) man page.";		\
+		${GZIP_CMD} -cn ${WRKSRC}/freebsd_tcpdump/tcpdump.1 >	\
+			 ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz ;	\
+		${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz	\
+		${PREFIX}/man/man1/pftcpdump.1.gz ;			\
+	else								\
+		${ECHO} "Installing pftcpdump(1) man page.";		\
+		${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1	\
+		${PREFIX}/man/man1/pftcpdump.1 ;			\
+	fi
+	@if [ ! -f ${STARTUP_SCRIPT} ]; then				\
+		${ECHO} "Installing ${STARTUP_SCRIPT} startup file." ;	\
+		${INSTALL_SCRIPT} ${FILESDIR}/pf.sh.sample		\
+		${STARTUP_SCRIPT} ;					\
+	fi
+	@if [ ! -f ${SAMPLE_CONFIG} ]; then				\
+		${ECHO} "Installing ${SAMPLE_CONFIG} config file." ;	\
+		${INSTALL_DATA} ${FILESDIR}/pf.conf.default		\
+		${SAMPLE_CONFIG};					\
+	fi
+	${SED} -e 's!%%PREFIX%%!${PREFIX}!' ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
--- a/security/pf/distinfo
+++ b/security/pf/distinfo
@ -0,0 +1 @@
+MD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e
--- a/security/pf/files/pf.conf.default
+++ b/security/pf/files/pf.conf.default
@ -0,0 +1,76 @@
+#	$OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
+#
+# See pf.conf(5) and /usr/share/pf for syntax and examples.
+# Required order: options, normalization, queueing, translation, filtering.
+# Macros and tables may be defined and used anywhere.
+# Note that translation rules are first match while filter rules are last match.
+
+# Macros: define common values, so they can be referenced and changed easily.
+#ext_if="ext0"	# replace with actual external interface name i.e., dc0
+#int_if="int0"	# replace with actual internal interface name i.e., dc1
+#internal_net="10.1.1.1/8"
+#external_addr="192.168.1.1"
+
+# Tables: similar to macros, but more flexible for many addresses.
+#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
+
+# Options: tune the behavior of pf, default values are given.
+#set timeout { interval 30, frag 10 }
+#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
+#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
+#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
+#set timeout { icmp.first 20, icmp.error 10 }
+#set timeout { other.first 60, other.single 30, other.multiple 60 }
+#set limit { states 10000, frags 5000 }
+#set loginterface none
+#set optimization normal
+#set block-policy drop
+#set require-order yes
+
+# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
+#scrub in all
+
+# Queueing: rule-based bandwidth control.
+#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
+#queue dflt bandwidth 5% cbq(default)
+#queue developers bandwidth 80%
+#queue marketing  bandwidth 15%
+
+# Translation: specify how addresses are to be mapped or redirected.
+# nat: packets going out through $ext_if with source address $internal_net will
+# get translated as coming from the address of $ext_if, a state is created for
+# such packets, and incoming packets will be redirected to the internal address.
+#nat on $ext_if from $internal_net to any -> ($ext_if)
+
+# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
+# be redirected to 10.1.1.1:5678. A state is created for such packets, and
+# outgoing packets will be translated as coming from the external address.
+#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
+
+# rdr outgoing FTP requests to the ftp-proxy
+#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
+
+# spamd-setup puts addresses to be redirected into table <spamd>.
+#table <spamd> persist
+#no rdr on { lo0, lo1 } from any to any
+#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
+
+# Filtering: the implicit first two rules are
+#pass in all
+#pass out all
+
+# block all incoming packets but allow ssh, pass all outgoing tcp and udp
+# connections and keep state, logging blocked packets.
+#block in log all
+#pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
+#pass  out on $ext_if proto { tcp, udp } all keep state
+
+# pass incoming packets destined to the addresses given in table <foo>.
+#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
+
+# pass incoming ports for ftp-proxy
+#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
+
+# assign packets to a queue.
+#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
+#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
--- a/security/pf/files/pf.sh.sample
+++ b/security/pf/files/pf.sh.sample
@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# $FreeBSD$
+
+if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/$(basename $0)\$"); then
+    echo "$0: Cannot determine the PREFIX" >&2
+    echo "Please use the complete pathname." >&2
+    exit 1
+fi
+
+if [ -z "${source_rc_confs_defined}" ]; then
+	if [ -r /etc/defaults/rc.conf ]; then
+		. /etc/defaults/rc.conf
+		source_rc_confs
+	elif [ -r /etc/rc.conf ]; then
+		. /etc/rc.conf
+	fi
+fi
+
+case "$1" in
+start)
+	case "${pf_enable}" in
+	    [Yy][Ee][Ss])
+	    echo -n ' pf'
+	    kldload ${PREFIX}/modules/pflog.ko
+	    kldload ${PREFIX}/modules/pfsync.ko
+	    if [ -f ${PREFIX}/modules/pfaltq.ko ]; then
+		kldload ${PREFIX}/modules/pfaltq.ko
+	    fi
+	    ifconfig pflog0 up
+	    ifconfig pfsync0 up
+	    case "${pf_logd}" in
+	    [Yy][Ee][Ss])
+		if [ -x ${PREFIX}/sbin/pflogd ]; then
+			echo -n ' pflogd'
+			${PREFIX}/sbin/pflogd
+		fi
+	    	;;
+	    esac
+	    kldload ${PREFIX}/modules/pf.ko
+	    if [ -f ${pf_conf:-${PREFIX}/etc/pf.conf} ]; then
+		if [ -x ${PREFIX}/sbin/pfctl ]; then
+			${PREFIX}/sbin/pfctl -e \
+				-f ${pf_conf:-${PREFIX}/etc/pf.conf} \
+				${pfctl_flags}
+		fi
+	    fi
+	    ;;
+	esac
+	;;
+stop)
+	if [ -x ${PREFIX}/sbin/pfctl ]; then
+		${PREFIX}/sbin/pfctl -d
+	fi
+	killall pflogd
+	kldunload pf
+	if [ -f ${PREFIX}/modules/pfaltq.ko ]; then
+		kldunload pfaltq
+	fi
+	kldunload pflog
+	kldunload pfsync
+	;;
+*)
+	echo "Usage: `basename $0` {start|stop}" >&2
+	;;
+esac
+
+exit 0
--- a/security/pf/pkg-descr
+++ b/security/pf/pkg-descr
@ -0,0 +1,14 @@
+This is a port of OpenBSD's pf (packet filter) to FreeBSD as a loadable
+kernel module ported by Pyun YongHyeon. Information about pf can be found 
+at: http://www.benzendrine.cx/pf.html the website of Daniel Hartmeier the
+original author of pf.
+You have to have:
+=========================================================================
+options		PFIL_HOOKS
+options		RANDOM_IP_ID	# Recommend, but may work without
+=========================================================================
+in your kernel in oder to use pf.
+
+WWW: http://pf4freebsd.love2party.net/
+
+-Max <reports@pf4freebsd.love2party.net>
--- a/security/pf/pkg-install
+++ b/security/pf/pkg-install
@ -0,0 +1,189 @@
+#!/bin/sh
+# an installation script for pf_freebsd copied from Wnn6
+
+check_pw()
+{
+    if which -s pw; then
+	:
+    else
+	cat <<EOF
+
+This system looks like a pre-2.2 version of FreeBSD.  We see that it
+is missing the "pw" utility.  We need this utility.  Please get and
+install it, and try again.  You can get the source from:
+
+  ftp://ftp.freebsd.org/pub/FreeBSD/FreeBSD-current/src/usr.sbin/pw.tar.gz
+
+EOF
+	exit 1
+    fi
+}
+
+ask() {
+    local question default answer
+
+    question=$1
+    default=$2
+    if [ -z "${PACKAGE_BUILDING}" ]; then
+	read -p "${question} (y/n) [${default}]? " answer
+    fi
+    if [ x${answer} = x ]; then
+	answer=${default}
+    fi
+    echo ${answer}
+}
+
+yesno() {
+    local dflt question answer
+
+    question=$1
+    dflt=$2
+    while :; do
+	answer=$(ask "${question}" "${dflt}")
+	case "${answer}" in
+	[Yy]*)		return 0;;
+	[Nn]*)		return 1;;
+	esac
+	echo "Please answer yes or no."
+    done
+}
+
+check_service() {
+    local name number type comment
+    
+    name=$1
+    number=$2
+    type=$3
+    comment=$4
+    
+    FILE="/etc/services"
+    # check
+    OK=no
+    HAS_SERVICE=no
+    COUNT=1
+    for i in `grep $name $FILE `; do
+	if [ $COUNT = 1 ] && [ X"$i" = X"$name" ]; then
+	    HAS_SERVICE=yes
+	elif [ $COUNT = 2 ] && [ $HAS_SERVICE = yes ] && \
+		[ X"$i" = X"$number/$type" ]; then
+	    OK=yes
+	    break
+	fi
+	COUNT=`expr ${COUNT} + 1`
+    done
+    # add an entry for SERVICE to /etc/services
+    if [ $OK = no ]; then
+	echo "This system has no entry for $name in ${FILE}"
+	if yesno "Would you like to add it automatically?" y; then
+	    mv ${FILE} ${FILE}.bak
+	    (grep -v $name ${FILE}.bak ; \
+		echo "$name	$number/$type	# $comment") \
+		>> ${FILE}
+	    rm ${FILE}.bak
+	else
+	    echo "Please add '$name $number/$type' into ${FILE}, and try again."
+	    return 1
+	fi
+    fi
+    return 0
+}
+
+check_group() {
+    local name id
+
+    name=$1
+    id=$2
+    #check
+    # We need a command 'pw(8)'
+    check_pw
+    if pw groupshow $name -q ; then
+	return 0
+    fi
+    if pw groupadd -g $id -n $name -N -q ; then 
+    	echo ""
+    	echo "You need a group '$name' whose ID number is $id"
+    	if yesno "Would you like to create it automatically?" y; then
+	    pw groupadd -g $id -n $name
+	    return 0
+	fi
+    fi
+    echo ""
+    echo "I was not able to add group 'proxy:*:71:' as pw reported:"
+    pw groupadd -g $id -n $name -N
+    echo "Please correct this and try again!"
+    echo ""
+    return 1
+}
+
+check_user() {
+    local name id group
+
+    name=$1
+    id=$2
+    group=$3
+    # check
+    id_id=`id -u $id 2> /dev/null`
+    id_name=`id -u $name 2> /dev/null`
+    if [ X"$id_name" = X$id ];then
+	return 0
+    elif [ X"$id_id" != X ]; then
+cat <<EOF
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+This system already has an account whose name is not '$name' and ID
+number is $id.
+
+   '`id $id`'
+
+For ftp-proxy in this port or package, ID number of '$name' has to be $id.
+Please try again after you delete the account.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+EOF
+	exit 1
+    elif [ X"$id_name" != X ]; then
+	cat <<EOF
+
+There is a user '$name' with ID '$id_name'. I'll try to use this account.
+
+EOF
+	return 0
+    fi
+
+    # add an account '$name' to this system
+    echo ""
+    echo "You need an account '$name' whose ID number is $id"
+    if yesno "Would you like to create it automatically?" y; then
+	# We need a command 'pw(8)'
+	check_pw
+	pw useradd $name -u $id -g $group -h - -d /nonexistent \
+		-s /nonexistent -c $name || exit
+    else
+	echo "Please create it, and try again."
+	return 1
+    fi
+    return 0
+}
+
+case $2 in
+PRE-INSTALL)
+
+    if ! check_service ftp-proxy 8021 tcp "# ftp-proxy service port"; then
+	exit 1
+    fi
+    if [ "`grep ftp-proxy /etc/inetd.conf`" ]; then
+ 	echo "Found ftp-proxy entry in inetd.conf ..."
+    else
+	echo "Adding sample entry for ftp-proxy to /etc/inetd.conf"
+	echo "#ftp-proxy stream tcp nowait root ${PKG_PREFIX}/libexec/ftp-proxy ftp-proxy" >> /etc/inetd.conf
+    fi
+    if ! check_group proxy 71 ; then 
+	exit 1
+    fi
+    groupid=`pw groupshow proxy | awk \
+		'{ split ($1,var,":"); print var[3] }' `
+    if ! check_user proxy 71 $groupid; then
+	exit 1
+    fi
+    ;;
+
+esac
--- a/security/pf/pkg-message
+++ b/security/pf/pkg-message
@ -0,0 +1,9 @@
+===========================================================================
+Please set the folloing variables in rc.conf according to your needs:
+
+	pf_enable 	= "Yes"
+	pf_logd	  	= "Yes"
+	pf_conf		= "%%PREFIX%%/etc/pf.conf"
+
+They are used within %%PREFIX%%/etc/rc.d/pf.sh to bring pf up!
+===========================================================================
--- a/security/pf/pkg-plist
+++ b/security/pf/pkg-plist
@ -0,0 +1,23 @@
+libexec/ftp-proxy
+
+modules/linker.hints
+modules/pf.ko
+modules/pflog.ko
+modules/pfsync.ko
+%%WITH_ALTQ%%modules/pfaltq.ko
+
+sbin/pfctl
+sbin/pflogd
+sbin/pftcpdump
+sbin/pftop
+
+etc/rc.d/pf.sh.sample
+etc/pf.conf.default
+
+include/pf/net/pfvar.h
+include/pf/net/if_pflog.h
+include/pf/net/if_pfsync.h
+
+@dirrm modules
+@dirrm include/pf/net
+@dirrm include/pf
				`@ -0,0 +1 @@`
				`MD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e`