head	1.11;
access;
symbols
	RELENG_8_3_0_RELEASE:1.10.2.2
	RELENG_8_3:1.10.2.2.0.6
	RELENG_8_3_BP:1.10.2.2
	RELENG_7_4_0_RELEASE:1.9.12.1
	RELENG_8_2_0_RELEASE:1.10.2.2
	RELENG_7_4:1.9.0.12
	RELENG_7_4_BP:1.9
	RELENG_8_2:1.10.2.2.0.4
	RELENG_8_2_BP:1.10.2.2
	RELENG_8_1_0_RELEASE:1.10.2.2
	RELENG_8_1:1.10.2.2.0.2
	RELENG_8_1_BP:1.10.2.2
	RELENG_7_3_0_RELEASE:1.9.10.1
	RELENG_7_3:1.9.0.10
	RELENG_7_3_BP:1.9
	RELENG_8_0_0_RELEASE:1.10.2.1.2.1
	RELENG_8_0:1.10.2.1.0.2
	RELENG_8_0_BP:1.10.2.1
	RELENG_8:1.10.0.2
	RELENG_8_BP:1.10
	RELENG_7_2_0_RELEASE:1.9.8.1
	RELENG_7_2:1.9.0.8
	RELENG_7_2_BP:1.9
	RELENG_7_1_0_RELEASE:1.9.6.1
	RELENG_6_4_0_RELEASE:1.6.2.1.4.1
	RELENG_7_1:1.9.0.6
	RELENG_7_1_BP:1.9
	RELENG_6_4:1.6.2.1.0.4
	RELENG_6_4_BP:1.6.2.1
	RELENG_7_0_0_RELEASE:1.9
	RELENG_6_3_0_RELEASE:1.6.2.1
	RELENG_7_0:1.9.0.4
	RELENG_7_0_BP:1.9
	RELENG_6_3:1.6.2.1.0.2
	RELENG_6_3_BP:1.6.2.1
	RELENG_7:1.9.0.2
	RELENG_7_BP:1.9
	RELENG_6_2_0_RELEASE:1.6
	RELENG_6_2:1.6.0.8
	RELENG_6_2_BP:1.6
	RELENG_5_5_0_RELEASE:1.5.2.1
	RELENG_5_5:1.5.2.1.0.6
	RELENG_5_5_BP:1.5.2.1
	RELENG_6_1_0_RELEASE:1.6
	RELENG_6_1:1.6.0.6
	RELENG_6_1_BP:1.6
	RELENG_6_0_0_RELEASE:1.6
	RELENG_6_0:1.6.0.4
	RELENG_6_0_BP:1.6
	RELENG_6:1.6.0.2
	RELENG_6_BP:1.6
	RELENG_5_4_0_RELEASE:1.5.2.1
	RELENG_5_4:1.5.2.1.0.4
	RELENG_5_4_BP:1.5.2.1
	RELENG_5_3_0_RELEASE:1.5.2.1
	RELENG_5_3:1.5.2.1.0.2
	RELENG_5_3_BP:1.5.2.1
	RELENG_5:1.5.0.2
	RELENG_5_BP:1.5
	RELENG_5_2_1_RELEASE:1.3
	RELENG_5_2_0_RELEASE:1.3
	RELENG_5_2:1.3.0.2
	RELENG_5_2_BP:1.3
	RELENG_5_1_0_RELEASE:1.2
	RELENG_5_1:1.2.0.4
	RELENG_5_1_BP:1.2
	RELENG_5_0_0_RELEASE:1.2
	RELENG_5_0:1.2.0.2
	RELENG_5_0_BP:1.2;
locks; strict;
comment	@# @;


1.11
date	2009.12.02.15.05.26;	author ume;	state dead;
branches;
next	1.10;

1.10
date	2009.06.01.05.35.03;	author dougb;	state Exp;
branches
	1.10.2.1;
next	1.9;

1.9
date	2007.04.02.15.38.53;	author mtm;	state Exp;
branches
	1.9.2.1
	1.9.6.1
	1.9.8.1
	1.9.10.1
	1.9.12.1;
next	1.8;

1.8
date	2006.12.31.10.37.18;	author yar;	state Exp;
branches;
next	1.7;

1.7
date	2006.05.12.19.17.34;	author mlaier;	state Exp;
branches;
next	1.6;

1.6
date	2004.10.07.13.55.26;	author mtm;	state Exp;
branches
	1.6.2.1;
next	1.5;

1.5
date	2004.03.08.12.25.05;	author pjd;	state Exp;
branches
	1.5.2.1;
next	1.4;

1.4
date	2004.02.19.06.53.24;	author mtm;	state Exp;
branches;
next	1.3;

1.3
date	2003.06.29.05.15.57;	author mtm;	state Exp;
branches;
next	1.2;

1.2
date	2002.10.12.10.31.31;	author schweikh;	state Exp;
branches;
next	1.1;

1.1
date	2002.06.13.22.14.36;	author gordon;	state Exp;
branches;
next	;

1.10.2.1
date	2009.08.03.08.13.06;	author kensmith;	state Exp;
branches
	1.10.2.1.2.1;
next	1.10.2.2;

1.10.2.2
date	2010.04.07.19.04.36;	author ume;	state dead;
branches;
next	;

1.10.2.1.2.1
date	2009.10.25.01.10.29;	author kensmith;	state Exp;
branches;
next	;

1.9.2.1
date	2012.02.14.10.17.30;	author dougb;	state Exp;
branches;
next	1.9.2.2;

1.9.2.2
date	2012.11.17.08.01.21;	author svnexp;	state Exp;
branches;
next	;

1.9.6.1
date	2008.11.25.02.59.29;	author kensmith;	state Exp;
branches;
next	;

1.9.8.1
date	2009.04.15.03.14.26;	author kensmith;	state Exp;
branches;
next	;

1.9.10.1
date	2010.02.10.00.26.20;	author kensmith;	state Exp;
branches;
next	;

1.9.12.1
date	2010.12.21.17.10.29;	author kensmith;	state Exp;
branches;
next	1.9.12.2;

1.9.12.2
date	2012.11.17.08.16.37;	author svnexp;	state Exp;
branches;
next	;

1.6.2.1
date	2007.05.15.09.18.25;	author mtm;	state Exp;
branches
	1.6.2.1.4.1;
next	1.6.2.2;

1.6.2.2
date	2012.11.17.07.39.07;	author svnexp;	state Exp;
branches;
next	;

1.6.2.1.4.1
date	2008.10.02.02.57.24;	author kensmith;	state Exp;
branches;
next	;

1.5.2.1
date	2004.10.10.09.50.53;	author mtm;	state Exp;
branches;
next	;


desc
@@


1.11
log
@SVN rev 200028 on 2009-12-02 15:05:26Z by ume

Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6
and rc.d/ip6fw.

Reviewed by:	dougb, jhb
MFC after:	1 month
@
text
@#!/bin/sh
#
# $FreeBSD: src/etc/rc.d/ip6fw,v 1.10 2009/06/01 05:35:03 dougb Exp $
#

# PROVIDE: ip6fw
# REQUIRE: routing
# KEYWORD: nojail

. /etc/rc.subr

name="ip6fw"
rcvar=`set_rcvar ipv6_firewall`
start_cmd="ip6fw_start"
stop_cmd="${SYSCTL_W} net.inet6.ip6.fw.enable=0"
required_modules="ipfw"

ip6fw_start()
{
	# Specify default rules file if none provided
	if [ -z "${ipv6_firewall_script}" ]; then
		ipv6_firewall_script=/etc/rc.firewall6
	fi

	# Load rules
	#
	if [ -r "${ipv6_firewall_script}" ]; then
		/bin/sh "${ipv6_firewall_script}"
		echo 'IPv6 Firewall rules loaded.'
	elif [ "`ipfw show 65535`" = "65535 deny ip from any to any" ]; then
		warn 'IPv6 firewall rules have not been loaded. Default' \
		    ' to DENY all access.'
	fi

	# Enable firewall logging
	#
	if checkyesno ipv6_firewall_logging; then
		echo 'IPv6 Firewall logging=YES'
		sysctl net.inet.ip.fw.verbose=1 >/dev/null
	fi

	# Enable the firewall
	#
	${SYSCTL_W} net.inet6.ip6.fw.enable=1
}

load_rc_config $name
run_rc_command "$1"
@
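Review bot: A failed or incomplete rule load goes unreported in ip6fw_start, and `${SYSCTL_W} net.inet6.ip6.fw.enable=1` runs regardless of the outcome. The exit status of `/bin/sh "${ipv6_firewall_script}"` is never tested, so 'IPv6 Firewall rules loaded.' is printed even if the rules script aborts partway and leaves a partial ruleset in force; I would test the status and call `warn` on non-zero instead of echoing success. In the unreadable-script branch the test compares the output of `ipfw show 65535` with a string that has no counter columns. ipfw(8) documents `show` as listing with counters, so the comparison looks like it can never match and the DENY warning would never be printed; `ipfw list 65535` gives the counter-free form the string expects. A short comment above the enable line saying which ruleset is expected to be in force when the script is missing (the kernel's default rule 65535) would also help, since that default is not visible from this file.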


1.10
log
@SVN rev 193198 on 2009-06-01 05:35:03Z by dougb

Make the pf and ipfw firewalls start before netif, just like ipfilter
already does. This eliminates a logical inconsistency, and a small
window where the system is open after the network comes up.
@
text
@d3 1
a3 1
# $FreeBSD$
@


1.10.2.1
log
@SVN rev 196045 on 2009-08-03 08:13:06Z by kensmith

Copy head to stable/8 as part of 8.0 Release cycle.

Approved by:	re (Implicit)
@
text
@@


1.10.2.2
log
@SVN rev 206382 on 2010-04-07 19:04:36Z by ume

MFC r200028, r201193, r201752, r201930, r202460, r200672, r206375:
Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6 and
rc.d/ip6fw.
@
text
@d3 1
a3 1
# $FreeBSD: src/etc/rc.d/ip6fw,v 1.10.2.1 2009/08/03 08:13:06 kensmith Exp $
@


1.10.2.1.2.1
log
@SVN rev 198460 on 2009-10-25 01:10:29Z by kensmith

Copy stable/8 to releng/8.0 as part of 8.0-RELEASE release procedure.

Approved by:	re (implicit)
@
text
@@


1.9
log
@Instead of directly sourcing the firewall script, run it in a separate shell.
If the firewall script is sourced directly from the script, then any
exit statements in it will also terminate the rc.d script prematurely.

PR: conf/78762
MFC-After: 2 weeks
@
text
@a7 1
# BEFORE: network_ipv6
@
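Review bot: The 1.10 header has no constraint that orders ip6fw ahead of IPv6 interface configuration. `# BEFORE: network_ipv6` exists only on the 1.9 side of this reverse delta, and the head text keeps `# REQUIRE: routing` as its sole rcorder(8) line. The 1.10 log states the aim of closing the window where the system is open after the network comes up; whether that holds for IPv6 depends on headers in other rc.d scripts that are not shown here, so this should be confirmed against them. If the ordering is now enforced elsewhere, I would record that in this header, e.g. `# ordering relative to network_ipv6 is enforced by <other-script>; see rcorder(8)`, so that a later edit does not silently reopen the gap.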


1.9.2.1
log
@SVN rev 231656 on 2012-02-14 10:17:30Z by dougb

MFC r230099:

Change rcvar= assignments to the literal values set_rcvar
would have returned. This will slightly reduce boot time,
and help in diff reduction to HEAD.
@
text
@d14 1
a14 1
rcvar="ipv6_firewall_enable"
@


1.9.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: stable/7/etc/rc.d/ip6fw 231656 2012-02-14 10:17:30Z dougb $
@


1.9.12.1
log
@SVN rev 216618 on 2010-12-21 17:10:29Z by kensmith

Copy stable/7 to releng/7.4 in preparation for FreeBSD-7.4 release.

Approved by:	re (implicit)
@
text
@@


1.9.12.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/7.4/etc/rc.d/ip6fw 168272 2007-04-02 15:38:53Z mtm $
@


1.9.10.1
log
@SVN rev 203736 on 2010-02-10 00:26:20Z by kensmith

Copy stable/7 to releng/7.3 as part of the 7.3-RELEASE process.

Approved by:	re (implicit)
@
text
@@


1.9.8.1
log
@SVN rev 191087 on 2009-04-15 03:14:26Z by kensmith

Create releng/7.2 from stable/7 in preparation for 7.2-RELEASE.

Approved by:	re (implicit)
@
text
@@


1.9.6.1
log
@SVN rev 185281 on 2008-11-25 02:59:29Z by kensmith

Create releng/7.1 in preparation for moving into RC phase of 7.1 release
cycle.

Approved by:	re (implicit)
@
text
@@


1.8
log
@Use $required_modules wherever suitable.  Use load_kld() in special
cases.  So we get rid of quite a few lines of duplicated code.
@
text
@d29 1
a29 1
		. "${ipv6_firewall_script}"
@


1.7
log
@Move etc/rc.firewall6 to ipfw2+v6, update related rc.d and periodic scripts.
Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw
scripts as well.
@
text
@a15 1
start_precmd="ip6fw_prestart"
d17 1
a17 13

ip6fw_prestart()
{
	# Load IPv6 firewall module, if not already loaded
	if ! ${SYSCTL} net.inet6.ip6.fw.enable > /dev/null 2>&1; then
		kldload ipfw && {
			debug 'Kernel IPv6 firewall module loaded.'
			return 0
		}
		warn 'IPv6 firewall kernel module failed to load.'
		return 1
	fi
}
@


1.6
log
@Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days
@
text
@d23 1
a23 1
		kldload ip6fw && {
d44 1
a44 1
	elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then
d53 1
a53 1
		sysctl net.inet6.ip6.fw.verbose=1 >/dev/null
@


1.6.2.1
log
@MFC: revision 1.9 of rc.d/ip6fw and 1.15 of rc.d/ipfw

date: 2007/04/02 15:38:53;  author: mtm;  state: Exp;  lines: +1 -1
Instead of directly sourcing the firewall script, run it in a separate shell.
If the firewall script is sourced directly from the script, then any
exit statements in it will also terminate the rc.d script prematurely.

PR: conf/78762
@
text
@d42 1
a42 1
		/bin/sh "${ipv6_firewall_script}"
@


1.6.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: stable/6/etc/rc.d/ip6fw 169576 2007-05-15 09:18:25Z mtm $
@


1.6.2.1.4.1
log
@SVN rev 183531 on 2008-10-02 02:57:24Z by kensmith

Create releng/6.4 from stable/6 in preparation for 6.4-RC1.

Approved by:	re (implicit)
@
text
@@


1.5
log
@Mark scripts as not usable inside a jail by adding keyword 'nojail'.

Some suggestions from:	rwatson, Ruben de Groot <mail25@@bzerk.org>
@
text
@d9 1
a9 1
# KEYWORD: FreeBSD nojail
@


1.5.2.1
log
@RCS file: /home/ncvs/src/etc/rc,v
----------------------------
revision 1.335
date: 2004/10/08 14:23:49;  author: mtm;  state: Exp;  lines: +0 -1
Remove an unused variable.

Submitted by: Pawel Worach <pawel.worach@@telia.com>
----------------------------
revision 1.334
date: 2004/10/07 13:55:25;  author: mtm;  state: Exp;  lines: +1 -1
Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days
=============================================================================
RCS file: /home/ncvs/src/etc/rc.d/nsswitch,v
----------------------------
revision 1.4
date: 2004/09/16 17:03:12;  author: keramida;  state: Exp;  lines: +1 -1
Fix requirement of `network' to `NETWORK' because the former isn't
provided by any rc.d script.

Approved by:	mtm
=============================================================================
RCS file: /home/ncvs/src/etc/rc.d/pflog,v
----------------------------
revision 1.3
date: 2004/09/16 17:04:20;  author: keramida;  state: Exp;  lines: +1 -1
We don't have any providers of `beforenetlkm' in FreeBSD.  Remove the
dependency to it from our rc.d scripts.

Approved by:	mtm
=============================================================================

Approved by: re/scottl
@
text
@d9 1
a9 1
# KEYWORD: nojail
@


1.4
log
@Don't forget to enable the ipv6 firewall once the rules are loaded.

PR:		misc/61501
Submitted by:	Roderick van Domburg <r.s.a.vandomburg@@student.utwente.nl>
@
text
@d9 1
a9 1
# KEYWORD: FreeBSD
@


1.3
log
@o Hookup rc.d/routing and rc.d/netoptions
o Ensure rc.d/network2 and rc.d/network3 are not automatically run
  during boot
o Modify script headers so rcorder(8) can put the two scripts in the
  correct sequence.
@
text
@d55 4
@


1.2
log
@Fix style bugs:
* Space -> tabs conversion.
* Removed blanks before semicolon in "if ... ; then".
* Proper indentation of misindented lines.
* Put a full stop after some comments.
* Removed whitespace at end of line.

Approved by:	silence from gordon
@
text
@d7 1
a7 1
# REQUIRE: network2
@


1.1
log
@Merge in all the changes that Mike Makonnen has been maintaining for a
while. This is only the script pieces, the glue for the build comes next.

Submitted by:	Mike Makonnen <makonnen@@pacbell.net>
Reviewed by:	silence on -current and -hackers
Prodded by:	rwatson
@
text
@d51 1
a51 1
	if checkyesno ipv6_firewall_logging ; then
@

