authordm <dm@cvs.openbsd.org>1996-01-09 09:29:53 +0000
committerdm <dm@cvs.openbsd.org>1996-01-09 09:29:53 +0000
commit580705fd00c4c825c1b4c8f99a3b5e13b1ca7334 (patch)
treea57a5d4077ccee71d613431cdc380a9bc86ff960 /etc
parent62bcfe4fb97a3c16cd569d6957f3cd6e9b73e8a1 (diff)
added IP filter to netstat/rc and put examples in /usr/share/ipf
Diffstat (limited to 'etc')
-rw-r--r--etc/ipf.rules9
-rw-r--r--etc/netstart12
-rw-r--r--etc/rc4
3 files changed, 25 insertions, 0 deletions
diff --git a/etc/ipf.rules b/etc/ipf.rules
new file mode 100644
index 00000000000..24ed030709a
--- /dev/null
+++ b/etc/ipf.rules
@@ -0,0 +1,9 @@
+#
+# IP filtering rules. See the ipf(5) man page for more
+# information on the format of this file, and /usr/share/ipf
+# for example configuration files.
+#
+# Pass all packets by default.
+#
+pass in from any to any
+pass out from any to any
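Review bot: The header comment of the new etc/ipf.rules says the rules pass everything, but it does not say what that means once `ipfilter=YES` is set in netstart: the filter is then enabled and still blocks nothing. An administrator who flips the switch without editing this file may assume the host is protected. I would add a line to the header such as `# These rules filter nothing; replace them before relying on ipfilter=YES.` so the shipped default is not mistaken for a policy.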
diff --git a/etc/netstart b/etc/netstart
index f27081374ff..083167f053f 100644
--- a/etc/netstart
+++ b/etc/netstart
@@ -20,12 +20,15 @@ nfs_client=NO
gated=NO
kerberos_server=NO
amd=NO
+ipfilter=NO
# miscellaneous other flags
# only used if the appropriate server is marked YES above
gated_flags=
amd_dir=/amd # AMD's mount directory
amd_master=/etc/amd/master # AMD 'master' map
+ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering
+ipmon_flags=-s # To disable logging, use ipmon_flags=NO
# /etc/myname contains my symbolic name
#
@@ -35,6 +38,15 @@ if [ -f /etc/defaultdomain ]; then
domainname `cat /etc/defaultdomain`
fi
+# Configure the IP filter before configuring network interfaces
+#
+if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then
+ echo 'configuring IP filter'
+ ipf -Fa -f ${ipfilter_rules} -E
+else
+ ipfilter=NO
+fi
+
# configure all of the interfaces which we know about.
# do this by reading /etc/hostname.* files, where * is the name
# of a given interface.
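Review bot: When `ipfilter=YES` is set but the rules file is missing, the `else` branch quietly resets `ipfilter=NO` and the interfaces below come up unfiltered with nothing printed on the console. The exit status of `ipf` is not checked either, so a rules file that fails to load presumably also goes unnoticed at boot. `${ipfilter_rules}` is quoted in the `-f` test but not on the `ipf` command line. I would separate the "not requested" case from the "requested but unusable" case and print a warning for the latter, and quote the path in both places, as sketched below.

```shell
if [ X"${ipfilter}" = X"YES" ]; then
	if [ -f "${ipfilter_rules}" ]; then
		echo 'configuring IP filter'
		ipf -Fa -f "${ipfilter_rules}" -E ||
		    echo "WARNING: ipf failed to load ${ipfilter_rules}"
	else
		echo "WARNING: ${ipfilter_rules} missing, IP filter not enabled"
		ipfilter=NO
	fi
else
	ipfilter=NO
fi
```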
diff --git a/etc/rc b/etc/rc
index 63a738585fa..ad7e7b51611 100644
--- a/etc/rc
+++ b/etc/rc
@@ -80,6 +80,10 @@ echo 'starting network'
mount /usr >/dev/null 2>&1
mount /var >/dev/null 2>&1
+if [ X"${ipfilter}" = X"YES" -a X"${ipmon_flags}" != X"NO" ]; then
+ ipmon ${ipmon_flags} &
+fi
+
# clean up left-over files
rm -f /etc/nologin
rm -f /var/spool/lock/LCK.*
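Review bot: The new `ipmon` block in etc/rc has no comment explaining where `ipfilter` and `ipmon_flags` come from or why `${ipmon_flags}` is left unquoted. Both variables are set in etc/netstart, which is presumably sourced earlier in rc (not visible in this hunk), and netstart may have reset `ipfilter` to `NO` when the rules file was missing. I would add a comment above the `if`, for example `# ipfilter/ipmon_flags are set by /etc/netstart; ipmon_flags is unquoted on purpose so it can hold several flags`. Because `ipmon` is started in the background with no message, a failed start leaves the filter running without logging; an `echo 'starting ipmon'` line, matching the `configuring IP filter` message in netstart, would at least make the step visible on the console.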