### Firewall control perl script driven by opengatesrv.cgi ###
# The six arguments come straight from opengatesrv.cgi; see the notes after __END__.
($ipfwpath,$rulenumber,$clientaddr,$userid,$macaddr,$userproperty)=@ARGV;
# Detach from the web server's I/O so the CGI response is not held up.
close STDOUT; close STDERR; close STDIN;

# Allow all packets outgoing from the client.  The list form of system()
# hands each argument to ipfw directly, with no shell in between.
system "$ipfwpath","-q","add","$rulenumber",
"allow","ip","from","$clientaddr","to","any";

# Allow all packets incoming to the client, under the same rule number.
system "$ipfwpath","-q","add","$rulenumber",
"allow","ip","from","any","to","$clientaddr";

# Perl stops reading the file at __END__; everything below is documentation.
__END__
########### Above line is the end of interpreting #############
Arguments passed in @ARGV by opengatesrv.cgi:
$ipfwpath = path to the ipfw command
$rulenumber = ipfw rule number; one number per client, so that all of a
client's rules can be removed together (ipfw delete $rulenumber) at logout
$clientaddr = the client machine's IP address
$userid = the user's ID, with the authentication server ID attached if one was entered
$macaddr = the MAC address of the client machine
$userproperty = user property acquired from the user database
(comm-userdb.c must be edited to use this option)
*Take care to execute quickly and without delay.
 This script runs in EXCLUSIVE mode: only one instance runs at a time,
 so any delay here holds up every other client waiting to log in.

*Take care to add the least rule set.
 The rules are added PER client, so every extra rule is multiplied by
 the number of clients logged in.

*Take care to eliminate bugs and security holes.
 After any modification, debug it thoroughly in stand-alone mode (run it
 by hand with test arguments) before letting opengatesrv.cgi call it.
 Keep the list form of system(): it passes each argument to ipfw directly,
 with no shell in between, so values that originate from the client, such
 as $userid and $macaddr, cannot inject extra commands.
*If possible, the rule should be written in rc.firewall instead.
 The following can be written in rc.firewall:
 Deny some protocol even though authentication has passed.
 Allow access to some server without authentication.
*The following might be written in this script:
 Deny guest users access to the internal network.
 Deny a client that has a specific MAC address.
 Forward some service to a proxy server after authentication.
 (The last one might instead be written in rc.firewall, as a rule on the
 other-side interface, which is not used by opengate.)
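An added example of the three in-script policies listed above, combined
with checks on the argument list described earlier in these notes. This is
not Opengate's own script; the blocked MAC address, the internal network
192.0.2.0/24, the "guest" value of $userproperty and the proxy at 10.0.0.1
port 3128 are all assumed for illustration.

```perl
#!/usr/bin/perl
# Added example, not Opengate's own opengatefw.pl: validates the arguments
# that opengatesrv.cgi passes, then applies the three per-client policies
# suggested in the notes above before the default allow rules.
use strict;
use warnings;

my ($ipfwpath, $rulenumber, $clientaddr, $userid, $macaddr, $userproperty) = @ARGV;

# Detach from the web server's I/O, as the default script does.
close STDOUT; close STDERR; close STDIN;

# Assumed site policy, for illustration only (constructed values).
my %blocked_mac  = ('00:11:22:33:44:55' => 1);  # clients that never get rules
my $internal_net = '192.0.2.0/24';              # network guests may not reach
my $proxy        = '10.0.0.1,3128';             # ipfw "fwd" target for web traffic

# Refuse anything that is not shaped like what opengatesrv.cgi passes.
# The list form of system() below never starts a shell, but ipfw should
# still only ever see a plain rule number and a dotted-quad address.
exit 1 unless defined $ipfwpath   && -x $ipfwpath;
exit 1 unless defined $rulenumber && $rulenumber =~ /^\d{1,5}$/;
exit 1 unless defined $clientaddr && $clientaddr =~ /^\d{1,3}(\.\d{1,3}){3}$/;
exit 1 unless defined $macaddr    && $macaddr    =~ /^[0-9a-f]{2}(:[0-9a-f]{2}){5}$/i;

# Add one ipfw rule under this client's number.  Each argument is handed
# to ipfw as-is, so $userid or $macaddr cannot inject shell metacharacters.
sub ipfw_add {
    my @rule = @_;
    return system($ipfwpath, '-q', 'add', $rulenumber, @rule) == 0;
}

# 1. Deny a client having a specific MAC address: add no rules at all.
exit 1 if $blocked_mac{ lc $macaddr };

# 2. Deny guest users access to the internal network.  Rules sharing a
#    number are matched in insertion order, so the deny goes in first.
if (defined $userproperty && $userproperty eq 'guest') {
    ipfw_add('deny', 'ip', 'from', $clientaddr, 'to', $internal_net) or exit 1;
}

# 3. Forward the client's web traffic to a proxy server after authentication.
ipfw_add('fwd', $proxy, 'tcp', 'from', $clientaddr, 'to', 'any', 'dst-port', '80')
    or exit 1;

# The default allow rules, still one pair per client under one number,
# so "ipfw delete $rulenumber" at logout removes everything above too.
ipfw_add('allow', 'ip', 'from', $clientaddr, 'to', 'any') or exit 1;
ipfw_add('allow', 'ip', 'from', 'any', 'to', $clientaddr) or exit 1;

exit 0;
```

Debug it stand-alone, as the notes advise, before opengatesrv.cgi calls it:
run it as root with test arguments such as
/sbin/ipfw 10010 192.0.2.77 guest01 00:11:22:33:44:66 guest, check with
"ipfw list 10010" that the deny and fwd rules appear before the two allow
rules, and remove them again with "ipfw delete 10010". A MAC address on the
block list makes the script exit before adding anything, so in that case
"ipfw list 10010" should show no rules at all.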
If you are confused, return to the following default script.
=====================================================

# arguments from opengatesrv.cgi (the sixth, $userproperty, is unused here)
($ipfwpath,$rulenumber,$clientaddr,$userid,$macaddr)=@ARGV;

# close web server I/O
close STDOUT; close STDERR; close STDIN;

# allow all packets incoming to the client.
system "$ipfwpath","-q","add","$rulenumber",
"allow","ip","from","any","to","$clientaddr";

# allow all packets outgoing from the client.
system "$ipfwpath","-q","add","$rulenumber",
"allow","ip","from","$clientaddr","to","any";

======================================================