usrfwstartup.c

firewall PNE 3.3 source code, running at more than vxworks6.x version.

/* usrFwStartup.c - Initialize and startup Firewall */

/* Copyright 2004-2005 Wind River Systems, Inc. */
#include "copyright_wrs.h"

/*
modification history
--------------------
01d,29mar05,svk  Replace usage of Tornado with Workbench
01c,13sep04,svk  Fix compilation warnings
01b,06apr04,zhu  fixed a comment error
01a,05apr04,zhu  written
*/

/*
DESCRIPTION

This file supplies sample code to configure and initialize the Firewall.

NOMANUAL
*/

#include "vxWorks.h"
#include "wrn/firewall/fwLib.h"
#include "wrn/firewall/syslogcLib.h"
#include <stdio.h>
#include "ifLib.h"
#include "ipProto.h"
#include "routeLib.h"

extern int fwNvIfRamParamsGet(char *, char *, int, int);
extern int fwNvIfRamParamsSet(char *, char *, int, int);
extern int fwNvIfRamParamsClose(char *);
extern int fwNvIfRamParamsInit(char *);
extern STATUS fwClockBaseInit(UINT32,UINT32,UINT32,UINT32,UINT32,UINT32);

/*******************************************************************************
*
* usrFwStartup - Initialize the firewall 
*
* RETURNS: N/A
*
* NOMANUAL
*/

void usrFwStartup()
    {
    FW_MAC_IF_ID macIf[2];

    /* 
     * This assumes:
     * (a) There are two interfaces lnPci0, lnPci1 on the target.
     * (b) lnPci0 is the public interface, it is already attached and
     *     its address is already set.
     * (c) lnPci1 is the local interface, and is not yet attached.
     *
     * Attach the private interface and set its private address to
     * 10.11.7.5. Also, add a route to a public gateway 192.0.2.1
     * to reach other public networks.
     */
     
    ipAttach(1, "lnPci");
    ifMaskSet("lnPci1", 0xffffff00);
    ifAddrSet("lnPci1", "10.11.7.5");
    mRouteAdd("0.0.0.0", "192.0.2.1", 0xffffff00, 0, 0);

    /* 
     * If not already done, set the target clock. You can also use 
     * fwClockTimeSet() in fwUtilLib.c to set the clock with time retrieved 
     * from NTP time server.
     *
     * This assumes: Year 2004, April 5th, 11:40:30 AM
     */ 
    
    if(fwClockBaseInit(2004, 4, 5, 11, 40, 30) != OK)
        {
        printf("Firewall Clock init ERROR: fwClockBaseInit failed\n ");
        return;
        }

    /* 
     * Initialize the firewall. The initialization order is:
     *
     * 1. MAC Filter
     * 2. Logging Facility
     * 3. NV Storage Interface
     * 4. IP Filter
     * 5. (Optional) Sample Web Screens
     */

    /* 
     * 1. MAC Filter
     *
     * Initialize the Firewall MAC Filter
     *
     * This assumes:
     * (a) There are two interfaces lnPci0, lnPci1 on the target
     * (b) lnPci0 is the public interface
     * (c) lnPci1 is the private interface
     * (d) Install RX MAC Filter on the private interface
     * (e) Default Action is ACCEPT
     * (f) Logging is enabled
     *
     * NOTE: If you are initializing the MAC Filter manually, the
     * initialization order is your responsibility. For example, if
     * the Learning Bridge is included in the image along with the 
     * Firewall MAC Filter, the MAC Filter _must_ be initialized before 
     * the Learning Bridge.
     */

    strcpy (macIf[0].name, "lnPci");  /* private interface name */
    macIf[0].unit = 1;                /* private interface unit number */
    macIf[1].name[0] = 0;             /* null terminate */
    macIf[1].unit = 0;                /* null terminate */

    if(fwMacFilterInstall(FW_MAC_FILTER_RX, macIf, FW_ACCEPT, 
                          NULL, NULL) != OK)
        {
        printf("Firewall Mac RX Filter init ERROR: fwMacFilterInstall"
               " failed!\n");
        return;
        }
    fwMacLogInstall(fwLog);

    /* 
     * 2. Logging Facility
     *
     * Initialize the logging Facility
     *
     * This assumes: Logs are sent to the console.
     *
     * NOTE: To send logs to Syslog Server at address 10.11.7.50, 
     * first install the Syslog client:
     * fwLogSyslogcInstall((FUNCPTR)syslogcLibInit,(FUNCPTR)syslogcBinDataSend,
     *                     (FUNCPTR)syslogcShutdown);
     * Then initialize the Logging Facility, for example:
     * if (fwLogLibInit(FW_LOG_TO_SYSLOG, "10.11.7.50", NULL, 0) != OK)
     *      {
     *      printf("Firewall Log init ERROR: fwLogLibInit failed!\n");
     *      return;
     *      }
     */

    if (fwLogLibInit(FW_LOG_TO_CONSOLE, NULL, NULL, 0) != OK)
        {
        printf("Firewall Log init ERROR: fwLogLibInit failed!\n");
        return;
        }

    /* 
     * 3. NV Storage Interface
     *
     * This assumes: RAM-based Non-Volatile (NV) Storage is used
     *
     * To enable the Non-Volatile storage Firewall interface, you must first
     * write a set of platform specific routines according to the 
     * specification in fwNvIfLib.c and then call fwNvFuncsInstall() to 
     * install to NV Storage interface.
     *
     * Initialize the user-specified Non-Volatile Storage interface
     */

    if (fwNvIfRamParamsInit(NULL) != OK)
        {
        printf("Firewall NV Storage init ERROR: Init function failed!\n");
        return;
        }

    /* Install the user-specified Non-Volatile Storage interface */
    
    fwNvFuncsInstall(fwNvIfRamParamsGet, fwNvIfRamParamsSet,
                     fwNvIfRamParamsClose);


    /* 
     * 4. IP Filter
     *
     * This assumes:
     * (a) NV Storage is used for IP Filter
     * (b) Logging is enabled
     * (c) IP Filter is installed at pre-input and output locations with
     *     default action reject
     */

    /* Initialize Non-Volatile Storage for IP Filter */

    if (fwNvRuleLibInit() != OK)
        {
        printf("Firewall IP Filter init ERROR: fwNvRuleLibInit failed!\n");
        return;
        }

    /* Install logging for IP Filter */

    fwRuleLogInstall(fwLog);
        
    /* Initialize the Stateful inspection module */
    
    fwStateInit(); 
    
    /*
     * Install the IP filter at one or more user-specified packet intercept
     * locations. The IP packet filtering starts working only after this
     * is done. 
     *
     * NOTE: Since the default action is set to reject below, all traffic 
     * will be dropped unless you add filter rules later to allow 
     * specific traffic.
     */
     
    if(fwRuleFilterInstall(FW_PREIN_LOC,FW_REJECT,NULL,NULL,NULL,0) != OK)
        {
        printf("Firewall IP Filter init ERROR: fwRuleFilterInstall "
               "at PREIN failed!\n");
        return;
        }

    if(fwRuleFilterInstall(FW_OUT_LOC,FW_REJECT,NULL,NULL,NULL,0) != OK)
        {
        printf("Firewall IP Filter init ERROR: fwRuleFilterInstall "
               "at OUT failed!\n");
        return;
        }

    /* 
     * 5. (Optional) Web Interface
     *
     * This assumes: Web Interface is used for firewall configuration.
     * 
     * Initialize Firewall Web Interface.
     *
     * NOTE: You must use Workbench Kernel Editor to build the 
     * Web interface. Please refer to Firewall User's Guide for 
     * more details.
     *
     * if (fwWebInit() != OK)
     *     {
     *     printf("Firewall Web init ERROR: fwWebInit failed!\n");
     *     return;
     *     }
     *
     * if (WMB_COMPONENT_Start() != OK)
     *     printf("Firewall Web init ERROR: WMB_COMPONENT_START failed!\n");
     */

    printf("Firewall initialization and startup complete!\n");
    }