authorru <ru@FreeBSD.org>2000-06-27 15:26:24 +0000
committerru <ru@FreeBSD.org>2000-06-27 15:26:24 +0000
commit15462ff9cb200b6a646de7f40ab7854f7ee54ff6 (patch)
treed80abc657709976b2203fd6ba26b367f565afbb4 /sbin
parent268f00dee922fa5e6dbb3902bc1d4722d43c6a9d (diff)
Added new option (-punch_fw) which allows natd to `punch holes'
in an ipfirewall(4) based firewall for incoming FTP/IRC DCC connections. Submitted by: Rene de Vries <rene@canyon.demon.nl> Rewritten by: ru
Diffstat (limited to 'sbin')
-rw-r--r--sbin/natd/natd.820
-rw-r--r--sbin/natd/natd.c29
2 files changed, 47 insertions, 2 deletions
diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8
index a0d56e5..60cf31c 100644
--- a/sbin/natd/natd.8
+++ b/sbin/natd/natd.8
@@ -29,6 +29,7 @@
.Op Fl config | f Ar configfile
.Op Fl log_denied
.Op Fl log_facility Ar facility_name
+.Op Fl punch_fw Ar firewall_range
.Sh DESCRIPTION
This program provides a Network Address Translation facility for use
with
@@ -412,6 +413,25 @@ Use
to put this information into the IP option field or
.Ar encode_tcp_stream
to inject the data into the beginning of the TCP stream.
+.It Fl punch_fw Xo
+.Ar basenumber Ns : Ns Ar count
+.Xc
+This option makes
+.Nm
+.Ql punch holes
+in an
+.Xr ipfirewall 4
+based firewall for FTP/IRC DCC connections.
+The holes punched are bound by from/to IP address and port; it
+will not be possible to use a hole for another connection.
+A hole is removed when the connection that uses it dies.
+.Pp
+Arguments
+.Ar basenumber
+and
+.Ar count
+set the firewall range allocated for punching firewall holes.
+The range will be cleared for all rules on startup.
.El
.Sh RUNNING NATD
The following steps are necessary before attempting to run
diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c
index 2f45af5..a4845d8 100644
--- a/sbin/natd/natd.c
+++ b/sbin/natd/natd.c
@@ -98,6 +98,7 @@ static int StrToProto (const char* str);
static int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, port_range *portRange);
static void ParseArgs (int argc, char** argv);
static void FlushPacketBuffer (int fd);
+static void SetupPunchFW(const char *strValue);
/*
* Globals.
@@ -868,7 +869,8 @@ enum Option {
DynamicMode,
ProxyRule,
LogDenied,
- LogFacility
+ LogFacility,
+ PunchFW
};
enum Param {
@@ -1078,8 +1080,15 @@ static struct OptionInfo optionTable[] = {
"facility",
"name of syslog facility to use for logging",
"log_facility",
- NULL }
+ NULL },
+ { PunchFW,
+ 0,
+ String,
+ "basenumber:count",
+ "punch holes in the firewall for incoming FTP/IRC DCC connections",
+ "punch_fw",
+ NULL }
};
static void ParseOption (const char* option, const char* parms)
@@ -1259,6 +1268,10 @@ static void ParseOption (const char* option, const char* parms)
errx(1, "Unknown log facility name: %s", strValue);
break;
+
+ case PunchFW:
+ SetupPunchFW(strValue);
+ break;
}
}
@@ -1687,3 +1700,15 @@ int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, p
StrToAddr (str, addr);
return StrToPortRange (ptr, proto, portRange);
}
+
+static void
+SetupPunchFW(const char *strValue)
+{
+ unsigned int base, num;
+
+ if (sscanf(strValue, "%u:%u", &base, &num) != 2)
+ errx(1, "punch_fw: basenumber:count parameter required");
+
+ PacketAliasSetFWBase(base, num);
+ (void)PacketAliasSetMode(PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
+}
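Review bot: SetupPunchFW passes `base` and `num` to PacketAliasSetFWBase() after checking only that sscanf() matched two fields, so trailing junk (`100:10x`), a signed value that `%u` wraps (`-1:5`), a zero count, or a range beyond the rule-number space are all accepted. This matters because the natd.8 text added in this same commit says the range is cleared of all rules on startup, so a mistyped argument can silently delete firewall rules the administrator meant to keep. I would parse both fields with strtoul(), reject anything that is not plain digits, and refuse an empty or out-of-space range before touching libalias. The sketch below assumes 65535 is ipfw's reserved default rule (confirm against ip_fw.h) and needs `<ctype.h>` and `<errno.h>` if natd.c does not already include them.

```c
static void
SetupPunchFW(const char *strValue)
{
	unsigned long base, num;
	char *end;

	/* Digits only: strtoul() by itself accepts a sign and leading blanks. */
	if (!isdigit((unsigned char)strValue[0]))
		errx(1, "punch_fw: basenumber:count parameter required");

	errno = 0;
	base = strtoul(strValue, &end, 10);
	if (errno != 0 || *end != ':' || !isdigit((unsigned char)end[1]))
		errx(1, "punch_fw: basenumber:count parameter required");

	num = strtoul(end + 1, &end, 10);
	if (errno != 0 || *end != '\0')
		errx(1, "punch_fw: basenumber:count parameter required");

	/* The range is flushed at startup, so it must stay inside the rule space. */
	if (base == 0 || num == 0 || base >= 65535 || num > 65535 - base)
		errx(1, "punch_fw: range is outside the valid rule numbers");

	PacketAliasSetFWBase((unsigned int)base, (unsigned int)num);
	/* ... unchanged: PacketAliasSetMode(PKT_ALIAS_PUNCH_FW, ...) call ... */
}
```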