| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rc.conf(5) and the files' inline documentation.
- Add the "closed"-type, documented in both places, but which did not
exist in the code.
- When provided a ruleset, the system should not make any assumptions
about the sites's policy and should add no rules of its own.
- Make the "UNKNOWN" (documented in-line) actual work as advertised,
load no rules.
Prodded by: Igor M Podlesny <poige@morning.ru>
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
| |
This feature has been removed since 4.1 times and it is only a source
of confusion.
Same needs to be done on -stable.
MFC after: 1 day
|
| |
|
|
|
|
|
|
|
|
|
|
| |
rc.firewall6. Specifically, don't do anything
if [ -z ${source_rc_confs_defined} ]. Not doing this leads to a problem
with dependencies: chkdepend will set, e.g., portmap_enable to YES if
some service that needs portmap is enabled, but rc.network sources
rc.firewall, which used to source defaults/rc.conf unconditionally,
which would result in portmap_enable being set back to NO.
PR: 29631
Submitted by: OGAWA Takaya <t-ogawa@triaez.kaisei.org>
|
| | |
|
| |
|
|
| |
Submitted by: grimes
|
| |
|
|
|
| |
PR: 24652
Submitted by: jjreynold@home.com
|
| |
|
|
|
|
|
|
| |
pass udp from any 53 to ${oip}
allows an attacker to access ANY local port by simply binding his local
side to 53. The state keeping mechanism is the correct way to allow DNS
replies to go back to their source.
|
| |
|
|
| |
w/o giving any credit.
|
| |
|
|
|
|
|
| |
not when ${firewall_type} is set to a filename, as we know
nothing about user's script specifics.
Reported by: Bernhard Valenti <bernhard.valenti@gmx.net>
|
| |
|
|
| |
PR: conf/13769, conf/20197
|
| | |
|
| |
|
|
|
|
| |
rule 100's.
Submitted by: Jan Koum <jkb@yahoo-inc.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
scripts may use to source safely overrides in ${rc_conf_files}
files.
This protects users who insist on the bad practice of copying
/etc/defaults/rc.conf to /etc/rc.conf from a recursive loop
that exhausts available file descriptors.
Several people have expressed interest in breaking this function
out into its own shell script. Anyone who wants to embark on
such an undertaking would do well to study the attributed PR.
PR: 17595
Reported by: adrian
Submitted by: Doug Barton <Doug@gorean.org>
|
| |
|
|
|
|
|
|
|
|
| |
purpose of the hook was to provide the ability for a shell program to
instantiate the firewall rules instead of forcing them to be
statically coded. This functionality was already present through the
use of ${firewall_script}, and I see no need to keep the
${firewall_type} hook around.
Reminded by: Dag-Erling Smorgrav <des@freebsd.org>
|
| |
|
|
|
|
|
| |
of forcing them to be an 'ipfw' rules file. This allows one to
determine interface addresses dynamically, etc. The rule is if the
file referenced by ${firewall_type} is executable, it is sourced, but
if it is just readable, it is used as input to 'ipfw' like before.
|
| |
|
|
|
|
|
| |
you to run a preprocessor, such as m4, so that you can use macros in your
rules file.
Approved by: jkh
|
| |
|
|
|
|
|
|
|
|
|
| |
draft-manning-dsua-01.txt.
Stop using public addresses as samples and use the recommended
192.0.2.0/24 netblock that has specifically been set aside for
documentation purposes.
Reviewed by: readers of freebsd-security did not respond to a request
for review
|
| | |
|
| |
|
|
|
|
| |
IP fragments has been changed in src/sys/netinet/ip_fw.c,v 1.78.
Reminded by: "Ronald F. Guilmette" <rfg@monkeys.com>
|
| |
|
|
| |
enable ARP on filtering bridges.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
case instead of test where appropriate, since case allows case is a sh
builtin and (as a side-effect) allows case-insensitivity.
Changes discussed on freebsd-hackers.
Submitted by: Doug Barton <Doug@gorean.org>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* All variables are now embraced: ${foo}
* All comparisons against some value now take the form:
[ "${foo}" ? "value" ]
where ? is a comparison operator
* All empty string tests now take the form:
[ -z "${foo}" ]
* All non-empty string tests now take the form:
[ -n "${foo}" ]
Submitted by: jkh
|
| |
|
|
| |
as necessary (for half-assed upgrades).
|
| |
|
|
|
|
|
|
|
|
| |
allowed external hosts to send packets to the 127.0.0.0/8 subnet on the
firewall host.
Renumber the lo0 rules to guarantee they appear first.
PR: 6406
Submitted by: Archie Cobbs <archie@whistle.com>
|
| |
|
|
|
| |
PR: 6339
Submitted by: cdillon@wolves.k12.mo.us
|
| |
|
|
|
|
| |
PR: 6278
Reviewed by: phk
Submitted by: Ruslan Ermilov <ru@ucb.crimea.ua>
|
| | |
|
| | |
|
| |
|
|
| |
Found by: "James E. Housley" <housley@pr-comm.com>
|
| |
|
|
| |
Cosmetic changes to the loading of firewall rules and lkm.
|
| |
|
|
|
|
|
|
|
| |
(if firewall = "somefilename").
Fix typo fixes and URLs which were accidently nuked out of this
file (submitted by: soil@quick.net via PR#3501).
Submitted by: "Danny J. Zerkel" <dzerkel@phofarm.com>
|
| |
|
|
|
|
| |
(gotta get myself -current again, this is a drag).
Also-fixes-problems-noted-by: Wolfgang Helbig & Joerg Wunsch
|
| |
|
|
|
| |
Added links to O'Reilly & Associates and Addison-Wesley's web sites
to accompany the book recommendations.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
rules from appearing when switching back and forth from single to
multi-user modes.
|
| |
|
|
|
|
|
| |
make a couple of rules more sensible.
Reviewed by: phk
Submitted by: jmb
|
| |
|
