| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
MFH: r284920
Remove 16 rules and replace by 2 by using a table.
I've been doing this ever since there were tables.
I could make more efficient by using "in recv" and "out xmit" instead of via
but I'll leave that.
|
| |
|
|
|
|
|
|
|
|
| |
Add support of "/{udp,tcp,proto}" suffix into $firewall_myservices, which
interpreted the listed items as port numbers of TCP services.
A service with no suffix still works and recognized as a TCP service for
backward compatibility. It should be updated with /tcp suffix.
Approved by: re (gjb)
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Submitted by: "b. f." <bf1783__at__googlemail.com>
MFC after: 3 days
|
| |
|
|
|
| |
Submitted by: Garrett Cooper <yanefbsd__at__gmail.com>
MFC after: 3 days
|
| |
|
|
| |
it as well.
|
| |
|
|
|
|
|
| |
and any IPv4 address configured on an interface in the system.
Reviewed by: David Horn <dhorn2000__at__gmail.com>, luigi, qingli
MFC after: 2 weeks
|
| |
|
|
|
|
|
| |
link-local address unlike with DHCP, we need one more rule to allow
the DHCPv6.
Reported by: David Horn <dhorn2000__at__gmail.com>
|
| |
|
|
|
| |
ICMP6_TIME_EXCEEDED as well for workstation type
firewall. It makes traceroute6 work.
|
| |
|
|
|
|
| |
to the IPv4 rules.
Reported by: David Horn <dhorn2000__at__gmail.com>
|
| |
|
|
|
|
|
| |
and rc.d/ip6fw.
Reviewed by: dougb, jhb
MFC after: 1 month
|
| |
|
|
|
|
|
|
|
|
|
|
| |
"workstation" firewall types to be set from rc.conf so that rc.firewall
no longer needs local patching to be usable for those types. For now
I've set the variables in /etc/defaults/rc.conf to the previous defaults
in /etc/rc.firewall.
PR: bin/65258
Submitted by: Valentin Nechayev netch of netch.kiev.ua
Silence from: net
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
| |
and "mask" variables into a single "net" variable that contains a full
network address (including either a netmask or prefix length at the user's
choice). Update the example settings to match.
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
| |
firewall configurations.
PR: bin/65258
Silence on: net@
MFC after: 1 week
|
| |
|
|
| |
Spotted by: das
|
| |
|
|
|
| |
Approved by: rink
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
| |
when configured to run in 'client' mode.
PR: conf/15010
Submitted by: Bill Trost, trost at cloud.rain.com
Reviewed by: bz
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
| |
- Allow IP in firewall_nat_interface, just like natd_interface
- Allow additional configuration parameters passed to ipfw via
firewall_nat_flags
- Document firewall_nat_* in defaults/rc.conf
Tested by: Albert B. Wang <abwang at gmail.com>
MFC after: 1 month
|
| |
|
|
|
|
|
| |
authors list, ISBN, URLs.
PR: conf/119590
MFC after: 1 week
|
| |
|
|
| |
Submitted by: ru
|
| |
|
|
|
|
|
| |
for the sundry other firewalls in the system.
MFC after: 3 days
Submitted by: Richard dot Clayton at cl dot cam dot ac dot uk
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With the second (and last) part of my previous Summer of Code work, we get:
-ipfw's in kernel nat
-redirect_* and LSNAT support
General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.
To enable in kernel nat in rc.conf, two options were added:
o firewall_nat_enable: equivalent to natd_enable
o firewall_nat_interface: equivalent to natd_interface
Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.
NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).
Approved by: glebius (mentor)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Factor out the loopback setup
Use "me" instead of hardcoded $ip where possible.
Add "workstation" which protects just this machine with stateful
firewalling. Put the variables for this in rc.conf.
Submitted by: Flemming Jacobsen <fj@batmule.dk>
Reviewed by: cperciva
|
| |
|
|
|
|
|
|
| |
divert supports only IPv4.
Reported by: SAITOU Toshihide <toshi__at__ruby.ocn.ne.jp>
Discussed with: suz
MFC after: 1 day
|
| | |
|
| |
|
|
| |
PR: 44363
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rc.conf(5) and the files' inline documentation.
- Add the "closed"-type, documented in both places, but which did not
exist in the code.
- When provided a ruleset, the system should not make any assumptions
about the sites's policy and should add no rules of its own.
- Make the "UNKNOWN" (documented in-line) actual work as advertised,
load no rules.
Prodded by: Igor M Podlesny <poige@morning.ru>
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
| |
This feature has been removed since 4.1 times and it is only a source
of confusion.
Same needs to be done on -stable.
MFC after: 1 day
|
| |
|
|
|
|
|
|
|
|
|
|
| |
rc.firewall6. Specifically, don't do anything
if [ -z ${source_rc_confs_defined} ]. Not doing this leads to a problem
with dependencies: chkdepend will set, e.g., portmap_enable to YES if
some service that needs portmap is enabled, but rc.network sources
rc.firewall, which used to source defaults/rc.conf unconditionally,
which would result in portmap_enable being set back to NO.
PR: 29631
Submitted by: OGAWA Takaya <t-ogawa@triaez.kaisei.org>
|
| | |
|
| |
|
|
| |
Submitted by: grimes
|
| |
|
|
|
| |
PR: 24652
Submitted by: jjreynold@home.com
|
| |
|
|
|
|
|
|
| |
pass udp from any 53 to ${oip}
allows an attacker to access ANY local port by simply binding his local
side to 53. The state keeping mechanism is the correct way to allow DNS
replies to go back to their source.
|
| |
|
|
| |
w/o giving any credit.
|
| |
|
|
|
|
|
| |
not when ${firewall_type} is set to a filename, as we know
nothing about user's script specifics.
Reported by: Bernhard Valenti <bernhard.valenti@gmx.net>
|
| |
|
|
| |
PR: conf/13769, conf/20197
|
| | |
|
| |
|
|
|
|
| |
rule 100's.
Submitted by: Jan Koum <jkb@yahoo-inc.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
scripts may use to source safely overrides in ${rc_conf_files}
files.
This protects users who insist on the bad practice of copying
/etc/defaults/rc.conf to /etc/rc.conf from a recursive loop
that exhausts available file descriptors.
Several people have expressed interest in breaking this function
out into its own shell script. Anyone who wants to embark on
such an undertaking would do well to study the attributed PR.
PR: 17595
Reported by: adrian
Submitted by: Doug Barton <Doug@gorean.org>
|
| |
|
|
|
|
|
|
|
|
| |
purpose of the hook was to provide the ability for a shell program to
instantiate the firewall rules instead of forcing them to be
statically coded. This functionality was already present through the
use of ${firewall_script}, and I see no need to keep the
${firewall_type} hook around.
Reminded by: Dag-Erling Smorgrav <des@freebsd.org>
|
| |
|
|
|
|
|
| |
of forcing them to be an 'ipfw' rules file. This allows one to
determine interface addresses dynamically, etc. The rule is if the
file referenced by ${firewall_type} is executable, it is sourced, but
if it is just readable, it is used as input to 'ipfw' like before.
|
| |
|
|
|
|
|
| |
you to run a preprocessor, such as m4, so that you can use macros in your
rules file.
Approved by: jkh
|
| |
|
|
|
|
|
|
|
|
|
| |
draft-manning-dsua-01.txt.
Stop using public addresses as samples and use the recommended
192.0.2.0/24 netblock that has specifically been set aside for
documentation purposes.
Reviewed by: readers of freebsd-security did not respond to a request
for review
|
| | |
|
| |
|
|
|
|
| |
IP fragments has been changed in src/sys/netinet/ip_fw.c,v 1.78.
Reminded by: "Ronald F. Guilmette" <rfg@monkeys.com>
|
| |
|
|
| |
enable ARP on filtering bridges.
|
| | |
|
| | |
|
