| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Prompted by: PR docs/7785
|
|
|
|
| |
PR: bin/8471
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows for more flexible ipfw configuration files using
`variables' to describe frequently used items in the file, like the
local IP address(es), interface names etc. Both m4 and cpp are useful
and supported; with m4 being a little more unusual to the common C
programmer, things like automatic rule numbering can be achieved
fairly easy.
While i was at it, i've also untangled some of the ugly style inside
main(), and fixed a bug or two (like not being able to use blank lines
when running with -q).
A typical call with preprocessor invocation looks like
ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules
Someone should probably add support for this feature to /etc/rc.firewall.
|
|
|
|
|
| |
Added support for -q (suppress output) when firewall rules are taken from a
file. Solves PR 7475
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.
/sbin/ipfw must be recompiled!!!
Reviewed by: Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
|
|
|
|
| |
Bring man page up to date with -q flag behaviour.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
offset is non-zero:
- Do not match fragmented packets if the rule specifies a port or
TCP flags
- Match fragmented packets if the rule does not specify a port and
TCP flags
Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags. Both kernel and ipfw userland utility will reject rules
containing a combination of these options.
BEWARE: packets that were previously passed may now be rejected, and
vice versa.
Reviewed by: Archie Cobbs <archie@whistle.com>
|
|
|
|
| |
Use error codes from <sysexits.h>.
|
|
|
|
| |
This makes ipfw config files a LOT more readable.
|
| |
|
|
|
|
| |
rule 65535
|
| |
|
| |
|
|
|
|
|
|
| |
note.. this would be dangerous if your ipfw was blocking NIS access :)
Submitted by: archie@whistle.com (Archie Cobbs)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.
The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...
see the man page for a complete description.
|
|
|
|
|
| |
PR: 3600
Submitted by: Josh Gilliam <soil@quick.net>
|
| |
|
|
|
|
|
|
|
| |
synonym for '-a list'; stop SEGV when specifying 'via' with no interface;
change 2 instances of strcpy() to strncpy().
This is a candidate for 2.2
|
| |
|
| |
|
|
|
|
| |
2.2 Candidate.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
firewalls are remote, and this command will kill the network connection
to them), prompt the user for confirmation of this command.
Also, add the '-f' flag which ignores the need for confirmation the
command, and if there is no controlling tty (isatty(STDIN_FILENO) !=0)
assume '-f'.
If anyone is using ipfw flush in scripts it shouldn't affect them, but you
may want to change the script to use a 'ipfw -f flush'.
Reviewed by: alex
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
now completely consistent across all IP protocols and should be quite a
bit faster.
Use getprotoname() extensively, performed minor cleanups of admin utility.
The admin utility could use a good kick in the pants.
Basicly, these were the minimal changes I could make to the code
to get it up to tollerable shape. There will be some future commits
to clean up the basic architecture of the firewall code, and if
I'm feeling ambitious, I may pull in changes like NAT from Linux
and make the firewall hooks comletely generic so that a user can
either load the ipfw module or the ipfilter module (cf Darren Reed).
Discussed with: fenner & alex
|
|
|
|
|
|
| |
Submitted by: fenner (with modifications by me)
Bring in the interface unit wildcard flag fix from rev 1.15.4.8.
|
|
|
|
|
|
| |
This stuff should not be too destructive if the IPDIVERT is not compiled in..
be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
|
| |
|
|
|
|
| |
Submitted by: nate
|
| |
|
| |
|
| |
|
|
|
|
| |
I hope it all compiles...
|
| |
|
| |
|
|
|
|
|
|
| |
Submitted by: Gary Palmer <gary@palmer.demon.co.uk>
Minor cleanup by me in the English.
|
|
|
|
|
| |
`syn' not `tcpsyn' (which matches `tcp' which blocks all tcp
packets)
|
|
|
|
| |
would go through it and fix it would be a really good idea.
|
|
|
|
|
| |
and others not..
Submitted by: torstenb@FreeBSD.ORG
|
|
|
|
| |
along with IP as "via" argument
|
| |
|
|
|
|
| |
To be continued..
|
| |
|
|
that the english in Ugen's two replacement pages is not too impenetrable! :-)
[Note: Poul - please pull these into the BETA branch along with the
other firewall changes]
Submitted by: ugen
|