Commit message | Author | Age | Files | Lines
Added support for -q (suppress output) when firewall rules are taken from a
file. Solves PR 7475
Any packet that can be matched by an ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.
/sbin/ipfw must be recompiled!!!
Reviewed by: Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
Bring man page up to date with -q flag behaviour.
Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
Make -q work for zeroing a specific rule.
not reinitialized to 1 after calling getopt. This results in parsing
errors on all but the first rule. An added patch also allows '#'
comments at the end of a line.
PR: 6379
Reviewed by: phk
Submitted by: Neal Fachan <kneel@ishiboo.com>
Submitted by: bde
offset is non-zero:
- Do not match fragmented packets if the rule specifies a port or
TCP flags
- Match fragmented packets if the rule does not specify a port and
TCP flags
Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags. Both the kernel and the ipfw userland utility will reject rules
containing a combination of these options.
BEWARE: packets that were previously passed may now be rejected, and
vice versa.
Reviewed by: Archie Cobbs <archie@whistle.com>
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.
NOTE:
o The ipfw struct has changed requiring a recompile of both kernel
and userland ipfw utility.
o This probably should not be brought into 2.2.
PR: 3738
Submitted by: bde
Use error codes from <sysexits.h>.
zero/delete operations fail.
PR: 4231
Reviewed by: Archie Cobbs <archie@whistle.com>
This makes ipfw config files a LOT more readable.
rule 65535
accommodate the expanded name, the ICMP types bitmap has been
reduced from 256 bits to 32.
A recompile of kernel and user level ipfw is required.
To be merged into 2.2 after a brief period in -current.
PR: bin/4209
Reviewed by: Archie Cobbs <archie@whistle.com>
note.. this would be dangerous if your ipfw was blocking NIS access :)
Submitted by: archie@whistle.com (Archie Cobbs)
These are quite extensive additions to the ipfw code.
They include a change to the API because the old method was
broken, but the user view is kept the same.
The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...
see the man page for a complete description.
PR: 3600
Submitted by: Josh Gilliam <soil@quick.net>
posix standard on the topic.
synonym for '-a list'; stop SEGV when specifying 'via' with no interface;
change 2 instances of strcpy() to strncpy().
This is a candidate for 2.2
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
do it themselves. (Some of these programs actually depended on this
beyond compiling the definition of struct ifinfo!) Also fix up some
other #include messes while we're at it.
2.2 Candidate.
The rule is still added to the chain since the interface may get
created later on after loading an LKM.
firewalls are remote, and this command will kill the network connection
to them), prompt the user for confirmation of this command.
Also, add the '-f' flag which ignores the need for confirmation of the
command, and if there is no controlling tty (isatty(STDIN_FILENO) !=0)
assume '-f'.
If anyone is using ipfw flush in scripts it shouldn't affect them, but you
may want to change the script to use a 'ipfw -f flush'.
Reviewed by: alex
now completely consistent across all IP protocols and should be quite a
bit faster.
Use getprotoname() extensively, performed minor cleanups of admin utility.
The admin utility could use a good kick in the pants.
Basically, these were the minimal changes I could make to the code
to get it up to tolerable shape. There will be some future commits
to clean up the basic architecture of the firewall code, and if
I'm feeling ambitious, I may pull in changes like NAT from Linux
and make the firewall hooks completely generic so that a user can
either load the ipfw module or the ipfilter module (cf Darren Reed).
Discussed with: fenner & alex
Submitted by: fenner (with modifications by me)
Bring in the interface unit wildcard flag fix from rev 1.15.4.8.
This stuff should not be too destructive if the IPDIVERT is not compiled in..
be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
Prevent ALL protocol from being used with port specifications.
Allow 'via' keyword at any point in the options list. Disallow
multiple 'via' specifications.
Submitted by: nate
of /0 to have the desired effect. Normalize IP addresses that
won't match a given mask (i.e. 1.2.3.4/24 becomes 1.2.3.0/24).
Submitted by: R. Bezuidenhout <rbezuide@mikom.csir.co.za>
Code formatting and "frag" display fixes.
Found by: Aage Robekk <aagero@aage.priv.no>