path: root/sbin/ipfw
Commit message | Author | Age | Files | Lines
...
* Remove one obsoleted entry from the BUGS section. | ru | 1999-10-20 | 1 | -2/+0
* Make the "uid" and "gid" code better. Now it can detect invalid user | green | 1999-09-03 | 1 | -4/+20
  names/numbers.
  Reviewed by: chris
* $Id$ -> $FreeBSD$ | peter | 1999-08-28 | 2 | -2/+2
* To christen the brand new security category for syslog, we get IPFW | green | 1999-08-21 | 1 | -5/+8
  using syslog(3) (log(9)) for its various purposes! This long-awaited
  change also includes such nice things as:
    * macros expanding into _two_ comma-delimited arguments!
    * snprintf!
    * more snprintf!
    * linting and criticism by more people than you can shake a stick at!
    * a slightly more uniform message style than before!
  and last but not least
    * no less than 5 rewrites!
  Reviewed by: committers
* Whoops, forgot one line in previous patch. | luigi | 1999-08-12 | 1 | -1/+2
* Userland and manual page changes for probabilistic rule match. | luigi | 1999-08-11 | 2 | -4/+41
  Because the kernel change was done in a backward-compatible way, you
  don't need to recompile ipfw if you don't want to use the new feature.
* Make ipfw's logging more dynamic. Now, log will use the default limit | green | 1999-08-01 | 2 | -11/+97
  _or_ you may specify "log logamount number" to set logging specifically
  the rule. In addition, "ipfw resetlog" has been added, which will reset
  the logging counters on any/all rule(s). ipfw resetlog does not affect
  the packet/byte counters (as ipfw reset does), and is the only "set"
  command that can be run at securelevel >= 3.
  This should address complaints about not being able to set logging
  amounts, not being able to restart logging at a high securelevel, and
  not being able to just reset logging without resetting all of the
  counters in a rule.
* This is the much-awaited cleaned up version of IPFW [ug]id support. | green | 1999-06-19 | 2 | -2/+62
  All relevant changes have been made (including ipfw.8).
* Document the usage of escape character in a service name. | ru | 1999-06-15 | 1 | -2/+9
  PR: 7101
  Reminded by: jhs
* Workaround the problem that the first (and only first) port name | ru | 1999-06-11 | 1 | -9/+26
  can't have a dash character (it is treated as a ``range'' operator).
  One could now use such a name by escaping the ``-'' characters.
  For example:
    # ipfw add 1 count tcp from any to any "ms\-sql\-s"
    # ipfw add 2 count tcp from any ftp\\-data-ftp to any
  PR: 7101
* Fix the parsing of ip addresses on a command line. | ru | 1999-06-04 | 1 | -7/+7
  PR: 5047
  Reviewed by: des
  Test case: ipfw add allow ip from 127.1 to any
* Spelling corrections for dummynet. | ru | 1999-06-02 | 1 | -4/+5
  Reviewed by: des,luigi
* Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes, | kris | 1999-05-29 | 2 | -25/+27
  grammatical fixes.
  Submitted by: Philippe Charnier
* close pr 10889: | luigi | 1999-05-24 | 1 | -13/+27
  + add a missing call to dn_rule_delete() when flushing firewall
    rules, thus preventing possible panics due to dangling pointers
    (this was already done for single rule deletes).
  + improve "usage" output in ipfw(8)
  + add a few checks to ipfw pipe parameters and make it a bit more
    tolerant of common mistakes (such as specifying kbit instead of Kbit)
  PR: kern/10889
  Submitted by: Ruslan Ermilov
* Add ICMP types to list of information about each packet. | ghelmer | 1999-04-29 | 1 | -2/+33
* Explain when packets are tested by the firewall rules and what attributes | ghelmer | 1999-04-28 | 1 | -23/+128
  of packets can be tested.
  PR: docs/7437
* Convert LKM/modload to KLD/kldload. Add ref to kldload(8). | ghelmer | 1999-04-08 | 1 | -2/+3
  Submitted by: Nathan Ahlstrom <nrahlstr@winternet.com>
* Fix bug where 'ipfw list' would choke if there were a large number of rules. | archie | 1999-01-22 | 1 | -79/+95
* Fix misleading wording in ipfw(8) man page. | archie | 1999-01-21 | 1 | -3/+3
  PR: docs/9603
* Remove coredump when running "ipfw pipe" without more arguments. | luigi | 1998-12-27 | 1 | -1/+4
  PR: 8937
* Mention effect of securelevel 3 and higher on attempts to change filter lists. | ghelmer | 1998-12-16 | 1 | -0/+6
  Prompted by: PR docs/7785
* ipfw changes for dummynet. manpages still missing | luigi | 1998-12-14 | 1 | -2/+155
* Disallow ipfw "tee" rules until it is actually implemented. | archie | 1998-12-07 | 2 | -5/+10
  PR: bin/8471
* Preprocessor support for `ipfw [-q] ... file'. | joerg | 1998-11-23 | 2 | -15/+145
  This allows for more flexible ipfw configuration files using
  `variables' to describe frequently used items in the file, like the
  local IP address(es), interface names etc. Both m4 and cpp are useful
  and supported; with m4 being a little more unusual to the common C
  programmer, things like automatic rule numbering can be achieved
  fairly easy.
  While I was at it, I've also untangled some of the ugly style inside
  main(), and fixed a bug or two (like not being able to use blank
  lines when running with -q).
  A typical call with preprocessor invocation looks like
    ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules
  Someone should probably add support for this feature to
  /etc/rc.firewall.
* The flags type was recently changed from u_short to u_int, breaking | alex | 1998-09-28 | 1 | -10/+10
  icmptypes.
  PR: 8067
  Submitted by: Jonathan Hanna <jh@cr1003333-a.crdva1.bc.wave.home.com>
  While I'm here, staticize functions.
* PR: 7475 | thepish | 1998-08-04 | 2 | -8/+14
  Added support for -q (suppress output) when firewall rules are taken
  from a file. Solves PR 7475
* Support for IPFW based transparent forwarding. | julian | 1998-07-06 | 2 | -3/+56
  Any packet that can be matched by a ipfw rule can be redirected
  transparently to another port or machine. Redirection to another port
  mostly makes sense with tcp, where a session can be set up between a
  proxy and an unsuspecting client. Redirection to another machine
  requires that the other machine also be expecting to receive the
  forwarded packets, as their headers will not have been modified.
  /sbin/ipfw must be recompiled!!!
  Reviewed by: Peter Wemm <peter@freebsd.org>
  Submitted by: Chrisy Luke <chrisy@flix.net>
* Reminded by: Alex Nash | danny | 1998-05-19 | 1 | -3/+3
  Bring man page up to date with -q flag behaviour.
* Typo fix. | max | 1998-05-19 | 1 | -1/+1
* PR: 6641 | danny | 1998-05-15 | 1 | -2/+2
  Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
  Make -q work for zeroing a specific rule.
* When ipfw reads its rules from an input file, the optind variable is | phk | 1998-04-22 | 1 | -1/+5
  not reinitialized to 1 after calling getopt. This results in parsing
  errors on all but the first rule. An added patch also allows '#'
  comments at the end of a line.
  PR: 6379
  Reviewed by: phk
  Submitted by: Neal Fachan <kneel@ishiboo.com>
* (evil) hackers -> crackers | cracauer | 1998-04-08 | 1 | -3/+3
* .Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq. | charnier | 1998-03-19 | 1 | -5/+7
* Get the arguments to show_usage right (like the MFC'ed code in -stable). | alex | 1998-03-13 | 1 | -3/+3
  Submitted by: bde
* Alter ipfw's behavior with respect to fragmented packets when the packet | alex | 1998-02-12 | 2 | -2/+27
  offset is non-zero:
    - Do not match fragmented packets if the rule specifies a port or
      TCP flags
    - Match fragmented packets if the rule does not specify a port and
      TCP flags
  Since ipfw cannot examine port numbers or TCP flags for such packets,
  it is now illegal to specify the 'frag' option with either ports or
  tcpflags. Both kernel and ipfw userland utility will reject rules
  containing a combination of these options.
  BEWARE: packets that were previously passed may now be rejected, and
  vice versa.
  Reviewed by: Archie Cobbs <archie@whistle.com>
* Bump up packet and byte counters to 64-bit unsigned ints. As a | alex | 1998-01-08 | 1 | -14/+32
  consequence, ipfw's list command now adjusts its output at runtime
  based on the largest packet/byte counter values.
  NOTE:
    o The ipfw struct has changed requiring a recompile of both kernel
      and userland ipfw utility.
    o This probably should not be brought into 2.2.
  PR: 3738
* Format mismatch in error message. | alex | 1998-01-08 | 1 | -2/+2
  Submitted by: bde
* Support listing/showing specific rules supplied on the command line. | alex | 1998-01-07 | 2 | -29/+74
  Use error codes from <sysexits.h>.
* Display a better error message and use a non-zero exit code when | alex | 1998-01-06 | 1 | -5/+16
  zero/delete operations fail.
  PR: 4231
  Reviewed by: Archie Cobbs <archie@whistle.com>
* Put the return value of getopt into an int, not a char. | alex | 1997-12-26 | 1 | -5/+4
* Allow ipfw to accept comments and blank lines. | julian | 1997-12-05 | 2 | -1/+7
  This makes ipfw config files a LOT more readable.
* Sort cross references in section SEE ALSO. | wosch | 1997-09-29 | 1 | -3/+3
* Mention the IPFIREWALL_DEFAULT_TO_ACCEPT option and its effect on | peter | 1997-09-10 | 1 | -2/+14
  rule 65535
* Fix typo (65434 -> 65534) | peter | 1997-09-10 | 1 | -1/+1
* Bring comment on '-a' flag in line with reality. | danny | 1997-08-21 | 1 | -2/+1
* Support interface names up to 15 characters in length. In order to | alex | 1997-08-08 | 1 | -4/+4
  accommodate the expanded name, the ICMP types bitmap has been
  reduced from 256 bits to 32.
  A recompile of kernel and user level ipfw is required.
  To be merged into 2.2 after a brief period in -current.
  PR: bin/4209
  Reviewed by: Archie Cobbs <archie@whistle.com>
* Allow service names as the divert/tee arg. | brian | 1997-07-25 | 1 | -5/+19
* Allow ipfw to look up service names from /etc/services (or NIS if turned on) | julian | 1997-06-23 | 2 | -15/+47
  note.. this would be dangerous if your ipfw was blocking NIS access :)
  Submitted by: archie@whistle.com (Archie Cobbs)
* Remove __progname. Cosmetic in usage string. | charnier | 1997-06-13 | 1 | -11/+6
* Submitted by: Whistle Communications (archie Cobbs) | julian | 1997-06-02 | 3 | -250/+557
  these are quite extensive additions to the ipfw code. they include a
  change to the API because the old method was broken, but the user
  view is kept the same.
  The new code allows a particular match to skip forward to a particular
  line number, so that blocks of rules can be used without checking all
  the intervening rules.
  There are also many more ways of rejecting connections especially TCP
  related, and many many more ...
  see the man page for a complete description.