path: root/sbin/ipfw
Commit log (each entry: commit message, then Author / Date / Files changed / Lines removed/added)
* Mention effect of securelevel 3 and higher on attempts to change filter lists.
  Author: ghelmer  Date: 1998-12-16  Files: 1  Lines: -0/+6
  Prompted by: PR docs/7785
* ipfw changes for dummynet. manpages still missing
  Author: luigi  Date: 1998-12-14  Files: 1  Lines: -2/+155
* Disallow ipfw "tee" rules until it is actually implemented.
  Author: archie  Date: 1998-12-07  Files: 2  Lines: -5/+10
  PR: bin/8471
* Preprocessor support for `ipfw [-q] ... file'.
  Author: joerg  Date: 1998-11-23  Files: 2  Lines: -15/+145
  This allows for more flexible ipfw configuration files using `variables' to describe frequently used items in the file, like the local IP address(es), interface names etc. Both m4 and cpp are useful and supported; with m4 being a little more unusual to the common C programmer, things like automatic rule numbering can be achieved fairly easily.
  While I was at it, I've also untangled some of the ugly style inside main(), and fixed a bug or two (like not being able to use blank lines when running with -q).
  A typical call with preprocessor invocation looks like
    ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules
  Someone should probably add support for this feature to /etc/rc.firewall.
* The flags type was recently changed from u_short to u_int, breaking icmptypes.
  Author: alex  Date: 1998-09-28  Files: 1  Lines: -10/+10
  PR: 8067
  Submitted by: Jonathan Hanna <jh@cr1003333-a.crdva1.bc.wave.home.com>
  While I'm here, staticize functions.
* PR: 7475
  Author: thepish  Date: 1998-08-04  Files: 2  Lines: -8/+14
  Added support for -q (suppress output) when firewall rules are taken from a file. Solves PR 7475
* Support for IPFW based transparent forwarding.
  Author: julian  Date: 1998-07-06  Files: 2  Lines: -3/+56
  Any packet that can be matched by an ipfw rule can be redirected transparently to another port or machine. Redirection to another port mostly makes sense with tcp, where a session can be set up between a proxy and an unsuspecting client. Redirection to another machine requires that the other machine also be expecting to receive the forwarded packets, as their headers will not have been modified.
  /sbin/ipfw must be recompiled!!!
  Reviewed by: Peter Wemm <peter@freebsd.org>
  Submitted by: Chrisy Luke <chrisy@flix.net>
* Reminded by: Alex Nash
  Author: danny  Date: 1998-05-19  Files: 1  Lines: -3/+3
  Bring man page up to date with -q flag behaviour.
* Typo fix.
  Author: max  Date: 1998-05-19  Files: 1  Lines: -1/+1
* PR: 6641
  Author: danny  Date: 1998-05-15  Files: 1  Lines: -2/+2
  Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
  Make -q work for zeroing a specific rule.
* When ipfw reads its rules from an input file, the optind variable is not reinitialized to 1 after calling getopt. This results in parsing errors on all but the first rule. An added patch also allows '#' comments at the end of a line.
  Author: phk  Date: 1998-04-22  Files: 1  Lines: -1/+5
  PR: 6379
  Reviewed by: phk
  Submitted by: Neal Fachan <kneel@ishiboo.com>
* (evil) hackers -> crackers
  Author: cracauer  Date: 1998-04-08  Files: 1  Lines: -3/+3
* .Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq.
  Author: charnier  Date: 1998-03-19  Files: 1  Lines: -5/+7
* Get the arguments to show_usage right (like the MFC'ed code in -stable).
  Author: alex  Date: 1998-03-13  Files: 1  Lines: -3/+3
  Submitted by: bde
* Alter ipfw's behavior with respect to fragmented packets when the packet offset is non-zero:
  Author: alex  Date: 1998-02-12  Files: 2  Lines: -2/+27
  - Do not match fragmented packets if the rule specifies a port or TCP flags
  - Match fragmented packets if the rule does not specify a port and TCP flags
  Since ipfw cannot examine port numbers or TCP flags for such packets, it is now illegal to specify the 'frag' option with either ports or tcpflags. Both kernel and ipfw userland utility will reject rules containing a combination of these options.
  BEWARE: packets that were previously passed may now be rejected, and vice versa.
  Reviewed by: Archie Cobbs <archie@whistle.com>
* Bump up packet and byte counters to 64-bit unsigned ints. As a consequence, ipfw's list command now adjusts its output at runtime based on the largest packet/byte counter values.
  Author: alex  Date: 1998-01-08  Files: 1  Lines: -14/+32
  NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel and userland ipfw utility.
  o This probably should not be brought into 2.2.
  PR: 3738
* Format mismatch in error message.
  Author: alex  Date: 1998-01-08  Files: 1  Lines: -2/+2
  Submitted by: bde
* Support listing/showing specific rules supplied on the command line.
  Author: alex  Date: 1998-01-07  Files: 2  Lines: -29/+74
  Use error codes from <sysexits.h>.
* Display a better error message and use a non-zero exit code when zero/delete operations fail.
  Author: alex  Date: 1998-01-06  Files: 1  Lines: -5/+16
  PR: 4231
  Reviewed by: Archie Cobbs <archie@whistle.com>
* Put the return value of getopt into an int, not a char.
  Author: alex  Date: 1997-12-26  Files: 1  Lines: -5/+4
* Allow ipfw to accept comments and blank lines.
  Author: julian  Date: 1997-12-05  Files: 2  Lines: -1/+7
  This makes ipfw config files a LOT more readable.
* Sort cross references in section SEE ALSO.
  Author: wosch  Date: 1997-09-29  Files: 1  Lines: -3/+3
* Mention the IPFIREWALL_DEFAULT_TO_ACCEPT option and its effect on rule 65535
  Author: peter  Date: 1997-09-10  Files: 1  Lines: -2/+14
* Fix typo (65434 -> 65534)
  Author: peter  Date: 1997-09-10  Files: 1  Lines: -1/+1
* Bring comment on '-a' flag in line with reality.
  Author: danny  Date: 1997-08-21  Files: 1  Lines: -2/+1
* Support interface names up to 15 characters in length. In order to accommodate the expanded name, the ICMP types bitmap has been reduced from 256 bits to 32. A recompile of kernel and user level ipfw is required.
  Author: alex  Date: 1997-08-08  Files: 1  Lines: -4/+4
  To be merged into 2.2 after a brief period in -current.
  PR: bin/4209
  Reviewed by: Archie Cobbs <archie@whistle.com>
* Allow service names as the divert/tee arg.
  Author: brian  Date: 1997-07-25  Files: 1  Lines: -5/+19
* Allow ipfw to look up service names from /etc/services (or NIS if turned on)
  Author: julian  Date: 1997-06-23  Files: 2  Lines: -15/+47
  note.. this would be dangerous if your ipfw was blocking NIS access :)
  Submitted by: archie@whistle.com (Archie Cobbs)
* Remove __progname. Cosmetic in usage string.
  Author: charnier  Date: 1997-06-13  Files: 1  Lines: -11/+6
* Submitted by: Whistle Communications (Archie Cobbs)
  Author: julian  Date: 1997-06-02  Files: 3  Lines: -250/+557
  These are quite extensive additions to the ipfw code. They include a change to the API because the old method was broken, but the user view is kept the same. The new code allows a particular match to skip forward to a particular line number, so that blocks of rules can be used without checking all the intervening rules. There are also many more ways of rejecting connections especially TCP related, and many many more ... see the man page for a complete description.
* Typo.
  Author: max  Date: 1997-05-15  Files: 1  Lines: -1/+1
  PR: 3600
  Submitted by: Josh Gilliam <soil@quick.net>
* Minor rewording of the examples section.
  Author: alex  Date: 1997-05-15  Files: 1  Lines: -2/+3
* Compare return value from getopt against -1 rather than EOF, per the final POSIX standard on the topic.
  Author: imp  Date: 1997-03-29  Files: 1  Lines: -2/+2
* Force null termination after 2 errant strncpy()s.
  Author: bde  Date: 1997-03-05  Files: 1  Lines: -1/+3
* Revert $FreeBSD$ to $Id$
  Author: peter  Date: 1997-02-22  Files: 1  Lines: -1/+1
* Add '-q' quiet flag for flush/add/zero commands; add 'show' command as synonym for '-a list'; stop SEGV when specifying 'via' with no interface; change 2 instances of strcpy() to strncpy().
  Author: danny  Date: 1997-02-10  Files: 2  Lines: -8/+50
  This is a candidate for 2.2
* Adjust spelling of `fw_flg' so this thing compiles again.
  Author: jkh  Date: 1997-01-17  Files: 1  Lines: -2/+2
* Implement "not" keyword for inverting the address logic
  Author: adam  Date: 1997-01-16  Files: 2  Lines: -12/+23
* Make the long-awaited change from $Id$ to $FreeBSD$
  Author: jkh  Date: 1997-01-14  Files: 1  Lines: -1/+1
  This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long.
  Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
* Minor mdoc/style fixes.
  Author: mpp  Date: 1996-12-23  Files: 1  Lines: -48/+39
* Fix up programs which expect <net/if.h> to include <sys/time.h> to instead do it themselves. (Some of these programs actually depended on this beyond compiling the definition of struct ifinfo!)
  Author: wollman  Date: 1996-12-10  Files: 1  Lines: -9/+13
  Also fix up some other #include messes while we're at it.
* Fix a spelling error.
  Author: jdp  Date: 1996-11-05  Files: 1  Lines: -1/+1
  2.2 Candidate.
* Issue a warning if the user specifies an invalid interface in a rule.
  Author: alex  Date: 1996-10-17  Files: 1  Lines: -1/+25
  The rule is still added to the chain since the interface may get created later on after loading an LKM.
* Note that -N is only effective when ipfw is displaying chain entries.
  Author: alex  Date: 1996-09-15  Files: 1  Lines: -1/+1
* Because 'ipfw flush' is such a dangerous command (given that most firewalls are remote, and this command will kill the network connection to them), prompt the user for confirmation of this command.
  Author: nate  Date: 1996-08-31  Files: 2  Lines: -8/+42
  Also, add the '-f' flag which ignores the need for confirmation of the command, and if there is no controlling tty (isatty(STDIN_FILENO) !=0) assume '-f'.
  If anyone is using ipfw flush in scripts it shouldn't affect them, but you may want to change the script to use a 'ipfw -f flush'.
  Reviewed by: alex
* Use the .Fx macro where appropriate.
  Author: mpp  Date: 1996-08-23  Files: 1  Lines: -1/+2
* Completely rewrite handling of protocol field for firewalls, things are now completely consistent across all IP protocols and should be quite a bit faster. Use getprotoname() extensively, performed minor cleanups of admin utility.
  Author: pst  Date: 1996-08-13  Files: 2  Lines: -130/+72
  The admin utility could use a good kick in the pants. Basically, these were the minimal changes I could make to the code to get it up to tolerable shape. There will be some future commits to clean up the basic architecture of the firewall code, and if I'm feeling ambitious, I may pull in changes like NAT from Linux and make the firewall hooks completely generic so that a user can either load the ipfw module or the ipfilter module (cf Darren Reed).
  Discussed with: fenner & alex
* Fix tcp/udp port ranges
  Author: pst  Date: 1996-08-13  Files: 1  Lines: -3/+3
* Filter by IP protocol.
  Author: alex  Date: 1996-08-05  Files: 2  Lines: -28/+72
  Submitted by: fenner (with modifications by me)
  Bring in the interface unit wildcard flag fix from rev 1.15.4.8.
* Adding changes to ipfw and the kernel to support ip packet diversion..
  Author: julian  Date: 1996-07-10  Files: 2  Lines: -32/+80
  This stuff should not be too destructive if the IPDIVERT is not compiled in.. be aware that this changes the size of the ip_fw struct so ipfw needs to be recompiled to use it.. more changes coming to clean this up.