path: root/sbin/ipfw
Commit message (Author, Age, Files, Lines)
* Add a flag to "ipfw show" which suppresses the display of dynamic rules. Also, don't show dynamic rules if you only asked to see a certain rule number. (dwmalone, 2001-05-20, 2 files, -3/+10)
| PR: 18550
| Submitted by: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
| Approved by: luigi
| MFC after: 2 weeks
* Update comment to match ipfw/ipfw.c,v 1.95. (ru, 2001-04-13, 1 file, -3/+2)
|
* Fixed some printf format errors (don't assume that ntohl() returns u_long). (bde, 2001-04-05, 1 file, -2/+2)
|
* - Backout botched attempt to introduce MANSECT feature. (ru, 2001-03-26, 1 file, -0/+1)
| - MAN[1-9] -> MAN.
* Set the default manual section for sbin/ to 8. (ru, 2001-03-20, 1 file, -1/+0)
|
* mdoc(7) police: removed hard sentence break introduced in rev 1.82. (ru, 2001-03-16, 1 file, -1/+2)
|
* Explain that TCP fragments with an offset of 1 are reported as being dropped by rule -1 if logging is enabled. (dd, 2001-03-16, 1 file, -1/+2)
| PR: 25796
| Submitted by: Crist J. Clark <cjclark@alum.mit.edu>
| Approved by: nik
* Document that the IPFW messages are logged via syslogd(8). (ru, 2001-02-22, 1 file, -1/+11)
|
* mdoc(7) police: normalize the construct. (ru, 2001-02-15, 1 file, -5/+1)
|
* Fix grammar nit in previous commit. (sheldonh, 2001-02-14, 1 file, -1/+1)
|
* Introduce a new feature in IPFW: Check of the source or destination address is configured on an interface. This is useful for routers with dynamic interfaces. (phk, 2001-02-13, 2 files, -40/+73)
| It is now possible to say:
|     0100 allow tcp from any to any established
|     0200 skipto 1000 tcp from any to any
|     0300 allow ip from any to any
|     1000 allow tcp from 1.2.3.4 to me 22
|     1010 deny tcp from any to me 22
|     1020 allow tcp from any to any
| and not have to worry about the behaviour if dynamic interfaces configure new IP numbers later on.
| The check is semi expensive (traverses the interface address list) so it should be protected as in the above example if high performance is a requirement.
* o IPFW incorrectly handled filtering in the presence of previously reserved and now allocated TCP flags in incoming packets. This patch stops overloading those bits in the IP firewall rules, and moves colliding flags to a separate field, ipflg. The IPFW userland management tool, ipfw(8), is updated to reflect this change. New TCP flags related to ECN are now included in tcp.h for reference, although we don't currently implement TCP+ECN. (rwatson, 2001-01-09, 1 file, -3/+2)
| o To use this fix without completely rebuilding, it is sufficient to copy ip_fw.h and tcp.h into your appropriate include directory, then rebuild the ipfw kernel module, and ipfw tool, and install both. Note that a mismatch between module and userland tool will result in incorrect installation of firewall rules that may have unexpected effects.
| This is an MFC candidate, following shakedown. This bug does not appear to affect ipfilter.
| Reviewed by: security-officer, billf
| Reported by: Aragon Gouveia <aragon@phat.za.net>
* Prepare for mdoc(7)NG. (ru, 2000-12-27, 1 file, -4/+1)
|
* Prepare for mdoc(7)NG. (ru, 2000-12-18, 1 file, -4/+4)
|
* mdoc(7) police: do not split author names in the AUTHORS section. (ru, 2000-11-22, 1 file, -1/+2)
|
* mdoc(7) police: use the new features of the Nm macro. (ru, 2000-11-20, 1 file, -11/+11)
|
* more removal of trailing periods from SEE ALSO. (ben, 2000-11-15, 1 file, -1/+1)
|
* IPFW does not discard *any* IP fragments with OFF=1, only TCP ones. (ru, 2000-10-30, 1 file, -3/+6)
|
* Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as well, in which case return the rule number back into userland. (ru, 2000-10-12, 1 file, -3/+3)
| PR: bin/18351
| Reviewed by: archie, luigi
* Reset globals for every new command read from preprocessed file. (ru, 2000-10-11, 1 file, -12/+14)
|
* Only interpret the last command line argument as a file to be preprocessed if it is specified as an absolute pathname. (ru, 2000-10-11, 2 files, -5/+7)
| PR: bin/16179
* Convert this Makefile to the usual style. (ru, 2000-10-06, 1 file, -3/+3)
|
* Document the latest firewall knobs. (ru, 2000-10-06, 2 files, -32/+91)
|
* Respect the protocol when looking the port up by service name. (ru, 2000-10-04, 1 file, -15/+22)
| PR: 21742
* Do not force argument to ``ipid'' modifier to be in hex, and accept value of zero as valid for IP Identification field. (ru, 2000-10-03, 1 file, -9/+11)
* Fixed the printing of TCP flags. (ru, 2000-10-03, 1 file, -1/+1)
|
* Add new fields for more granularity: (billf, 2000-10-02, 1 file, -6/+169)
| IP: version, tos, ttl, len, id
| TCP: seq#, ack#, window size
| Reviewed by: silence on freebsd-{net,ipfw}
* Document that net.inet.ip.fw.one_pass only affects dummynet(4). (ru, 2000-09-29, 1 file, -3/+5)
| Noticed by: Peter Jeremy <peter.jeremy@alcatel.com.au>
* optreset is declared in unistd.h now. (imp, 2000-08-16, 1 file, -1/+0)
|
* Fix a paste-o in the tcpoptions check (not a security problem, just an error in the usage printf()) (billf, 2000-07-17, 1 file, -1/+1)
| Reviewed by: rwatson
* Don't call sprintf() with no format string. (kris, 2000-07-10, 1 file, -1/+1)
|
* Reorder the "prob" section in the output of list/show so it can be copy/pasted into add without problems. (billf, 2000-06-18, 1 file, -5/+6)
| The previous commit had the other half of this original patch which handled tcpflags/tcpflgs confusion in output/input.
* Fix behaviour of "ipfw pipe show" -- previous code gave ambiguous data to the userland program (kernel operation was safe, anyways). (luigi, 2000-06-14, 1 file, -6/+6)
* Fixed style bugs of rev 1.66. (ru, 2000-06-12, 1 file, -35/+81)
|
* Add tcpoptions to ipfw. This works much in the same way as ipoptions do. (dan, 2000-06-08, 2 files, -5/+88)
| It also squashes 99% of packet kiddie synflood orgies. For example, to rate syn packets without MSS,
|     ipfw pipe 10 config 56Kbit/s queue 10Packets
|     ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss
| Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>
* Document new dummynet functionality, namely WF2Q+ and RED (luigi, 2000-06-08, 1 file, -11/+105)
|
* userland side of WF2Q+ support in dummynet. (luigi, 2000-06-08, 1 file, -102/+315)
| Manpage coming later...
* Remove extraneous Dv macro that slipped in, in rev 1.64. (sheldonh, 2000-05-03, 1 file, -1/+0)
|
* Remove unused include, and place sys includes at top, which enabled us to remove this include. (asmodai, 2000-05-01, 1 file, -3/+2)
* Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a rule that logs without a log limit, use "logamount 0" in addition to "log". (green, 2000-04-30, 2 files, -7/+15)
* A huge rewrite of the manual page (mostly -mdoc related). (ru, 2000-02-28, 1 file, -546/+653)
| Reviewed by: luigi, sheldonh
* Use correct field for dst_port when displaying masks on dynamic pipes. (luigi, 2000-02-13, 1 file, -1/+1)
|
* Support and document new stateful ipfw features. (luigi, 2000-02-10, 2 files, -15/+290)
| Approved-by: jordan
* Support per-flow queueing in dummynet. (luigi, 2000-01-08, 2 files, -296/+531)
| Implement masks on UDP/TCP ports.
| Large rewrite of the manpage.
| Work supported by Akamba Corp.
* Turn on 'ipfw tee'. Update man page. Please note (from the man page): (archie, 1999-12-06, 2 files, -17/+10)
| Packets that match a tee rule should not be immediately accepted, but should continue going through the rule list. This may be fixed in a later version.
| I hope to fix this soon in a separate commit.
* Remove one obsoleted entry from the BUGS section. (ru, 1999-10-20, 1 file, -2/+0)
|
* Make the "uid" and "gid" code better. Now it can detect invalid user names/numbers. (green, 1999-09-03, 1 file, -4/+20)
| Reviewed by: chris
* $Id$ -> $FreeBSD$ (peter, 1999-08-28, 2 files, -2/+2)
|
* To christen the brand new security category for syslog, we get IPFW using syslog(3) (log(9)) for its various purposes! (green, 1999-08-21, 1 file, -5/+8)
| This long-awaited change also includes such nice things as:
|     * macros expanding into _two_ comma-delimited arguments!
|     * snprintf!
|     * more snprintf!
|     * linting and criticism by more people than you can shake a stick at!
|     * a slightly more uniform message style than before!
| and last but not least
|     * no less than 5 rewrites!
| Reviewed by: committers
* Whoops, forgot one line in previous patch. (luigi, 1999-08-12, 1 file, -1/+2)
|