path: root/sbin/ipfw
Commit message | Author | Age | Files | Lines
* Fix a paste-o in the tcpoptions check (not a security problem, just an error in the usage printf())
  Reviewed by: rwatson
  Author: billf | Age: 2000-07-17 | Files: 1 | Lines: -1/+1
* Don't call sprintf() with no format string.
  Author: kris | Age: 2000-07-10 | Files: 1 | Lines: -1/+1
* Reorder the "prob" section in the output of list/show so it can be copy/pasted into add without problems.
  The previous commit had the other half of this original patch which handled tcpflags/tcpflgs confusion in output/input.
  Author: billf | Age: 2000-06-18 | Files: 1 | Lines: -5/+6
* Fix behaviour of "ipfw pipe show" -- previous code gave ambiguous data to the userland program (kernel operation was safe, anyways).
  Author: luigi | Age: 2000-06-14 | Files: 1 | Lines: -6/+6
* Fixed style bugs of rev 1.66.
  Author: ru | Age: 2000-06-12 | Files: 1 | Lines: -35/+81
* Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
  It also squashes 99% of packet kiddie synflood orgies. For example, to rate syn packets without MSS,
      ipfw pipe 10 config 56Kbit/s queue 10Packets
      ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss
  Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>
  Author: dan | Age: 2000-06-08 | Files: 2 | Lines: -5/+88
* Document new dummynet functionality, namely WF2Q+ and RED
  Author: luigi | Age: 2000-06-08 | Files: 1 | Lines: -11/+105
* userland side of WF2Q+ support in dummynet.
  Manpage coming later...
  Author: luigi | Age: 2000-06-08 | Files: 1 | Lines: -102/+315
* Remove extraneous Dv macro that slipped in, in rev 1.64.
  Author: sheldonh | Age: 2000-05-03 | Files: 1 | Lines: -1/+0
* Remove unused include, and place sys includes at top, which enabled us to remove this include.
  Author: asmodai | Age: 2000-05-01 | Files: 1 | Lines: -3/+2
* Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a rule that logs without a log limit, use "logamount 0" in addition to "log".
  Author: green | Age: 2000-04-30 | Files: 2 | Lines: -7/+15
* A huge rewrite of the manual page (mostly -mdoc related).
  Reviewed by: luigi, sheldonh
  Author: ru | Age: 2000-02-28 | Files: 1 | Lines: -546/+653
* Use correct field for dst_port when displaying masks on dynamic pipes.
  Author: luigi | Age: 2000-02-13 | Files: 1 | Lines: -1/+1
* Support and document new stateful ipfw features.
  Approved-by: jordan
  Author: luigi | Age: 2000-02-10 | Files: 2 | Lines: -15/+290
* Support per-flow queueing in dummynet.
  Implement masks on UDP/TCP ports.
  Large rewrite of the manpage.
  Work supported by Akamba Corp.
  Author: luigi | Age: 2000-01-08 | Files: 2 | Lines: -296/+531
* Turn on 'ipfw tee'. Update man page. Please note (from the man page):
      Packets that match a tee rule should not be immediately accepted, but should continue going through the rule list. This may be fixed in a later version.
  I hope to fix this soon in a separate commit.
  Author: archie | Age: 1999-12-06 | Files: 2 | Lines: -17/+10
* Remove one obsoleted entry from the BUGS section.
  Author: ru | Age: 1999-10-20 | Files: 1 | Lines: -2/+0
* Make the "uid" and "gid" code better. Now it can detect invalid user names/numbers.
  Reviewed by: chris
  Author: green | Age: 1999-09-03 | Files: 1 | Lines: -4/+20
* $Id$ -> $FreeBSD$
  Author: peter | Age: 1999-08-28 | Files: 2 | Lines: -2/+2
* To christen the brand new security category for syslog, we get IPFW using syslog(3) (log(9)) for its various purposes! This long-awaited change also includes such nice things as:
    * macros expanding into _two_ comma-delimited arguments!
    * snprintf!
    * more snprintf!
    * linting and criticism by more people than you can shake a stick at!
    * a slightly more uniform message style than before!
  and last but not least
    * no less than 5 rewrites!
  Reviewed by: committers
  Author: green | Age: 1999-08-21 | Files: 1 | Lines: -5/+8
* Whoops, forgot one line in previous patch.
  Author: luigi | Age: 1999-08-12 | Files: 1 | Lines: -1/+2
* Userland and manual page changes for probabilistic rule match.
  Because the kernel change was done in a backward-compatible way, you don't need to recompile ipfw if you don't want to use the new feature.
  Author: luigi | Age: 1999-08-11 | Files: 2 | Lines: -4/+41
* Make ipfw's logging more dynamic. Now, log will use the default limit _or_ you may specify "log logamount number" to set logging specifically the rule. In addition, "ipfw resetlog" has been added, which will reset the logging counters on any/all rule(s). ipfw resetlog does not affect the packet/byte counters (as ipfw reset does), and is the only "set" command that can be run at securelevel >= 3.
  This should address complaints about not being able to set logging amounts, not being able to restart logging at a high securelevel, and not being able to just reset logging without resetting all of the counters in a rule.
  Author: green | Age: 1999-08-01 | Files: 2 | Lines: -11/+97
* This is the much-awaited cleaned up version of IPFW [ug]id support.
  All relevant changes have been made (including ipfw.8).
  Author: green | Age: 1999-06-19 | Files: 2 | Lines: -2/+62
* Document the usage of escape character in a service name.
  PR: 7101
  Reminded by: jhs
  Author: ru | Age: 1999-06-15 | Files: 1 | Lines: -2/+9
* Workaround the problem that the first (and only first) port name can't have a dash character (it is treated as a ``range'' operator). One could now use such a name by escaping the ``-'' characters. For example:
      # ipfw add 1 count tcp from any to any "ms\-sql\-s"
      # ipfw add 2 count tcp from any ftp\\-data-ftp to any
  PR: 7101
  Author: ru | Age: 1999-06-11 | Files: 1 | Lines: -9/+26
* Fix the parsing of ip addresses on a command line.
  PR: 5047
  Reviewed by: des
  Test case: ipfw add allow ip from 127.1 to any
  Author: ru | Age: 1999-06-04 | Files: 1 | Lines: -7/+7
* Spelling corrections for dummynet.
  Reviewed by: des,luigi
  Author: ru | Age: 1999-06-02 | Files: 1 | Lines: -4/+5
* Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes, grammatical fixes.
  Submitted by: Philippe Charnier
  Author: kris | Age: 1999-05-29 | Files: 2 | Lines: -25/+27
* close pr 10889:
    + add a missing call to dn_rule_delete() when flushing firewall rules, thus preventing possible panics due to dangling pointers (this was already done for single rule deletes).
    + improve "usage" output in ipfw(8)
    + add a few checks to ipfw pipe parameters and make it a bit more tolerant of common mistakes (such as specifying kbit instead of Kbit)
  PR: kern/10889
  Submitted by: Ruslan Ermilov
  Author: luigi | Age: 1999-05-24 | Files: 1 | Lines: -13/+27
* Add ICMP types to list of information about each packet.
  Author: ghelmer | Age: 1999-04-29 | Files: 1 | Lines: -2/+33
* Explain when packets are tested by the firewall rules and what attributes of packets can be tested.
  PR: docs/7437
  Author: ghelmer | Age: 1999-04-28 | Files: 1 | Lines: -23/+128
* Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
  Submitted by: Nathan Ahlstrom <nrahlstr@winternet.com>
  Author: ghelmer | Age: 1999-04-08 | Files: 1 | Lines: -2/+3
* Fix bug where 'ipfw list' would choke if there were a large number of rules.
  Author: archie | Age: 1999-01-22 | Files: 1 | Lines: -79/+95
* Fix misleading wording in ipfw(8) man page.
  PR: docs/9603
  Author: archie | Age: 1999-01-21 | Files: 1 | Lines: -3/+3
* Remove coredump when running "ipfw pipe" without more arguments.
  PR: 8937
  Author: luigi | Age: 1998-12-27 | Files: 1 | Lines: -1/+4
* Mention effect of securelevel 3 and higher on attempts to change filter lists.
  Prompted by: PR docs/7785
  Author: ghelmer | Age: 1998-12-16 | Files: 1 | Lines: -0/+6
* ipfw changes for dummynet. manpages still missing
  Author: luigi | Age: 1998-12-14 | Files: 1 | Lines: -2/+155
* Disallow ipfw "tee" rules until it is actually implemented.
  PR: bin/8471
  Author: archie | Age: 1998-12-07 | Files: 2 | Lines: -5/+10
* Preprocessor support for `ipfw [-q] ... file'.
  This allows for more flexible ipfw configuration files using `variables' to describe frequently used items in the file, like the local IP address(es), interface names etc. Both m4 and cpp are useful and supported; with m4 being a little more unusual to the common C programmer, things like automatic rule numbering can be achieved fairly easy.
  While I was at it, I've also untangled some of the ugly style inside main(), and fixed a bug or two (like not being able to use blank lines when running with -q).
  A typical call with preprocessor invocation looks like
      ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules
  Someone should probably add support for this feature to /etc/rc.firewall.
  Author: joerg | Age: 1998-11-23 | Files: 2 | Lines: -15/+145
* The flags type was recently changed from u_short to u_int, breaking icmptypes.
  PR: 8067
  Submitted by: Jonathan Hanna <jh@cr1003333-a.crdva1.bc.wave.home.com>
  While I'm here, staticize functions.
  Author: alex | Age: 1998-09-28 | Files: 1 | Lines: -10/+10
* PR: 7475
  Added support for -q (suppress output) when firewall rules are taken from a file.
  Solves PR 7475
  Author: thepish | Age: 1998-08-04 | Files: 2 | Lines: -8/+14
* Support for IPFW based transparent forwarding.
  Any packet that can be matched by a ipfw rule can be redirected transparently to another port or machine. Redirection to another port mostly makes sense with tcp, where a session can be set up between a proxy and an unsuspecting client. Redirection to another machine requires that the other machine also be expecting to receive the forwarded packets, as their headers will not have been modified.
  /sbin/ipfw must be recompiled!!!
  Reviewed by: Peter Wemm <peter@freebsd.org>
  Submitted by: Chrisy Luke <chrisy@flix.net>
  Author: julian | Age: 1998-07-06 | Files: 2 | Lines: -3/+56
* Reminded by: Alex Nash
  Bring man page up to date with -q flag behaviour.
  Author: danny | Age: 1998-05-19 | Files: 1 | Lines: -3/+3
* Typo fix.
  Author: max | Age: 1998-05-19 | Files: 1 | Lines: -1/+1
* PR: 6641
  Submitted by: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
  Make -q work for zeroing a specific rule.
  Author: danny | Age: 1998-05-15 | Files: 1 | Lines: -2/+2
* When ipfw reads its rules from an input file, the optind variable is not reinitialized to 1 after calling getopt. This results in parsing errors on all but the first rule. An added patch also allows '#' comments at the end of a line.
  PR: 6379
  Reviewed by: phk
  Submitted by: Neal Fachan <kneel@ishiboo.com>
  Author: phk | Age: 1998-04-22 | Files: 1 | Lines: -1/+5
* (evil) hackers -> crackers
  Author: cracauer | Age: 1998-04-08 | Files: 1 | Lines: -3/+3
* .Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq.
  Author: charnier | Age: 1998-03-19 | Files: 1 | Lines: -5/+7
* Get the arguments to show_usage right (like the MFC'ed code in -stable).
  Submitted by: bde
  Author: alex | Age: 1998-03-13 | Files: 1 | Lines: -3/+3