Commit Graph

92 Commits

Author SHA1 Message Date
Ruslan Ermilov
4ae29521b3 mdoc(7) police: fix markup. 2001-10-01 14:13:36 +00:00
Bill Fumerola
b53adbbf93 now that jlemon has added a hash table to lookup locally configured ip
addresses (and the macros that ipfw(4) use to lookup data for the 'me'
keyword have been converted) remove a comment about using 'me' being a
"computationally expensive" operation.

while I'm here, change two instances of "IP number" to "IP address"
2001-09-29 06:33:42 +00:00
Luigi Rizzo
830cc17841 Two main changes here:
+ implement "limit" rules, which permit to limit the number of sessions
   between certain host pairs (according to masks). These are a special
   type of stateful rules, which might be of interest in some cases.
   See the ipfw manpage for details.

 + merge the list pointers and ipfw rule descriptors in the kernel, so
   the code is smaller, faster and more readable. This patch basically
   consists in replacing "foo->rule->bar" with "rule->bar" all over
   the place.
   I have been willing to do this for ages!

MFC after: 1 week
2001-09-27 23:44:27 +00:00
Ruslan Ermilov
c4d9468ea0 mdoc(7) police:
Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text.
Not only this slows down the mdoc(7) processing significantly, but it also
has an undesired (in this case) effect of disabling hyphenation within the
entire enclosed block.
2001-08-07 15:48:51 +00:00
Ruslan Ermilov
9fe48c6e8d mdoc(7) police: removed HISTORY info from the .Os call. 2001-07-10 11:04:34 +00:00
Dima Dorfman
70d51341bf mdoc(7) police: remove extraneous .Pp before and/or after .Sh. 2001-07-09 09:54:33 +00:00
Chris Costello
fb478e5d0b Mention Alexandre Peixoto's share/examples/ipfw/change_rules.sh in the
checklist.

MFC after:	1 week
2001-06-06 20:56:56 +00:00
Dag-Erling Smørgrav
266b63f4d0 Invert the meaning of the -d option (i.e. default to *not* list dynamic rules,
but list them if -d was specified).

Avoid listing expired dynamic rules unless the (new) -e option was specified.

If specific rule numbers were listed on the command line, and the -d flag was
specified, only list dynamic rules that match the specified rule numbers.

Try to partly clean up the bleeding mess this file has become.  If there is
any justice in this world, the responsible parties (you know who you are!)
should expect to wake up one morning with a horse's head in their bed.  The
code still looks like spaghetti, but at least now it's *properly intented*
spaghetti (hmm?  did somebody say "tagliatelle"?).
2001-06-04 23:56:26 +00:00
David Malone
78e4a3143e Add a flag to "ipfw show" which supresses the display of dynamic
rules.  Also, don't show dynamic rules if you only asked to see a
certain rule number.

PR:		18550
Submitted by:	Lyndon Nerenberg <lyndon@orthanc.ab.ca>
Approved by:	luigi
MFC after:	2 weeks
2001-05-20 10:01:39 +00:00
Ruslan Ermilov
7350bb3af1 mdoc(7) police: removed hard sentence break introduced in rev 1.82. 2001-03-16 07:39:46 +00:00
Dima Dorfman
32de505213 Explain that TCP fragments with an offset of 1 are reported as being
dropped by rule -1 if logging is enabled.

PR:		25796
Submitted by:	Crist J. Clark <cjclark@alum.mit.edu>
Approved by:	nik
2001-03-16 01:28:11 +00:00
Ruslan Ermilov
dc60ef4a4e Document that the IPFW messages are logged via syslogd(8). 2001-02-22 09:12:44 +00:00
Ruslan Ermilov
d4339464da mdoc(7) police: normalize the construct. 2001-02-15 08:36:20 +00:00
Sheldon Hearn
63ca8f4ad1 Fix grammar nit in previous commit. 2001-02-14 15:03:20 +00:00
Poul-Henning Kamp
bb07ec8c84 Introduce a new feature in IPFW: Check of the source or destination
address is configured on a interface.  This is useful for routers with
dynamic interfaces.  It is now possible to say:

        0100 allow       tcp from any to any established
        0200 skipto 1000 tcp from any to any
        0300 allow       ip from any to any
        1000 allow       tcp from 1.2.3.4 to me 22
        1010 deny        tcp from any to me 22
        1020 allow       tcp from any to any

and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.

The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
2001-02-13 14:12:37 +00:00
Ruslan Ermilov
d90d7015f9 Prepare for mdoc(7)NG. 2000-12-27 14:40:52 +00:00
Ruslan Ermilov
1252c1bb05 Prepare for mdoc(7)NG. 2000-12-18 15:16:24 +00:00
Ruslan Ermilov
f4d874a1db mdoc(7) police: do not split author names in the AUTHORS section. 2000-11-22 09:35:58 +00:00
Ruslan Ermilov
7c7fb079b9 mdoc(7) police: use the new features of the Nm macro. 2000-11-20 16:52:27 +00:00
Ben Smithurst
32e5e4cfc3 more removal of trailing periods from SEE ALSO. 2000-11-15 16:44:24 +00:00
Ruslan Ermilov
0ec2d7d37a IPFW does not discard *any* IP fragments with OFF=1, only TCP ones. 2000-10-30 09:44:20 +00:00
Ruslan Ermilov
de2e7393d6 Only interpret the last command line argument as a file to
be preprocessed if it is specified as an absolute pathname.

PR:		bin/16179
2000-10-11 12:17:06 +00:00
Ruslan Ermilov
79a74459fa Document the latest firewall knobs. 2000-10-06 11:17:06 +00:00
Ruslan Ermilov
3ea420e391 Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by:	Peter Jeremy<peter.jeremy@alcatel.com.au>
2000-09-29 08:39:06 +00:00
Ruslan Ermilov
e439c30cf4 Fixed style bugs of rev 1.66. 2000-06-12 09:43:00 +00:00
Dan Moschuk
9714563d83 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
Luigi Rizzo
afb87ed2fd Document new dummynet functionality, namely WF2Q+ and RED 2000-06-08 13:38:57 +00:00
Sheldon Hearn
353fa3b66d Remove extraneous Dv macro that slipped in, in rev 1.64. 2000-05-03 08:59:44 +00:00
Brian Feldman
0f95689794 Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".
2000-04-30 06:44:11 +00:00
Ruslan Ermilov
ac13e0c5a0 A huge rewrite of the manual page (mostly -mdoc related).
Reviewed by:	luigi, sheldonh
2000-02-28 15:21:12 +00:00
Luigi Rizzo
d69f84c0b4 Support and document new stateful ipfw features.
Approved-by: jordan
2000-02-10 14:25:26 +00:00
Luigi Rizzo
8c020cb775 Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.

Work supported by Akamba Corp.
2000-01-08 11:19:19 +00:00
Archie Cobbs
56345b0f5c Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
    but should continue going through the rule list.  This may be fixed
    in a later version.

I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
Ruslan Ermilov
42c9b5b974 Remove one obsoleted entry from the BUGS section. 1999-10-20 12:59:35 +00:00
Peter Wemm
7f3dea244c $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
Brian Feldman
32e7924603 To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
	* macros expanding into _two_ comma-delimited arguments!
	* snprintf!
	* more snprintf!
	* linting and criticism by more people than you can shake a stick at!
	* a slightly more uniform message style than before!
	 and last but not least
	* no less than 5 rewrites!

Reviewed by:	committers
1999-08-21 18:35:55 +00:00
Luigi Rizzo
f0706ad422 Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
Brian Feldman
0b6c1a832d Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
Brian Feldman
7a2aab80b0 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
Ruslan Ermilov
689b0bd1d4 Document the usage of escape character in a service name.
PR:		7101
Reminded by:	jhs
1999-06-15 12:56:38 +00:00
Kris Kennaway
39aa78dd44 Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.

Submitted by:	Philippe Charnier
1999-05-29 08:12:38 +00:00
Guy Helmer
dc90479cca Add ICMP types to list of information about each packet. 1999-04-29 19:14:17 +00:00
Guy Helmer
b67579bd36 Explain when packets are tesed by the firewall rules and what attributes
of packets can be tested.

PR:		docs/7437
1999-04-28 02:49:29 +00:00
Guy Helmer
e5a49961b1 Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by:	Nathan Ahlstrom <nrahlstr@winternet.com>
1999-04-08 13:56:25 +00:00
Archie Cobbs
6f206f2ef2 Fix misleading wording in ipfw(8) man page.
PR: docs/9603
1999-01-21 19:51:04 +00:00
Guy Helmer
b46dfa405c Mention affect of securelevel 3 and higher on attempts to change filter lists.
Prompted by:	PR docs/7785
1998-12-16 17:10:03 +00:00
Archie Cobbs
b31a38612b Disallow ipfw "tee" rules until it is actually implemented.
PR:		bin/8471
1998-12-07 05:54:37 +00:00
Joerg Wunsch
aa045fa499 Preprocessor support for `ipfw [-q] ... file'.
This allows for more flexible ipfw configuration files using
`variables' to describe frequently used items in the file, like the
local IP address(es), interface names etc.  Both m4 and cpp are useful
and supported; with m4 being a little more unusual to the common C
programmer, things like automatic rule numbering can be achieved
fairly easy.

While i was at it, i've also untangled some of the ugly style inside
main(), and fixed a bug or two (like not being able to use blank lines
when running with -q).

A typical call with preprocessor invocation looks like

	ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules

Someone should probably add support for this feature to /etc/rc.firewall.
1998-11-23 10:54:28 +00:00
Peter Hawkins
62cf03cd85 PR: 7475
Added support for -q (suppress output) when firewall rules are taken from a
file. Solves PR 7475
1998-08-04 14:41:37 +00:00
Julian Elischer
f9e354df42 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00