Commit Graph

150 Commits

Author SHA1 Message Date
ru
cff3f1a066 mdoc(7) police: do not split author names in the AUTHORS section. 2000-11-22 09:35:58 +00:00
ru
d16dd614f6 mdoc(7) police: use the new features of the Nm macro. 2000-11-20 16:52:27 +00:00
ben
6f0ff396c7 more removal of trailing periods from SEE ALSO. 2000-11-15 16:44:24 +00:00
ru
56ce34359a IPFW does not discard *any* IP fragments with OFF=1, only TCP ones. 2000-10-30 09:44:20 +00:00
ru
30b9c95367 Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
well, in which case return the rule number back into userland.

PR:		bin/18351
Reviewed by:	archie, luigi
2000-10-12 07:59:14 +00:00
ru
cba8ae08e9 Reset globals for every new command read from preprocessed file. 2000-10-11 13:02:30 +00:00
ru
b317c2f56d Only interpret the last command line argument as a file to
be preprocessed if it is specified as an absolute pathname.

PR:		bin/16179
2000-10-11 12:17:06 +00:00
ru
7c4ab2a39e Convert this Makefile to the usual style. 2000-10-06 11:18:11 +00:00
ru
7b1e21a6e3 Document the latest firewall knobs. 2000-10-06 11:17:06 +00:00
ru
d77157fb97 Respect the protocol when looking the port up by service name.
PR:		21742
2000-10-04 07:59:19 +00:00
ru
c93c68fe3d Do not force argument to ``ipid'' modifier to be in hex, and
accept value of zero as valid for IP Identification field.
2000-10-03 11:23:29 +00:00
ru
581af1f25e Fixed the printing of TCP flags. 2000-10-03 10:37:03 +00:00
billf
162c4d1557 Add new fields for more granularity:
IP: version, tos, ttl, len, id
	TCP: seq#, ack#, window size

Reviewed by:	silence on freebsd-{net,ipfw}
2000-10-02 03:03:31 +00:00
ru
7eeec91c8a Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by:	Peter Jeremy <peter.jeremy@alcatel.com.au>
2000-09-29 08:39:06 +00:00
imp
837971c9cc optreset is declared in unistd.h now. 2000-08-16 07:36:30 +00:00
billf
1d2684a2b2 Fix a paste-o in the tcpoptions check (not a security problem, just an
error in the usage printf())

Reviewed by:	rwatson
2000-07-17 03:02:15 +00:00
kris
5a52ba491f Don't call sprintf() with no format string. 2000-07-10 08:22:21 +00:00
billf
f07e3609bd Reorder the "prob" section in the output of list/show so it can be copy/pasted
into add without problems.

The previous commit had the other half of this original patch which handled
tcpflags/tcpflgs confusion in output/input.
2000-06-18 02:48:19 +00:00
luigi
876cb671c7 Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
ru
c2771d647c Fixed style bugs of rev 1.66. 2000-06-12 09:43:00 +00:00
dan
9214e704a3 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
luigi
c5a16b5d15 Document new dummynet functionality, namely WF2Q+ and RED 2000-06-08 13:38:57 +00:00
luigi
c87748ec4d userland side of WF2Q+ support in dummynet.
Manpage coming later...
2000-06-08 10:08:39 +00:00
sheldonh
bdb879c8bd Remove extraneous Dv macro that slipped in, in rev 1.64. 2000-05-03 08:59:44 +00:00
asmodai
03f25e3199 Remove unused include, and place sys includes at top, which enabled
us to remove this include.
2000-05-01 20:19:44 +00:00
green
333691705a Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".
2000-04-30 06:44:11 +00:00
ru
c76ffe74c8 A huge rewrite of the manual page (mostly -mdoc related).
Reviewed by:	luigi, sheldonh
2000-02-28 15:21:12 +00:00
luigi
5368d196c9 Use correct field for dst_port when displaying masks on dynamic pipes. 2000-02-13 11:46:59 +00:00
luigi
e5eb52bb88 Support and document new stateful ipfw features.
Approved-by: jordan
2000-02-10 14:25:26 +00:00
luigi
7563c670d4 Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.

Work supported by Akamba Corp.
2000-01-08 11:19:19 +00:00
archie
cc38ce3f6b Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
    but should continue going through the rule list.  This may be fixed
    in a later version.

I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
ru
a617839b9e Remove one obsoleted entry from the BUGS section. 1999-10-20 12:59:35 +00:00
green
0aeca835d6 Make the "uid" and "gid" code better. Now it can detect invalid user
names/numbers.

Reviewed by:	chris
1999-09-03 18:18:46 +00:00
peter
e226894fa0 $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
green
db6e13afc0 To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
	* macros expanding into _two_ comma-delimited arguments!
	* snprintf!
	* more snprintf!
	* linting and criticism by more people than you can shake a stick at!
	* a slightly more uniform message style than before!
	 and last but not least
	* no less than 5 rewrites!

Reviewed by:	committers
1999-08-21 18:35:55 +00:00
luigi
33d1351a3c Whoops, forgot one line in previous patch. 1999-08-12 05:32:11 +00:00
luigi
a9a909928e Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
green
16ab0f1098 Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
for the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
green
1c368c5661 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
ru
496bd3e01e Document the usage of escape character in a service name.
PR:		7101
Reminded by:	jhs
1999-06-15 12:56:38 +00:00
ru
dc1db7a779 Work around the problem that the first (and only first) port name
can't have a dash character (it is treated as a ``range'' operator).
One could now use such a name by escaping the ``-'' characters.
For example:

# ipfw add 1 count tcp from any to any "ms\-sql\-s"
# ipfw add 2 count tcp from any ftp\\-data-ftp to any

PR:		7101
1999-06-11 09:43:53 +00:00
ru
7561368394 Fix the parsing of ip addresses on a command line.
PR:		5047
Reviewed by:	des
Test case:	ipfw add allow ip from 127.1 to any
1999-06-04 11:20:59 +00:00
ru
5c0f1ca739 Spelling corrections for dummynet.
Reviewed by:	des,luigi
1999-06-02 05:59:48 +00:00
kris
21af421150 Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.

Submitted by:	Philippe Charnier
1999-05-29 08:12:38 +00:00
luigi
0c2708be72 close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall
  rules, thus preventing possible panics due to dangling pointers
  (this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
  tolerant of common mistakes (such as specifying kbit instead of Kbit)

PR: kern/10889
Submitted by: Ruslan Ermilov
1999-05-24 10:01:22 +00:00
ghelmer
ff88827d7b Add ICMP types to list of information about each packet. 1999-04-29 19:14:17 +00:00
ghelmer
1224816ff3 Explain when packets are tested by the firewall rules and what attributes
of packets can be tested.

PR:		docs/7437
1999-04-28 02:49:29 +00:00
ghelmer
bd08ba54f1 Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by:	Nathan Ahlstrom <nrahlstr@winternet.com>
1999-04-08 13:56:25 +00:00
archie
528086704d Fix bug where 'ipfw list' would choke if there were a large number of rules. 1999-01-22 01:46:32 +00:00
archie
272c99287a Fix misleading wording in ipfw(8) man page.
PR: docs/9603
1999-01-21 19:51:04 +00:00