Commit Graph

65 Commits

Author SHA1 Message Date
Sheldon Hearn
353fa3b66d Remove extraneous Dv macro that slipped in, in rev 1.64. 2000-05-03 08:59:44 +00:00
Brian Feldman
0f95689794 Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".
2000-04-30 06:44:11 +00:00
Ruslan Ermilov
ac13e0c5a0 A huge rewrite of the manual page (mostly -mdoc related).
Reviewed by:	luigi, sheldonh
2000-02-28 15:21:12 +00:00
Luigi Rizzo
d69f84c0b4 Support and document new stateful ipfw features.
Approved-by: jordan
2000-02-10 14:25:26 +00:00
Luigi Rizzo
8c020cb775 Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.

Work supported by Akamba Corp.
2000-01-08 11:19:19 +00:00
Archie Cobbs
56345b0f5c Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
    but should continue going through the rule list.  This may be fixed
    in a later version.

I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
Ruslan Ermilov
42c9b5b974 Remove one obsoleted entry from the BUGS section. 1999-10-20 12:59:35 +00:00
Peter Wemm
7f3dea244c $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
Brian Feldman
32e7924603 To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
	* macros expanding into _two_ comma-delimited arguments!
	* snprintf!
	* more snprintf!
	* linting and criticism by more people than you can shake a stick at!
	* a slightly more uniform message style than before!
	 and last but not least
	* no less than 5 rewrites!

Reviewed by:	committers
1999-08-21 18:35:55 +00:00
Luigi Rizzo
f0706ad422 Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
Brian Feldman
0b6c1a832d Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
Brian Feldman
7a2aab80b0 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
Ruslan Ermilov
689b0bd1d4 Document the usage of escape character in a service name.
PR:		7101
Reminded by:	jhs
1999-06-15 12:56:38 +00:00
Kris Kennaway
39aa78dd44 Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.

Submitted by:	Philippe Charnier
1999-05-29 08:12:38 +00:00
Guy Helmer
dc90479cca Add ICMP types to list of information about each packet. 1999-04-29 19:14:17 +00:00
Guy Helmer
b67579bd36 Explain when packets are tesed by the firewall rules and what attributes
of packets can be tested.

PR:		docs/7437
1999-04-28 02:49:29 +00:00
Guy Helmer
e5a49961b1 Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by:	Nathan Ahlstrom <nrahlstr@winternet.com>
1999-04-08 13:56:25 +00:00
Archie Cobbs
6f206f2ef2 Fix misleading wording in ipfw(8) man page.
PR: docs/9603
1999-01-21 19:51:04 +00:00
Guy Helmer
b46dfa405c Mention affect of securelevel 3 and higher on attempts to change filter lists.
Prompted by:	PR docs/7785
1998-12-16 17:10:03 +00:00
Archie Cobbs
b31a38612b Disallow ipfw "tee" rules until it is actually implemented.
PR:		bin/8471
1998-12-07 05:54:37 +00:00
Joerg Wunsch
aa045fa499 Preprocessor support for `ipfw [-q] ... file'.
This allows for more flexible ipfw configuration files using
`variables' to describe frequently used items in the file, like the
local IP address(es), interface names etc.  Both m4 and cpp are useful
and supported; with m4 being a little more unusual to the common C
programmer, things like automatic rule numbering can be achieved
fairly easy.

While i was at it, i've also untangled some of the ugly style inside
main(), and fixed a bug or two (like not being able to use blank lines
when running with -q).

A typical call with preprocessor invocation looks like

	ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules

Someone should probably add support for this feature to /etc/rc.firewall.
1998-11-23 10:54:28 +00:00
Peter Hawkins
62cf03cd85 PR: 7475
Added support for -q (suppress output) when firewall rules are taken from a
file. Solves PR 7475
1998-08-04 14:41:37 +00:00
Julian Elischer
f9e354df42 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
Daniel O'Callaghan
dcf2c48fc9 Reminded by: Alex Nash
Bring man page up to date with -q flag behaviour.
1998-05-19 12:50:35 +00:00
Masafumi Max NAKANE
432a1104b6 Typo fix. 1998-05-19 03:10:14 +00:00
Martin Cracauer
d6b37778e9 (evil) hackers -> crackers 1998-04-08 12:00:48 +00:00
Philippe Charnier
68085a0ef1 .Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq. 1998-03-19 07:46:04 +00:00
Alexander Langer
ce78a1f6dd Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

  - Do not match fragmented packets if the rule specifies a port or
    TCP flags
  - Match fragmented packets if the rule does not specify a port and
    TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags.  Both kernel and ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-02-12 00:57:06 +00:00
Alexander Langer
19b7e28d58 Support listing/showing specific rules supplied on the command line.
Use error codes from <sysexits.h>.
1998-01-07 02:23:04 +00:00
Julian Elischer
c7a0bf0440 Allow ipfw to accept comments and blank lines.
This makes ipfw config files a LOT more readable.
1997-12-05 02:43:26 +00:00
Wolfram Schneider
bf5cbf3551 Sort cross refereces in section SEE ALSO. 1997-09-29 19:11:55 +00:00
Peter Wemm
ff486369c7 Mention the IPFIREWALL_DEFAULT_TO_ACCEPT option and it's effect on
rule 65535
1997-09-10 04:02:37 +00:00
Peter Wemm
875a6115c1 Fix typo (65434 -> 65534) 1997-09-10 03:52:50 +00:00
Daniel O'Callaghan
39f5ba2def Bring comment on '-a' flag in line with reality. 1997-08-21 07:30:08 +00:00
Julian Elischer
135a88d805 Allow ipfw to look up service names from /etc/services (or NIS if turned on)
note.. this would be dangerous if your ipfw was blocking NIS access :)

Submitted by: archie@whistle.com (Archie Cobbs)
1997-06-23 22:32:13 +00:00
Julian Elischer
e4676ba603 Submitted by: Whistle Communications (archie Cobbs)
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

see the man page for a complete description.
1997-06-02 05:02:37 +00:00
Masafumi Max NAKANE
20aaa0e700 Typo.
PR:		3600
Submitted by:	Josh Gilliam <soil@quick.net>
1997-05-15 09:00:39 +00:00
Alexander Langer
c6a01512c6 Minor rewording of the examples section. 1997-05-15 00:51:08 +00:00
Daniel O'Callaghan
f607e2c314 Add '-q' quiet flag for flush/add/zero commands; add 'show' command as
synonym for '-a list'; stop SEGV when specifying 'via' with no interface;
change 2 instances of strcpy() to strncpy().

This is a candidate for 2.2
1997-02-10 15:36:54 +00:00
Adam David
839cc09e53 implement "not" keyword for inverting the address logic 1997-01-16 21:04:29 +00:00
Mike Pritchard
bc41bb3f92 Minor mdoc/style fixes. 1996-12-23 02:03:15 +00:00
John Polstra
00f1098194 Fix a spelling error.
2.2 Candidate.
1996-11-05 22:27:33 +00:00
Alexander Langer
7de7ab65b6 Note that -N is only effective when ipfw is displaying chain entries. 1996-09-15 00:08:30 +00:00
Nate Williams
1285c95c4b Because 'ipfw flush' is such a dangerous command (given that most
firewalls are remote, and this command will kill the network connection
to them), prompt the user for confirmation of this command.

Also, add the '-f' flag which ignores the need for confirmation the
command, and if there is no controlling tty (isatty(STDIN_FILENO) !=0)
assume '-f'.

If anyone is using ipfw flush in scripts it shouldn't affect them, but you
may want to change the script to use a 'ipfw -f flush'.

Reviewed by:	alex
1996-08-31 17:58:23 +00:00
Mike Pritchard
85cf659a76 Use the .Fx macro where appropriate. 1996-08-23 00:57:08 +00:00
Paul Traina
978eb210d1 Completely rewrite handling of protocol field for firewalls, things are
now completely consistent across all IP protocols and should be quite a
bit faster.

Use getprotoname() extensively, performed minor cleanups of admin utility.
The admin utility could use a good kick in the pants.

Basicly, these were the minimal changes I could make to the code
to get it up to tollerable shape.  There will be some future commits
to clean up the basic architecture of the firewall code, and if
I'm feeling ambitious, I may pull in changes like NAT from Linux
and make the firewall hooks comletely generic so that a user can
either load the ipfw module or the ipfilter module (cf Darren Reed).

Discussed with: fenner & alex
1996-08-13 19:43:24 +00:00
Alexander Langer
593f7481aa Filter by IP protocol.
Submitted by: fenner (with modifications by me)

Bring in the interface unit wildcard flag fix from rev 1.15.4.8.
1996-08-05 02:38:51 +00:00
Julian Elischer
93e0e11657 Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
 be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
1996-07-10 19:44:30 +00:00
Alexander Langer
f8cc1596e7 Correct definition of 'established' keyword. 1996-07-02 00:29:22 +00:00
Alexander Langer
700061451a Fix port specification syntax.
Submitted by:	nate
1996-06-29 01:21:07 +00:00