18 Commits

Author SHA1 Message Date
maxim
74720d8946 o Correct the info about the "Firewalls and Internet Security" book: name,
authors list, ISBN, URLs.

PR:		conf/119590
MFC after:	1 week
2008-01-12 19:02:09 +00:00
mlaier
23ea781ace Move etc/rc.firewall6 to ipfw2+v6, update related rc.d and periodic scripts.
Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw
scripts as well.
2006-05-12 19:17:34 +00:00
ume
a358b1f631 stop RFC 4193 address on the outside interface.
MFC after:	1 day
2005-10-05 07:00:42 +00:00
ume
aedc433cf3 Use RFC 3849 address for examples.
Pointed out by:	mistral@imasy.or.jp
MFC after:	1 week
2004-08-03 08:58:34 +00:00
ume
169bb92b15 drop packet which has ::1 as src or dst via other than lo0,
as rc.firewall does.

MFC after:	1 week
2004-05-24 07:27:26 +00:00
ru
c963c859f6 DNS should not necessarily be named(8), tweak the comment a bit.
2003-11-02 07:31:44 +00:00
trhodes
2791241073 Add a header: #!/bin/sh.
PR:	44363
2003-02-06 22:00:38 +00:00
cjc
f864694415 Bring rc.firewall{,6} more in line with the word and spirit of
rc.conf(5) and the files' inline documentation.

  - Add the "closed"-type, documented in both places, but which did not
    exist in the code.

  - When provided a ruleset, the system should not make any assumptions
    about the site's policy and should add no rules of its own.

  - Make the "UNKNOWN" (documented in-line) actually work as advertised,
    load no rules.

Prodded by:	Igor M Podlesny <poige@morning.ru>
MFC after:	1 week
2002-02-21 13:14:19 +00:00
ume
c7a3f8f136 Delete a needless rule for DAD. An unspecified address is never used
as a destination address of IPv6 packets.

Submitted by:	cjc
MFC after:	1 week
2002-02-20 18:05:44 +00:00
ume
f0f29f2dc3 fix typo. icmptype of destination unreach is not 2 but 1.
Submitted by:	kuriyama
2001-08-21 15:05:09 +00:00
ume
b8992b1498 pass any NS/NA/toobig.
Requested by:	itojun
MFC after:	5 days
2001-07-24 13:37:06 +00:00
ume
c7f00dc287 - Allow link-local multicast traffic for client.
- Allow ICMPv6 destination unreach, packet too big and NS/NA.
- RIPng also uses link-local to link-local.

MFC after:	1 week
2001-07-21 19:59:35 +00:00
ume
7045160072 Correct typo. It should be site-local address prefix.
Submitted by:	kuriyama
MFC after:	3 days
2001-06-22 13:49:15 +00:00
kuriyama
44d1723f45 Fix typos in comment.
(s/IPFIREWALL_DEFAULT_TO_ACCEPT/IPV6FIREWALL_DEFAULT_TO_ACCEPT/)

MFC after:	1 week
2001-06-22 06:25:54 +00:00
gshapiro
9aaff3ecb1 With the recent change to ip6fw, it is safe to return to using ${fw6cmd}
which may include the -q flag.
2001-04-13 01:40:27 +00:00
gshapiro
3fd57baf14 ip6fw doesn't support -q if reading from a file so don't use ${fw6cmd} which
may have a -q if ${ipv6_firewall_quiet} is set.

Reviewed by:	kris
2001-02-28 06:51:17 +00:00
des
4f21d5f03f Fix references to Chapman & Zwicky and Cheswick & Bellovin.
PR:		24652
Submitted by:	jjreynold@home.com
2001-02-25 11:44:51 +00:00
ume
03e9a76a97 - ipv6_prefix_* and ipv6_ifconfig_* work for end node
- rtsol should work for only one interface
- new variable ipv6_defaultrouter is added
- option names of rtadvd in comment are corrected
- ipv6_firewall_enable, ipv6_firewall_type, ipv6_firewall_script,
  ipv6_firewall_logging are added to introduce rc.firewall6.

IPv6 firewall rule is just a starting point and should be brushed up.
This commit includes PR18621, PR21694, PR22051.

PR:		conf/18621, conf/21694, conf/22051
Reviewed by:	asmodai
2000-10-29 19:59:05 +00:00