ben
bd94b89a9a
more removal of trailing periods from SEE ALSO.
2000-11-15 16:44:24 +00:00
ru
6667b54a02
IPFW does not discard *any* IP fragments with OFF=1, only TCP ones.
2000-10-30 09:44:20 +00:00
ru
26ce601f70
Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
well, in which case return the rule number back into userland.
PR: bin/18351
Reviewed by: archie, luigi
2000-10-12 07:59:14 +00:00
ru
721d9c664e
Reset globals for every new command read from preprocessed file.
2000-10-11 13:02:30 +00:00
ru
d7a5334858
Only interpret the last command line argument as a file to
be preprocessed if it is specified as an absolute pathname.
PR: bin/16179
2000-10-11 12:17:06 +00:00
ru
7a20b52ef4
Convert this Makefile to the usual style.
2000-10-06 11:18:11 +00:00
ru
dba872611a
Document the latest firewall knobs.
2000-10-06 11:17:06 +00:00
ru
fab87e4edb
Respect the protocol when looking the port up by service name.
PR: 21742
2000-10-04 07:59:19 +00:00
ru
4c234c7966
Do not force argument to ``ipid'' modifier to be in hex, and
accept value of zero as valid for IP Identification field.
2000-10-03 11:23:29 +00:00
ru
948e4e6d8c
Fixed the printing of TCP flags.
2000-10-03 10:37:03 +00:00
billf
e80d3292ca
Add new fields for more granularity:
IP: version, tos, ttl, len, id
TCP: seq#, ack#, window size
Reviewed by: silence on freebsd-{net,ipfw}
2000-10-02 03:03:31 +00:00
ru
105baa72f0
Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by: Peter Jeremy <peter.jeremy@alcatel.com.au>
2000-09-29 08:39:06 +00:00
imp
22208cf490
optreset is declared in unistd.h now.
2000-08-16 07:36:30 +00:00
billf
96eac2843a
Fix a paste-o in the tcpoptions check (not a security problem, just an
error in the usage printf())
Reviewed by: rwatson
2000-07-17 03:02:15 +00:00
kris
b6f7c1eb1a
Don't call sprintf() with no format string.
2000-07-10 08:22:21 +00:00
billf
a0d2bc60bb
Reorder the "prob" section in the output of list/show so it can be copy/pasted
into add without problems.
The previous commit had the other half of this original patch which handled
tcpflags/tcpflgs confusion in output/input.
2000-06-18 02:48:19 +00:00
luigi
021d03f5bf
Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
ru
7050356974
Fixed style bugs of rev 1.66.
2000-06-12 09:43:00 +00:00
dan
c3897dad80
Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies. For example, to
rate syn packets without MSS,
ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss
Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
luigi
31f827d91f
Document new dummynet functionality, namely WF2Q+ and RED
2000-06-08 13:38:57 +00:00
luigi
aefe1c98be
userland side of WF2Q+ support in dummynet.
Manpage coming later...
2000-06-08 10:08:39 +00:00
sheldonh
5087dcbf10
Remove extraneous Dv macro that slipped in, in rev 1.64.
2000-05-03 08:59:44 +00:00
asmodai
c442c7bb98
Remove unused include, and place sys includes at top, which enabled
us to remove this include.
2000-05-01 20:19:44 +00:00
green
345524b782
Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".
2000-04-30 06:44:11 +00:00
ru
543d5b0485
A huge rewrite of the manual page (mostly -mdoc related).
Reviewed by: luigi, sheldonh
2000-02-28 15:21:12 +00:00
luigi
83467efa87
Use correct field for dst_port when displaying masks on dynamic pipes.
2000-02-13 11:46:59 +00:00
luigi
f6954f1a86
Support and document new stateful ipfw features.
Approved-by: jordan
2000-02-10 14:25:26 +00:00
luigi
d83a053c96
Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.
Work supported by Akamba Corp.
2000-01-08 11:19:19 +00:00
archie
a90457c20c
Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
but should continue going through the rule list. This may be fixed
in a later version.
I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
ru
d73b3f074e
Remove one obsoleted entry from the BUGS section.
1999-10-20 12:59:35 +00:00
green
6ea78090c5
Make the "uid" and "gid" code better. Now it can detect invalid user
names/numbers.
Reviewed by: chris
1999-09-03 18:18:46 +00:00
peter
76f0c923fe
$Id$ -> $FreeBSD$
1999-08-28 00:22:10 +00:00
green
e3f950dd51
To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
* macros expanding into _two_ comma-delimited arguments!
* snprintf!
* more snprintf!
* linting and criticism by more people than you can shake a stick at!
* a slightly more uniform message style than before!
and last but not least
* no less than 5 rewrites!
Reviewed by: committers
1999-08-21 18:35:55 +00:00
luigi
a97a8415d6
Whoops, forgot one line in previous patch.
1999-08-12 05:32:11 +00:00
luigi
fca87bca8c
Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
green
d848a791d1
Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
green
280f8f95b4
This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
ru
dc3c0e0e20
Document the usage of escape character in a service name.
PR: 7101
Reminded by: jhs
1999-06-15 12:56:38 +00:00
ru
3bb755ec02
Work around the problem that the first (and only first) port name
can't have a dash character (it is treated as a ``range'' operator).
One could now use such a name by escaping the ``-'' characters.
For example:
# ipfw add 1 count tcp from any to any "ms\-sql\-s"
# ipfw add 2 count tcp from any ftp\\-data-ftp to any
PR: 7101
1999-06-11 09:43:53 +00:00
ru
d77ca2fb02
Fix the parsing of ip addresses on a command line.
PR: 5047
Reviewed by: des
Test case: ipfw add allow ip from 127.1 to any
1999-06-04 11:20:59 +00:00
ru
b1cc23e0b1
Spelling corrections for dummynet.
Reviewed by: des,luigi
1999-06-02 05:59:48 +00:00
kris
bd85d67256
Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.
Submitted by: Philippe Charnier
1999-05-29 08:12:38 +00:00
luigi
20a6693414
close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall
rules, thus preventing possible panics due to dangling pointers
(this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
tolerant of common mistakes (such as specifying kbit instead of Kbit)
PR: kern/10889
Submitted by: Ruslan Ermilov
1999-05-24 10:01:22 +00:00
ghelmer
7af69b2bdc
Add ICMP types to list of information about each packet.
1999-04-29 19:14:17 +00:00
ghelmer
5509f489bb
Explain when packets are tested by the firewall rules and what attributes
of packets can be tested.
PR: docs/7437
1999-04-28 02:49:29 +00:00
ghelmer
12f0f111e6
Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by: Nathan Ahlstrom <nrahlstr@winternet.com>
1999-04-08 13:56:25 +00:00
archie
d2ea85ad41
Fix bug where 'ipfw list' would choke if there were a large number of rules.
1999-01-22 01:46:32 +00:00
archie
1af6c2ec4a
Fix misleading wording in ipfw(8) man page.
PR: docs/9603
1999-01-21 19:51:04 +00:00
luigi
ceacd398c6
Remove coredump when running "ipfw pipe" without more arguments.
PR: 8937
1998-12-27 11:23:05 +00:00
ghelmer
fe4bef1579
Mention effect of securelevel 3 and higher on attempts to change filter lists.
Prompted by: PR docs/7785
1998-12-16 17:10:03 +00:00