Commit Graph

148 Commits

Author SHA1 Message Date
ben
bd94b89a9a more removal of trailing periods from SEE ALSO. 2000-11-15 16:44:24 +00:00
ru
6667b54a02 IPFW does not discard *any* IP fragments with OFF=1, only TCP ones. 2000-10-30 09:44:20 +00:00
ru
26ce601f70 Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
well, in which case return the rule number back into userland.

PR:		bin/18351
Reviewed by:	archie, luigi
2000-10-12 07:59:14 +00:00
ru
721d9c664e Reset globals for every new command read from preprocessed file. 2000-10-11 13:02:30 +00:00
ru
d7a5334858 Only interpret the last command line argument as a file to
be preprocessed if it is specified as an absolute pathname.

PR:		bin/16179
2000-10-11 12:17:06 +00:00
ru
7a20b52ef4 Convert this Makefile to the usual style. 2000-10-06 11:18:11 +00:00
ru
dba872611a Document the latest firewall knobs. 2000-10-06 11:17:06 +00:00
ru
fab87e4edb Respect the protocol when looking the port up by service name.
PR:		21742
2000-10-04 07:59:19 +00:00
ru
4c234c7966 Do not force argument to ``ipid'' modifier be in hex, and
accept value of zero as valid for IP Identification field.
2000-10-03 11:23:29 +00:00
ru
948e4e6d8c Fixed the printing of TCP flags. 2000-10-03 10:37:03 +00:00
billf
e80d3292ca Add new fields for more granularity:
IP: version, tos, ttl, len, id
	TCP: seq#, ack#, window size

Reviewed by:	silence on freebsd-{net,ipfw}
2000-10-02 03:03:31 +00:00
ru
105baa72f0 Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by:	Peter Jeremy<peter.jeremy@alcatel.com.au>
2000-09-29 08:39:06 +00:00
imp
22208cf490 optreset is declared in unistd.h now. 2000-08-16 07:36:30 +00:00
billf
96eac2843a Fix a paste-o in the tcpoptions check (not a security problem, just a
error in the usage printf())

Reviewed by:	rwatson
2000-07-17 03:02:15 +00:00
kris
b6f7c1eb1a Don't call sprintf() with no format string. 2000-07-10 08:22:21 +00:00
billf
a0d2bc60bb Reorder the "prob" section in the output of list/show so it can be copy/pasted
into add without problems.

The previous commit had the other half of this original patch which handled
tcpflags/tcpflgs confusion in output/input.
2000-06-18 02:48:19 +00:00
luigi
021d03f5bf Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
ru
7050356974 Fixed style bugs of rev 1.66. 2000-06-12 09:43:00 +00:00
dan
c3897dad80 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
luigi
31f827d91f Document new dummynet functionality, namely WF2Q+ and RED 2000-06-08 13:38:57 +00:00
luigi
aefe1c98be userland side of WF2Q+ support in dummynet.
Manpage coming later...
2000-06-08 10:08:39 +00:00
sheldonh
5087dcbf10 Remove extraneous Dv macro that slipped in, in rev 1.64. 2000-05-03 08:59:44 +00:00
asmodai
c442c7bb98 Remove unused include, and place sys includes at top, which enabled
us to remove this include.
2000-05-01 20:19:44 +00:00
green
345524b782 Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".
2000-04-30 06:44:11 +00:00
ru
543d5b0485 A huge rewrite of the manual page (mostly -mdoc related).
Reviewed by:	luigi, sheldonh
2000-02-28 15:21:12 +00:00
luigi
83467efa87 Use correct field for dst_port when displaying masks on dynamic pipes. 2000-02-13 11:46:59 +00:00
luigi
f6954f1a86 Support and document new stateful ipfw features.
Approved-by: jordan
2000-02-10 14:25:26 +00:00
luigi
d83a053c96 Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.

Work supported by Akamba Corp.
2000-01-08 11:19:19 +00:00
archie
a90457c20c Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
    but should continue going through the rule list.  This may be fixed
    in a later version.

I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
ru
d73b3f074e Remove one obsoleted entry from the BUGS section. 1999-10-20 12:59:35 +00:00
green
6ea78090c5 Make the "uid" and "gid" code better. Now it can detect invalid user
names/numbers.

Reviewed by:	chris
1999-09-03 18:18:46 +00:00
peter
76f0c923fe $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
green
e3f950dd51 To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
	* macros expanding into _two_ comma-delimited arguments!
	* snprintf!
	* more snprintf!
	* linting and criticism by more people than you can shake a stick at!
	* a slightly more uniform message style than before!
	 and last but not least
	* no less than 5 rewrites!

Reviewed by:	committers
1999-08-21 18:35:55 +00:00
luigi
a97a8415d6 Whoops, forgot one line in previous patch. 1999-08-12 05:32:11 +00:00
luigi
fca87bca8c Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
green
d848a791d1 Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
green
280f8f95b4 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
ru
dc3c0e0e20 Document the usage of escape character in a service name.
PR:		7101
Reminded by:	jhs
1999-06-15 12:56:38 +00:00
ru
3bb755ec02 Workaround the problem that the first (and only first) port name
can't have a dash character (it is treated as a ``range'' operator).
One could now use such a name by escaping the ``-'' characters.
For example:

# ipfw add 1 count tcp from any to any "ms\-sql\-s"
# ipfw add 2 count tcp from any ftp\\-data-ftp to any

PR:		7101
1999-06-11 09:43:53 +00:00
ru
d77ca2fb02 Fix the parsing of ip addresses on a command line.
PR:		5047
Reviewed by:	des
Test case:	ipfw add allow ip from 127.1 to any
1999-06-04 11:20:59 +00:00
ru
b1cc23e0b1 Spelling corrections for dummynet.
Reviewed by:	des,luigi
1999-06-02 05:59:48 +00:00
kris
bd85d67256 Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.

Submitted by:	Philippe Charnier
1999-05-29 08:12:38 +00:00
luigi
20a6693414 close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall
  rules, thus preventing possible panics due to dangling pointers
  (this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
  tolerant of common mistakes (such as specifying kbit instead of Kbit)

PR: kern/10889
Submitted by: Ruslan Ermilov
1999-05-24 10:01:22 +00:00
ghelmer
7af69b2bdc Add ICMP types to list of information about each packet. 1999-04-29 19:14:17 +00:00
ghelmer
5509f489bb Explain when packets are tesed by the firewall rules and what attributes
of packets can be tested.

PR:		docs/7437
1999-04-28 02:49:29 +00:00
ghelmer
12f0f111e6 Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by:	Nathan Ahlstrom <nrahlstr@winternet.com>
1999-04-08 13:56:25 +00:00
archie
d2ea85ad41 Fix bug where 'ipfw list' would choke if there were a large number of rules. 1999-01-22 01:46:32 +00:00
archie
1af6c2ec4a Fix misleading wording in ipfw(8) man page.
PR: docs/9603
1999-01-21 19:51:04 +00:00
luigi
ceacd398c6 Remove coredump when running "ipfw pipe" without more arguments.
PR: 8937
1998-12-27 11:23:05 +00:00
ghelmer
fe4bef1579 Mention affect of securelevel 3 and higher on attempts to change filter lists.
Prompted by:	PR docs/7785
1998-12-16 17:10:03 +00:00