Commit Graph

133 Commits

Author SHA1 Message Date
billf
a0d2bc60bb Reorder the "prob" section in the output of list/show so it can be copy/pasted
into add without problems.

The previous commit had the other half of this original patch which handled
tcpflags/tcpflgs confusion in output/input.
2000-06-18 02:48:19 +00:00
luigi
021d03f5bf Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
ru
7050356974 Fixed style bugs of rev 1.66. 2000-06-12 09:43:00 +00:00
dan
c3897dad80 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
luigi
31f827d91f Document new dummynet functionality, namely WF2Q+ and RED 2000-06-08 13:38:57 +00:00
luigi
aefe1c98be userland side of WF2Q+ support in dummynet.
Manpage coming later...
2000-06-08 10:08:39 +00:00
sheldonh
5087dcbf10 Remove extraneous Dv macro that slipped in, in rev 1.64. 2000-05-03 08:59:44 +00:00
asmodai
c442c7bb98 Remove unused include, and place sys includes at top, which enabled
us to remove this include.
2000-05-01 20:19:44 +00:00
green
345524b782 Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".
2000-04-30 06:44:11 +00:00
ru
543d5b0485 A huge rewrite of the manual page (mostly -mdoc related).
Reviewed by:	luigi, sheldonh
2000-02-28 15:21:12 +00:00
luigi
83467efa87 Use correct field for dst_port when displaying masks on dynamic pipes. 2000-02-13 11:46:59 +00:00
luigi
f6954f1a86 Support and document new stateful ipfw features.
Approved-by: jordan
2000-02-10 14:25:26 +00:00
luigi
d83a053c96 Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.

Work supported by Akamba Corp.
2000-01-08 11:19:19 +00:00
archie
a90457c20c Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
    but should continue going through the rule list.  This may be fixed
    in a later version.

I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
ru
d73b3f074e Remove one obsoleted entry from the BUGS section. 1999-10-20 12:59:35 +00:00
green
6ea78090c5 Make the "uid" and "gid" code better. Now it can detect invalid user
names/numbers.

Reviewed by:	chris
1999-09-03 18:18:46 +00:00
peter
76f0c923fe $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
green
e3f950dd51 To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
	* macros expanding into _two_ comma-delimited arguments!
	* snprintf!
	* more snprintf!
	* linting and criticism by more people than you can shake a stick at!
	* a slightly more uniform message style than before!
	 and last but not least
	* no less than 5 rewrites!

Reviewed by:	committers
1999-08-21 18:35:55 +00:00
luigi
a97a8415d6 Whoops, forgot one line in previous patch. 1999-08-12 05:32:11 +00:00
luigi
fca87bca8c Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
green
d848a791d1 Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
green
280f8f95b4 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
ru
dc3c0e0e20 Document the usage of escape character in a service name.
PR:		7101
Reminded by:	jhs
1999-06-15 12:56:38 +00:00
ru
3bb755ec02 Workaround the problem that the first (and only first) port name
can't have a dash character (it is treated as a ``range'' operator).
One could now use such a name by escaping the ``-'' characters.
For example:

# ipfw add 1 count tcp from any to any "ms\-sql\-s"
# ipfw add 2 count tcp from any ftp\\-data-ftp to any

PR:		7101
1999-06-11 09:43:53 +00:00
ru
d77ca2fb02 Fix the parsing of ip addresses on a command line.
PR:		5047
Reviewed by:	des
Test case:	ipfw add allow ip from 127.1 to any
1999-06-04 11:20:59 +00:00
ru
b1cc23e0b1 Spelling corrections for dummynet.
Reviewed by:	des,luigi
1999-06-02 05:59:48 +00:00
kris
bd85d67256 Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.

Submitted by:	Philippe Charnier
1999-05-29 08:12:38 +00:00
luigi
20a6693414 close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall
  rules, thus preventing possible panics due to dangling pointers
  (this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
  tolerant of common mistakes (such as specifying kbit instead of Kbit)

PR: kern/10889
Submitted by: Ruslan Ermilov
1999-05-24 10:01:22 +00:00
ghelmer
7af69b2bdc Add ICMP types to list of information about each packet. 1999-04-29 19:14:17 +00:00
ghelmer
5509f489bb Explain when packets are tesed by the firewall rules and what attributes
of packets can be tested.

PR:		docs/7437
1999-04-28 02:49:29 +00:00
ghelmer
12f0f111e6 Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by:	Nathan Ahlstrom <nrahlstr@winternet.com>
1999-04-08 13:56:25 +00:00
archie
d2ea85ad41 Fix bug where 'ipfw list' would choke if there were a large number of rules. 1999-01-22 01:46:32 +00:00
archie
1af6c2ec4a Fix misleading wording in ipfw(8) man page.
PR: docs/9603
1999-01-21 19:51:04 +00:00
luigi
ceacd398c6 Remove coredump when running "ipfw pipe" without more arguments.
PR: 8937
1998-12-27 11:23:05 +00:00
ghelmer
fe4bef1579 Mention affect of securelevel 3 and higher on attempts to change filter lists.
Prompted by:	PR docs/7785
1998-12-16 17:10:03 +00:00
luigi
12bd4907ac ipfw changes for dummynet. manpages still missing 1998-12-14 18:43:03 +00:00
archie
566ad38652 Disallow ipfw "tee" rules until it is actually implemented.
PR:		bin/8471
1998-12-07 05:54:37 +00:00
joerg
f17aeea6de Preprocessor support for `ipfw [-q] ... file'.
This allows for more flexible ipfw configuration files using
`variables' to describe frequently used items in the file, like the
local IP address(es), interface names etc.  Both m4 and cpp are useful
and supported; with m4 being a little more unusual to the common C
programmer, things like automatic rule numbering can be achieved
fairly easy.

While i was at it, i've also untangled some of the ugly style inside
main(), and fixed a bug or two (like not being able to use blank lines
when running with -q).

A typical call with preprocessor invocation looks like

	ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules

Someone should probably add support for this feature to /etc/rc.firewall.
1998-11-23 10:54:28 +00:00
alex
b7f776d8de The flags type was recently changed from u_short to u_int, breaking
icmptypes.

PR:		8067
Submitted by:	Jonathan Hanna <jh@cr1003333-a.crdva1.bc.wave.home.com>

While I'm here, staticize functions.
1998-09-28 22:56:37 +00:00
thepish
73c173acec PR: 7475
Added support for -q (suppress output) when firewall rules are taken from a
file. Solves PR 7475
1998-08-04 14:41:37 +00:00
julian
22a5d80812 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
danny
ade4291d50 Reminded by: Alex Nash
Bring man page up to date with -q flag behaviour.
1998-05-19 12:50:35 +00:00
max
1298bb5776 Typo fix. 1998-05-19 03:10:14 +00:00
danny
1cc49ca972 PR: 6641
Submitted by:	Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
Make -q work for zeroing a specific rule.
1998-05-15 12:38:07 +00:00
phk
3aab9d8b31 When ipfw reads its rules from an input file, the optind variable is
not reinitialized to 1 after calling getopt. This results in parsing
errors on all but the first rule. An added patch also allows '#'
comments at the end of a line.

PR:		6379
Reviewed by:	phk
Submitted by:	Neal Fachan <kneel@ishiboo.com>
1998-04-22 06:20:20 +00:00
cracauer
0009308669 (evil) hackers -> crackers 1998-04-08 12:00:48 +00:00
charnier
8e69ba3343 .Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq. 1998-03-19 07:46:04 +00:00
alex
1129389306 Get the arguments to show_usage right (like the MFC'ed code in -stable).
Submitted by:	bde
1998-03-13 02:31:21 +00:00
alex
0fbf800481 Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

  - Do not match fragmented packets if the rule specifies a port or
    TCP flags
  - Match fragmented packets if the rule does not specify a port and
    TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags.  Both kernel and ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-02-12 00:57:06 +00:00
alex
35f59936c3 Bump up packet and byte counters to 64-bit unsigned ints. As a
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.

NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel
    and userland ipfw utility.

  o This probably should not be brought into 2.2.

PR:		3738
1998-01-08 03:03:54 +00:00