270 Commits

Author SHA1 Message Date
archie
a90457c20c Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
    but should continue going through the rule list.  This may be fixed
    in a later version.

I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
ru
d73b3f074e Remove one obsoleted entry from the BUGS section. 1999-10-20 12:59:35 +00:00
green
6ea78090c5 Make the "uid" and "gid" code better. Now it can detect invalid user
names/numbers.

Reviewed by:	chris
1999-09-03 18:18:46 +00:00
peter
76f0c923fe $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
green
e3f950dd51 To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
	* macros expanding into _two_ comma-delimited arguments!
	* snprintf!
	* more snprintf!
	* linting and criticism by more people than you can shake a stick at!
	* a slightly more uniform message style than before!
	 and last but not least
	* no less than 5 rewrites!

Reviewed by:	committers
1999-08-21 18:35:55 +00:00
luigi
a97a8415d6 Whoops, forgot one line in previous patch. 1999-08-12 05:32:11 +00:00
luigi
fca87bca8c Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
green
d848a791d1 Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
green
280f8f95b4 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
ru
dc3c0e0e20 Document the usage of escape character in a service name.
PR:		7101
Reminded by:	jhs
1999-06-15 12:56:38 +00:00
ru
3bb755ec02 Workaround the problem that the first (and only first) port name
can't have a dash character (it is treated as a ``range'' operator).
One could now use such a name by escaping the ``-'' characters.
For example:

# ipfw add 1 count tcp from any to any "ms\-sql\-s"
# ipfw add 2 count tcp from any ftp\\-data-ftp to any

PR:		7101
1999-06-11 09:43:53 +00:00
ru
d77ca2fb02 Fix the parsing of ip addresses on a command line.
PR:		5047
Reviewed by:	des
Test case:	ipfw add allow ip from 127.1 to any
1999-06-04 11:20:59 +00:00
ru
b1cc23e0b1 Spelling corrections for dummynet.
Reviewed by:	des,luigi
1999-06-02 05:59:48 +00:00
kris
bd85d67256 Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.

Submitted by:	Philippe Charnier
1999-05-29 08:12:38 +00:00
luigi
20a6693414 close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall
  rules, thus preventing possible panics due to dangling pointers
  (this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
  tolerant of common mistakes (such as specifying kbit instead of Kbit)

PR: kern/10889
Submitted by: Ruslan Ermilov
1999-05-24 10:01:22 +00:00
ghelmer
7af69b2bdc Add ICMP types to list of information about each packet. 1999-04-29 19:14:17 +00:00
ghelmer
5509f489bb Explain when packets are tesed by the firewall rules and what attributes
of packets can be tested.

PR:		docs/7437
1999-04-28 02:49:29 +00:00
ghelmer
12f0f111e6 Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by:	Nathan Ahlstrom <nrahlstr@winternet.com>
1999-04-08 13:56:25 +00:00
archie
d2ea85ad41 Fix bug where 'ipfw list' would choke if there were a large number of rules. 1999-01-22 01:46:32 +00:00
archie
1af6c2ec4a Fix misleading wording in ipfw(8) man page.
PR: docs/9603
1999-01-21 19:51:04 +00:00
luigi
ceacd398c6 Remove coredump when running "ipfw pipe" without more arguments.
PR: 8937
1998-12-27 11:23:05 +00:00
ghelmer
fe4bef1579 Mention affect of securelevel 3 and higher on attempts to change filter lists.
Prompted by:	PR docs/7785
1998-12-16 17:10:03 +00:00
luigi
12bd4907ac ipfw changes for dummynet. manpages still missing 1998-12-14 18:43:03 +00:00
archie
566ad38652 Disallow ipfw "tee" rules until it is actually implemented.
PR:		bin/8471
1998-12-07 05:54:37 +00:00
joerg
f17aeea6de Preprocessor support for `ipfw [-q] ... file'.
This allows for more flexible ipfw configuration files using
`variables' to describe frequently used items in the file, like the
local IP address(es), interface names etc.  Both m4 and cpp are useful
and supported; with m4 being a little more unusual to the common C
programmer, things like automatic rule numbering can be achieved
fairly easy.

While i was at it, i've also untangled some of the ugly style inside
main(), and fixed a bug or two (like not being able to use blank lines
when running with -q).

A typical call with preprocessor invocation looks like

	ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules

Someone should probably add support for this feature to /etc/rc.firewall.
1998-11-23 10:54:28 +00:00
alex
b7f776d8de The flags type was recently changed from u_short to u_int, breaking
icmptypes.

PR:		8067
Submitted by:	Jonathan Hanna <jh@cr1003333-a.crdva1.bc.wave.home.com>

While I'm here, staticize functions.
1998-09-28 22:56:37 +00:00
thepish
73c173acec PR: 7475
Added support for -q (suppress output) when firewall rules are taken from a
file. Solves PR 7475
1998-08-04 14:41:37 +00:00
julian
22a5d80812 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
danny
ade4291d50 Reminded by: Alex Nash
Bring man page up to date with -q flag behaviour.
1998-05-19 12:50:35 +00:00
max
1298bb5776 Typo fix. 1998-05-19 03:10:14 +00:00
danny
1cc49ca972 PR: 6641
Submitted by:	Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
Make -q work for zeroing a specific rule.
1998-05-15 12:38:07 +00:00
phk
3aab9d8b31 When ipfw reads its rules from an input file, the optind variable is
not reinitialized to 1 after calling getopt. This results in parsing
errors on all but the first rule. An added patch also allows '#'
comments at the end of a line.

PR:		6379
Reviewed by:	phk
Submitted by:	Neal Fachan <kneel@ishiboo.com>
1998-04-22 06:20:20 +00:00
cracauer
0009308669 (evil) hackers -> crackers 1998-04-08 12:00:48 +00:00
charnier
8e69ba3343 .Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq. 1998-03-19 07:46:04 +00:00
alex
1129389306 Get the arguments to show_usage right (like the MFC'ed code in -stable).
Submitted by:	bde
1998-03-13 02:31:21 +00:00
alex
0fbf800481 Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

  - Do not match fragmented packets if the rule specifies a port or
    TCP flags
  - Match fragmented packets if the rule does not specify a port and
    TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags.  Both kernel and ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-02-12 00:57:06 +00:00
alex
35f59936c3 Bump up packet and byte counters to 64-bit unsigned ints. As a
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.

NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel
    and userland ipfw utility.

  o This probably should not be brought into 2.2.

PR:		3738
1998-01-08 03:03:54 +00:00
alex
0ff0dd536e Format mismatch in error message.
Submitted by:	bde
1998-01-08 00:27:31 +00:00
alex
c2173ecb3e Support listing/showing specific rules supplied on the command line.
Use error codes from <sysexits.h>.
1998-01-07 02:23:04 +00:00
alex
4e04c4e039 Display a better error message and use a non-zero exit code when
zero/delete operations fail.

PR:		4231
Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-01-06 00:11:57 +00:00
alex
367097735d Put the return value of getopt into an int, not a char. 1997-12-26 03:24:26 +00:00
julian
e434f4878b Allow ipfw to accept comments and blank lines.
This makes ipfw config files a LOT more readable.
1997-12-05 02:43:26 +00:00
wosch
8ee659dd96 Sort cross refereces in section SEE ALSO. 1997-09-29 19:11:55 +00:00
peter
821f87d72d Mention the IPFIREWALL_DEFAULT_TO_ACCEPT option and it's effect on
rule 65535
1997-09-10 04:02:37 +00:00
peter
f8ab40fb46 Fix typo (65434 -> 65534) 1997-09-10 03:52:50 +00:00
danny
dfd8a56d45 Bring comment on '-a' flag in line with reality. 1997-08-21 07:30:08 +00:00
alex
dc3ab85890 Support interface names up to 15 characters in length. In order to
accommodate the expanded name, the ICMP types bitmap has been
reduced from 256 bits to 32.

A recompile of kernel and user level ipfw is required.

To be merged into 2.2 after a brief period in -current.

PR:		bin/4209
Reviewed by:	Archie Cobbs <archie@whistle.com>
1997-08-08 14:36:29 +00:00
brian
fa74c6b5cf Allow service names as the divert/tee arg. 1997-07-25 03:13:46 +00:00
julian
b2627a7a7f Allow ipfw to look up service names from /etc/services (or NIS if turned on)
note.. this would be dangerous if your ipfw was blocking NIS access :)

Submitted by: archie@whistle.com (Archie Cobbs)
1997-06-23 22:32:13 +00:00
charnier
6e0b43d464 Remove __progname. Cosmetic in usage string. 1997-06-13 06:27:12 +00:00