Commit Graph

48 Commits

Author SHA1 Message Date
ume
1f2553e461 don't match packets other than IPv4 against divert rule.
divert supports only IPv4.

Reported by:	SAITOU Toshihide <toshi__at__ruby.ocn.ne.jp>
Discussed with:	suz
MFC after:	1 day
2005-11-18 02:23:59 +00:00
ru
c963c859f6 DNS should not necessarily be named(8), tweak the comment a bit. 2003-11-02 07:31:44 +00:00
trhodes
2791241073 Add a header: #!/bin/sh.
PR:	44363
2003-02-06 22:00:38 +00:00
cjc
f864694415 Bring rc.firewall{,6} more in line with the word and spirit of
rc.conf(5) and the files' inline documentation.

  - Add the "closed"-type, documented in both places, but which did not
    exist in the code.

  - When provided a ruleset, the system should not make any assumptions
    about the sites's policy and should add no rules of its own.

  - Make the "UNKNOWN" (documented in-line) actual work as advertised,
    load no rules.

Prodded by:	Igor M Podlesny <poige@morning.ru>
MFC after:	1 week
2002-02-21 13:14:19 +00:00
luigi
a3fca633a5 Remove a stale entry related to passing ARP with bridging and ipfw.
This feature has been removed since 4.1 times and it is only a source
of confusion.

Same needs to be done on -stable.

MFC after: 1 day
2001-12-27 05:40:09 +00:00
dd
9b57f556f5 Sync the code that sucks in rc.conf and friends with what's in
rc.firewall6.  Specifically, don't do anything
if [ -z ${source_rc_confs_defined} ].  Not doing this leads to a problem
with dependencies: chkdepend will set, e.g., portmap_enable to YES if
some service that needs portmap is enabled, but rc.network sources
rc.firewall, which used to source defaults/rc.conf unconditionally,
which would result in portmap_enable being set back to NO.

PR:		29631
Submitted by:	OGAWA Takaya <t-ogawa@triaez.kaisei.org>
2001-08-14 05:50:19 +00:00
obrien
332a3a9241 style nit 2001-03-06 02:15:38 +00:00
obrien
724856f88e Also deny 127.0.0.0/8 going out.
Submitted by:	grimes
2001-03-05 20:51:40 +00:00
des
4f21d5f03f Fix references to Chapman & Zwicky and Cheswick & Bellowin.
PR:		24652
Submitted by:	jjreynold@home.com
2001-02-25 11:44:51 +00:00
nsayer
763b2b7745 Fix some glaring insecurities in the prototype firewall configurations.
pass udp from any 53 to ${oip}

allows an attacker to access ANY local port by simply binding his local
side to 53. The state keeping mechanism is the correct way to allow DNS
replies to go back to their source.
2001-02-20 19:54:31 +00:00
obrien
6700db6a71 Add copyright notices. Other systems have been barrowing our /etc files
w/o giving any credit.
2000-10-08 19:20:36 +00:00
ru
7e189de72d Only install `divert natd' rule for predefined firewall types,
not when ${firewall_type} is set to a filename, as we know
nothing about user's script specifics.

Reported by:	Bernhard Valenti <bernhard.valenti@gmx.net>
2000-08-30 13:14:32 +00:00
ru
b19e603dc8 Make natd(8) "compatible" with firewall_type="simple".
PR:		conf/13769, conf/20197
2000-08-04 14:02:11 +00:00
obrien
4ab606e485 Update rev 1.29 -- 'draft-manning-dsua' is now in its 3rd version. 2000-07-30 19:28:05 +00:00
ps
1f5aecb400 Add an explicit rule number to natd so you do not end up with two
rule 100's.

Submitted by:	Jan Koum <jkb@yahoo-inc.com>
2000-05-08 20:28:20 +00:00
sheldonh
e9b1278038 Add to defaults/rc.conf a new function source_rc_confs which rc
scripts may use to source safely overrides in ${rc_conf_files}
files.

This protects users who insist on the bad practice of copying
/etc/defaults/rc.conf to /etc/rc.conf from a recursive loop
that exhausts available file descriptors.

Several people have expressed interest in breaking this function
out into its own shell script.  Anyone who wants to embark on
such an undertaking would do well to study the attributed PR.

PR:		17595
Reported by:	adrian
Submitted by:	Doug Barton <Doug@gorean.org>
2000-04-27 08:43:49 +00:00
bsd
a5a543c27b Back out the hook to execute the file ${firewall_type}. The intended
purpose of the hook was to provide the ability for a shell program to
instantiate the firewall rules instead of forcing them to be
statically coded.  This functionality was already present through the
use of ${firewall_script}, and I see no need to keep the
${firewall_type} hook around.

Reminded by: Dag-Erling Smorgrav <des@freebsd.org>
2000-04-27 00:48:59 +00:00
bsd
d70e245fbf Allow the firewall rules to be established by a shell script instead
of forcing them to be an 'ipfw' rules file.  This allows one to
determine interface addresses dynamically, etc.  The rule is if the
file referenced by ${firewall_type} is executable, it is sourced, but
if it is just readable, it is used as input to 'ipfw' like before.
2000-04-16 02:28:42 +00:00
paul
1526ff49b0 Add a firewall_flags option that is used when ipfw processes a file. It allows
you to run a preprocessor, such as m4, so that you can use macros in your
rules file.

Approved by:	jkh
2000-02-06 19:25:00 +00:00
rgrimes
286cc6ca6a Update this with the additional nets recomended by reading
draft-manning-dsua-01.txt.

Stop using public addresses as samples and use the recommended
192.0.2.0/24 netblock that has specifically been set aside for
documentation purposes.

Reviewed by:	readers of freebsd-security did not respond to a request
                for review
2000-01-28 11:30:28 +00:00
obrien
27b8e11386 Minor whitespace fix. 1999-12-04 01:27:51 +00:00
ru
28b2aeb2ae Pass IP fragments with non-zero offset. The semantics of matching
IP fragments has been changed in src/sys/netinet/ip_fw.c,v 1.78.

Reminded by:	"Ronald F. Guilmette" <rfg@monkeys.com>
1999-11-04 10:13:59 +00:00
nsayer
cbd46ae245 Add commented entry to the lo0 section inviting bridge users to
enable ARP on filtering bridges.
1999-10-24 00:26:49 +00:00
ru
cacca31f11 Allow for incoming DNS UDP queries. 1999-10-20 08:15:13 +00:00
mpp
581ae56e3b Fix a typo in a comment. 1999-09-30 04:55:23 +00:00
sheldonh
d8a93d30ec Apply a consistent style to most of the etc scripts. Particularly, use
case instead of test where appropriate, since case allows case is a sh
builtin and (as a side-effect) allows case-insensitivity.

Changes discussed on freebsd-hackers.

Submitted by:	Doug Barton <Doug@gorean.org>
1999-09-13 15:44:20 +00:00
peter
289c0d262f $Id$ -> $FreeBSD$ 1999-08-27 23:37:10 +00:00
sheldonh
8cec588c44 Style clean-up:
* All variables are now embraced: ${foo}

	* All comparisons against some value now take the form:
	  [ "${foo}" ? "value" ]
	  where ? is a comparison operator

	* All empty string tests now take the form:
	  [ -z "${foo}" ]

	* All non-empty string tests now take the form:
	  [ -n "${foo}" ]

Submitted by:	jkh
1999-08-25 16:01:45 +00:00
jkh
e57466a1c3 Use /etc/defaults/rc.conf everywhere, falling back to /etc/rc.conf
as necessary (for half-assed upgrades).
1999-02-10 18:08:16 +00:00
alex
01c59a917d Strengthen the rules governing the 127.0.0.0/8 subnet. The previous rules
allowed external hosts to send packets to the 127.0.0.0/8 subnet on the
firewall host.

Renumber the lo0 rules to guarantee they appear first.

PR:		6406
Submitted by:	Archie Cobbs <archie@whistle.com>
1998-04-25 00:40:55 +00:00
brian
116081d5f2 Add natd support.
PR:		6339
Submitted by:	cdillon@wolves.k12.mo.us
1998-04-18 10:27:19 +00:00
phk
1ceef06f41 Better RFC1918 network protection
PR:		6278
Reviewed by:	phk
Submitted by:	Ruslan Ermilov <ru@ucb.crimea.ua>
1998-04-15 16:41:14 +00:00
adam
436bc98091 get default firewall type from rc.conf 1998-02-10 01:45:57 +00:00
danny
868b6abbca MF22 - make firewall_type a little more robust 1997-10-21 00:54:08 +00:00
danny
df61c66b40 Fix some problems in the rules file loading and need for modload detection.
Found by: "James E. Housley" <housley@pr-comm.com>
1997-09-18 22:43:48 +00:00
danny
347e2e3c36 Reviewed by: msmith, alex
Cosmetic changes to the loading of firewall rules and lkm.
1997-09-11 10:59:02 +00:00
jkh
07cd08d705 Add inetd_flags and way of passing ipfw a configuration file
(if firewall = "somefilename").

Fix typo fixes and URLs which were accidently nuked out of this
file (submitted by: soil@quick.net via PR#3501).

Submitted by:	"Danny J. Zerkel" <dzerkel@phofarm.com>
1997-05-05 07:08:31 +00:00
jkh
af4383e1b6 Update the etc world from RELENG_2_2 which is now more up-to-date
(gotta get myself -current again, this is a drag).

Also-fixes-problems-noted-by: Wolfgang Helbig & Joerg Wunsch
1997-05-03 11:22:17 +00:00
alex
7d79f25eed Typo police.
Added links to O'Reilly & Associates and Addison-Wesley's web sites
to accompany the book recommendations.
1997-04-27 20:12:34 +00:00
jkh
7be3f36014 Bring in rc file changes from -current. 1997-04-27 03:59:19 +00:00
peter
f173325ac8 Revert $FreeBSD$ to $Id$ 1997-02-23 09:21:14 +00:00
jkh
808a36ef65 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
adam
c7a799d363 don't ask for confirmation 1996-09-05 11:22:09 +00:00
wosch
8720405f01 space typo, the shell don't like name=<space>value 1996-08-19 15:34:29 +00:00
jkh
819b8778d2 Remove root dotfiles which did more harm than good. 1996-08-14 14:42:05 +00:00
alex
208516062f Flush out the rules before adding entries. This prevents duplicate
rules from appearing when switching back and forth from single to
multi-user modes.
1996-06-22 00:54:36 +00:00
phk
eb2d09c221 Add another good book to the required reading.
make a couple of rules more sensible.

Reviewed by:	phk
Submitted by:	jmb
1996-04-12 09:16:42 +00:00
phk
abe01fc216 Add skeleton firewall setup(s). Comments very welcome. 1996-04-03 17:13:59 +00:00