75 Commits

Author SHA1 Message Date
julian
ec367814e8 Slight tidy up of comments before MFC
MFC after:	2 days
2015-06-29 07:43:09 +00:00
julian
667f7507fb remove 16 rules and replace by 2 by using a table
I've been doing this ever since there were tables
coudl make more efficient by using "in recv"  and "out xmit" instead of via
but I'll leave that.

MFC after:	1 week
2015-06-22 04:25:41 +00:00
hrs
f8efef6094 Fix a typo.
Spotted by:	O. Hartmann
2014-10-20 04:14:35 +00:00
hrs
062adab01a Add support of "/{udp,tcp,proto}" suffix into $firewall_myservices, which
interpreted the listed items as port numbers of TCP services.

A service with no suffix still works and recognized as a TCP service for
backward compatibility.  It should be updated with /tcp suffix.

PR:		194292
MFC after:	1 week
2014-10-17 00:31:51 +00:00
kevlo
c587547ed2 Whitespace nit 2012-07-13 06:46:09 +00:00
uqs
a6f0acec24 Spelling fixes for etc/ 2012-01-07 16:10:32 +00:00
dougb
3df3a625bf Remove trailing white space. No functional changes. 2010-05-14 04:53:57 +00:00
ume
7ce3a4d539 Fix grammar in comment.
Submitted by:	"b. f." <bf1783__at__googlemail.com>
MFC after:	3 days
2010-04-11 15:31:09 +00:00
ume
3321f56bbe Disambiguate `IPs' to a more specific term.
Submitted by:	Garrett Cooper <yanefbsd__at__gmail.com>
MFC after:	3 days
2010-04-08 15:19:57 +00:00
ume
a21ba7584c firewall_trusted_ipv6 was gone by r202460. Remove stale comment about
it as well.
2010-04-07 18:14:30 +00:00
ume
a59ae58903 Remove the rules using 'me6'. Now, 'me' matches both any IPv6 address
and any IPv4 address configured on an interface in the system.

Reviewed by:	David Horn <dhorn2000__at__gmail.com>, luigi, qingli
MFC after:	2 weeks
2010-01-17 08:41:07 +00:00
ume
832ae2737b The client type rule allows DHCP, implicitly. Since DHCPv6 uses
link-local address unlike with DHCP, we need one more rule to allow
the DHCPv6.

Reported by:	David Horn <dhorn2000__at__gmail.com>
2010-01-09 19:16:27 +00:00
ume
41f06dea81 Since the IPv4 rule allows ICMP_TIMXCEED, allow
ICMP6_TIME_EXCEEDED as well for workstation type
firewall.  It makes traceroute6 work.
2010-01-07 17:46:25 +00:00
ume
5afec7265c Add missing me6 rules. Now, the IPv6 rules become equivalent
to the IPv4 rules.

Reported by:	David Horn <dhorn2000__at__gmail.com>
2009-12-29 11:27:51 +00:00
ume
ba7665678f Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6
and rc.d/ip6fw.

Reviewed by:	dougb, jhb
MFC after:	1 month
2009-12-02 15:05:26 +00:00
jhb
6bfca819a4 Allow the network addresses and interface names for the "client" and
"workstation" firewall types to be set from rc.conf so that rc.firewall
no longer needs local patching to be usable for those types.  For now
I've set the variables in /etc/defaults/rc.conf to the previous defaults
in /etc/rc.firewall.

PR:		bin/65258
Submitted by:	Valentin Nechayev  netch of netch.kiev.ua
Silence from:	net
MFC after:	2 weeks
2008-08-15 19:20:59 +00:00
jhb
879012b8bd For the "client" and "simple" network types, collapse the separate "net"
and "mask" variables into a single "net" variable that contains a full
network address (including either a netmask or prefix length at the user's
choice).  Update the example settings to match.

MFC after:	2 weeks
2008-08-15 19:14:25 +00:00
jhb
358e19cca4 Use 'me' rather than explicit IP addresses for the "simple" and "client"
firewall configurations.

PR:		bin/65258
Silence on:	net@
MFC after:	1 week
2008-08-15 18:58:15 +00:00
danger
b6a62e0a11 - back out my last commit as it seems to be wrong.
Spotted by: das
2008-08-03 19:01:07 +00:00
danger
ac5e6208c0 - dns queries might go also over TCP, so allow it.
Approved by:	rink
MFC after:	1 week
2008-07-17 20:00:18 +00:00
keramida
0292737640 Tweak rc.firewall to allow incoming limited broadcast traffic,
when configured to run in 'client' mode.

PR:		conf/15010
Submitted by:	Bill Trost, trost at cloud.rain.com
Reviewed by:	bz
MFC after:	2 weeks
2008-06-06 07:17:04 +00:00
rafan
d70dd9e5a0 Improve kernel NAT support in rc.firewall
- Allow IP in firewall_nat_interface, just like natd_interface
- Allow additional configuration parameters passed to ipfw via
  firewall_nat_flags
- Document firewall_nat_* in defaults/rc.conf

Tested by:	Albert B. Wang <abwang at gmail.com>
MFC after:	1 month
2008-01-21 04:41:18 +00:00
maxim
74720d8946 o Correct an info about "Firewalls and Internet Security" book: name,
authors list, ISBN, URLs.

PR:		conf/119590
MFC after:	1 week
2008-01-12 19:02:09 +00:00
rwatson
533e9e57ea s/IPFW(4)/ipfw(4) to match the actual man page name.
Submitted by:	ru
2007-04-05 10:44:25 +00:00
rwatson
bedd4ae2b3 In rc.firewall, make it clear that this is the setup for IPFW(4), and not
for the sundry other firewalls in the system.

MFC after:	3 days
Submitted by:	Richard dot Clayton at cl dot cam dot ac dot uk
2007-04-02 14:02:06 +00:00
piso
0db606a3b1 Summer of Code 2005: improve libalias - part 2 of 2
With the second (and last) part of my previous Summer of Code work, we get:

-ipfw's in kernel nat

-redirect_* and LSNAT support

General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.

To enable in kernel nat in rc.conf, two options were added:

o firewall_nat_enable: equivalent to natd_enable

o firewall_nat_interface: equivalent to natd_interface

Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.

NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).

Approved by: glebius (mentor)
2006-12-29 21:59:17 +00:00
phk
417527cc24 Give rc.firewall a polish and a new method.
Factor out the loopback setup

Use "me" instead of hardcoded $ip where possible.

Add "workstation" which protects just this machine with stateful
    firewalling.  Put the variables for this in rc.conf.

Submitted by:	Flemming Jacobsen <fj@batmule.dk>
Reviewed by:	cperciva
2006-10-28 20:08:12 +00:00
ume
1f2553e461 don't match packets other than IPv4 against divert rule.
divert supports only IPv4.

Reported by:	SAITOU Toshihide <toshi__at__ruby.ocn.ne.jp>
Discussed with:	suz
MFC after:	1 day
2005-11-18 02:23:59 +00:00
ru
c963c859f6 DNS should not necessarily be named(8), tweak the comment a bit. 2003-11-02 07:31:44 +00:00
trhodes
2791241073 Add a header: #!/bin/sh.
PR:	44363
2003-02-06 22:00:38 +00:00
cjc
f864694415 Bring rc.firewall{,6} more in line with the word and spirit of
rc.conf(5) and the files' inline documentation.

  - Add the "closed"-type, documented in both places, but which did not
    exist in the code.

  - When provided a ruleset, the system should not make any assumptions
    about the sites's policy and should add no rules of its own.

  - Make the "UNKNOWN" (documented in-line) actual work as advertised,
    load no rules.

Prodded by:	Igor M Podlesny <poige@morning.ru>
MFC after:	1 week
2002-02-21 13:14:19 +00:00
luigi
a3fca633a5 Remove a stale entry related to passing ARP with bridging and ipfw.
This feature has been removed since 4.1 times and it is only a source
of confusion.

Same needs to be done on -stable.

MFC after: 1 day
2001-12-27 05:40:09 +00:00
dd
9b57f556f5 Sync the code that sucks in rc.conf and friends with what's in
rc.firewall6.  Specifically, don't do anything
if [ -z ${source_rc_confs_defined} ].  Not doing this leads to a problem
with dependencies: chkdepend will set, e.g., portmap_enable to YES if
some service that needs portmap is enabled, but rc.network sources
rc.firewall, which used to source defaults/rc.conf unconditionally,
which would result in portmap_enable being set back to NO.

PR:		29631
Submitted by:	OGAWA Takaya <t-ogawa@triaez.kaisei.org>
2001-08-14 05:50:19 +00:00
obrien
332a3a9241 style nit 2001-03-06 02:15:38 +00:00
obrien
724856f88e Also deny 127.0.0.0/8 going out.
Submitted by:	grimes
2001-03-05 20:51:40 +00:00
des
4f21d5f03f Fix references to Chapman & Zwicky and Cheswick & Bellowin.
PR:		24652
Submitted by:	jjreynold@home.com
2001-02-25 11:44:51 +00:00
nsayer
763b2b7745 Fix some glaring insecurities in the prototype firewall configurations.
pass udp from any 53 to ${oip}

allows an attacker to access ANY local port by simply binding his local
side to 53. The state keeping mechanism is the correct way to allow DNS
replies to go back to their source.
2001-02-20 19:54:31 +00:00
obrien
6700db6a71 Add copyright notices. Other systems have been barrowing our /etc files
w/o giving any credit.
2000-10-08 19:20:36 +00:00
ru
7e189de72d Only install `divert natd' rule for predefined firewall types,
not when ${firewall_type} is set to a filename, as we know
nothing about user's script specifics.

Reported by:	Bernhard Valenti <bernhard.valenti@gmx.net>
2000-08-30 13:14:32 +00:00
ru
b19e603dc8 Make natd(8) "compatible" with firewall_type="simple".
PR:		conf/13769, conf/20197
2000-08-04 14:02:11 +00:00
obrien
4ab606e485 Update rev 1.29 -- 'draft-manning-dsua' is now in its 3rd version. 2000-07-30 19:28:05 +00:00
ps
1f5aecb400 Add an explicit rule number to natd so you do not end up with two
rule 100's.

Submitted by:	Jan Koum <jkb@yahoo-inc.com>
2000-05-08 20:28:20 +00:00
sheldonh
e9b1278038 Add to defaults/rc.conf a new function source_rc_confs which rc
scripts may use to source safely overrides in ${rc_conf_files}
files.

This protects users who insist on the bad practice of copying
/etc/defaults/rc.conf to /etc/rc.conf from a recursive loop
that exhausts available file descriptors.

Several people have expressed interest in breaking this function
out into its own shell script.  Anyone who wants to embark on
such an undertaking would do well to study the attributed PR.

PR:		17595
Reported by:	adrian
Submitted by:	Doug Barton <Doug@gorean.org>
2000-04-27 08:43:49 +00:00
bsd
a5a543c27b Back out the hook to execute the file ${firewall_type}. The intended
purpose of the hook was to provide the ability for a shell program to
instantiate the firewall rules instead of forcing them to be
statically coded.  This functionality was already present through the
use of ${firewall_script}, and I see no need to keep the
${firewall_type} hook around.

Reminded by: Dag-Erling Smorgrav <des@freebsd.org>
2000-04-27 00:48:59 +00:00
bsd
d70e245fbf Allow the firewall rules to be established by a shell script instead
of forcing them to be an 'ipfw' rules file.  This allows one to
determine interface addresses dynamically, etc.  The rule is if the
file referenced by ${firewall_type} is executable, it is sourced, but
if it is just readable, it is used as input to 'ipfw' like before.
2000-04-16 02:28:42 +00:00
paul
1526ff49b0 Add a firewall_flags option that is used when ipfw processes a file. It allows
you to run a preprocessor, such as m4, so that you can use macros in your
rules file.

Approved by:	jkh
2000-02-06 19:25:00 +00:00
rgrimes
286cc6ca6a Update this with the additional nets recomended by reading
draft-manning-dsua-01.txt.

Stop using public addresses as samples and use the recommended
192.0.2.0/24 netblock that has specifically been set aside for
documentation purposes.

Reviewed by:	readers of freebsd-security did not respond to a request
                for review
2000-01-28 11:30:28 +00:00
obrien
27b8e11386 Minor whitespace fix. 1999-12-04 01:27:51 +00:00
ru
28b2aeb2ae Pass IP fragments with non-zero offset. The semantics of matching
IP fragments has been changed in src/sys/netinet/ip_fw.c,v 1.78.

Reminded by:	"Ronald F. Guilmette" <rfg@monkeys.com>
1999-11-04 10:13:59 +00:00
nsayer
cbd46ae245 Add commented entry to the lo0 section inviting bridge users to
enable ARP on filtering bridges.
1999-10-24 00:26:49 +00:00