Commit Graph

67 Commits

Author SHA1 Message Date
Julian Elischer
e4676ba603 Submitted by: Whistle Communications (archie Cobbs)
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

see the man page for a complete description.
1997-06-02 05:02:37 +00:00
Masafumi Max NAKANE
20aaa0e700 Typo.
PR:		3600
Submitted by:	Josh Gilliam <soil@quick.net>
1997-05-15 09:00:39 +00:00
Alexander Langer
c6a01512c6 Minor rewording of the examples section. 1997-05-15 00:51:08 +00:00
Warner Losh
8d64695c7c compare return value from getopt against -1 rather than EOF, per the final
posix standard on the topic.
1997-03-29 03:33:12 +00:00
Bruce Evans
423f22330a Force null termination after 2 errant strncpy()s. 1997-03-05 12:08:44 +00:00
Peter Wemm
c0ec1f37ef Revert $FreeBSD$ to $Id$ 1997-02-22 14:40:44 +00:00
Daniel O'Callaghan
f607e2c314 Add '-q' quiet flag for flush/add/zero commands; add 'show' command as
synonym for '-a list'; stop SEGV when specifying 'via' with no interface;
change 2 instances of strcpy() to strncpy().

This is a candidate for 2.2
1997-02-10 15:36:54 +00:00
Jordan K. Hubbard
8d26fa1ec7 Adjust spelling of `fw_flg' so this thing compiles again. 1997-01-17 07:01:21 +00:00
Adam David
839cc09e53 implement "not" keyword for inverting the address logic 1997-01-16 21:04:29 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Mike Pritchard
bc41bb3f92 Minor mdoc/style fixes. 1996-12-23 02:03:15 +00:00
Garrett Wollman
628d2ac1b0 Fix up programs which expect <net/if.h> to include <sys/time.h> to instead
do it themselves.  (Some of these programs actually depended on this
beyond compiling the definition of struct ifinfo!)  Also fix up some
other #include messes while we're at it.
1996-12-10 17:11:53 +00:00
John Polstra
00f1098194 Fix a spelling error.
2.2 Candidate.
1996-11-05 22:27:33 +00:00
Alexander Langer
bf41740b43 Issue a warning if the user specifies an invalid interface in a rule.
The rule is still added to the chain since the interface may get
created later on after loading an LKM.
1996-10-17 01:05:03 +00:00
Alexander Langer
7de7ab65b6 Note that -N is only effective when ipfw is displaying chain entries. 1996-09-15 00:08:30 +00:00
Nate Williams
1285c95c4b Because 'ipfw flush' is such a dangerous command (given that most
firewalls are remote, and this command will kill the network connection
to them), prompt the user for confirmation of this command.

Also, add the '-f' flag which ignores the need for confirmation the
command, and if there is no controlling tty (isatty(STDIN_FILENO) !=0)
assume '-f'.

If anyone is using ipfw flush in scripts it shouldn't affect them, but you
may want to change the script to use a 'ipfw -f flush'.

Reviewed by:	alex
1996-08-31 17:58:23 +00:00
Mike Pritchard
85cf659a76 Use the .Fx macro where appropriate. 1996-08-23 00:57:08 +00:00
Paul Traina
978eb210d1 Completely rewrite handling of protocol field for firewalls, things are
now completely consistent across all IP protocols and should be quite a
bit faster.

Use getprotoname() extensively, performed minor cleanups of admin utility.
The admin utility could use a good kick in the pants.

Basicly, these were the minimal changes I could make to the code
to get it up to tollerable shape.  There will be some future commits
to clean up the basic architecture of the firewall code, and if
I'm feeling ambitious, I may pull in changes like NAT from Linux
and make the firewall hooks comletely generic so that a user can
either load the ipfw module or the ipfilter module (cf Darren Reed).

Discussed with: fenner & alex
1996-08-13 19:43:24 +00:00
Paul Traina
73e3fe9132 Fix tcp/udp port ranges 1996-08-13 00:41:05 +00:00
Alexander Langer
593f7481aa Filter by IP protocol.
Submitted by: fenner (with modifications by me)

Bring in the interface unit wildcard flag fix from rev 1.15.4.8.
1996-08-05 02:38:51 +00:00
Julian Elischer
93e0e11657 Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
 be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
1996-07-10 19:44:30 +00:00
Alexander Langer
f8cc1596e7 Correct definition of 'established' keyword. 1996-07-02 00:29:22 +00:00
Alexander Langer
97842144e3 Formatting fixes for 'in' and 'out' while listing.
Prevent ALL protocol from being used with port specifications.

Allow 'via' keyword at any point in the options list.  Disallow
multiple 'via' specifications.
1996-06-29 01:28:19 +00:00
Alexander Langer
700061451a Fix port specification syntax.
Submitted by:	nate
1996-06-29 01:21:07 +00:00
Alexander Langer
c06c129887 Fix address mask calculation when using ':' syntax. Allow a mask
of /0 to have the desired effect.  Normalize IP addresses that
won't match a given mask (i.e. 1.2.3.4/24 becomes 1.2.3.0/24).
Submitted by R. Bezuidenhout <rbezuide@mikom.csir.co.za>

Code formatting and "frag" display fixes.
1996-06-23 20:47:51 +00:00
Alexander Langer
2a7a2545a4 Set the program name before trying to use it.
Found by: Aage Robekk <aagero@aage.priv.no>
1996-06-18 01:46:34 +00:00
Alexander Langer
a85b3068a1 Fix a typo in the view accounting records example. 1996-06-15 23:01:44 +00:00
Alexander Langer
3f21e4122d Bring the man page more into line with reality. 1996-06-15 01:38:51 +00:00
Alexander Langer
b55b9e3f1d Big sweep over ipfw, picking up where Poul left off:
- Filter based on ICMP types.
  - Accept interface wildcards (e.g. ppp*).
  - Resolve service names with the -N option.
  - Accept host names in 'from' and 'to' specifications
  - Display chain entry time stamps with the -t option.
  - Added URG to tcpflags.
  - Print usage if an unknown tcpflag is used.
  - Ability to zero individual accounting entries.
  - Clarify usage of port ranges.
  - Misc code cleanup.

Closes PRs: 1193, 1220, and 1266.
1996-06-09 23:46:22 +00:00
Poul-Henning Kamp
9f30a5482e Some cosmetics and some better error-checking.
Reviewed by:	phk
Submitted by:	"Daniel O'Callaghan" <danny@panda.hilink.com.au>
Submitted by:	Archie Cobbs <archie@whistle.com>
1996-05-11 20:31:55 +00:00
Poul-Henning Kamp
6cece43912 recognize "allow", "accept" and "pass"
add new feature for "established"
1996-04-03 13:49:10 +00:00
Poul-Henning Kamp
5cc7c95375 A couple of bug-fixes.
Reviewed by:	phk
Submitted by:	"Frank ten Wolde" <franky@pinewood.nl>
1996-04-02 11:43:28 +00:00
Poul-Henning Kamp
72ee2a8b10 Update to match kernel code. 1996-02-24 13:39:46 +00:00
Poul-Henning Kamp
5b0c234e20 A new ipfw program that can set and control the new features.
An almost correct usage is printed.
1996-02-24 00:20:56 +00:00
Poul-Henning Kamp
41955e9114 Update -current ipfw program as well.
I hope it all compiles...
1996-02-23 15:52:28 +00:00
Poul-Henning Kamp
cfe3bbfda2 Document that the firewall will no longer reorder the rules. 1996-02-13 15:20:20 +00:00
Mike Pritchard
e71057d8d0 Fix a bunch of spelling errors. 1996-01-29 23:52:43 +00:00
Peter Wemm
a5b996a7ec recording cvs-1.6 file death 1995-12-30 19:02:48 +00:00
Nate Williams
01fc1ee969 Convert manpage to -mandoc macros.
Submitted by:	Gary Palmer <gary@palmer.demon.co.uk>

Minor cleanup by me in the English.
1995-10-26 05:36:24 +00:00
Ugen J.S. Antsilevich
7934237885 Support all the tcpflag options in firewall.
Add reading options from file, now ipfw <filename> will
read commands string after string from file , form of strings
same as command line interface.
1995-10-23 03:58:06 +00:00
Ugen J.S. Antsilevich
5a9bab798e Support IP Option smatching in grammar and listing.
TcpSyn option removed and will be shortly repoaced by support of all
TCP Flags including syn and ack...
1995-10-01 21:54:05 +00:00
Gary Palmer
38a98b2254 Correct minor nit - to filter out SYN packets, the keyword is
`syn' not `tcpsyn' (which matches `tcp' which blocks all tcp
packets)
1995-08-31 21:12:05 +00:00
Gary Palmer
7852d4b660 Add $Id$ 1995-08-22 00:38:02 +00:00
Rodney W. Grimes
5ebc7e6281 Remove trailing whitespace. 1995-05-30 06:12:45 +00:00
Ugen J.S. Antsilevich
9289ddbe2e make pass work also as the first keyword
(while addf skipped)
Reviewed by:
Submitted by:
Obtained from:
1995-03-30 12:18:10 +00:00
Ugen J.S. Antsilevich
009f85df0b Update manpage..BTW,if somebody wit good English
would go through it and fix it would be a really good idea.
1995-03-03 12:59:47 +00:00
Ugen J.S. Antsilevich
3c3f8b95a8 Oops..remove some debugging leftover.. 1995-03-03 12:47:23 +00:00
Ugen J.S. Antsilevich
9071ec3796 Ok..so everybody picking on me that ipfw syntacs
is a pain in ...wel.. trying to fix this
 * from/to/via position indepenndant syntax
 * "any" for 0/0 host address
 * addf/addb default keyword in case you skip it..
 * pass = accept new action, seems to be somewhat better
   in particular cases
 * on = via (as on ed0 instead of via ed0,loook at
   reject tcp on ed0 from hacker )
1995-03-03 12:28:34 +00:00
Ugen J.S. Antsilevich
ce83f1d6d8 Fixed manpage..ldeny,lreject and log options are there
and others not..
Submitted by:	torstenb@FreeBSD.ORG
1995-02-27 10:52:22 +00:00
Ugen J.S. Antsilevich
ab7d7f5827 Change utility to accept interface name
along with IP as "via" argument
1995-02-24 14:32:45 +00:00