259065 | 07-Dec-2013 | gjb
- Copy stable/10 (r259064) to releng/10.0 as part of the 10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1
[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so start releng/10.0 at '100' so the branch is started with a value ending in zero.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

256281 | 10-Oct-2013 | gjb
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

238416 | 13-Jul-2012 | kevlo
Whitespace nit

229783 | 07-Jan-2012 | uqs
Spelling fixes for etc/

208060 | 14-May-2010 | dougb
Remove trailing white space. No functional changes.

206479 | 11-Apr-2010 | ume
Fix grammar in comment.
Submitted by: "b. f." <bf1783__at__googlemail.com>
MFC after: 3 days

206399 | 08-Apr-2010 | ume
Disambiguate `IPs' to a more specific term.
Submitted by: Garrett Cooper <yanefbsd__at__gmail.com>
MFC after: 3 days

206375 | 07-Apr-2010 | ume
firewall_trusted_ipv6 was gone by r202460. Remove stale comment about it as well.
202460 | 17-Jan-2010 | ume
Remove the rules using 'me6'. Now, 'me' matches both any IPv6 address and any IPv4 address configured on an interface in the system.
Reviewed by: David Horn <dhorn2000__at__gmail.com>, luigi, qingli
MFC after: 2 weeks

201930 | 09-Jan-2010 | ume
The client type rule allows DHCP, implicitly. Since DHCPv6 uses a link-local address, unlike DHCP, we need one more rule to allow DHCPv6.
Reported by: David Horn <dhorn2000__at__gmail.com>

201752 | 07-Jan-2010 | ume
Since the IPv4 rule allows ICMP_TIMXCEED, allow ICMP6_TIME_EXCEEDED as well for the workstation type firewall. It makes traceroute6 work.

201193 | 29-Dec-2009 | ume
Add missing me6 rules. Now, the IPv6 rules become equivalent to the IPv4 rules.
Reported by: David Horn <dhorn2000__at__gmail.com>

200028 | 02-Dec-2009 | ume
Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6 and rc.d/ip6fw.
Reviewed by: dougb, jhb
MFC after: 1 month

181762 | 15-Aug-2008 | jhb
Allow the network addresses and interface names for the "client" and "workstation" firewall types to be set from rc.conf so that rc.firewall no longer needs local patching to be usable for those types. For now I've set the variables in /etc/defaults/rc.conf to the previous defaults in /etc/rc.firewall.
PR: bin/65258
Submitted by: Valentin Nechayev netch of netch.kiev.ua
Silence from: net
MFC after: 2 weeks

181761 | 15-Aug-2008 | jhb
For the "client" and "simple" network types, collapse the separate "net" and "mask" variables into a single "net" variable that contains a full network address (including either a netmask or prefix length at the user's choice). Update the example settings to match.
MFC after: 2 weeks

181760 | 15-Aug-2008 | jhb
Use 'me' rather than explicit IP addresses for the "simple" and "client" firewall configurations.
PR: bin/65258
Silence on: net@
MFC after: 1 week
181260 | 03-Aug-2008 | danger
- back out my last commit as it seems to be wrong.
Spotted by: das

180577 | 17-Jul-2008 | danger
- DNS queries might also go over TCP, so allow it.
Approved by: rink
MFC after: 1 week

179598 | 06-Jun-2008 | keramida
Tweak rc.firewall to allow incoming limited broadcast traffic, when configured to run in 'client' mode.
PR: conf/15010
Submitted by: Bill Trost, trost at cloud.rain.com
Reviewed by: bz
MFC after: 2 weeks

175522 | 21-Jan-2008 | rafan
Improve kernel NAT support in rc.firewall
- Allow IP in firewall_nat_interface, just like natd_interface
- Allow additional configuration parameters passed to ipfw via firewall_nat_flags
- Document firewall_nat_* in defaults/rc.conf
Tested by: Albert B. Wang <abwang at gmail.com>
MFC after: 1 month

175244 | 12-Jan-2008 | maxim
o Correct the info about the "Firewalls and Internet Security" book: name, authors list, ISBN, URLs.
PR: conf/119590
MFC after: 1 week

168384 | 05-Apr-2007 | rwatson
s/IPFW(4)/ipfw(4)/ to match the actual man page name.
Submitted by: ru

168269 | 02-Apr-2007 | rwatson
In rc.firewall, make it clear that this is the setup for IPFW(4), and not for the sundry other firewalls in the system.
MFC after: 3 days
Submitted by: Richard dot Clayton at cl dot cam dot ac dot uk
165648 | 29-Dec-2006 | piso
Summer of Code 2005: improve libalias - part 2 of 2
With the second (and last) part of my previous Summer of Code work, we get:
- ipfw's in-kernel nat
- redirect_* and LSNAT support
General information about nat syntax and some examples are available in the ipfw(8) man page. The redirect and LSNAT syntax are identical to natd, so please refer to the natd(8) man page.
To enable in-kernel nat in rc.conf, two options were added:
o firewall_nat_enable: equivalent to natd_enable
o firewall_nat_interface: equivalent to natd_interface
Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet to continue being checked by the firewall ruleset after being (de)aliased.
NOTA BENE: due to some problems with the libalias architecture, in-kernel nat won't work with a TSO-enabled NIC, thus you have to disable TSO via ifconfig (ifconfig foo0 -tso).
Approved by: glebius (mentor)

163749 | 28-Oct-2006 | phk
Give rc.firewall a polish and a new method.
Factor out the loopback setup.
Use "me" instead of hardcoded $ip where possible.
Add "workstation" which protects just this machine with stateful firewalling. Put the variables for this in rc.conf.
Submitted by: Flemming Jacobsen <fj@batmule.dk>
Reviewed by: cperciva

152562 | 18-Nov-2005 | ume
Don't match packets other than IPv4 against the divert rule. Divert supports only IPv4.
Reported by: SAITOU Toshihide <toshi__at__ruby.ocn.ne.jp>
Discussed with: suz
MFC after: 1 day

121881 | 02-Nov-2003 | ru
DNS should not necessarily be named(8), tweak the comment a bit.

110476 | 06-Feb-2003 | trhodes
Add a header: #!/bin/sh.
PR: 44363
91019 | 21-Feb-2002 | cjc
Bring rc.firewall{,6} more in line with the word and spirit of rc.conf(5) and the files' inline documentation.
- Add the "closed" type, documented in both places, but which did not exist in the code.
- When provided a ruleset, the system should not make any assumptions about the site's policy and should add no rules of its own.
- Make the "UNKNOWN" type (documented in-line) actually work as advertised: load no rules.
Prodded by: Igor M Podlesny <poige@morning.ru>
MFC after: 1 week

88523 | 27-Dec-2001 | luigi
Remove a stale entry related to passing ARP with bridging and ipfw. This feature has been removed since 4.1 times and it is only a source of confusion.
The same needs to be done on -stable.
MFC after: 1 day

81618 | 14-Aug-2001 | dd
Sync the code that sucks in rc.conf and friends with what's in rc.firewall6. Specifically, don't do anything if [ -z ${source_rc_confs_defined} ]. Not doing this leads to a problem with dependencies: chkdepend will set, e.g., portmap_enable to YES if some service that needs portmap is enabled, but rc.network sources rc.firewall, which used to source defaults/rc.conf unconditionally, which would result in portmap_enable being set back to NO.
PR: 29631
Submitted by: OGAWA Takaya <t-ogawa@triaez.kaisei.org>

73842 | 06-Mar-2001 | obrien
style nit

73785 | 05-Mar-2001 | obrien
Also deny 127.0.0.0/8 going out.
Submitted by: grimes

73023 | 25-Feb-2001 | des
Fix references to Chapman & Zwicky and Cheswick & Bellovin.
PR: 24652
Submitted by: jjreynold@home.com

72772 | 20-Feb-2001 | nsayer
Fix some glaring insecurities in the prototype firewall configurations.
    pass udp from any 53 to ${oip}
allows an attacker to access ANY local port by simply binding his local side to 53. The state keeping mechanism is the correct way to allow DNS replies to go back to their source.
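The r72772 message above explains why a stateless "reply" rule keyed only on source port 53 is unsafe and why keep-state is the fix. The following is an added illustration, not code from rc.firewall or from the committer: it models both rules on constructed packet tuples (the outside address 192.0.2.10 and the peer addresses are made up) so the difference can be checked offline.

```python
"""Model of the weak stateless DNS-reply rule versus a keep-state rule.
Added example; the addresses and ports below are constructed, not taken
from any real ruleset."""
from typing import NamedTuple


class Pkt(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


OIP = "192.0.2.10"  # constructed: the firewall's outside address (${oip})


def stateless_allow(p: Pkt) -> bool:
    """The flawed rule 'pass udp from any 53 to ${oip}': only the source
    port is inspected, so any UDP datagram sent from port 53 is passed to
    whatever local port it names."""
    return p.proto == "udp" and p.sport == 53 and p.dst == OIP


class StatefulFirewall:
    """'pass udp from ${oip} to any 53 keep-state': an outbound query records
    a state entry, and only the datagram that mirrors it is let back in."""

    def __init__(self) -> None:
        self.state: set[tuple] = set()

    def outbound(self, p: Pkt) -> bool:
        ok = p.proto == "udp" and p.src == OIP and p.dport == 53
        if ok:  # remember the reversed 5-tuple that a genuine reply will carry
            self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return ok

    def inbound(self, p: Pkt) -> bool:
        return (p.proto, p.src, p.sport, p.dst, p.dport) in self.state


def demo() -> dict:
    """Run one real query/reply pair and one unsolicited datagram from a
    foreign host that bound its source port to 53, through both rules."""
    fw = StatefulFirewall()
    query = Pkt("udp", OIP, 40000, "198.51.100.53", 53)  # constructed resolver
    reply = Pkt("udp", "198.51.100.53", 53, OIP, 40000)
    probe = Pkt("udp", "203.0.113.7", 53, OIP, 111)  # constructed: unsolicited, aimed at portmap
    fw.outbound(query)
    return {"reply_stateless": stateless_allow(reply),
            "reply_stateful": fw.inbound(reply),
            "probe_stateless": stateless_allow(probe),
            "probe_stateful": fw.inbound(probe)}
```

Both rules pass the genuine reply; only the stateless rule also passes the unsolicited datagram to port 111.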
66830 | 08-Oct-2000 | obrien
Add copyright notices. Other systems have been borrowing our /etc files w/o giving any credit.

65257 | 30-Aug-2000 | ru
Only install the `divert natd' rule for predefined firewall types, not when ${firewall_type} is set to a filename, as we know nothing about the user's script specifics.
Reported by: Bernhard Valenti <bernhard.valenti@gmx.net>

64244 | 04-Aug-2000 | ru
Make natd(8) "compatible" with firewall_type="simple".
PR: conf/13769, conf/20197

64028 | 30-Jul-2000 | obrien
Update rev 1.29 -- 'draft-manning-dsua' is now in its 3rd version.

60208 | 08-May-2000 | ps
Add an explicit rule number to natd so you do not end up with two rule 100's.
Submitted by: Jan Koum <jkb@yahoo-inc.com>

59674 | 27-Apr-2000 | sheldonh
Add to defaults/rc.conf a new function source_rc_confs which rc scripts may use to safely source overrides in ${rc_conf_files} files.
This protects users who insist on the bad practice of copying /etc/defaults/rc.conf to /etc/rc.conf from a recursive loop that exhausts available file descriptors.
Several people have expressed interest in breaking this function out into its own shell script. Anyone who wants to embark on such an undertaking would do well to study the attributed PR.
PR: 17595
Reported by: adrian
Submitted by: Doug Barton <Doug@gorean.org>

59669 | 26-Apr-2000 | bsd
Back out the hook to execute the file ${firewall_type}. The intended purpose of the hook was to provide the ability for a shell program to instantiate the firewall rules instead of forcing them to be statically coded. This functionality was already present through the use of ${firewall_script}, and I see no need to keep the ${firewall_type} hook around.
Reminded by: Dag-Erling Smorgrav <des@freebsd.org>

59270 | 16-Apr-2000 | bsd
Allow the firewall rules to be established by a shell script instead of forcing them to be an 'ipfw' rules file. This allows one to determine interface addresses dynamically, etc. The rule is: if the file referenced by ${firewall_type} is executable, it is sourced, but if it is just readable, it is used as input to 'ipfw' like before.

57014 | 06-Feb-2000 | paul
Add a firewall_flags option that is used when ipfw processes a file. It allows you to run a preprocessor, such as m4, so that you can use macros in your rules file.
Approved by: jkh
56736 | 28-Jan-2000 | rgrimes
Update this with the additional nets recommended by reading draft-manning-dsua-01.txt.
Stop using public addresses as samples and use the recommended 192.0.2.0/24 netblock that has specifically been set aside for documentation purposes.
Reviewed by: readers of freebsd-security did not respond to a request for review

54108 | 03-Dec-1999 | obrien
Minor whitespace fix.

52873 | 04-Nov-1999 | ru
Pass IP fragments with non-zero offset. The semantics of matching IP fragments has been changed in src/sys/netinet/ip_fw.c,v 1.78.
Reminded by: "Ronald F. Guilmette" <rfg@monkeys.com>

52449 | 23-Oct-1999 | nsayer
Add a commented entry to the lo0 section inviting bridge users to enable ARP on filtering bridges.

52404 | 20-Oct-1999 | ru
Allow for incoming DNS UDP queries.

51805 | 30-Sep-1999 | mpp
Fix a typo in a comment.

51231 | 13-Sep-1999 | sheldonh
Apply a consistent style to most of the etc scripts. Particularly, use case instead of test where appropriate, since case is a sh builtin and (as a side-effect) allows case-insensitivity.
Changes discussed on freebsd-hackers.
Submitted by: Doug Barton <Doug@gorean.org>

50472 | 27-Aug-1999 | peter
$Id$ -> $FreeBSD$
50357 | 25-Aug-1999 | sheldonh
Style clean-up:
* All variables are now embraced: ${foo}
* All comparisons against some value now take the form: [ "${foo}" ? "value" ] where ? is a comparison operator
* All empty string tests now take the form: [ -z "${foo}" ]
* All non-empty string tests now take the form: [ -n "${foo}" ]
Submitted by: jkh

43849 | 10-Feb-1999 | jkh
Use /etc/defaults/rc.conf everywhere, falling back to /etc/rc.conf as necessary (for half-assed upgrades).

35444 | 24-Apr-1998 | alex
Strengthen the rules governing the 127.0.0.0/8 subnet. The previous rules allowed external hosts to send packets to the 127.0.0.0/8 subnet on the firewall host.
Renumber the lo0 rules to guarantee they appear first.
PR: 6406
Submitted by: Archie Cobbs <archie@whistle.com>

35267 | 18-Apr-1998 | brian
Add natd support.
PR: 6339
Submitted by: cdillon@wolves.k12.mo.us

35207 | 15-Apr-1998 | phk
Better RFC1918 network protection
PR: 6278
Reviewed by: phk
Submitted by: Ruslan Ermilov <ru@ucb.crimea.ua>

33203 | 09-Feb-1998 | adam
get default firewall type from rc.conf

30617 | 20-Oct-1997 | danny
MF22 - make firewall_type a little more robust
29590 | 18-Sep-1997 | danny
Fix some problems in the rules file loading and the need for modload detection.
Found by: "James E. Housley" <housley@pr-comm.com>

29300 | 11-Sep-1997 | danny
Cosmetic changes to the loading of firewall rules and lkm.
Reviewed by: msmith, alex

25478 | 05-May-1997 | jkh
Add inetd_flags and a way of passing ipfw a configuration file (if firewall = "somefilename").
Fix typos and URLs which were accidentally nuked out of this file (submitted by: soil@quick.net via PR#3501).
Submitted by: "Danny J. Zerkel" <dzerkel@phofarm.com>

25412 | 03-May-1997 | jkh
Update the etc world from RELENG_2_2 which is now more up-to-date (gotta get myself -current again, this is a drag).
Also-fixes-problems-noted-by: Wolfgang Helbig & Joerg Wunsch

25203 | 27-Apr-1997 | alex
Typo police.
Added links to O'Reilly & Associates and Addison-Wesley's web sites to accompany the book recommendations.

25184 | 27-Apr-1997 | jkh
Bring in rc file changes from -current.

23037 | 23-Feb-1997 | peter
Revert $FreeBSD$ to $Id$

21673 | 14-Jan-1997 | jkh
Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.

18045 | 05-Sep-1996 | adam
don't ask for confirmation

17671 | 19-Aug-1996 | wosch
space typo, the shell doesn't like name=<space>value

17594 | 14-Aug-1996 | jkh
Remove root dotfiles which did more harm than good.

16578 | 21-Jun-1996 | alex
Flush out the rules before adding entries. This prevents duplicate rules from appearing when switching back and forth from single to multi-user modes.

15210 | 12-Apr-1996 | phk
Add another good book to the required reading. Make a couple of rules more sensible.
Reviewed by: phk
Submitted by: jmb

15027 | 03-Apr-1996 | phk
Add skeleton firewall setup(s). Comments very welcome.