1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-16 10:20:30 +00:00
Commit Graph

34 Commits

Author SHA1 Message Date
Paul Saab
8cf43c44ea Add an explicit rule number to natd so you do not end up with two
rule 100's.

Submitted by:	Jan Koum <jkb@yahoo-inc.com>
2000-05-08 20:28:20 +00:00
Sheldon Hearn
f66e7afa28 Add to defaults/rc.conf a new function source_rc_confs which rc
scripts may use to source safely overrides in ${rc_conf_files}
files.

This protects users who insist on the bad practice of copying
/etc/defaults/rc.conf to /etc/rc.conf from a recursive loop
that exhausts available file descriptors.

Several people have expressed interest in breaking this function
out into its own shell script.  Anyone who wants to embark on
such an undertaking would do well to study the attributed PR.

PR:		17595
Reported by:	adrian
Submitted by:	Doug Barton <Doug@gorean.org>
2000-04-27 08:43:49 +00:00
Brian S. Dean
ee4619f2a7 Back out the hook to execute the file ${firewall_type}. The intended
purpose of the hook was to provide the ability for a shell program to
instantiate the firewall rules instead of forcing them to be
statically coded.  This functionality was already present through the
use of ${firewall_script}, and I see no need to keep the
${firewall_type} hook around.

Reminded by: Dag-Erling Smorgrav <des@freebsd.org>
2000-04-27 00:48:59 +00:00
Brian S. Dean
2ee229e5c3 Allow the firewall rules to be established by a shell script instead
of forcing them to be an 'ipfw' rules file.  This allows one to
determine interface addresses dynamically, etc.  The rule is if the
file referenced by ${firewall_type} is executable, it is sourced, but
if it is just readable, it is used as input to 'ipfw' like before.
2000-04-16 02:28:42 +00:00
Paul Richards
f49c61a73a Add a firewall_flags option that is used when ipfw processes a file. It allows
you to run a preprocessor, such as m4, so that you can use macros in your
rules file.

Approved by:	jkh
2000-02-06 19:25:00 +00:00
Rodney W. Grimes
9b20e2ca56 Update this with the additional nets recomended by reading
draft-manning-dsua-01.txt.

Stop using public addresses as samples and use the recommended
192.0.2.0/24 netblock that has specifically been set aside for
documentation purposes.

Reviewed by:	readers of freebsd-security did not respond to a request
                for review
2000-01-28 11:30:28 +00:00
David E. O'Brien
ee7f6d9f9b Minor whitespace fix. 1999-12-04 01:27:51 +00:00
Ruslan Ermilov
8a9c5a82c0 Pass IP fragments with non-zero offset. The semantics of matching
IP fragments has been changed in src/sys/netinet/ip_fw.c,v 1.78.

Reminded by:	"Ronald F. Guilmette" <rfg@monkeys.com>
1999-11-04 10:13:59 +00:00
Nick Sayer
3af7d635f1 Add commented entry to the lo0 section inviting bridge users to
enable ARP on filtering bridges.
1999-10-24 00:26:49 +00:00
Ruslan Ermilov
59e92b4999 Allow for incoming DNS UDP queries. 1999-10-20 08:15:13 +00:00
Mike Pritchard
c124f1f780 Fix a typo in a comment. 1999-09-30 04:55:23 +00:00
Sheldon Hearn
321704296f Apply a consistent style to most of the etc scripts. Particularly, use
case instead of test where appropriate, since case allows case is a sh
builtin and (as a side-effect) allows case-insensitivity.

Changes discussed on freebsd-hackers.

Submitted by:	Doug Barton <Doug@gorean.org>
1999-09-13 15:44:20 +00:00
Peter Wemm
9b7a44a60e $Id$ -> $FreeBSD$ 1999-08-27 23:37:10 +00:00
Sheldon Hearn
b68adff6b7 Style clean-up:
* All variables are now embraced: ${foo}

	* All comparisons against some value now take the form:
	  [ "${foo}" ? "value" ]
	  where ? is a comparison operator

	* All empty string tests now take the form:
	  [ -z "${foo}" ]

	* All non-empty string tests now take the form:
	  [ -n "${foo}" ]

Submitted by:	jkh
1999-08-25 16:01:45 +00:00
Jordan K. Hubbard
9c63624e6f Use /etc/defaults/rc.conf everywhere, falling back to /etc/rc.conf
as necessary (for half-assed upgrades).
1999-02-10 18:08:16 +00:00
Alexander Langer
0804188c52 Strengthen the rules governing the 127.0.0.0/8 subnet. The previous rules
allowed external hosts to send packets to the 127.0.0.0/8 subnet on the
firewall host.

Renumber the lo0 rules to guarantee they appear first.

PR:		6406
Submitted by:	Archie Cobbs <archie@whistle.com>
1998-04-25 00:40:55 +00:00
Brian Somers
252ba33d3c Add natd support.
PR:		6339
Submitted by:	cdillon@wolves.k12.mo.us
1998-04-18 10:27:19 +00:00
Poul-Henning Kamp
3d10253c7d Better RFC1918 network protection
PR:		6278
Reviewed by:	phk
Submitted by:	Ruslan Ermilov <ru@ucb.crimea.ua>
1998-04-15 16:41:14 +00:00
Adam David
7f06341409 get default firewall type from rc.conf 1998-02-10 01:45:57 +00:00
Daniel O'Callaghan
a9a7f08317 MF22 - make firewall_type a little more robust 1997-10-21 00:54:08 +00:00
Daniel O'Callaghan
24e24b0737 Fix some problems in the rules file loading and need for modload detection.
Found by: "James E. Housley" <housley@pr-comm.com>
1997-09-18 22:43:48 +00:00
Daniel O'Callaghan
5f4feab696 Reviewed by: msmith, alex
Cosmetic changes to the loading of firewall rules and lkm.
1997-09-11 10:59:02 +00:00
Jordan K. Hubbard
1218780bd1 Add inetd_flags and way of passing ipfw a configuration file
(if firewall = "somefilename").

Fix typo fixes and URLs which were accidently nuked out of this
file (submitted by: soil@quick.net via PR#3501).

Submitted by:	"Danny J. Zerkel" <dzerkel@phofarm.com>
1997-05-05 07:08:31 +00:00
Jordan K. Hubbard
0862a4aff9 Update the etc world from RELENG_2_2 which is now more up-to-date
(gotta get myself -current again, this is a drag).

Also-fixes-problems-noted-by: Wolfgang Helbig & Joerg Wunsch
1997-05-03 11:22:17 +00:00
Alexander Langer
b33b5868a5 Typo police.
Added links to O'Reilly & Associates and Addison-Wesley's web sites
to accompany the book recommendations.
1997-04-27 20:12:34 +00:00
Jordan K. Hubbard
524a1478c8 Bring in rc file changes from -current. 1997-04-27 03:59:19 +00:00
Peter Wemm
79403fe300 Revert $FreeBSD$ to $Id$ 1997-02-23 09:21:14 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Adam David
e389e42669 don't ask for confirmation 1996-09-05 11:22:09 +00:00
Wolfram Schneider
7ea944f3a6 space typo, the shell don't like name=<space>value 1996-08-19 15:34:29 +00:00
Jordan K. Hubbard
38b411e309 Remove root dotfiles which did more harm than good. 1996-08-14 14:42:05 +00:00
Alexander Langer
2df2f6af71 Flush out the rules before adding entries. This prevents duplicate
rules from appearing when switching back and forth from single to
multi-user modes.
1996-06-22 00:54:36 +00:00
Poul-Henning Kamp
86c81cd529 Add another good book to the required reading.
make a couple of rules more sensible.

Reviewed by:	phk
Submitted by:	jmb
1996-04-12 09:16:42 +00:00
Poul-Henning Kamp
429c71776e Add skeleton firewall setup(s). Comments very welcome. 1996-04-03 17:13:59 +00:00