1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-22 11:17:19 +00:00
Commit Graph

99 Commits

Author SHA1 Message Date
Poul-Henning Kamp
bb07ec8c84 Introduce a new feature in IPFW: Check of the source or destination
address is configured on a interface.  This is useful for routers with
dynamic interfaces.  It is now possible to say:

        0100 allow       tcp from any to any established
        0200 skipto 1000 tcp from any to any
        0300 allow       ip from any to any
        1000 allow       tcp from 1.2.3.4 to me 22
        1010 deny        tcp from any to me 22
        1020 allow       tcp from any to any

and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.

The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
2001-02-13 14:12:37 +00:00
Robert Watson
65450f2f77 o IPFW incorrectly handled filtering in the presence of previously
reserved and now allocated TCP flags in incoming packets.  This patch
  stops overloading those bits in the IP firewall rules, and moves
  colliding flags to a seperate field, ipflg.  The IPFW userland
  management tool, ipfw(8), is updated to reflect this change.  New TCP
  flags related to ECN are now included in tcp.h for reference, although
  we don't currently implement TCP+ECN.

o To use this fix without completely rebuilding, it is sufficient to copy
  ip_fw.h and tcp.h into your appropriate include directory, then rebuild
  the ipfw kernel module, and ipfw tool, and install both.  Note that a
  mismatch between module and userland tool will result in incorrect
  installation of firewall rules that may have unexpected effects.  This
  is an MFC candidate, following shakedown.  This bug does not appear
  to affect ipfilter.

Reviewed by:	security-officer, billf
Reported by:	Aragon Gouveia <aragon@phat.za.net>
2001-01-09 03:10:30 +00:00
Ruslan Ermilov
bc95ac80b2 Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
well, in which case return the rule number back into userland.

PR:		bin/18351
Reviewed by:	archie, luigi
2000-10-12 07:59:14 +00:00
Ruslan Ermilov
3ab6704228 Reset globals for every new command read from preprocessed file. 2000-10-11 13:02:30 +00:00
Ruslan Ermilov
de2e7393d6 Only interpret the last command line argument as a file to
be preprocessed if it is specified as an absolute pathname.

PR:		bin/16179
2000-10-11 12:17:06 +00:00
Ruslan Ermilov
79a74459fa Document the latest firewall knobs. 2000-10-06 11:17:06 +00:00
Ruslan Ermilov
507c85be96 Respect the protocol when looking the port up by service name.
PR:		21742
2000-10-04 07:59:19 +00:00
Ruslan Ermilov
8ace7a5e69 Do not force argument to ``ipid'' modifier be in hex, and
accept value of zero as valid for IP Identification field.
2000-10-03 11:23:29 +00:00
Ruslan Ermilov
1b4ea5a1a3 Fixed the printing of TCP flags. 2000-10-03 10:37:03 +00:00
Bill Fumerola
98b829924f Add new fields for more granularity:
IP: version, tos, ttl, len, id
	TCP: seq#, ack#, window size

Reviewed by:	silence on freebsd-{net,ipfw}
2000-10-02 03:03:31 +00:00
Warner Losh
595a9d6ebc optreset is declared in unistd.h now. 2000-08-16 07:36:30 +00:00
Bill Fumerola
9a6eeac9f4 Fix a paste-o in the tcpoptions check (not a security problem, just a
error in the usage printf())

Reviewed by:	rwatson
2000-07-17 03:02:15 +00:00
Kris Kennaway
ada79f6035 Don't call sprintf() with no format string. 2000-07-10 08:22:21 +00:00
Bill Fumerola
976a1c9106 Reorder the "prob" section in the output of list/show so it can be copy/pasted
into add without problems.

The previous commit had the other half of this original patch which handled
tcpflags/tcpflgs confusion in output/input.
2000-06-18 02:48:19 +00:00
Luigi Rizzo
8a0b95d610 Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
Dan Moschuk
9714563d83 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
Luigi Rizzo
6c28099089 userland side of WF2Q+ support in dummynet.
Manpage coming later...
2000-06-08 10:08:39 +00:00
Jeroen Ruigrok van der Werven
f1fb54a2f5 Remove unused include, and place sys includes at top, which enabled
us to remove this include.
2000-05-01 20:19:44 +00:00
Brian Feldman
0f95689794 Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".
2000-04-30 06:44:11 +00:00
Luigi Rizzo
20aed43d30 Use correct field for dst_port when displaying masks on dynamic pipes. 2000-02-13 11:46:59 +00:00
Luigi Rizzo
d69f84c0b4 Support and document new stateful ipfw features.
Approved-by: jordan
2000-02-10 14:25:26 +00:00
Luigi Rizzo
8c020cb775 Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.

Work supported by Akamba Corp.
2000-01-08 11:19:19 +00:00
Archie Cobbs
56345b0f5c Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
    but should continue going through the rule list.  This may be fixed
    in a later version.

I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
Brian Feldman
1efcedf596 Make the "uid" and "gid" code better. Now it can detect invalid user
names/numbers.

Reviewed by:	chris
1999-09-03 18:18:46 +00:00
Peter Wemm
7f3dea244c $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
Luigi Rizzo
e2bd328224 Whoops, forgot one line in previous patch. 1999-08-12 05:32:11 +00:00
Luigi Rizzo
f0706ad422 Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
Brian Feldman
0b6c1a832d Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
Brian Feldman
7a2aab80b0 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
Ruslan Ermilov
0a81860b0b Workaround the problem that the first (and only first) port name
can't have a dash character (it is treated as a ``range'' operator).
One could now use such a name by escaping the ``-'' characters.
For example:

# ipfw add 1 count tcp from any to any "ms\-sql\-s"
# ipfw add 2 count tcp from any ftp\\-data-ftp to any

PR:		7101
1999-06-11 09:43:53 +00:00
Ruslan Ermilov
43866c3e76 Fix the parsing of ip addresses on a command line.
PR:		5047
Reviewed by:	des
Test case:	ipfw add allow ip from 127.1 to any
1999-06-04 11:20:59 +00:00
Ruslan Ermilov
06e70c77bb Spelling corrections for dummynet.
Reviewed by:	des,luigi
1999-06-02 05:59:48 +00:00
Kris Kennaway
39aa78dd44 Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.

Submitted by:	Philippe Charnier
1999-05-29 08:12:38 +00:00
Luigi Rizzo
e142fadecb close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall
  rules, thus preventing possible panics due to dangling pointers
  (this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
  tolerant of common mistakes (such as specifying kbit instead of Kbit)

PR: kern/10889
Submitted by: Ruslan Ermilov
1999-05-24 10:01:22 +00:00
Archie Cobbs
14112159be Fix bug where 'ipfw list' would choke if there were a large number of rules. 1999-01-22 01:46:32 +00:00
Luigi Rizzo
d120b1c1fc Remove coredump when running "ipfw pipe" without more arguments.
PR: 8937
1998-12-27 11:23:05 +00:00
Luigi Rizzo
b13ebaaa5c ipfw changes for dummynet. manpages still missing 1998-12-14 18:43:03 +00:00
Archie Cobbs
b31a38612b Disallow ipfw "tee" rules until it is actually implemented.
PR:		bin/8471
1998-12-07 05:54:37 +00:00
Joerg Wunsch
aa045fa499 Preprocessor support for `ipfw [-q] ... file'.
This allows for more flexible ipfw configuration files using
`variables' to describe frequently used items in the file, like the
local IP address(es), interface names etc.  Both m4 and cpp are useful
and supported; with m4 being a little more unusual to the common C
programmer, things like automatic rule numbering can be achieved
fairly easy.

While i was at it, i've also untangled some of the ugly style inside
main(), and fixed a bug or two (like not being able to use blank lines
when running with -q).

A typical call with preprocessor invocation looks like

	ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules

Someone should probably add support for this feature to /etc/rc.firewall.
1998-11-23 10:54:28 +00:00
Alexander Langer
abe7f210b5 The flags type was recently changed from u_short to u_int, breaking
icmptypes.

PR:		8067
Submitted by:	Jonathan Hanna <jh@cr1003333-a.crdva1.bc.wave.home.com>

While I'm here, staticize functions.
1998-09-28 22:56:37 +00:00
Peter Hawkins
62cf03cd85 PR: 7475
Added support for -q (suppress output) when firewall rules are taken from a
file. Solves PR 7475
1998-08-04 14:41:37 +00:00
Julian Elischer
f9e354df42 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
Daniel O'Callaghan
0eaa45335d PR: 6641
Submitted by:	Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
Make -q work for zeroing a specific rule.
1998-05-15 12:38:07 +00:00
Poul-Henning Kamp
4419bba9fb When ipfw reads its rules from an input file, the optind variable is
not reinitialized to 1 after calling getopt. This results in parsing
errors on all but the first rule. An added patch also allows '#'
comments at the end of a line.

PR:		6379
Reviewed by:	phk
Submitted by:	Neal Fachan <kneel@ishiboo.com>
1998-04-22 06:20:20 +00:00
Alexander Langer
585054bfa6 Get the arguments to show_usage right (like the MFC'ed code in -stable).
Submitted by:	bde
1998-03-13 02:31:21 +00:00
Alexander Langer
ce78a1f6dd Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

  - Do not match fragmented packets if the rule specifies a port or
    TCP flags
  - Match fragmented packets if the rule does not specify a port and
    TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags.  Both kernel and ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-02-12 00:57:06 +00:00
Alexander Langer
1c910ddbf9 Bump up packet and byte counters to 64-bit unsigned ints. As a
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.

NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel
    and userland ipfw utility.

  o This probably should not be brought into 2.2.

PR:		3738
1998-01-08 03:03:54 +00:00
Alexander Langer
00bbf86dd5 Format mismatch in error message.
Submitted by:	bde
1998-01-08 00:27:31 +00:00
Alexander Langer
19b7e28d58 Support listing/showing specific rules supplied on the command line.
Use error codes from <sysexits.h>.
1998-01-07 02:23:04 +00:00
Alexander Langer
016d30080f Display a better error message and use a non-zero exit code when
zero/delete operations fail.

PR:		4231
Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-01-06 00:11:57 +00:00