path: root/etc/rc.firewall
Commit log (each entry: commit message; author, age, files changed, lines removed/added; commit body; svn notes)
* pkgbase: Really move rc.firewall
  Emmanuel Vadot, 2019-05-22; 1 file, -557/+0
  Messed up with git->svn in r348098
  Notes: svn path=/head/; revision=348103
* The firewall_type is ignored if not set in rc.conf or rc.conf.local,
  Marcelo Araujo, 2018-02-22; 1 file, -2/+10
  after r190575 there is an option to call rc.firewall with the firewall_type passed in as an argument.
  Submitted by: David P. Discher <dpd@dpdtech.com>
  MFC after: 3 weeks.
  Sponsored by: iXsystems Inc.
  Differential Revision: https://reviews.freebsd.org/D14286
  Notes: svn path=/head/; revision=329817
* Slight tidy up of comments before MFC
  Julian Elischer, 2015-06-29; 1 file, -2/+2
  MFC after: 2 days
  Notes: svn path=/head/; revision=284920
* remove 16 rules and replace by 2 by using a table
  Julian Elischer, 2015-06-22; 1 file, -22/+14
  I've been doing this ever since there were tables.
  Could make it more efficient by using "in recv" and "out xmit" instead of via, but I'll leave that.
  MFC after: 1 week
  Notes: svn path=/head/; revision=284691
* Fix a typo.
  Hiroki Sato, 2014-10-20; 1 file, -1/+2
  Spotted by: O. Hartmann
  Notes: svn path=/head/; revision=273301
* Add support of "/{udp,tcp,proto}" suffix into $firewall_myservices, which
  Hiroki Sato, 2014-10-17; 1 file, -3/+20
  interpreted the listed items as port numbers of TCP services. A service with no suffix still works and is recognized as a TCP service for backward compatibility. It should be updated with the /tcp suffix.
  PR: 194292
  MFC after: 1 week
  Notes: svn path=/head/; revision=273201
* Whitespace nit
  Kevin Lo, 2012-07-13; 1 file, -2/+2
  Notes: svn path=/head/; revision=238416
* Spelling fixes for etc/
  Ulrich Spörlein, 2012-01-07; 1 file, -5/+5
  Notes: svn path=/head/; revision=229783
* Remove trailing white space. No functional changes.
  Doug Barton, 2010-05-14; 1 file, -3/+3
  Notes: svn path=/head/; revision=208060
* Fix grammar in comment.
  Hajimu UMEMOTO, 2010-04-11; 1 file, -3/+3
  Submitted by: "b. f." <bf1783__at__googlemail.com>
  MFC after: 3 days
  Notes: svn path=/head/; revision=206479
* Disambiguate `IPs' to a more specific term.
  Hajimu UMEMOTO, 2010-04-08; 1 file, -6/+8
  Submitted by: Garrett Cooper <yanefbsd__at__gmail.com>
  MFC after: 3 days
  Notes: svn path=/head/; revision=206399
* firewall_trusted_ipv6 was gone by r202460. Remove stale comment about
  Hajimu UMEMOTO, 2010-04-07; 1 file, -6/+1
  it as well.
  Notes: svn path=/head/; revision=206375
* Remove the rules using 'me6'. Now, 'me' matches both any IPv6 address
  Hajimu UMEMOTO, 2010-01-17; 1 file, -45/+5
  and any IPv4 address configured on an interface in the system.
  Reviewed by: David Horn <dhorn2000__at__gmail.com>, luigi, qingli
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=202460
* The client type rule allows DHCP, implicitly. Since DHCPv6 uses
  Hajimu UMEMOTO, 2010-01-09; 1 file, -0/+2
  a link-local address, unlike DHCP, we need one more rule to allow DHCPv6.
  Reported by: David Horn <dhorn2000__at__gmail.com>
  Notes: svn path=/head/; revision=201930
* Since the IPv4 rule allows ICMP_TIMXCEED, allow
  Hajimu UMEMOTO, 2010-01-07; 1 file, -1/+4
  ICMP6_TIME_EXCEEDED as well for the workstation type firewall. It makes traceroute6 work.
  Notes: svn path=/head/; revision=201752
* Add missing me6 rules. Now, the IPv6 rules become equivalent
  Hajimu UMEMOTO, 2009-12-29; 1 file, -0/+29
  to the IPv4 rules.
  Reported by: David Horn <dhorn2000__at__gmail.com>
  Notes: svn path=/head/; revision=201193
* Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6
  Hajimu UMEMOTO, 2009-12-02; 1 file, -10/+146
  and rc.d/ip6fw.
  Reviewed by: dougb, jhb
  MFC after: 1 month
  Notes: svn path=/head/; revision=200028
* Allow the network addresses and interface names for the "client" and
  John Baldwin, 2008-08-15; 1 file, -6/+15
  "workstation" firewall types to be set from rc.conf so that rc.firewall no longer needs local patching to be usable for those types. For now I've set the variables in /etc/defaults/rc.conf to the previous defaults in /etc/rc.firewall.
  PR: bin/65258
  Submitted by: Valentin Nechayev netch of netch.kiev.ua
  Silence from: net
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=181762
* For the "client" and "simple" network types, collapse the separate "net"
  John Baldwin, 2008-08-15; 1 file, -14/+11
  and "mask" variables into a single "net" variable that contains a full network address (including either a netmask or prefix length at the user's choice). Update the example settings to match.
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=181761
* Use 'me' rather than explicit IP addresses for the "simple" and "client"
  John Baldwin, 2008-08-15; 1 file, -12/+9
  firewall configurations.
  PR: bin/65258
  Silence on: net@
  MFC after: 1 week
  Notes: svn path=/head/; revision=181760
* - back out my last commit as it seems to be wrong.
  Daniel Gerzo, 2008-08-03; 1 file, -2/+0
  Spotted by: das
  Notes: svn path=/head/; revision=181260
* - dns queries might also go over TCP, so allow it.
  Daniel Gerzo, 2008-07-17; 1 file, -0/+2
  Approved by: rink
  MFC after: 1 week
  Notes: svn path=/head/; revision=180577
* Tweak rc.firewall to allow incoming limited broadcast traffic,
  Giorgos Keramidas, 2008-06-06; 1 file, -0/+3
  when configured to run in 'client' mode.
  PR: conf/15010
  Submitted by: Bill Trost, trost at cloud.rain.com
  Reviewed by: bz
  MFC after: 2 weeks
  Notes: svn path=/head/; revision=179598
* Improve kernel NAT support in rc.firewall
  Rong-En Fan, 2008-01-21; 1 file, -1/+7
  - Allow IP in firewall_nat_interface, just like natd_interface
  - Allow additional configuration parameters passed to ipfw via firewall_nat_flags
  - Document firewall_nat_* in defaults/rc.conf
  Tested by: Albert B. Wang <abwang at gmail.com>
  MFC after: 1 month
  Notes: svn path=/head/; revision=175522
* o Correct info about the "Firewalls and Internet Security" book: name,
  Maxim Konovalov, 2008-01-12; 1 file, -7/+6
  authors list, ISBN, URLs.
  PR: conf/119590
  MFC after: 1 week
  Notes: svn path=/head/; revision=175244
* s/IPFW(4)/ipfw(4) to match the actual man page name.
  Robert Watson, 2007-04-05; 1 file, -1/+1
  Submitted by: ru
  Notes: svn path=/head/; revision=168384
* In rc.firewall, make it clear that this is the setup for IPFW(4), and not
  Robert Watson, 2007-04-02; 1 file, -1/+1
  for the sundry other firewalls in the system.
  MFC after: 3 days
  Submitted by: Richard dot Clayton at cl dot cam dot ac dot uk
  Notes: svn path=/head/; revision=168269
* Summer of Code 2005: improve libalias - part 2 of 2
  Paolo Pisati, 2006-12-29; 1 file, -0/+8
  With the second (and last) part of my previous Summer of Code work, we get:
  - ipfw's in kernel nat
  - redirect_* and LSNAT support
  General information about nat syntax and some examples are available in the ipfw(8) man page. The redirect and LSNAT syntax are identical to natd, so please refer to the natd(8) man page.
  To enable in kernel nat in rc.conf, two options were added:
  o firewall_nat_enable: equivalent to natd_enable
  o firewall_nat_interface: equivalent to natd_interface
  Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet to continue being checked by the firewall ruleset after being (de)aliased.
  NOTA BENE: due to some problems with the libalias architecture, in kernel nat won't work with a TSO-enabled nic, thus you have to disable TSO via ifconfig (ifconfig foo0 -tso).
  Approved by: glebius (mentor)
  Notes: svn path=/head/; revision=165648
* Give rc.firewall a polish and a new method.
  Poul-Henning Kamp, 2006-10-28; 1 file, -16/+107
  Factor out the loopback setup.
  Use "me" instead of hardcoded $ip where possible.
  Add "workstation" which protects just this machine with stateful firewalling. Put the variables for this in rc.conf.
  Submitted by: Flemming Jacobsen <fj@batmule.dk>
  Reviewed by: cperciva
  Notes: svn path=/head/; revision=163749
* don't match packets other than IPv4 against divert rule.
  Hajimu UMEMOTO, 2005-11-18; 1 file, -1/+1
  divert supports only IPv4.
  Reported by: SAITOU Toshihide <toshi__at__ruby.ocn.ne.jp>
  Discussed with: suz
  MFC after: 1 day
  Notes: svn path=/head/; revision=152562
* DNS should not necessarily be named(8), tweak the comment a bit.
  Ruslan Ermilov, 2003-11-02; 1 file, -1/+1
  Notes: svn path=/head/; revision=121881
* Add a header: #!/bin/sh.
  Tom Rhodes, 2003-02-06; 1 file, -0/+1
  PR: 44363
  Notes: svn path=/head/; revision=110476
* Bring rc.firewall{,6} more in line with the word and spirit of
  Crist J. Clark, 2002-02-21; 1 file, -7/+17
  rc.conf(5) and the files' inline documentation.
  - Add the "closed"-type, documented in both places, but which did not exist in the code.
  - When provided a ruleset, the system should not make any assumptions about the site's policy and should add no rules of its own.
  - Make the "UNKNOWN" (documented in-line) actually work as advertised, load no rules.
  Prodded by: Igor M Podlesny <poige@morning.ru>
  MFC after: 1 week
  Notes: svn path=/head/; revision=91019
* Remove a stale entry related to passing ARP with bridging and ipfw.
  Luigi Rizzo, 2001-12-27; 1 file, -2/+0
  This feature has been removed since 4.1 times and it is only a source of confusion. Same needs to be done on -stable.
  MFC after: 1 day
  Notes: svn path=/head/; revision=88523
* Sync the code that sucks in rc.conf and friends with what's in
  Dima Dorfman, 2001-08-14; 1 file, -5/+7
  rc.firewall6. Specifically, don't do anything if [ -z ${source_rc_confs_defined} ]. Not doing this leads to a problem with dependencies: chkdepend will set, e.g., portmap_enable to YES if some service that needs portmap is enabled, but rc.network sources rc.firewall, which used to source defaults/rc.conf unconditionally, which would result in portmap_enable being set back to NO.
  PR: 29631
  Submitted by: OGAWA Takaya <t-ogawa@triaez.kaisei.org>
  Notes: svn path=/head/; revision=81618
* style nit
  David E. O'Brien, 2001-03-06; 1 file, -1/+1
  Notes: svn path=/head/; revision=73842
* Also deny 127.0.0.0/8 going out.
  David E. O'Brien, 2001-03-05; 1 file, -1/+2
  Submitted by: grimes
  Notes: svn path=/head/; revision=73785
* Fix references to Chapman & Zwicky and Cheswick & Bellovin.
  Dag-Erling Smørgrav, 2001-02-25; 1 file, -3/+5
  PR: 24652
  Submitted by: jjreynold@home.com
  Notes: svn path=/head/; revision=73023
* Fix some glaring insecurities in the prototype firewall configurations.
  Nick Sayer, 2001-02-20; 1 file, -8/+4
  pass udp from any 53 to ${oip} allows an attacker to access ANY local port by simply binding his local side to 53. The state keeping mechanism is the correct way to allow DNS replies to go back to their source.
  Notes: svn path=/head/; revision=72772
* Add copyright notices. Other systems have been borrowing our /etc files
  David E. O'Brien, 2000-10-08; 1 file, -2/+29
  w/o giving any credit.
  Notes: svn path=/head/; revision=66830
* Only install `divert natd' rule for predefined firewall types,
  Ruslan Ermilov, 2000-08-30; 1 file, -3/+1
  not when ${firewall_type} is set to a filename, as we know nothing about the user's script specifics.
  Reported by: Bernhard Valenti <bernhard.valenti@gmx.net>
  Notes: svn path=/head/; revision=65257
* Make natd(8) "compatible" with firewall_type="simple".
  Ruslan Ermilov, 2000-08-04; 1 file, -17/+46
  PR: conf/13769, conf/20197
  Notes: svn path=/head/; revision=64244
* Update rev 1.29 -- 'draft-manning-dsua' is now in its 3rd version.
  David E. O'Brien, 2000-07-30; 1 file, -1/+3
  Notes: svn path=/head/; revision=64028
* Add an explicit rule number to natd so you do not end up with two
  Paul Saab, 2000-05-08; 1 file, -1/+1
  rule 100s.
  Submitted by: Jan Koum <jkb@yahoo-inc.com>
  Notes: svn path=/head/; revision=60208
* Add to defaults/rc.conf a new function source_rc_confs which rc
  Sheldon Hearn, 2000-04-27; 1 file, -0/+1
  scripts may use to safely source overrides in ${rc_conf_files} files. This protects users who insist on the bad practice of copying /etc/defaults/rc.conf to /etc/rc.conf from a recursive loop that exhausts available file descriptors.
  Several people have expressed interest in breaking this function out into its own shell script. Anyone who wants to embark on such an undertaking would do well to study the attributed PR.
  PR: 17595
  Reported by: adrian
  Submitted by: Doug Barton <Doug@gorean.org>
  Notes: svn path=/head/; revision=59674
* Back out the hook to execute the file ${firewall_type}. The intended
  Brian S. Dean, 2000-04-27; 1 file, -3/+1
  purpose of the hook was to provide the ability for a shell program to instantiate the firewall rules instead of forcing them to be statically coded. This functionality was already present through the use of ${firewall_script}, and I see no need to keep the ${firewall_type} hook around.
  Reminded by: Dag-Erling Smorgrav <des@freebsd.org>
  Notes: svn path=/head/; revision=59669
* Allow the firewall rules to be established by a shell script instead
  Brian S. Dean, 2000-04-16; 1 file, -1/+3
  of forcing them to be an 'ipfw' rules file. This allows one to determine interface addresses dynamically, etc. The rule is: if the file referenced by ${firewall_type} is executable, it is sourced, but if it is just readable, it is used as input to 'ipfw' like before.
  Notes: svn path=/head/; revision=59270
* Add a firewall_flags option that is used when ipfw processes a file. It allows
  Paul Richards, 2000-02-06; 1 file, -1/+1
  you to run a preprocessor, such as m4, so that you can use macros in your rules file.
  Approved by: jkh
  Notes: svn path=/head/; revision=57014
* Update this with the additional nets recommended by reading
  Rodney W. Grimes, 2000-01-28; 1 file, -14/+26
  draft-manning-dsua-01.txt. Stop using public addresses as samples and use the recommended 192.0.2.0/24 netblock that has specifically been set aside for documentation purposes.
  Reviewed by: readers of freebsd-security did not respond to a request for review
  Notes: svn path=/head/; revision=56736
* Minor whitespace fix.
  David E. O'Brien, 1999-12-04; 1 file, -2/+1
  Notes: svn path=/head/; revision=54108