| Commit message | Author | Age | Files | Lines |
Notes:
svn path=/head/; revision=121881
PR: 44363
Notes:
svn path=/head/; revision=110476
rc.conf(5) and the files' inline documentation.
- Add the "closed"-type, documented in both places, but which did not
exist in the code.
- When provided a ruleset, the system should not make any assumptions
about the site's policy and should add no rules of its own.
- Make the "UNKNOWN" (documented in-line) actually work as advertised,
load no rules.
Prodded by: Igor M Podlesny <poige@morning.ru>
MFC after: 1 week
Notes:
svn path=/head/; revision=91019
This feature has been removed since 4.1 times and it is only a source
of confusion.
Same needs to be done on -stable.
MFC after: 1 day
Notes:
svn path=/head/; revision=88523
rc.firewall6. Specifically, don't do anything
if [ -z ${source_rc_confs_defined} ]. Not doing this leads to a problem
with dependencies: chkdepend will set, e.g., portmap_enable to YES if
some service that needs portmap is enabled, but rc.network sources
rc.firewall, which used to source defaults/rc.conf unconditionally,
which would result in portmap_enable being set back to NO.
PR: 29631
Submitted by: OGAWA Takaya <t-ogawa@triaez.kaisei.org>
Notes:
svn path=/head/; revision=81618
Notes:
svn path=/head/; revision=73842
Submitted by: grimes
Notes:
svn path=/head/; revision=73785
PR: 24652
Submitted by: jjreynold@home.com
Notes:
svn path=/head/; revision=73023
pass udp from any 53 to ${oip}
allows an attacker to access ANY local port by simply binding his local
side to 53. The state keeping mechanism is the correct way to allow DNS
replies to go back to their source.
Notes:
svn path=/head/; revision=72772
w/o giving any credit.
Notes:
svn path=/head/; revision=66830
not when ${firewall_type} is set to a filename, as we know
nothing about user's script specifics.
Reported by: Bernhard Valenti <bernhard.valenti@gmx.net>
Notes:
svn path=/head/; revision=65257
PR: conf/13769, conf/20197
Notes:
svn path=/head/; revision=64244
Notes:
svn path=/head/; revision=64028
rule 100's.
Submitted by: Jan Koum <jkb@yahoo-inc.com>
Notes:
svn path=/head/; revision=60208
scripts may use to source safely overrides in ${rc_conf_files}
files.
This protects users who insist on the bad practice of copying
/etc/defaults/rc.conf to /etc/rc.conf from a recursive loop
that exhausts available file descriptors.
Several people have expressed interest in breaking this function
out into its own shell script. Anyone who wants to embark on
such an undertaking would do well to study the attributed PR.
PR: 17595
Reported by: adrian
Submitted by: Doug Barton <Doug@gorean.org>
Notes:
svn path=/head/; revision=59674
purpose of the hook was to provide the ability for a shell program to
instantiate the firewall rules instead of forcing them to be
statically coded. This functionality was already present through the
use of ${firewall_script}, and I see no need to keep the
${firewall_type} hook around.
Reminded by: Dag-Erling Smorgrav <des@freebsd.org>
Notes:
svn path=/head/; revision=59669
of forcing them to be an 'ipfw' rules file. This allows one to
determine interface addresses dynamically, etc. The rule is if the
file referenced by ${firewall_type} is executable, it is sourced, but
if it is just readable, it is used as input to 'ipfw' like before.
Notes:
svn path=/head/; revision=59270
you to run a preprocessor, such as m4, so that you can use macros in your
rules file.
Approved by: jkh
Notes:
svn path=/head/; revision=57014
draft-manning-dsua-01.txt.
Stop using public addresses as samples and use the recommended
192.0.2.0/24 netblock that has specifically been set aside for
documentation purposes.
Reviewed by: readers of freebsd-security did not respond to a request
for review
Notes:
svn path=/head/; revision=56736
Notes:
svn path=/head/; revision=54108
IP fragments has been changed in src/sys/netinet/ip_fw.c,v 1.78.
Reminded by: "Ronald F. Guilmette" <rfg@monkeys.com>
Notes:
svn path=/head/; revision=52873
enable ARP on filtering bridges.
Notes:
svn path=/head/; revision=52449
Notes:
svn path=/head/; revision=52404
Notes:
svn path=/head/; revision=51805
case instead of test where appropriate, since case is a sh
builtin and (as a side-effect) allows case-insensitivity.
Changes discussed on freebsd-hackers.
Submitted by: Doug Barton <Doug@gorean.org>
Notes:
svn path=/head/; revision=51231
Notes:
svn path=/head/; revision=50472
* All variables are now embraced: ${foo}
* All comparisons against some value now take the form:
[ "${foo}" ? "value" ]
where ? is a comparison operator
* All empty string tests now take the form:
[ -z "${foo}" ]
* All non-empty string tests now take the form:
[ -n "${foo}" ]
Submitted by: jkh
Notes:
svn path=/head/; revision=50357
as necessary (for half-assed upgrades).
Notes:
svn path=/head/; revision=43849
allowed external hosts to send packets to the 127.0.0.0/8 subnet on the
firewall host.
Renumber the lo0 rules to guarantee they appear first.
PR: 6406
Submitted by: Archie Cobbs <archie@whistle.com>
Notes:
svn path=/head/; revision=35444
PR: 6339
Submitted by: cdillon@wolves.k12.mo.us
Notes:
svn path=/head/; revision=35267
PR: 6278
Reviewed by: phk
Submitted by: Ruslan Ermilov <ru@ucb.crimea.ua>
Notes:
svn path=/head/; revision=35207
Notes:
svn path=/head/; revision=33203
Notes:
svn path=/head/; revision=30617
Found by: "James E. Housley" <housley@pr-comm.com>
Notes:
svn path=/head/; revision=29590
Cosmetic changes to the loading of firewall rules and lkm.
Notes:
svn path=/head/; revision=29300
(if firewall = "somefilename").
Fix typo fixes and URLs which were accidentally nuked out of this
file (submitted by: soil@quick.net via PR#3501).
Submitted by: "Danny J. Zerkel" <dzerkel@phofarm.com>
Notes:
svn path=/head/; revision=25478
(gotta get myself -current again, this is a drag).
Also-fixes-problems-noted-by: Wolfgang Helbig & Joerg Wunsch
Notes:
svn path=/head/; revision=25412
Added links to O'Reilly & Associates and Addison-Wesley's web sites
to accompany the book recommendations.
Notes:
svn path=/head/; revision=25203
Notes:
svn path=/head/; revision=25184
Notes:
svn path=/head/; revision=23037
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
Notes:
svn path=/head/; revision=21673
Notes:
svn path=/head/; revision=18045
Notes:
svn path=/head/; revision=17671
Notes:
svn path=/head/; revision=17594
rules from appearing when switching back and forth from single to
multi-user modes.
Notes:
svn path=/head/; revision=16578
make a couple of rules more sensible.
Reviewed by: phk
Submitted by: jmb
Notes:
svn path=/head/; revision=15210
Notes:
svn path=/head/; revision=15027