Allow a compile-time override of the ipfw deny rule. For a 'firewall'
you don't want this (and the documentation explains why), but if you use ipfw as a casual, as-needed filter which normally runs as 'allow all', then having the kernel and /sbin/ipfw get out of sync is a *MAJOR* pain in the behind. PR: 4141 Submitted by: Heikki Suonsivu <hsu@mail.clinet.fi>
This commit is contained in:
parent
10a91a42fc
commit
ffdd472de7
5 changed files with 45 additions and 12 deletions
|
|
@ -2,7 +2,7 @@
|
|||
# LINT -- config file for checking all the sources, tries to pull in
|
||||
# as much of the source tree as it can.
|
||||
#
|
||||
# $Id: LINT,v 1.362 1997/09/04 23:03:09 yokota Exp $
|
||||
# $Id: LINT,v 1.363 1997/09/09 12:40:53 jmg Exp $
|
||||
#
|
||||
# NB: You probably don't want to try running a kernel built from this
|
||||
# file. Instead, you should start from GENERIC, and add options from
|
||||
|
|
@ -368,6 +368,13 @@ pseudo-device tun 1 #Tunnel driver(user process ppp)
|
|||
# conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
|
||||
# logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
|
||||
# limits the number of times a matching entry can be logged.
|
||||
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
|
||||
# allow everything. Use with care, if a cracker can crash your
|
||||
# firewall machine, they can get to your protected machines. However,
|
||||
# if you are using it as an as-needed filter for specific problems as
|
||||
# they arise, then this may be for you. Changing the default to 'allow'
|
||||
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
|
||||
# out of sync.
|
||||
#
|
||||
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
|
||||
#
|
||||
|
|
@ -379,6 +386,7 @@ options IPFIREWALL #firewall
|
|||
options IPFIREWALL_VERBOSE #print information about
|
||||
# dropped packets
|
||||
options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
|
||||
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by defalt
|
||||
options IPDIVERT #divert sockets
|
||||
options TCPDEBUG
|
||||
|
||||
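Review bot: The added option line `options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by defalt` misspells "default"; the same line appears in the other two LINT sections of this commit. Change it to `options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default`. The accompanying comment block already states the consequence of a default-accept build (a crashed firewall host exposes the machines behind it), so no further wording is needed there.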
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# $Id: options,v 1.31 1997/06/04 16:44:22 pst Exp $
|
||||
# $Id: options,v 1.32 1997/08/19 17:05:23 peter Exp $
|
||||
|
||||
# Format:
|
||||
# Option name filename
|
||||
|
|
@ -98,5 +98,6 @@ MROUTING opt_mrouting.h
|
|||
IPFIREWALL opt_ipfw.h
|
||||
IPFIREWALL_VERBOSE opt_ipfw.h
|
||||
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
|
||||
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
|
||||
PPP_BSDCOMP opt_ppp.h
|
||||
PPP_DEFLATE opt_ppp.h
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# LINT -- config file for checking all the sources, tries to pull in
|
||||
# as much of the source tree as it can.
|
||||
#
|
||||
# $Id: LINT,v 1.362 1997/09/04 23:03:09 yokota Exp $
|
||||
# $Id: LINT,v 1.363 1997/09/09 12:40:53 jmg Exp $
|
||||
#
|
||||
# NB: You probably don't want to try running a kernel built from this
|
||||
# file. Instead, you should start from GENERIC, and add options from
|
||||
|
|
@ -368,6 +368,13 @@ pseudo-device tun 1 #Tunnel driver(user process ppp)
|
|||
# conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
|
||||
# logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
|
||||
# limits the number of times a matching entry can be logged.
|
||||
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
|
||||
# allow everything. Use with care, if a cracker can crash your
|
||||
# firewall machine, they can get to your protected machines. However,
|
||||
# if you are using it as an as-needed filter for specific problems as
|
||||
# they arise, then this may be for you. Changing the default to 'allow'
|
||||
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
|
||||
# out of sync.
|
||||
#
|
||||
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
|
||||
#
|
||||
|
|
@ -379,6 +386,7 @@ options IPFIREWALL #firewall
|
|||
options IPFIREWALL_VERBOSE #print information about
|
||||
# dropped packets
|
||||
options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
|
||||
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by defalt
|
||||
options IPDIVERT #divert sockets
|
||||
options TCPDEBUG
|
||||
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# LINT -- config file for checking all the sources, tries to pull in
|
||||
# as much of the source tree as it can.
|
||||
#
|
||||
# $Id: LINT,v 1.362 1997/09/04 23:03:09 yokota Exp $
|
||||
# $Id: LINT,v 1.363 1997/09/09 12:40:53 jmg Exp $
|
||||
#
|
||||
# NB: You probably don't want to try running a kernel built from this
|
||||
# file. Instead, you should start from GENERIC, and add options from
|
||||
|
|
@ -368,6 +368,13 @@ pseudo-device tun 1 #Tunnel driver(user process ppp)
|
|||
# conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
|
||||
# logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
|
||||
# limits the number of times a matching entry can be logged.
|
||||
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
|
||||
# allow everything. Use with care, if a cracker can crash your
|
||||
# firewall machine, they can get to your protected machines. However,
|
||||
# if you are using it as an as-needed filter for specific problems as
|
||||
# they arise, then this may be for you. Changing the default to 'allow'
|
||||
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
|
||||
# out of sync.
|
||||
#
|
||||
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
|
||||
#
|
||||
|
|
@ -379,6 +386,7 @@ options IPFIREWALL #firewall
|
|||
options IPFIREWALL_VERBOSE #print information about
|
||||
# dropped packets
|
||||
options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
|
||||
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by defalt
|
||||
options IPDIVERT #divert sockets
|
||||
options TCPDEBUG
|
||||
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
*
|
||||
* This software is provided ``AS IS'' without any warranties of any kind.
|
||||
*
|
||||
* $Id: ip_fw.c,v 1.61 1997/08/06 00:19:05 alex Exp $
|
||||
* $Id: ip_fw.c,v 1.62 1997/08/23 14:28:22 alex Exp $
|
||||
*/
|
||||
|
||||
/*
|
||||
|
|
@ -936,18 +936,23 @@ ip_fw_ctl(int stage, struct mbuf **mm)
|
|||
void
|
||||
ip_fw_init(void)
|
||||
{
|
||||
struct ip_fw deny;
|
||||
struct ip_fw default_rule;
|
||||
|
||||
ip_fw_chk_ptr = ip_fw_chk;
|
||||
ip_fw_ctl_ptr = ip_fw_ctl;
|
||||
LIST_INIT(&ip_fw_chain);
|
||||
|
||||
bzero(&deny, sizeof deny);
|
||||
deny.fw_prot = IPPROTO_IP;
|
||||
deny.fw_number = (u_short)-1;
|
||||
deny.fw_flg |= IP_FW_F_DENY;
|
||||
deny.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
|
||||
if (check_ipfw_struct(&deny) == NULL || add_entry(&ip_fw_chain, &deny))
|
||||
bzero(&default_rule, sizeof default_rule);
|
||||
default_rule.fw_prot = IPPROTO_IP;
|
||||
default_rule.fw_number = (u_short)-1;
|
||||
#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
|
||||
default_rule.fw_flg |= IP_FW_F_ACCEPT;
|
||||
#else
|
||||
default_rule.fw_flg |= IP_FW_F_DENY;
|
||||
#endif
|
||||
default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
|
||||
if (check_ipfw_struct(&default_rule) == NULL ||
|
||||
add_entry(&ip_fw_chain, &default_rule))
|
||||
panic(__FUNCTION__);
|
||||
|
||||
printf("IP packet filtering initialized, "
|
||||
|
|
@ -956,6 +961,9 @@ ip_fw_init(void)
|
|||
#else
|
||||
"divert disabled, ");
|
||||
#endif
|
||||
#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
|
||||
printf("default to accept, ");
|
||||
#endif
|
||||
#ifndef IPFIREWALL_VERBOSE
|
||||
printf("logging disabled\n");
|
||||
#else
|
||||
|
|
|
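Review bot: The `#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT` block in ip_fw_init selects the action of the rule every packet falls through to, but nothing at that site says the option flips the filter from fail-closed to fail-open; a reader of ip_fw.c alone learns that only from LINT. I would add above the `#ifdef`: `/* Final catch-all rule: deny unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, in which case unmatched packets pass (fail-open; see LINT). */`. The `printf("default to accept, ")` added in the second hunk appears to be the only runtime indication of which build is running, so it is worth keeping as-is. ip_fw_init's body continues outside the hunk.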
|||