

Patch from Carlos Villegas <[email protected]>:
- Fixed rejecting for rules using all in ipfilter
- Fixed rejecting for rules using all and tcp in ipfw and ipfw4
- Fixed stateful support in ipfw4 (at least for Mac OS X)
alaunay committed Nov 16, 2002
1 parent b0058e3 commit dfa0c5e
Showing 2 changed files with 90 additions and 14 deletions.
88 changes: 74 additions & 14 deletions src/bsd_ipfw.c
Expand Up @@ -121,11 +121,11 @@ char *interface;
} else {
if (active_translator == TRANSLATOR_IPFW4) {
fprintf(fout,
"$ipfw -f add allow%s %s from %s %s to %s %s out %s %s keep state\n",
"$ipfw -f add allow%s %s from %s %s to %s %s out %s %s keep-state\n",
logit, proto, src, sports, dst,
dports, icmp_code, via);
fprintf(fout,
"$ipfw -f add allow%s %s from %s %s to %s %s in %s %s keep state\n",
"$ipfw -f add allow%s %s from %s %s to %s %s in %s %s keep-state\n",
logit, proto, dst, dports, src,
sports, icmp_code, via);
} else {
Expand Down Expand Up @@ -176,12 +176,35 @@ char *interface;
logit, proto, dst, dports, src, sports, icmp_code, via);
break;
case REJECT_ALL:
fprintf(fout,
"$ipfw -f add reject%s %s from %s %s to %s %s out %s %s\n",
logit, proto, src, sports, dst, dports, icmp_code, via);
fprintf(fout,
"$ipfw -f add reject%s %s from %s %s to %s %s in %s %s\n",
logit, proto, dst, dports, src, sports, icmp_code, via);
/* Add an additional rule to correctly reject tcp when rejecting all */
if ( !strcmp(proto, "all") )
{
fprintf(fout,
"$ipfw -f add reset%s tcp from %s %s to %s %s out %s %s\n",
logit, src, sports, dst, dports, icmp_code, via);
fprintf(fout,
"$ipfw -f add reset%s tcp from %s %s to %s %s in %s %s\n",
logit, dst, dports, src, sports, icmp_code, via);
}
/* Correctly reject tcp */
if ( !strcmp(proto, "tcp") )
{
fprintf(fout,
"$ipfw -f add reset%s %s from %s %s to %s %s out %s %s\n",
logit, proto, src, sports, dst, dports, icmp_code, via);
fprintf(fout,
"$ipfw -f add reset%s %s from %s %s to %s %s in %s %s\n",
logit, proto, dst, dports, src, sports, icmp_code, via);
}
else
{
fprintf(fout,
"$ipfw -f add reject%s %s from %s %s to %s %s out %s %s\n",
logit, proto, src, sports, dst, dports, icmp_code, via);
fprintf(fout,
"$ipfw -f add reject%s %s from %s %s to %s %s in %s %s\n",
logit, proto, dst, dports, src, sports, icmp_code, via);
}
break;
case DENY_OUT:
fprintf(fout,
Expand All @@ -194,14 +217,48 @@ char *interface;
logit, proto, dst, dports, src, sports, icmp_code, via);
break;
case REJECT_OUT:
fprintf(fout,
"$ipfw -f add reject%s %s from %s %s to %s %s out %s %s\n",
logit, proto, src, sports, dst, dports, icmp_code, via);
/* Add an additional rule to correctly reject tcp when rejecting all */
if ( !strcmp(proto, "all") )
{
fprintf(fout,
"$ipfw -f add reset%s tcp from %s %s to %s %s out %s %s\n",
logit, src, sports, dst, dports, icmp_code, via);
}
/* Correctly reject tcp */
if ( !strcmp(proto, "tcp") )
{
fprintf(fout,
"$ipfw -f add reset%s %s from %s %s to %s %s out %s %s\n",
logit, proto, src, sports, dst, dports, icmp_code, via);
}
else
{
fprintf(fout,
"$ipfw -f add reject%s %s from %s %s to %s %s out %s %s\n",
logit, proto, src, sports, dst, dports, icmp_code, via);
}
break;
case REJECT_IN:
fprintf(fout,
"$ipfw -f add reject%s %s from %s %s to %s %s in %s %s\n",
logit, proto, dst, dports, src, sports, icmp_code, via);
/* Add an additional rule to correctly reject tcp when rejecting all */
if ( !strcmp(proto, "all") )
{
fprintf(fout,
"$ipfw -f add reset%s tcp from %s %s to %s %s in %s %s\n",
logit, dst, dports, src, sports, icmp_code, via);
}
/* Correctly reject tcp */
if ( !strcmp(proto, "tcp") )
{
fprintf(fout,
"$ipfw -f add reset%s %s from %s %s to %s %s in %s %s\n",
logit, proto, dst, dports, src, sports, icmp_code, via);
}
else
{
fprintf(fout,
"$ipfw -f add reject%s %s from %s %s to %s %s in %s %s\n",
logit, proto, dst, dports, src, sports, icmp_code, via);
}
break;
}
free(via);
Expand All @@ -220,6 +277,9 @@ int translate_bsd_ipfw_start(FILE * output_file)

fprintf(fout, "ipfw=\"/sbin/ipfw -q\"\n\n");
fprintf(fout, "$ipfw -f flush\n\n");

fprintf(fout, "$ipfw -f add check-state\n\n");

return 0;
}

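Review bot: In the REJECT_ALL hunk the new code is correct only because of emission order — for proto `all` the two `reset tcp` rules are written before the `reject all` rules of the else branch, and ipfw acts on the first rule that matches — yet the comment only says an extra rule is added, and the two back-to-back `if` statements read like an else-if chain at first glance. The same `all`/`tcp`/else split is then repeated with only the direction changed in REJECT_OUT and REJECT_IN, leaving a dozen near-identical fprintf calls that must be kept in sync. A small static helper taking the direction keyword would carry the ordering comment in one place and reduce each case to one or two calls, as sketched below (the enclosing function, including where `proto` and the endpoint strings come from, starts and ends outside the hunk). Separately, the `check-state` rule added in translate_bsd_ipfw_start is emitted regardless of active_translator, while the `keep-state` rules in the first hunk are only generated under TRANSLATOR_IPFW4; as far as the hunk shows that is harmless, but a one-line comment saying it is intentional would save the next reader the question.
```c
/* Emit the rules that reject `proto` in direction `dir` ("in" or "out").
 * ipfw acts on the first matching rule, so for "all" the tcp reset rule
 * must be written before the catch-all reject rule. */
static void
emit_reject(FILE *fout, const char *dir, const char *logit, const char *proto,
	    const char *from, const char *fports, const char *to,
	    const char *tports, const char *icmp_code, const char *via)
{
	if (!strcmp(proto, "all") || !strcmp(proto, "tcp"))
		fprintf(fout,
		    "$ipfw -f add reset%s tcp from %s %s to %s %s %s %s %s\n",
		    logit, from, fports, to, tports, dir, icmp_code, via);
	if (strcmp(proto, "tcp"))
		fprintf(fout,
		    "$ipfw -f add reject%s %s from %s %s to %s %s %s %s %s\n",
		    logit, proto, from, fports, to, tports, dir, icmp_code, via);
}

/* … unchanged: earlier cases of the switch … */
case REJECT_ALL:
	emit_reject(fout, "out", logit, proto, src, sports, dst, dports, icmp_code, via);
	emit_reject(fout, "in", logit, proto, dst, dports, src, sports, icmp_code, via);
	break;
/* … REJECT_OUT and REJECT_IN become the single matching call each … */
```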
16 changes: 16 additions & 0 deletions src/ipfilter.c
Expand Up @@ -174,6 +174,14 @@ char *interface;
logit, via, p, dst, dports, src, sports, icmp_code);
break;
case REJECT_ALL:
/* If protocol is all, add decent rejecting rules for tcp
Carlos */
if (!strcmp(proto, "all"))
{
fprintf(fout,
"block return-rst in%s quick %s proto tcp from %s %s to %s %s %s\n",
logit, via, dst, dports, src, sports, icmp_code);
}
if (!strcmp(proto, "tcp"))
fprintf(fout,
"block return-rst in%s quick %s %s from %s %s to %s %s %s\n",
Expand Down Expand Up @@ -202,6 +210,14 @@ char *interface;
logit, via, p, src, sports, dst, dports, icmp_code);
break;
case REJECT_IN:
/* If protocol is all, add decent rejecting rules for tcp
Carlos */
if (!strcmp(proto, "all"))
{
fprintf(fout,
"block return-rst in%s quick %s proto tcp from %s %s to %s %s %s\n",
logit, via, dst, dports, src, sports, icmp_code);
}
if (!strcmp(proto, "tcp"))
fprintf(fout,
"block return-rst in%s quick %s %s from %s %s to %s %s %s\n",
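Review bot: The comment heading the new REJECT_ALL block ("add decent rejecting rules for tcp / Carlos") explains neither why the extra rule is needed nor why its position matters; every rule emitted here is `quick`, so the first match wins and the `return-rst ... proto tcp` line only takes effect because it is written before the generic reject for `all` that presumably follows further down the case. Suggest replacing it with `/* "all" includes tcp: emit a quick return-rst for tcp first so TCP peers get a RST rather than the generic reject below (quick: first match wins) */`; the author's name is already in the commit record and does not belong in the comment. The identical block is pasted into REJECT_IN in the second hunk, so the same comment applies there. Note also that the REJECT_ALL variant only emits the `in` direction although the case rejects both ways; if ipfilter's return-rst is only meaningful on `in` rules that is fine, but a short comment saying so would prevent someone "fixing" it later. The rest of both cases continues past the hunk.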
