| #
d0b2dbfa
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| #
7df88b9d
|
| 23-Jul-2020 |
Mark Johnston <markj@FreeBSD.org> |
rc.firewall: Merge two identical conditions into one.
No functional change intended.
PR: 247949 Submitted by: Jose Luis Duran <jlduran@gmail.com> MFC after: 1 week
|
| #
5d8c2d4c
|
| 22-May-2019 |
Emmanuel Vadot <manu@FreeBSD.org> |
pkgbase: Really move rc.firewall
Messed up with git->svn in r348098
|
| #
61e7e50d
|
| 22-Feb-2018 |
Marcelo Araujo <araujo@FreeBSD.org> |
The firewall_type is ignored if not set in rc.conf or rc.conf.local, after r190575 there is an option to call rc.firewall with the firewall_type passed in as an argument.
Submitted by: David P. Discher <dpd@dpdtech.com> MFC after: 3 weeks. Sponsored by: iXsystems Inc. Differential Revision: https://reviews.freebsd.org/D14286
|
| #
c2adbeaa
|
| 29-Jun-2015 |
Julian Elischer <julian@FreeBSD.org> |
Slight tidy up of comments before MFC
MFC after: 2 days
|
| #
ef52ea21
|
| 22-Jun-2015 |
Julian Elischer <julian@FreeBSD.org> |
remove 16 rules and replace by 2 by using a table I've been doing this ever since there were tables could make more efficient by using "in recv" and "out xmit" instead of via but I'll leave that.
MFC after: 1 week
|
| #
7e67dfc9
|
| 20-Oct-2014 |
Hiroki Sato <hrs@FreeBSD.org> |
Fix a typo.
Spotted by: O. Hartmann
|
| #
544d3b85
|
| 17-Oct-2014 |
Hiroki Sato <hrs@FreeBSD.org> |
Add support of "/{udp,tcp,proto}" suffix into $firewall_myservices, which interpreted the listed items as port numbers of TCP services.
A service with no suffix still works and recognized as a TCP service for backward compatibility. It should be updated with /tcp suffix.
PR: 194292 MFC after: 1 week
|
| #
1424b561
|
| 13-Jul-2012 |
Kevin Lo <kevlo@FreeBSD.org> |
Whitespace nit
|
| #
081dc987
|
| 07-Jan-2012 |
Ulrich Spörlein <uqs@FreeBSD.org> |
Spelling fixes for etc/
|
| #
2557f5bf
|
| 14-May-2010 |
Doug Barton <dougb@FreeBSD.org> |
Remove trailing white space. No functional changes.
|
| #
b2a99c9e
|
| 11-Apr-2010 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Fix grammar in comment.
Submitted by: "b. f." <bf1783__at__googlemail.com> MFC after: 3 days
|
| #
296fe257
|
| 08-Apr-2010 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Disambiguate `IPs' to a more specific term.
Submitted by: Garrett Cooper <yanefbsd__at__gmail.com> MFC after: 3 days
|
| #
3bcad5b7
|
| 07-Apr-2010 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
firewall_trusted_ipv6 was gone by r202460. Remove stale comment about it as well.
|
| #
6c1e384c
|
| 17-Jan-2010 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Remove the rules using 'me6'. Now, 'me' matches both any IPv6 address and any IPv4 address configured on an interface in the system.
Reviewed by: David Horn <dhorn2000__at__gmail.com>, luigi, qingli MFC after: 2 weeks
|
| #
7615a7f1
|
| 09-Jan-2010 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
The client type rule allows DHCP, implicitly. Since DHCPv6 uses link-local address unlike with DHCP, we need one more rule to allow the DHCPv6.
Reported by: David Horn <dhorn2000__at__gmail.com>
|
| #
789ad2d4
|
| 07-Jan-2010 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Since the IPv4 rule allows ICMP_TIMXCEED, allow ICMP6_TIME_EXCEEDED as well for workstation type firewall. It makes traceroute6 work.
|
| #
30e7dc3c
|
| 29-Dec-2009 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Add missing me6 rules. Now, the IPv6 rules become equivalent to the IPv4 rules.
Reported by: David Horn <dhorn2000__at__gmail.com>
|
| #
2bba0e1a
|
| 02-Dec-2009 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6 and rc.d/ip6fw.
Reviewed by: dougb, jhb MFC after: 1 month
|
| #
66f8d384
|
| 15-Aug-2008 |
John Baldwin <jhb@FreeBSD.org> |
Allow the network addresses and interface names for the "client" and "workstation" firewall types to be set from rc.conf so that rc.firewall no longer needs local patching to be usable for those types. For now I've set the variables in /etc/defaults/rc.conf to the previous defaults in /etc/rc.firewall.
PR: bin/65258 Submitted by: Valentin Nechayev netch of netch.kiev.ua Silence from: net MFC after: 2 weeks
|
| #
176baffe
|
| 15-Aug-2008 |
John Baldwin <jhb@FreeBSD.org> |
For the "client" and "simple" network types, collapse the separate "net" and "mask" variables into a single "net" variable that contains a full network address (including either a netmask or prefix length at the user's choice). Update the example settings to match.
MFC after: 2 weeks
|
| #
228835b6
|
| 15-Aug-2008 |
John Baldwin <jhb@FreeBSD.org> |
Use 'me' rather than explicit IP addresses for the "simple" and "client" firewall configurations.
PR: bin/65258 Silence on: net@ MFC after: 1 week
|
| #
1f696cd2
|
| 03-Aug-2008 |
Daniel Gerzo <danger@FreeBSD.org> |
- back out my last commit as it seems to be wrong.
Spotted by: das
|
| #
f8c76347
|
| 17-Jul-2008 |
Daniel Gerzo <danger@FreeBSD.org> |
- dns queries might go also over TCP, so allow it.
Approved by: rink MFC after: 1 week
|
| #
02ca5152
|
| 06-Jun-2008 |
Giorgos Keramidas <keramida@FreeBSD.org> |
Tweak rc.firewall to allow incoming limited broadcast traffic, when configured to run in 'client' mode.
PR: conf/15010 Submitted by: Bill Trost, trost at cloud.rain.com Reviewed by: bz MFC after: 2 weeks
|