summaryrefslogtreecommitdiff
path: root/usr.sbin/authpf
AgeCommit message (Collapse)Author
2005-09-23default port for ftp-proxy is 8021;Jason McIntyre
from johnb (pr #4520); ok deraadt@ ian@
2005-05-23useless endpwentHenning Brauer
2005-05-12Xr securelevel 7Jason McIntyre
from tamas tevesz;
2005-05-02more setres[ug]id; ok deraadt@Damien Miller
2005-02-10Minor punctuation nit.Joel Knight
ok henning@
2005-01-31warn(3) + _exit(2) instead of err(3) in the forked childHenning Brauer
From: Andrey Matveev <andrushock@korovino.net>
2005-01-31-Wsign-compare clean, Andrey Matveev <andrushock@korovino.net>Henning Brauer
2005-01-04simplified FILTER AND TRANSLATION RULES;Jason McIntyre
from michael knudsen;
2004-09-16ftruncate() with ftello() instead of ftell(); ok millertTheo de Raadt
2004-09-15AllowTcpForwarding should be disabled for authpf users;Jason McIntyre
plus a typo; from michael knudsen; ok beck@
2004-08-15document the use of "authpf/*" as anchor name for pf to processCan Erkin Acar
sub rulesets added by authpf. ok dhartmei@, oh yes! henning@
2004-08-08spacingTheo de Raadt
2004-06-14Use new ioctls. ok beck@ henning@Cedric Berger
2004-06-07consistently refer to the authpf_users table;Jason McIntyre
noticed by die tuere; ok beck@
2004-05-21Use '/' instead of ':' as separator for anchor path components. Note thatDaniel Hartmeier
the parser now needs quotes around paths containing separators. ok mcbride@
2004-05-19Allow recursive anchors (anchors within anchors, up to 64Daniel Hartmeier
levels deep). More work required, but this is already functional. authpf users will need to adjust their anchor calls, but this will change again soon. ok beck@, cedric@, henning@, mcbride@
2004-05-13as the authpf manpage describes, the connecting user's shell can beHenning Brauer
overloaded via login.conf. When verifying that the user's login shell is indeed authpf it is not sufficient to look at (struct passwd)->pw_shell, we also have to use login_getclass etc to check wether the shell gets overloaded. ok millert@ beck@
2004-04-28kill whitespace and make example consistent w/ rest of page;Jason McIntyre
2004-04-28speed up -> sped up, from tedu@, ok beck@Cedric Berger
2004-04-28Put authpf user's IP addresses in the <authpf_users> table.Cedric Berger
ok deraadt@ dhartmei@ markus@ mcbride@
2004-04-28IPv6 support; ok beck@Damien Miller
2004-04-25clean; ok beckTheo de Raadt
2004-04-25Make authpf exec pfctl instead of sucking in code from pfctlBob Beck
ok cedric@
2004-04-09Do not try to load directories. found+ok mpech@Cedric Berger
2004-01-29MORE BULLSHIT BECAUSE THIS PIECE OF SHIT IS INTERTWINED WITH PFCTLTheo de Raadt
2004-01-13handle ruleset names containing usernames, fixes PR 3627, ok BobDaniel Hartmeier
2003-12-15Add initial support for pf state synchronization over the network.Ryan Thomas McBride
Implemented as an in-kernel multicast IP protocol. Turn it on like this: # ifconfig pfsync0 up syncif fxp0 There is not yet any authentication on this protocol, so the syncif must be on a trusted network. ie, a crossover cable between the two firewalls. NOTABLE CHANGES: - A new index based on a unique (creatorid, stateid) tuple has been added to the state tree. - Updates now appear on the pfsync(4) interface; multiple updates may be compressed into a single update. - Applications which use bpf on pfsync(4) will need modification; packets on pfsync no longer contains regular pf_state structs, but pfsync_state structs which contain no pointers. Much more to come. ok deraadt@
2003-12-10- fix a few exit cases that would exit with no logBob Beck
- add username to added ruleset names when possible - add much needed example to man page showing how to use NAT with tagging to track NATed authpfed connections. ok henning@ dhartmei@, man page cleanup by jmc@
2003-11-20remove -Werror from userland builds, to give us a chance toAnil Madhavapeddy
use more verbose warning options if desired. ok millert@, henning@, david@
2003-11-14catch up with pfctl changesHenning Brauer
2003-09-26Rearchitecture of the userland/kernel IOCTL interface for transactions.Cedric Berger
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remain in the kernel). Basically, improvements are: - Anchors/Rulesets cannot disappear unexpectedly anymore. - No more leftover in the kernel if "pfctl -f" fail. - Commit is now done in a single atomic IOCTL. WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel. The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded): - DIOCBEGINRULES - DIOCCOMMITRULES - DIOCBEGINALTQS - DIOCCOMMITALTQS - DIOCRINABEGIN - DIOCRINADEFINE They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets: - DIOCXBEGIN - DIOCXCOMMIT - DIOCXROLLBACK Ok dhartmei@ mcbride@
2003-09-26erm, committing to teh right repository helps sometimes.Henning Brauer
don't reject usernames > 15 chars; username is not used as ruleset name any more, thus, this restriction is gone. PR3491, fix from dhartmei
2003-08-21stuff needed for passive OS fingerprinting PF rulesMike Frantzen
2003-08-17damn liesHenning Brauer
2003-08-04ClientAliveInterval requires Protocol 2;Jason McIntyre
noted by Marc Revial on misc@; ok markus@
2003-08-01tickets are now u_int32_t, not int, fixes tree breakage; from Andrey SmaginTodd C. Miller
2003-07-11Better parsing and -v support for tables:Cedric Berger
- remove the tableaddrs and tableaddr yacc production and reuse host_list instead. - produce better error messages. - do not load addresses from external file when it is not required (like with -R option). - store initializers in a new node_tinit linked list before putting them into the address buffer (see next point). - add a new print_tabledef() function, which makes "pfctl -nvf" print something useful for table definitions, which in turn makes it possible to write better regress tests (see first chunk of the diff) and bring table definition consistant with other parsed rules. ok dhartmei@
2003-07-08Fix a bug that caused removal of previous users' rules when more then oneDaniel Hartmeier
user loggged in concurrently. And fix a smaller bug which prevented complete removal of a user's state entries on logout. Bug report and testing by Ed Powers.
2003-07-03Bye bye atexit(), bye bye globals...Cedric Berger
The pfctl.c part will probably need some further improvements. ok henning@
2003-07-03This patch finally cleanup pfctl_table.c. No more global buffer,Cedric Berger
and a couple of parsing functions moved to parse.y or pfctl_parser where they belong. I also took the opportunity to replace "void" functions with exit(1) or err() inside by "int" functions, with the caller checking the return value for errors (much cleaner and an old request from Theo) ok dhartmei@ henning@
2003-06-28() to (void)Theo de Raadt
2003-06-27/etc/authpf.allow -> /etc/authpf/authpf.allow in commentsHenning Brauer
spotted by Joel Knight again
2003-06-24cleanTheo de Raadt
2003-06-24(long)getpid(); andrushock@korovino.netTheo de Raadt
2003-06-23authpf can handle binat nowadays; from Joel KnightHenning Brauer
ok daniel
2003-06-12- section reorderJason McIntyre
- macro fixes - kill whitespace at EOL - new sentence, new line
2003-06-03remove term 3, with permission from Chris Kuethe for pathnames.hBob Beck
2003-05-10Be polite about leaving invalid data around in globals, just in caseChad Loder
someone comes along later, modifies the code, and runs into a problem. OK beck@
2003-05-10catch up with pfctl changesHenning Brauer
2003-04-30Allow tables to be loaded into anchors.Cedric Berger
Most pfctl table commands (excluding 'show' and 'flush') support the "-a" modifier. ok dhartmei@