author | edwin <edwin@FreeBSD.org> | 2003-09-28 21:27:06 +0800 |
committer | edwin <edwin@FreeBSD.org> | 2003-09-28 21:27:06 +0800 |
commit | 39560db23498cb01c8f7b0173672a5d5f7e2339d (patch) | |
tree | d9c42661a6ff190257eb67d14531d49796fb879a /security | |
parent | 961f1950b0e85bfc7e94188b75b4ec206e7f92d3 (diff) | |
Update port: security/pf - OpenBSD 3.4 pf
Port update after API change in PFIL_HOOKS in -current and
OpenBSD 3.4 Release.
PR: ports/57305
Submitted by: Max Laier <max@love2party.net>
Diffstat (limited to 'security')
-rw-r--r-- | security/pf/Makefile | 70 | ||||
-rw-r--r-- | security/pf/distinfo | 2 | ||||
-rw-r--r-- | security/pf/files/patch-aa | 41 | ||||
-rw-r--r-- | security/pf/files/patch-ab | 77 | ||||
-rw-r--r-- | security/pf/files/patch-ac | 53 | ||||
-rw-r--r-- | security/pf/files/patch-ad | 161 | ||||
-rw-r--r-- | security/pf/files/patch-ae | 13 | ||||
-rw-r--r-- | security/pf/files/patch-af | 19 | ||||
-rw-r--r-- | security/pf/files/patch-ag | 383 | ||||
-rw-r--r-- | security/pf/files/pf-port.diff | 1523 | ||||
-rw-r--r-- | security/pf/files/pf.conf.default | 6 | ||||
-rw-r--r-- | security/pf/files/pf.os.default | 551 | ||||
-rw-r--r-- | security/pf/pkg-plist | 14 |
13 files changed, 2179 insertions, 734 deletions
diff --git a/security/pf/Makefile b/security/pf/Makefile
index c28667dbc1ff..c1498e873e5a 100644
--- a/security/pf/Makefile
+++ b/security/pf/Makefile
@@ -6,8 +6,7 @@
 #
 PORTNAME= pf_freebsd
-PORTVERSION= 1.0
-PORTREVISION= 7
+PORTVERSION= 1.65
 CATEGORIES= security ipv6
 MASTER_SITES= http://pf4freebsd.love2party.net/
 .if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
@@ -24,11 +23,12 @@ IS_INTERACTIVE= yes
 STARTUP_SCRIPT= ${PREFIX}/etc/rc.d/pf.sh.sample
 SAMPLE_CONFIG= ${PREFIX}/etc/pf.conf.default
+SAMPLE_PFOS= ${PREFIX}/etc/pf.os
 MAN1= pftcpdump.1
 MAN4= pf.4 pflog.4 pfsync.4
-MAN5= pf.conf.5
-MAN8= ftp-proxy.8 pfctl.8 pflogd.8 pftop.8
+MAN5= pf.conf.5 pf.os.5
+MAN8= ftp-proxy.8 pfctl.8 pflogd.8
 MANCOMPRESSED= maybe
@@ -57,54 +57,72 @@ IGNORE= "Kernel source files required" .if !defined(WITH_ALTQ) || (${WITH_ALTQ} != "yes") pre-fetch: - @${ECHO_CMD} "=======================================================" - @${ECHO_CMD} "* If you have ALTQ support from: *" - @${ECHO_CMD} "* http://www.rofug.ro/projects/freebsd-altq/ *" - @${ECHO_CMD} "* You can may define WITH_ALTQ=yes to make use of it *" - @${ECHO_CMD} "* Please define SYS_ALTQ to point to the patched src *" - @${ECHO_CMD} "* *" - @${ECHO_CMD} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=${SRC_BASE}/sys.altq *" - @${ECHO_CMD} "* *" - @${ECHO_CMD} "=======================================================" + @${ECHO_MSG} "=======================================================" + @${ECHO_MSG} "* If you have ALTQ support from: *" + @${ECHO_MSG} "* http://www.nipsi.de/altq/index.html *" + @${ECHO_MSG} "* You can may define WITH_ALTQ=yes to make use of it *" + @${ECHO_MSG} "* Please define SYS_ALTQ to point to the patched src *" + @${ECHO_MSG} "* *" + @${ECHO_MSG} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=/usr/src/sys.altq *" + @${ECHO_MSG} "* *" + @${ECHO_MSG} "=======================================================" @sleep 2 .endif -pre-install: +post-patch: + @${CP} ${WRKSRC}/pfctl/pfctl_parser.h \ + ${WRKSRC}/pfctl/pfctl_parser.h.orig + @${SED} -e 's!%%PREFIX%%!${PREFIX}!' \ + ${WRKSRC}/pfctl/pfctl_parser.h.orig > \ + ${WRKSRC}/pfctl/pfctl_parser.h +pre-su-install: ${MKDIR} ${KMODDIR} ${MKDIR} ${PREFIX}/include/pf ${MKDIR} ${PREFIX}/include/pf/net +.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes") + ${MKDIR} ${PREFIX}/include/pf/altq +.endif .if !defined(BATCH) && !defined(PACKAGE_BUILDING) @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL .endif post-install: - ${ECHO} "Installing include files ..." + ${ECHO_MSG} "Installing include files ..." 
${INSTALL_DATA} ${WRKSRC}/include/net/pfvar.h \ - ${PREFIX}/include/pf/net + ${PREFIX}/include/pf/net ${INSTALL_DATA} ${WRKSRC}/include/net/if_pflog.h \ - ${PREFIX}/include/pf/net + ${PREFIX}/include/pf/net ${INSTALL_DATA} ${WRKSRC}/include/net/if_pfsync.h \ - ${PREFIX}/include/pf/net + ${PREFIX}/include/pf/net +.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes") + ${INSTALL_DATA} ${WRKSRC}/include/altq/*.h \ + ${PREFIX}/include/pf/altq +.endif @if [ -f ${WRKSRC}/man/pf.4.gz ]; then \ - ${ECHO} "Installing pftcpdump(1) man page."; \ + ${ECHO_MSG} "Installing pftcpdump(1) man page."; \ ${GZIP_CMD} -cn ${WRKSRC}/freebsd_tcpdump/tcpdump.1 > \ ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz ; \ ${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz \ - ${PREFIX}/man/man1/pftcpdump.1.gz ; \ + ${PREFIX}/man/man1/pftcpdump.1.gz ; \ else \ - ${ECHO} "Installing pftcpdump(1) man page."; \ + ${ECHO_MSG} "Installing pftcpdump(1) man page."; \ ${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1 \ - ${PREFIX}/man/man1/pftcpdump.1 ; \ + ${PREFIX}/man/man1/pftcpdump.1 ; \ fi @if [ ! -f ${STARTUP_SCRIPT} ]; then \ - ${ECHO} "Installing ${STARTUP_SCRIPT} startup file." ; \ + ${ECHO_MSG} "Installing ${STARTUP_SCRIPT} startup file." ; \ ${INSTALL_SCRIPT} ${FILESDIR}/pf.sh.sample \ - ${STARTUP_SCRIPT} ; \ + ${STARTUP_SCRIPT} ; \ fi @if [ ! -f ${SAMPLE_CONFIG} ]; then \ - ${ECHO} "Installing ${SAMPLE_CONFIG} config file." ; \ + ${ECHO_MSG} "Installing ${SAMPLE_CONFIG} config file." ; \ ${INSTALL_DATA} ${FILESDIR}/pf.conf.default \ - ${SAMPLE_CONFIG}; \ + ${SAMPLE_CONFIG}; \ + fi + @if [ ! -f ${SAMPLE_PFOS} ]; then \ + ${ECHO_MSG} "Installing ${SAMPLE_PFOS} config file."; \ + ${INSTALL_DATA} ${FILESDIR}/pf.os.default \ + ${SAMPLE_PFOS}; \ fi ${SED} -e 's!%%PREFIX%%!${PREFIX}!' ${PKGMESSAGE} diff --git a/security/pf/distinfo b/security/pf/distinfo index 38a8f2633367..fa00347b1c11 100644 --- a/security/pf/distinfo +++ b/security/pf/distinfo 
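Review bot: `SAMPLE_PFOS` installs `${FILESDIR}/pf.os.default` straight into the live `${PREFIX}/etc/pf.os` path and only when that file is absent, which differs from `SAMPLE_CONFIG` (a `.default` file) and means an upgraded port never refreshes the fingerprint database that pfctl now reads from `%%PREFIX%%/etc/pf.os` via patch-ab. Installing the sample unconditionally as `${PREFIX}/etc/pf.os.default` and copying it to `pf.os` only when missing keeps the shipped copy under package control while still preserving local edits; that presumably also needs a pkg-plist entry, which is not visible here. A second point is the `post-patch` target: it copies `pfctl_parser.h` over `pfctl_parser.h.orig` before running sed, clobbering any backup patch(1) may have left, and `${REINPLACE_CMD}` would do the substitution in place if the ports framework in use provides it. Since the `PORTVERSION` bump in this file is what retires the locally carried pf_norm.c fragment-handling fixes (patch-ae, patch-af and patch-ag are deleted in this commit), confirm the 1.65 distribution already contains them before they are dropped. Also `"* You can may define WITH_ALTQ=yes to make use of it *"` carries over a typo; `"* You may define WITH_ALTQ=yes to make use of it *"` reads better.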
@@ -1 +1 @@ -MD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e +MD5 (pf_freebsd_1.65.tar.gz) = 6956f275a7b971ab07f4ee8e0bdd83e0 diff --git a/security/pf/files/patch-aa b/security/pf/files/patch-aa index 24724598f4fb..f1a35d32cee9 100644 --- a/security/pf/files/patch-aa +++ b/security/pf/files/patch-aa @@ -1,32 +1,11 @@ ---- freebsd_tcpdump/print-pflog.c.orig Fri Jun 13 18:14:50 2003 -+++ freebsd_tcpdump/print-pflog.c Fri Jun 13 18:15:39 2003 -@@ -64,7 +64,9 @@ - u_int length = h->len; - u_int caplen = h->caplen; - const struct ip *ip; -+#ifdef INET6 - const struct ip6_hdr *ip6; -+#endif - const struct pfloghdr *hdr; - u_short res; - char reason[128], *why; -@@ -129,13 +131,16 @@ - if (xflag) - default_print((const u_char *)ip, - caplen - PFLOG_HDRLEN); -- } else { -+ } -+#ifdef INET6 -+ else { - ip6 = (struct ip6_hdr *)(p + PFLOG_HDRLEN); - ip6_print((const u_char *)ip6, length); - if (xflag) - default_print((const u_char *)ip6, - caplen - PFLOG_HDRLEN); - } -+#endif +--- Makefile.orig Sat Sep 27 10:17:32 2003 ++++ Makefile Sat Sep 27 10:17:46 2003 +@@ -6,7 +6,7 @@ + SUBDIR= libpcap + .endif + +-SUBDIR+= pfctl authpf ftp-proxy man pf pflog pfsync ++SUBDIR+= pfctl ftp-proxy man pf pflog pfsync + + .include "include/mk/util.mk" - out: - putchar('\n'); - - diff --git a/security/pf/files/patch-ab b/security/pf/files/patch-ab index 0355d57ac1cd..630ae913fb4e 100644 --- a/security/pf/files/patch-ab +++ b/security/pf/files/patch-ab 
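Review bot: The rewritten patch-aa drops `authpf` from the `SUBDIR+=` list without the commit message saying why, so a later maintainer cannot tell whether it was deliberate. A one-line note above the `---` header in the patch file (patch(1) skips leading text), e.g. `# authpf not built: <reason>`, would record it. The previous print-pflog.c `#ifdef INET6` guards are removed entirely here, presumably because the 1.65 distribution carries them upstream; confirm that before dropping them.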
@@ -1,70 +1,11 @@ ---- pf/pf_support.h Mon Apr 14 05:54:15 2003 -+++ pf/pf_support.h Tue Jun 17 14:26:33 2003 -@@ -16,10 +16,16 @@ - * Original numbers changed from 11, 12, 13. - * sys/mbuf.h - */ --#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */ --#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */ --#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */ --#define PACKET_TAG_PF_QID 22 /* PF queue id */ -+#if defined(PACKET_TAG_MACLABEL) -+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL) -+#else -+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD) -+#endif -+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1) -+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2) -+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3) -+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4) -+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5) +--- pfctl/pfctl_parser.h.orig Sat Sep 27 10:39:47 2003 ++++ pfctl/pfctl_parser.h Sat Sep 27 10:40:21 2003 +@@ -33,7 +33,7 @@ + #ifndef _PFCTL_PARSER_H_ + #define _PFCTL_PARSER_H_ - /* - * sys/limits.h ---- pfaltq/pf_support.h Mon Apr 14 06:04:19 2003 -+++ pfaltq/pf_support.h Tue Jun 17 14:26:34 2003 -@@ -16,10 +16,16 @@ - * Original numbers changed from 11, 12, 13. 
- * sys/mbuf.h - */ --#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */ --#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */ --#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */ --#define PACKET_TAG_PF_QID 22 /* PF queue id */ -+#if defined(PACKET_TAG_MACLABEL) -+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL) -+#else -+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD) -+#endif -+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1) -+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2) -+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3) -+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4) -+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5) +-#define PF_OSFP_FILE "/etc/pf.os" ++#define PF_OSFP_FILE "%%PREFIX%%/etc/pf.os" - /* - * sys/limits.h ---- pfctl/pf_support.h Mon Apr 14 05:55:07 2003 -+++ pfctl/pf_support.h Tue Jun 17 14:26:34 2003 -@@ -16,10 +16,16 @@ - * Original numbers changed from 11, 12, 13. - * sys/mbuf.h - */ --#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */ --#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */ --#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */ --#define PACKET_TAG_PF_QID 22 /* PF queue id */ -+#if defined(PACKET_TAG_MACLABEL) -+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL) -+#else -+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD) -+#endif -+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1) -+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2) -+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3) -+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4) -+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5) - - /* - * sys/limits.h - + #define PF_OPT_DISABLE 0x0001 + #define PF_OPT_ENABLE 0x0002 diff --git a/security/pf/files/patch-ac b/security/pf/files/patch-ac index a239c523bf08..f3860bda7b1d 100644 --- a/security/pf/files/patch-ac +++ b/security/pf/files/patch-ac 
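Review bot: `#define PF_OSFP_FILE "%%PREFIX%%/etc/pf.os"` only yields a usable path if the separate post-patch sed step runs; if that substitution is skipped or the marker drifts, pfctl silently compiles with the literal `%%PREFIX%%` string and looks for the fingerprint file at a path that cannot exist. Guarding the define instead, `#ifndef PF_OSFP_FILE` / `#define PF_OSFP_FILE "/etc/pf.os"` / `#endif`, and passing `-DPF_OSFP_FILE=\"${PREFIX}/etc/pf.os\"` from the port Makefile removes both the text substitution and the `.orig` copying in post-patch. The patched header continues outside the hunk.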
@@ -1,29 +1,24 @@ ---- pf/pf.c Wed May 7 09:33:21 2003 -+++ pf/pf.c Tue Jun 17 17:02:08 2003 -@@ -2837,6 +2837,7 @@ - /* check incoming packet for BINAT/RDR */ - if ((rdr = pf_get_translation(PF_IN, ifp, pd->proto, - saddr, 0, daddr, 0, &naddr, NULL, af)) != NULL) { -+ PF_ACPY(&baddr, daddr, af); - switch (af) { - #ifdef INET - case AF_INET: -@@ -3179,7 +3180,7 @@ - /* Retrans: not more than one window back */ - (ackskew >= -MAXACKWINDOW) && - /* Acking not more than one window back */ -- (ackskew <= MAXACKWINDOW)) { -+ (ackskew <= (MAXACKWINDOW << sws))) { - /* Acking not more than one window forward */ - - (*state)->packets++; -@@ -3346,7 +3347,7 @@ - SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? - ' ': '2', - (ackskew >= -MAXACKWINDOW) ? ' ' : '3', -- (ackskew <= MAXACKWINDOW) ? ' ' : '4', -+ (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', - SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', - SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); - } - +--- pf/pf_ioctl.c.orig Sun Sep 28 15:00:08 2003 ++++ pf/pf_ioctl.c Sun Sep 28 15:00:16 2003 +@@ -201,7 +201,7 @@ + /* psize */ nopsize, + /* flags */ 0, + /* kqfilter */ nokqfilter, +-#else ++#elif (__FreeBSD_version < 501109) + .d_open = pfopen, + .d_close = pfclose, + .d_read = noread, +@@ -215,6 +215,12 @@ + .d_dump = nodump, + .d_flags = 0, + .d_kqfilter = nokqfilter, ++#else ++ .d_open = pfopen, ++ .d_close = pfclose, ++ .d_ioctl = pfioctl, ++ .d_name = PF_NAME, ++ .d_flags = 0, + #endif + }; + #endif /* __FreeBSD__ */ diff --git a/security/pf/files/patch-ad b/security/pf/files/patch-ad deleted file mode 100644 index a9ec79cc117c..000000000000 --- a/security/pf/files/patch-ad +++ /dev/null 
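Review bot: The new `#elif (__FreeBSD_version < 501109)` / `#else` ladder in the cdevsw initializer carries no comment saying which kernel interface change 501109 marks, so the next API bump will be hard to place correctly; a line such as `/* 501109: <cdevsw layout change this branch targets> */` above the `#elif` would help. The final branch initialises only `.d_open`, `.d_close`, `.d_ioctl`, `.d_name` and `.d_flags` and relies on the remaining members being zero-initialised by the designated-initializer rules, which is worth stating in the patch as well. The initializer itself begins before the hunk.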
@@ -1,161 +0,0 @@ ---- pfctl/pfctl.c Sat Jun 21 17:29:45 2003 -+++ pfctl/pfctl.c Sat Jun 21 18:31:19 2003 -@@ -46,6 +46,7 @@ - #include <err.h> - #include <errno.h> - #include <fcntl.h> -+#include <inttypes.h> - #include <limits.h> - #include <netdb.h> - #include <stdio.h> -@@ -565,8 +566,8 @@ - rule->qname, rule->qid, rule->pqname, rule->pqid); - } - if (opts & PF_OPT_VERBOSE) -- printf("[ Evaluations: %-8llu Packets: %-8llu " -- "Bytes: %-10llu States: %-6u]\n\n", -+ printf("[ Evaluations: %-8"PRIu64" Packets: %-8"PRIu64" " -+ "Bytes: %-10"PRIu64" States: %-6u]\n\n", - rule->evaluations, rule->packets, - rule->bytes, rule->states); - } -@@ -630,7 +631,7 @@ - case 1: - if (pr.rule.label[0]) { - printf("%s ", pr.rule.label); -- printf("%llu %llu %llu\n", -+ printf("%"PRIu64" %"PRIu64" %"PRIu64"\n", - pr.rule.evaluations, pr.rule.packets, - pr.rule.bytes); - } -@@ -662,7 +663,7 @@ - case 1: - if (pr.rule.label[0]) { - printf("%s ", pr.rule.label); -- printf("%llu %llu %llu\n", -+ printf("%"PRIu64" %"PRIu64" %"PRIu64"\n", - pr.rule.evaluations, pr.rule.packets, - pr.rule.bytes); - } ---- pfctl/pfctl_parser.c Sat Jun 21 17:29:45 2003 -+++ pfctl/pfctl_parser.c Sat Jun 21 18:32:00 2003 -@@ -49,6 +49,7 @@ - #include <stdarg.h> - #include <errno.h> - #include <err.h> -+#include <inttypes.h> - #include <ifaddrs.h> - - #if defined(__FreeBSD__) -@@ -503,29 +504,29 @@ - if (s->ifname[0] != 0) { - printf("Interface Stats for %-16s %5s %16s\n", - s->ifname, "IPv4", "IPv6"); -- printf(" %-25s %14llu %16llu\n", "Bytes In", -+ printf(" %-25s %14"PRIu64" %16"PRIu64"\n", "Bytes In", - s->bcounters[0][0], s->bcounters[1][0]); -- printf(" %-25s %14llu %16llu\n", "Bytes Out", -+ printf(" %-25s %14"PRIu64" %16"PRIu64"\n", "Bytes Out", - s->bcounters[0][1], s->bcounters[1][1]); - printf(" Packets In\n"); -- printf(" %-23s %14llu %16llu\n", "Passed", -+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Passed", - s->pcounters[0][0][PF_PASS], - s->pcounters[1][0][PF_PASS]); -- printf(" %-23s 
%14llu %16llu\n", "Blocked", -+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Blocked", - s->pcounters[0][0][PF_DROP], - s->pcounters[1][0][PF_DROP]); - printf(" Packets Out\n"); -- printf(" %-23s %14llu %16llu\n", "Passed", -+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Passed", - s->pcounters[0][1][PF_PASS], - s->pcounters[1][1][PF_PASS]); -- printf(" %-23s %14llu %16llu\n\n", "Blocked", -+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n\n", "Blocked", - s->pcounters[0][1][PF_DROP], - s->pcounters[1][1][PF_DROP]); - } - printf("%-27s %14s %16s\n", "State Table", "Total", "Rate"); - printf(" %-25s %14u %14s\n", "current entries", s->states, ""); - for (i = 0; i < FCNT_MAX; i++) { -- printf(" %-25s %14lld ", pf_fcounters[i], -+ printf(" %-25s %14"PRId64" ", pf_fcounters[i], - s->fcounters[i]); - if (runtime > 0) - printf("%14.1f/s\n", -@@ -535,7 +536,7 @@ - } - printf("Counters\n"); - for (i = 0; i < PFRES_MAX; i++) { -- printf(" %-25s %14lld ", pf_reasons[i], -+ printf(" %-25s %14"PRId64" ", pf_reasons[i], - s->counters[i]); - if (runtime > 0) - printf("%14.1f/s\n", ---- pfctl/pfctl_qstats.c Sat Jun 21 17:29:45 2003 -+++ pfctl/pfctl_qstats.c Sat Jun 21 18:32:19 2003 -@@ -40,6 +40,7 @@ - #include <arpa/inet.h> - - #include <err.h> -+#include <inttypes.h> - #include <stdio.h> - #include <stdlib.h> - #include <string.h> -@@ -280,8 +281,8 @@ - { - double interval; - -- printf("[ pkts: %10llu bytes: %10llu " -- "dropped pkts: %6llu bytes: %6llu ]\n", -+ printf("[ pkts: %10"PRIu64" bytes: %10"PRIu64" " -+ "dropped pkts: %6"PRIu64" bytes: %6"PRIu64" ]\n", - cur.data.cbq_stats.xmit_cnt.packets, - cur.data.cbq_stats.xmit_cnt.bytes, - cur.data.cbq_stats.drop_cnt.packets, -@@ -306,8 +307,8 @@ - { - double interval; - -- printf("[ pkts: %10llu bytes: %10llu " -- "dropped pkts: %6llu bytes: %6llu ]\n", -+ printf("[ pkts: %10"PRIu64" bytes: %10"PRIu64" " -+ "dropped pkts: %6"PRIu64" bytes: %6"PRIu64" ]\n", - cur.data.priq_stats.xmitcnt.packets, - cur.data.priq_stats.xmitcnt.bytes, - 
cur.data.priq_stats.dropcnt.packets, ---- pfctl/pfctl_table.c Sat Jun 21 17:29:45 2003 -+++ pfctl/pfctl_table.c Sat Jun 21 18:32:36 2003 -@@ -42,6 +42,7 @@ - #include <ctype.h> - #include <err.h> - #include <errno.h> -+#include <inttypes.h> - #include <netdb.h> - #include <stdarg.h> - #include <stdio.h> -@@ -363,11 +364,11 @@ - printf("\tAddresses: %d\n", ts->pfrts_cnt); - printf("\tReferences: %d\n", ts->pfrts_refcnt); - printf("\tCleared: %s", ctime(&time)); -- printf("\tEvaluations: [ NoMatch: %-18llu Match: %-18llu ]\n", -+ printf("\tEvaluations: [ NoMatch: %-18"PRIu64" Match: %-18"PRIu64" ]\n", - ts->pfrts_nomatch, ts->pfrts_match); - for (dir = 0; dir < PFR_DIR_MAX; dir++) - for (op = 0; op < PFR_OP_TABLE_MAX; op++) -- printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n", -+ printf("\t%-12s [ Packets: %-18"PRIu64" Bytes: %-18"PRIu64" ]\n", - stats_text[dir][op], - ts->pfrts_packets[dir][op], - ts->pfrts_bytes[dir][op]); -@@ -541,7 +542,7 @@ - printf("\tCleared: %s", ctime(&time)); - for (dir = 0; dir < PFR_DIR_MAX; dir++) - for (op = 0; op < PFR_OP_ADDR_MAX; op++) -- printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n", -+ printf("\t%-12s [ Packets: %-18"PRIu64" Bytes: %-18"PRIu64" ]\n", - stats_text[dir][op], - as->pfras_packets[dir][op], - as->pfras_bytes[dir][op]); - diff --git a/security/pf/files/patch-ae b/security/pf/files/patch-ae deleted file mode 100644 index 739e91417366..000000000000 --- a/security/pf/files/patch-ae +++ /dev/null @@ -1,13 +0,0 @@ ---- pf/pf_norm.c 7 Apr 2003 15:31:41 -0000 1.2 -+++ pf/pf_norm.c 3 Jul 2003 02:40:10 -0000 1.2.16.1 -@@ -747,6 +747,9 @@ - */ - #if defined(__FreeBSD__) - *m0 = m_dup(m, M_NOWAIT); -+ /* From KAME Project : We have missed this! */ -+ m_adj(*m0, (h->ip_hl << 2) - -+ (*m0)->m_pkthdr.len); - #else - *m0 = m_copym2(m, 0, h->ip_hl << 2, M_NOWAIT); - #endif - diff --git a/security/pf/files/patch-af b/security/pf/files/patch-af deleted file mode 100644 index 9ae4ad0066b7..000000000000 
--- a/security/pf/files/patch-af +++ /dev/null @@ -1,19 +0,0 @@ ---- pf/pf_norm.c 3 Jul 2003 02:40:10 -0000 1.2.16.1 -+++ pf/pf_norm.c 14 Jul 2003 07:11:17 -0000 1.2.16.2 -@@ -1050,12 +1050,12 @@ - goto bad; - } - -- max = fragoff + ip_len; - /* Respect maximum length */ -- if (max > IP_MAXPACKET) { -- DPFPRINTF(("max packet %d\n", max)); -+ if (fragoff + ip_len > IP_MAXPACKET) { -+ DPFPRINTF(("max packet %d\n", fragoff + ip_len)); - goto bad; - } -+ max = fragoff + ip_len; - - if ((r->rule_flag & (PFRULE_FRAGCROP|PFRULE_FRAGDROP)) == 0) { - /* Fully buffer all of the fragments */ - diff --git a/security/pf/files/patch-ag b/security/pf/files/patch-ag deleted file mode 100644 index ed4cd5d7d904..000000000000 --- a/security/pf/files/patch-ag +++ /dev/null 
@@ -1,383 +0,0 @@ ---- pf/pf_norm.c Fri Aug 29 03:31:24 2003 -+++ pf/pf_norm.c Fri Aug 29 03:40:58 2003 -@@ -117,10 +117,10 @@ - void pf_flush_fragments(void); - void pf_free_fragment(struct pf_fragment *); - struct pf_fragment *pf_find_fragment(struct ip *, struct pf_frag_tree *); --struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment *, -+struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment **, - struct pf_frent *, int); - struct mbuf *pf_fragcache(struct mbuf **, struct ip*, -- struct pf_fragment *, int, int, int *); -+ struct pf_fragment **, int, int, int *); - u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t); - int pf_normalize_tcp(int, struct ifnet *, struct mbuf *, - int, int, void *, struct pf_pdesc *); -@@ -385,7 +385,7 @@ - } - - struct mbuf * --pf_reassemble(struct mbuf **m0, struct pf_fragment *frag, -+pf_reassemble(struct mbuf **m0, struct pf_fragment **frag, - struct pf_frent *frent, int mff) - { - struct mbuf *m = *m0, *m2; -@@ -397,10 +397,10 @@ - u_int16_t max = ip->ip_len + off; - - #if defined(__FreeBSD__) -- KASSERT((frag == NULL || BUFFER_FRAGMENTS(frag)), -- ("! (frag == NULL || BUFFER_FRAGMENTS(frag)): %s", __FUNCTION__)); -+ KASSERT((*frag == NULL || BUFFER_FRAGMENTS(*frag)), -+ ("! 
(*frag == NULL || BUFFER_FRAGMENTS(*frag)): %s", __FUNCTION__)); - #else -- KASSERT(frag == NULL || BUFFER_FRAGMENTS(frag)); -+ KASSERT(*frag == NULL || BUFFER_FRAGMENTS(*frag)); - #endif - - /* Strip off ip header */ -@@ -408,38 +408,38 @@ - m->m_len -= hlen; - - /* Create a new reassembly queue for this packet */ -- if (frag == NULL) { -+ if (*frag == NULL) { - #if defined(__FreeBSD__) -- frag = uma_zalloc(pf_frag_pl, M_NOWAIT); -+ *frag = uma_zalloc(pf_frag_pl, M_NOWAIT); - #else -- frag = pool_get(&pf_frag_pl, PR_NOWAIT); -+ *frag = pool_get(&pf_frag_pl, PR_NOWAIT); - #endif -- if (frag == NULL) { -+ if (*frag == NULL) { - pf_flush_fragments(); - #if defined(__FreeBSD__) -- frag = uma_zalloc(pf_frag_pl, M_NOWAIT); -+ *frag = uma_zalloc(pf_frag_pl, M_NOWAIT); - #else -- frag = pool_get(&pf_frag_pl, PR_NOWAIT); -+ *frag = pool_get(&pf_frag_pl, PR_NOWAIT); - #endif -- if (frag == NULL) -+ if (*frag == NULL) - goto drop_fragment; - } - -- frag->fr_flags = 0; -- frag->fr_max = 0; -- frag->fr_src = frent->fr_ip->ip_src; -- frag->fr_dst = frent->fr_ip->ip_dst; -- frag->fr_p = frent->fr_ip->ip_p; -- frag->fr_id = frent->fr_ip->ip_id; -+ (*frag)->fr_flags = 0; -+ (*frag)->fr_max = 0; -+ (*frag)->fr_src = frent->fr_ip->ip_src; -+ (*frag)->fr_dst = frent->fr_ip->ip_dst; -+ (*frag)->fr_p = frent->fr_ip->ip_p; -+ (*frag)->fr_id = frent->fr_ip->ip_id; - #if defined(__FreeBSD__) -- frag->fr_timeout = time_second; -+ (*frag)->fr_timeout = time_second; - #else -- frag->fr_timeout = time.tv_sec; -+ (*frag)->fr_timeout = time.tv_sec; - #endif -- LIST_INIT(&frag->fr_queue); -+ LIST_INIT(&(*frag)->fr_queue); - -- RB_INSERT(pf_frag_tree, &pf_frag_tree, frag); -- TAILQ_INSERT_HEAD(&pf_fragqueue, frag, frag_next); -+ RB_INSERT(pf_frag_tree, &pf_frag_tree, *frag); -+ TAILQ_INSERT_HEAD(&pf_fragqueue, *frag, frag_next); - - /* We do not have a previous fragment */ - frep = NULL; -@@ -450,7 +450,7 @@ - * Find a fragment after the current one: - * - off contains the real shifted offset. 
- */ -- LIST_FOREACH(frea, &frag->fr_queue, fr_next) { -+ LIST_FOREACH(frea, &(*frag)->fr_queue, fr_next) { - if (frea->fr_ip->ip_off > off) - break; - frep = frea; -@@ -503,41 +503,41 @@ - - insert: - /* Update maximum data size */ -- if (frag->fr_max < max) -- frag->fr_max = max; -+ if ((*frag)->fr_max < max) -+ (*frag)->fr_max = max; - /* This is the last segment */ - if (!mff) -- frag->fr_flags |= PFFRAG_SEENLAST; -+ (*frag)->fr_flags |= PFFRAG_SEENLAST; - - if (frep == NULL) -- LIST_INSERT_HEAD(&frag->fr_queue, frent, fr_next); -+ LIST_INSERT_HEAD(&(*frag)->fr_queue, frent, fr_next); - else - LIST_INSERT_AFTER(frep, frent, fr_next); - - /* Check if we are completely reassembled */ -- if (!(frag->fr_flags & PFFRAG_SEENLAST)) -+ if (!((*frag)->fr_flags & PFFRAG_SEENLAST)) - return (NULL); - - /* Check if we have all the data */ - off = 0; -- for (frep = LIST_FIRST(&frag->fr_queue); frep; frep = next) { -+ for (frep = LIST_FIRST(&(*frag)->fr_queue); frep; frep = next) { - next = LIST_NEXT(frep, fr_next); - - off += frep->fr_ip->ip_len; -- if (off < frag->fr_max && -+ if (off < (*frag)->fr_max && - (next == NULL || next->fr_ip->ip_off != off)) { - DPFPRINTF(("missing fragment at %d, next %d, max %d\n", - off, next == NULL ? 
-1 : next->fr_ip->ip_off, -- frag->fr_max)); -+ (*frag)->fr_max)); - return (NULL); - } - } -- DPFPRINTF(("%d < %d?\n", off, frag->fr_max)); -- if (off < frag->fr_max) -+ DPFPRINTF(("%d < %d?\n", off, (*frag)->fr_max)); -+ if (off < (*frag)->fr_max) - return (NULL); - - /* We have all the data */ -- frent = LIST_FIRST(&frag->fr_queue); -+ frent = LIST_FIRST(&(*frag)->fr_queue); - #if defined(__FreeBSD__) - KASSERT((frent != NULL), ("frent == NULL: %s", __FUNCTION__)); - #else -@@ -545,7 +545,8 @@ - #endif - if ((frent->fr_ip->ip_hl << 2) + off > IP_MAXPACKET) { - DPFPRINTF(("drop: too big: %d\n", off)); -- pf_free_fragment(frag); -+ pf_free_fragment(*frag); -+ *frag = NULL; - return (NULL); - } - next = LIST_NEXT(frent, fr_next); -@@ -575,11 +576,12 @@ - m_cat(m, m2); - } - -- ip->ip_src = frag->fr_src; -- ip->ip_dst = frag->fr_dst; -+ ip->ip_src = (*frag)->fr_src; -+ ip->ip_dst = (*frag)->fr_dst; - - /* Remove from fragment queue */ -- pf_remove_fragment(frag); -+ pf_remove_fragment(*frag); -+ *frag = NULL; - - hlen = ip->ip_hl << 2; - ip->ip_len = off + hlen; -@@ -611,7 +613,7 @@ - } - - struct mbuf * --pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment *frag, int mff, -+pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment **frag, int mff, - int drop, int *nomem) - { - struct mbuf *m = *m0; -@@ -622,27 +624,27 @@ - int hosed = 0; - - #if defined(__FreeBSD__) -- KASSERT((frag == NULL || !BUFFER_FRAGMENTS(frag)), -- ("!(frag == NULL || !BUFFER_FRAGMENTS(frag)): %s", __FUNCTION__)); -+ KASSERT((*frag == NULL || !BUFFER_FRAGMENTS(*frag)), -+ ("!(*frag == NULL || !BUFFER_FRAGMENTS(*frag)): %s", __FUNCTION__)); - #else -- KASSERT(frag == NULL || !BUFFER_FRAGMENTS(frag)); -+ KASSERT(*frag == NULL || !BUFFER_FRAGMENTS(*frag)); - #endif - - /* Create a new range queue for this packet */ -- if (frag == NULL) { -+ if (*frag == NULL) { - #if defined(__FreeBSD__) -- frag = uma_zalloc(pf_cache_pl, M_NOWAIT); -+ *frag = uma_zalloc(pf_cache_pl, M_NOWAIT); 
- #else -- frag = pool_get(&pf_cache_pl, PR_NOWAIT); -+ *frag = pool_get(&pf_cache_pl, PR_NOWAIT); - #endif -- if (frag == NULL) { -+ if (*frag == NULL) { - pf_flush_fragments(); - #if defined(__FreeBSD__) -- frag = uma_zalloc(pf_cache_pl, M_NOWAIT); -+ *frag = uma_zalloc(pf_cache_pl, M_NOWAIT); - #else -- frag = pool_get(&pf_cache_pl, PR_NOWAIT); -+ *frag = pool_get(&pf_cache_pl, PR_NOWAIT); - #endif -- if (frag == NULL) -+ if (*frag == NULL) - goto no_mem; - } - -@@ -654,33 +656,34 @@ - #endif - if (cur == NULL) { - #if defined(__FreeBSD__) -- uma_zfree(pf_cache_pl, frag); -+ uma_zfree(pf_cache_pl, *frag); - #else -- pool_put(&pf_cache_pl, frag); -+ pool_put(&pf_cache_pl, *frag); - #endif -+ *frag = NULL; - goto no_mem; - } - pf_ncache++; - -- frag->fr_flags = PFFRAG_NOBUFFER; -- frag->fr_max = 0; -- frag->fr_src = h->ip_src; -- frag->fr_dst = h->ip_dst; -- frag->fr_p = h->ip_p; -- frag->fr_id = h->ip_id; -+ (*frag)->fr_flags = PFFRAG_NOBUFFER; -+ (*frag)->fr_max = 0; -+ (*frag)->fr_src = h->ip_src; -+ (*frag)->fr_dst = h->ip_dst; -+ (*frag)->fr_p = h->ip_p; -+ (*frag)->fr_id = h->ip_id; - #if defined(__FreeBSD__) -- frag->fr_timeout = time_second; -+ (*frag)->fr_timeout = time_second; - #else -- frag->fr_timeout = time.tv_sec; -+ (*frag)->fr_timeout = time.tv_sec; - #endif - - cur->fr_off = off; - cur->fr_end = max; -- LIST_INIT(&frag->fr_cache); -- LIST_INSERT_HEAD(&frag->fr_cache, cur, fr_next); -+ LIST_INIT(&(*frag)->fr_cache); -+ LIST_INSERT_HEAD(&(*frag)->fr_cache, cur, fr_next); - -- RB_INSERT(pf_frag_tree, &pf_cache_tree, frag); -- TAILQ_INSERT_HEAD(&pf_cachequeue, frag, frag_next); -+ RB_INSERT(pf_frag_tree, &pf_cache_tree, *frag); -+ TAILQ_INSERT_HEAD(&pf_cachequeue, *frag, frag_next); - - DPFPRINTF(("fragcache[%d]: new %d-%d\n", h->ip_id, off, max)); - -@@ -692,7 +695,7 @@ - * - off contains the real shifted offset. 
- */ - frp = NULL; -- LIST_FOREACH(fra, &frag->fr_cache, fr_next) { -+ LIST_FOREACH(fra, &(*frag)->fr_cache, fr_next) { - if (fra->fr_off > off) - break; - frp = fra; -@@ -929,21 +932,22 @@ - - pass: - /* Update maximum data size */ -- if (frag->fr_max < max) -- frag->fr_max = max; -+ if ((*frag)->fr_max < max) -+ (*frag)->fr_max = max; - - /* This is the last segment */ - if (!mff) -- frag->fr_flags |= PFFRAG_SEENLAST; -+ (*frag)->fr_flags |= PFFRAG_SEENLAST; - - /* Check if we are completely reassembled */ -- if ((frag->fr_flags & PFFRAG_SEENLAST) && -- LIST_FIRST(&frag->fr_cache)->fr_off == 0 && -- LIST_FIRST(&frag->fr_cache)->fr_end == frag->fr_max) { -+ if (((*frag)->fr_flags & PFFRAG_SEENLAST) && -+ LIST_FIRST(&(*frag)->fr_cache)->fr_off == 0 && -+ LIST_FIRST(&(*frag)->fr_cache)->fr_end == (*frag)->fr_max) { - /* Remove from fragment queue */ - DPFPRINTF(("fragcache[%d]: done 0-%d\n", h->ip_id, -- frag->fr_max)); -- pf_free_fragment(frag); -+ (*frag)->fr_max)); -+ pf_free_fragment(*frag); -+ *frag = NULL; - } - - return (m); -@@ -952,8 +956,8 @@ - *nomem = 1; - - /* Still need to pay attention to !IP_MF */ -- if (!mff && frag) -- frag->fr_flags |= PFFRAG_SEENLAST; -+ if (!mff && *frag != NULL) -+ (*frag)->fr_flags |= PFFRAG_SEENLAST; - - m_freem(m); - return (NULL); -@@ -961,15 +965,15 @@ - drop_fragment: - - /* Still need to pay attention to !IP_MF */ -- if (!mff && frag) -- frag->fr_flags |= PFFRAG_SEENLAST; -+ if (!mff && *frag != NULL) -+ (*frag)->fr_flags |= PFFRAG_SEENLAST; - - if (drop) { - /* This fragment has been deemed bad. 
Don't reass */ -- if ((frag->fr_flags & PFFRAG_DROP) == 0) -+ if (((*frag)->fr_flags & PFFRAG_DROP) == 0) - DPFPRINTF(("fragcache[%d]: dropping overall fragment\n", - h->ip_id)); -- frag->fr_flags |= PFFRAG_DROP; -+ (*frag)->fr_flags |= PFFRAG_DROP; - } - - m_freem(m); -@@ -1085,12 +1089,12 @@ - - /* Might return a completely reassembled mbuf, or NULL */ - DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max)); -- *m0 = m = pf_reassemble(m0, frag, frent, mff); -+ *m0 = m = pf_reassemble(m0, &frag, frent, mff); - - if (m == NULL) - return (PF_DROP); - -- if (frag && (frag->fr_flags & PFFRAG_DROP)) -+ if (frag != NULL && (frag->fr_flags & PFFRAG_DROP)) - goto drop; - - h = mtod(m, struct ip *); -@@ -1119,7 +1123,7 @@ - goto bad; - } - -- *m0 = m = pf_fragcache(m0, h, frag, mff, -+ *m0 = m = pf_fragcache(m0, h, &frag, mff, - (r->rule_flag & PFRULE_FRAGDROP) ? 1 : 0, &nomem); - if (m == NULL) { - if (nomem) -@@ -1135,7 +1139,7 @@ - goto no_mem; - m_tag_prepend(m, mtag); - } -- if (frag && (frag->fr_flags & PFFRAG_DROP)) -+ if (frag != NULL && (frag->fr_flags & PFFRAG_DROP)) - goto drop; - goto fragment_pass; - } diff --git a/security/pf/files/pf-port.diff b/security/pf/files/pf-port.diff new file mode 100644 index 000000000000..94d44631cab7 --- /dev/null +++ b/security/pf/files/pf-port.diff 
@@ -0,0 +1,1523 @@ +diff -ruN /usr/ports/security/pf/Makefile pf/Makefile +--- /usr/ports/security/pf/Makefile Fri Aug 29 05:14:03 2003 ++++ pf/Makefile Sat Sep 27 14:32:18 2003 +@@ -6,8 +6,7 @@ + # + + PORTNAME= pf_freebsd +-PORTVERSION= 1.0 +-PORTREVISION= 7 ++PORTVERSION= 1.65 + CATEGORIES= security ipv6 + MASTER_SITES= http://pf4freebsd.love2party.net/ + .if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes") +@@ -24,11 +23,12 @@ + + STARTUP_SCRIPT= ${PREFIX}/etc/rc.d/pf.sh.sample + SAMPLE_CONFIG= ${PREFIX}/etc/pf.conf.default ++SAMPLE_PFOS= ${PREFIX}/etc/pf.os + + MAN1= pftcpdump.1 + MAN4= pf.4 pflog.4 pfsync.4 +-MAN5= pf.conf.5 +-MAN8= ftp-proxy.8 pfctl.8 pflogd.8 pftop.8 ++MAN5= pf.conf.5 pf.os.5 ++MAN8= ftp-proxy.8 pfctl.8 pflogd.8 + + MANCOMPRESSED= maybe + +@@ -57,54 +57,72 @@ + + .if !defined(WITH_ALTQ) || (${WITH_ALTQ} != "yes") + pre-fetch: +- @${ECHO_CMD} "=======================================================" +- @${ECHO_CMD} "* If you have ALTQ support from: *" +- @${ECHO_CMD} "* http://www.rofug.ro/projects/freebsd-altq/ *" +- @${ECHO_CMD} "* You can may define WITH_ALTQ=yes to make use of it *" +- @${ECHO_CMD} "* Please define SYS_ALTQ to point to the patched src *" +- @${ECHO_CMD} "* *" +- @${ECHO_CMD} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=${SRC_BASE}/sys.altq *" +- @${ECHO_CMD} "* *" +- @${ECHO_CMD} "=======================================================" ++ @${ECHO_MSG} "=======================================================" ++ @${ECHO_MSG} "* If you have ALTQ support from: *" ++ @${ECHO_MSG} "* http://www.nipsi.de/altq/index.html *" ++ @${ECHO_MSG} "* You can may define WITH_ALTQ=yes to make use of it *" ++ @${ECHO_MSG} "* Please define SYS_ALTQ to point to the patched src *" ++ @${ECHO_MSG} "* *" ++ @${ECHO_MSG} "* e.g.: make WITH_ALTQ=yes SYS_ALTQ=/usr/src/sys.altq *" ++ @${ECHO_MSG} "* *" ++ @${ECHO_MSG} "=======================================================" + @sleep 2 + .endif + +-pre-install: ++post-patch: ++ @${CP} 
${WRKSRC}/pfctl/pfctl_parser.h \ ++ ${WRKSRC}/pfctl/pfctl_parser.h.orig ++ @${SED} -e 's!%%PREFIX%%!${PREFIX}!' \ ++ ${WRKSRC}/pfctl/pfctl_parser.h.orig > \ ++ ${WRKSRC}/pfctl/pfctl_parser.h ++pre-su-install: + ${MKDIR} ${KMODDIR} + ${MKDIR} ${PREFIX}/include/pf + ${MKDIR} ${PREFIX}/include/pf/net ++.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes") ++ ${MKDIR} ${PREFIX}/include/pf/altq ++.endif + .if !defined(BATCH) && !defined(PACKAGE_BUILDING) + @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL + .endif + + post-install: +- ${ECHO} "Installing include files ..." ++ ${ECHO_MSG} "Installing include files ..." + ${INSTALL_DATA} ${WRKSRC}/include/net/pfvar.h \ +- ${PREFIX}/include/pf/net ++ ${PREFIX}/include/pf/net + ${INSTALL_DATA} ${WRKSRC}/include/net/if_pflog.h \ +- ${PREFIX}/include/pf/net ++ ${PREFIX}/include/pf/net + ${INSTALL_DATA} ${WRKSRC}/include/net/if_pfsync.h \ +- ${PREFIX}/include/pf/net ++ ${PREFIX}/include/pf/net ++.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes") ++ ${INSTALL_DATA} ${WRKSRC}/include/altq/*.h \ ++ ${PREFIX}/include/pf/altq ++.endif + @if [ -f ${WRKSRC}/man/pf.4.gz ]; then \ +- ${ECHO} "Installing pftcpdump(1) man page."; \ ++ ${ECHO_MSG} "Installing pftcpdump(1) man page."; \ + ${GZIP_CMD} -cn ${WRKSRC}/freebsd_tcpdump/tcpdump.1 > \ + ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz ; \ + ${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1.gz \ +- ${PREFIX}/man/man1/pftcpdump.1.gz ; \ ++ ${PREFIX}/man/man1/pftcpdump.1.gz ; \ + else \ +- ${ECHO} "Installing pftcpdump(1) man page."; \ ++ ${ECHO_MSG} "Installing pftcpdump(1) man page."; \ + ${INSTALL_MAN} ${WRKSRC}/freebsd_tcpdump/tcpdump.1 \ +- ${PREFIX}/man/man1/pftcpdump.1 ; \ ++ ${PREFIX}/man/man1/pftcpdump.1 ; \ + fi + @if [ ! -f ${STARTUP_SCRIPT} ]; then \ +- ${ECHO} "Installing ${STARTUP_SCRIPT} startup file." ; \ ++ ${ECHO_MSG} "Installing ${STARTUP_SCRIPT} startup file." 
; \ + ${INSTALL_SCRIPT} ${FILESDIR}/pf.sh.sample \ +- ${STARTUP_SCRIPT} ; \ ++ ${STARTUP_SCRIPT} ; \ + fi + @if [ ! -f ${SAMPLE_CONFIG} ]; then \ +- ${ECHO} "Installing ${SAMPLE_CONFIG} config file." ; \ ++ ${ECHO_MSG} "Installing ${SAMPLE_CONFIG} config file." ; \ + ${INSTALL_DATA} ${FILESDIR}/pf.conf.default \ +- ${SAMPLE_CONFIG}; \ ++ ${SAMPLE_CONFIG}; \ ++ fi ++ @if [ ! -f ${SAMPLE_PFOS} ]; then \ ++ ${ECHO_MSG} "Installing ${SAMPLE_PFOS} config file."; \ ++ ${INSTALL_DATA} ${FILESDIR}/pf.os.default \ ++ ${SAMPLE_PFOS}; \ + fi + ${SED} -e 's!%%PREFIX%%!${PREFIX}!' ${PKGMESSAGE} + +diff -ruN /usr/ports/security/pf/distinfo pf/distinfo +--- /usr/ports/security/pf/distinfo Fri Jun 13 03:09:29 2003 ++++ pf/distinfo Sat Sep 27 13:31:03 2003 +@@ -1 +1 @@ +-MD5 (pf_freebsd_1.0.tar.gz) = 66b573f0f6884b61f41240111425b93e ++MD5 (pf_freebsd_1.65.tar.gz) = 6956f275a7b971ab07f4ee8e0bdd83e0 +diff -ruN /usr/ports/security/pf/files/patch-aa pf/files/patch-aa +--- /usr/ports/security/pf/files/patch-aa Mon Jun 16 05:14:27 2003 ++++ pf/files/patch-aa Sat Sep 27 10:18:08 2003 +@@ -1,32 +1,11 @@ +---- freebsd_tcpdump/print-pflog.c.orig Fri Jun 13 18:14:50 2003 +-+++ freebsd_tcpdump/print-pflog.c Fri Jun 13 18:15:39 2003 +-@@ -64,7 +64,9 @@ +- u_int length = h->len; +- u_int caplen = h->caplen; +- const struct ip *ip; +-+#ifdef INET6 +- const struct ip6_hdr *ip6; +-+#endif +- const struct pfloghdr *hdr; +- u_short res; +- char reason[128], *why; +-@@ -129,13 +131,16 @@ +- if (xflag) +- default_print((const u_char *)ip, +- caplen - PFLOG_HDRLEN); +-- } else { +-+ } +-+#ifdef INET6 +-+ else { +- ip6 = (struct ip6_hdr *)(p + PFLOG_HDRLEN); +- ip6_print((const u_char *)ip6, length); +- if (xflag) +- default_print((const u_char *)ip6, +- caplen - PFLOG_HDRLEN); +- } +-+#endif ++--- Makefile.orig Sat Sep 27 10:17:32 2003 +++++ Makefile Sat Sep 27 10:17:46 2003 ++@@ -6,7 +6,7 @@ ++ SUBDIR= libpcap ++ .endif ++ ++-SUBDIR+= pfctl authpf ftp-proxy man pf pflog pfsync +++SUBDIR+= pfctl 
ftp-proxy man pf pflog pfsync ++ ++ .include "include/mk/util.mk" + +- out: +- putchar('\n'); +- +- +diff -ruN /usr/ports/security/pf/files/patch-ab pf/files/patch-ab +--- /usr/ports/security/pf/files/patch-ab Wed Jun 18 06:46:34 2003 ++++ pf/files/patch-ab Sat Sep 27 10:41:00 2003 +@@ -1,70 +1,11 @@ +---- pf/pf_support.h Mon Apr 14 05:54:15 2003 +-+++ pf/pf_support.h Tue Jun 17 14:26:33 2003 +-@@ -16,10 +16,16 @@ +- * Original numbers changed from 11, 12, 13. +- * sys/mbuf.h +- */ +--#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */ +--#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */ +--#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */ +--#define PACKET_TAG_PF_QID 22 /* PF queue id */ +-+#if defined(PACKET_TAG_MACLABEL) +-+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL) +-+#else +-+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD) +-+#endif +-+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1) +-+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2) +-+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3) +-+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4) +-+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5) ++--- pfctl/pfctl_parser.h.orig Sat Sep 27 10:39:47 2003 +++++ pfctl/pfctl_parser.h Sat Sep 27 10:40:21 2003 ++@@ -33,7 +33,7 @@ ++ #ifndef _PFCTL_PARSER_H_ ++ #define _PFCTL_PARSER_H_ + +- /* +- * sys/limits.h +---- pfaltq/pf_support.h Mon Apr 14 06:04:19 2003 +-+++ pfaltq/pf_support.h Tue Jun 17 14:26:34 2003 +-@@ -16,10 +16,16 @@ +- * Original numbers changed from 11, 12, 13. 
+- * sys/mbuf.h +- */ +--#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */ +--#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */ +--#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */ +--#define PACKET_TAG_PF_QID 22 /* PF queue id */ +-+#if defined(PACKET_TAG_MACLABEL) +-+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL) +-+#else +-+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD) +-+#endif +-+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1) +-+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2) +-+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3) +-+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4) +-+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5) ++-#define PF_OSFP_FILE "/etc/pf.os" +++#define PF_OSFP_FILE "%%PREFIX%%/etc/pf.os" + +- /* +- * sys/limits.h +---- pfctl/pf_support.h Mon Apr 14 05:55:07 2003 +-+++ pfctl/pf_support.h Tue Jun 17 14:26:34 2003 +-@@ -16,10 +16,16 @@ +- * Original numbers changed from 11, 12, 13. +- * sys/mbuf.h +- */ +--#define PACKET_TAG_PF_GENERATED 19 /* PF generated, pass always */ +--#define PACKET_TAG_PF_ROUTED 20 /* PF routed, no route loops */ +--#define PACKET_TAG_PF_FRAGCACHE 21 /* PF fragment cached */ +--#define PACKET_TAG_PF_QID 22 /* PF queue id */ +-+#if defined(PACKET_TAG_MACLABEL) +-+#define PACKET_TAG_FB_END (PACKET_TAG_MACLABEL) +-+#else +-+#define PACKET_TAG_FB_END (PACKET_TAG_IPFORWARD) +-+#endif +-+#define PACKET_TAG_PF_GENERATED (PACKET_TAG_FB_END+1) +-+#define PACKET_TAG_PF_ROUTED (PACKET_TAG_FB_END+2) +-+#define PACKET_TAG_PF_FRAGCACHE (PACKET_TAG_FB_END+3) +-+#define PACKET_TAG_PF_QID (PACKET_TAG_FB_END+4) +-+#define PACKET_TAG_PF_TAG (PACKET_TAG_FB_END+5) +- +- /* +- * sys/limits.h +- ++ #define PF_OPT_DISABLE 0x0001 ++ #define PF_OPT_ENABLE 0x0002 +diff -ruN /usr/ports/security/pf/files/patch-ac pf/files/patch-ac +--- /usr/ports/security/pf/files/patch-ac Wed Jun 18 06:46:34 2003 ++++ pf/files/patch-ac Sun Sep 28 14:04:09 2003 +@@ -1,29 +1,24 @@ +---- pf/pf.c Wed May 7 
09:33:21 2003 +-+++ pf/pf.c Tue Jun 17 17:02:08 2003 +-@@ -2837,6 +2837,7 @@ +- /* check incoming packet for BINAT/RDR */ +- if ((rdr = pf_get_translation(PF_IN, ifp, pd->proto, +- saddr, 0, daddr, 0, &naddr, NULL, af)) != NULL) { +-+ PF_ACPY(&baddr, daddr, af); +- switch (af) { +- #ifdef INET +- case AF_INET: +-@@ -3179,7 +3180,7 @@ +- /* Retrans: not more than one window back */ +- (ackskew >= -MAXACKWINDOW) && +- /* Acking not more than one window back */ +-- (ackskew <= MAXACKWINDOW)) { +-+ (ackskew <= (MAXACKWINDOW << sws))) { +- /* Acking not more than one window forward */ +- +- (*state)->packets++; +-@@ -3346,7 +3347,7 @@ +- SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ? +- ' ': '2', +- (ackskew >= -MAXACKWINDOW) ? ' ' : '3', +-- (ackskew <= MAXACKWINDOW) ? ' ' : '4', +-+ (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4', +- SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5', +- SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6'); +- } +- ++--- pf/pf_ioctl.c.orig Sun Sep 28 15:00:08 2003 +++++ pf/pf_ioctl.c Sun Sep 28 15:00:16 2003 ++@@ -201,7 +201,7 @@ ++ /* psize */ nopsize, ++ /* flags */ 0, ++ /* kqfilter */ nokqfilter, ++-#else +++#elif (__FreeBSD_version < 501109) ++ .d_open = pfopen, ++ .d_close = pfclose, ++ .d_read = noread, ++@@ -215,6 +215,12 @@ ++ .d_dump = nodump, ++ .d_flags = 0, ++ .d_kqfilter = nokqfilter, +++#else +++ .d_open = pfopen, +++ .d_close = pfclose, +++ .d_ioctl = pfioctl, +++ .d_name = PF_NAME, +++ .d_flags = 0, ++ #endif ++ }; ++ #endif /* __FreeBSD__ */ +diff -ruN /usr/ports/security/pf/files/patch-ad pf/files/patch-ad +--- /usr/ports/security/pf/files/patch-ad Thu Jun 26 18:20:13 2003 ++++ pf/files/patch-ad Thu Jan 1 01:00:00 1970 +@@ -1,161 +0,0 @@ +---- pfctl/pfctl.c Sat Jun 21 17:29:45 2003 +-+++ pfctl/pfctl.c Sat Jun 21 18:31:19 2003 +-@@ -46,6 +46,7 @@ +- #include <err.h> +- #include <errno.h> +- #include <fcntl.h> +-+#include <inttypes.h> +- #include <limits.h> +- #include <netdb.h> +- #include <stdio.h> +-@@ -565,8 
+566,8 @@ +- rule->qname, rule->qid, rule->pqname, rule->pqid); +- } +- if (opts & PF_OPT_VERBOSE) +-- printf("[ Evaluations: %-8llu Packets: %-8llu " +-- "Bytes: %-10llu States: %-6u]\n\n", +-+ printf("[ Evaluations: %-8"PRIu64" Packets: %-8"PRIu64" " +-+ "Bytes: %-10"PRIu64" States: %-6u]\n\n", +- rule->evaluations, rule->packets, +- rule->bytes, rule->states); +- } +-@@ -630,7 +631,7 @@ +- case 1: +- if (pr.rule.label[0]) { +- printf("%s ", pr.rule.label); +-- printf("%llu %llu %llu\n", +-+ printf("%"PRIu64" %"PRIu64" %"PRIu64"\n", +- pr.rule.evaluations, pr.rule.packets, +- pr.rule.bytes); +- } +-@@ -662,7 +663,7 @@ +- case 1: +- if (pr.rule.label[0]) { +- printf("%s ", pr.rule.label); +-- printf("%llu %llu %llu\n", +-+ printf("%"PRIu64" %"PRIu64" %"PRIu64"\n", +- pr.rule.evaluations, pr.rule.packets, +- pr.rule.bytes); +- } +---- pfctl/pfctl_parser.c Sat Jun 21 17:29:45 2003 +-+++ pfctl/pfctl_parser.c Sat Jun 21 18:32:00 2003 +-@@ -49,6 +49,7 @@ +- #include <stdarg.h> +- #include <errno.h> +- #include <err.h> +-+#include <inttypes.h> +- #include <ifaddrs.h> +- +- #if defined(__FreeBSD__) +-@@ -503,29 +504,29 @@ +- if (s->ifname[0] != 0) { +- printf("Interface Stats for %-16s %5s %16s\n", +- s->ifname, "IPv4", "IPv6"); +-- printf(" %-25s %14llu %16llu\n", "Bytes In", +-+ printf(" %-25s %14"PRIu64" %16"PRIu64"\n", "Bytes In", +- s->bcounters[0][0], s->bcounters[1][0]); +-- printf(" %-25s %14llu %16llu\n", "Bytes Out", +-+ printf(" %-25s %14"PRIu64" %16"PRIu64"\n", "Bytes Out", +- s->bcounters[0][1], s->bcounters[1][1]); +- printf(" Packets In\n"); +-- printf(" %-23s %14llu %16llu\n", "Passed", +-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Passed", +- s->pcounters[0][0][PF_PASS], +- s->pcounters[1][0][PF_PASS]); +-- printf(" %-23s %14llu %16llu\n", "Blocked", +-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Blocked", +- s->pcounters[0][0][PF_DROP], +- s->pcounters[1][0][PF_DROP]); +- printf(" Packets Out\n"); +-- printf(" %-23s %14llu %16llu\n", "Passed", +-+ 
printf(" %-23s %14"PRIu64" %16"PRIu64"\n", "Passed", +- s->pcounters[0][1][PF_PASS], +- s->pcounters[1][1][PF_PASS]); +-- printf(" %-23s %14llu %16llu\n\n", "Blocked", +-+ printf(" %-23s %14"PRIu64" %16"PRIu64"\n\n", "Blocked", +- s->pcounters[0][1][PF_DROP], +- s->pcounters[1][1][PF_DROP]); +- } +- printf("%-27s %14s %16s\n", "State Table", "Total", "Rate"); +- printf(" %-25s %14u %14s\n", "current entries", s->states, ""); +- for (i = 0; i < FCNT_MAX; i++) { +-- printf(" %-25s %14lld ", pf_fcounters[i], +-+ printf(" %-25s %14"PRId64" ", pf_fcounters[i], +- s->fcounters[i]); +- if (runtime > 0) +- printf("%14.1f/s\n", +-@@ -535,7 +536,7 @@ +- } +- printf("Counters\n"); +- for (i = 0; i < PFRES_MAX; i++) { +-- printf(" %-25s %14lld ", pf_reasons[i], +-+ printf(" %-25s %14"PRId64" ", pf_reasons[i], +- s->counters[i]); +- if (runtime > 0) +- printf("%14.1f/s\n", +---- pfctl/pfctl_qstats.c Sat Jun 21 17:29:45 2003 +-+++ pfctl/pfctl_qstats.c Sat Jun 21 18:32:19 2003 +-@@ -40,6 +40,7 @@ +- #include <arpa/inet.h> +- +- #include <err.h> +-+#include <inttypes.h> +- #include <stdio.h> +- #include <stdlib.h> +- #include <string.h> +-@@ -280,8 +281,8 @@ +- { +- double interval; +- +-- printf("[ pkts: %10llu bytes: %10llu " +-- "dropped pkts: %6llu bytes: %6llu ]\n", +-+ printf("[ pkts: %10"PRIu64" bytes: %10"PRIu64" " +-+ "dropped pkts: %6"PRIu64" bytes: %6"PRIu64" ]\n", +- cur.data.cbq_stats.xmit_cnt.packets, +- cur.data.cbq_stats.xmit_cnt.bytes, +- cur.data.cbq_stats.drop_cnt.packets, +-@@ -306,8 +307,8 @@ +- { +- double interval; +- +-- printf("[ pkts: %10llu bytes: %10llu " +-- "dropped pkts: %6llu bytes: %6llu ]\n", +-+ printf("[ pkts: %10"PRIu64" bytes: %10"PRIu64" " +-+ "dropped pkts: %6"PRIu64" bytes: %6"PRIu64" ]\n", +- cur.data.priq_stats.xmitcnt.packets, +- cur.data.priq_stats.xmitcnt.bytes, +- cur.data.priq_stats.dropcnt.packets, +---- pfctl/pfctl_table.c Sat Jun 21 17:29:45 2003 +-+++ pfctl/pfctl_table.c Sat Jun 21 18:32:36 2003 +-@@ -42,6 +42,7 @@ +- #include 
<ctype.h> +- #include <err.h> +- #include <errno.h> +-+#include <inttypes.h> +- #include <netdb.h> +- #include <stdarg.h> +- #include <stdio.h> +-@@ -363,11 +364,11 @@ +- printf("\tAddresses: %d\n", ts->pfrts_cnt); +- printf("\tReferences: %d\n", ts->pfrts_refcnt); +- printf("\tCleared: %s", ctime(&time)); +-- printf("\tEvaluations: [ NoMatch: %-18llu Match: %-18llu ]\n", +-+ printf("\tEvaluations: [ NoMatch: %-18"PRIu64" Match: %-18"PRIu64" ]\n", +- ts->pfrts_nomatch, ts->pfrts_match); +- for (dir = 0; dir < PFR_DIR_MAX; dir++) +- for (op = 0; op < PFR_OP_TABLE_MAX; op++) +-- printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n", +-+ printf("\t%-12s [ Packets: %-18"PRIu64" Bytes: %-18"PRIu64" ]\n", +- stats_text[dir][op], +- ts->pfrts_packets[dir][op], +- ts->pfrts_bytes[dir][op]); +-@@ -541,7 +542,7 @@ +- printf("\tCleared: %s", ctime(&time)); +- for (dir = 0; dir < PFR_DIR_MAX; dir++) +- for (op = 0; op < PFR_OP_ADDR_MAX; op++) +-- printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n", +-+ printf("\t%-12s [ Packets: %-18"PRIu64" Bytes: %-18"PRIu64" ]\n", +- stats_text[dir][op], +- as->pfras_packets[dir][op], +- as->pfras_bytes[dir][op]); +- +diff -ruN /usr/ports/security/pf/files/patch-ae pf/files/patch-ae +--- /usr/ports/security/pf/files/patch-ae Fri Jul 4 03:28:53 2003 ++++ pf/files/patch-ae Thu Jan 1 01:00:00 1970 +@@ -1,13 +0,0 @@ +---- pf/pf_norm.c 7 Apr 2003 15:31:41 -0000 1.2 +-+++ pf/pf_norm.c 3 Jul 2003 02:40:10 -0000 1.2.16.1 +-@@ -747,6 +747,9 @@ +- */ +- #if defined(__FreeBSD__) +- *m0 = m_dup(m, M_NOWAIT); +-+ /* From KAME Project : We have missed this! 
*/ +-+ m_adj(*m0, (h->ip_hl << 2) - +-+ (*m0)->m_pkthdr.len); +- #else +- *m0 = m_copym2(m, 0, h->ip_hl << 2, M_NOWAIT); +- #endif +- +diff -ruN /usr/ports/security/pf/files/patch-af pf/files/patch-af +--- /usr/ports/security/pf/files/patch-af Fri Jul 18 03:51:24 2003 ++++ pf/files/patch-af Thu Jan 1 01:00:00 1970 +@@ -1,19 +0,0 @@ +---- pf/pf_norm.c 3 Jul 2003 02:40:10 -0000 1.2.16.1 +-+++ pf/pf_norm.c 14 Jul 2003 07:11:17 -0000 1.2.16.2 +-@@ -1050,12 +1050,12 @@ +- goto bad; +- } +- +-- max = fragoff + ip_len; +- /* Respect maximum length */ +-- if (max > IP_MAXPACKET) { +-- DPFPRINTF(("max packet %d\n", max)); +-+ if (fragoff + ip_len > IP_MAXPACKET) { +-+ DPFPRINTF(("max packet %d\n", fragoff + ip_len)); +- goto bad; +- } +-+ max = fragoff + ip_len; +- +- if ((r->rule_flag & (PFRULE_FRAGCROP|PFRULE_FRAGDROP)) == 0) { +- /* Fully buffer all of the fragments */ +- +diff -ruN /usr/ports/security/pf/files/patch-ag pf/files/patch-ag +--- /usr/ports/security/pf/files/patch-ag Fri Aug 29 05:14:03 2003 ++++ pf/files/patch-ag Thu Jan 1 01:00:00 1970 +@@ -1,383 +0,0 @@ +---- pf/pf_norm.c Fri Aug 29 03:31:24 2003 +-+++ pf/pf_norm.c Fri Aug 29 03:40:58 2003 +-@@ -117,10 +117,10 @@ +- void pf_flush_fragments(void); +- void pf_free_fragment(struct pf_fragment *); +- struct pf_fragment *pf_find_fragment(struct ip *, struct pf_frag_tree *); +--struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment *, +-+struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment **, +- struct pf_frent *, int); +- struct mbuf *pf_fragcache(struct mbuf **, struct ip*, +-- struct pf_fragment *, int, int, int *); +-+ struct pf_fragment **, int, int, int *); +- u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t); +- int pf_normalize_tcp(int, struct ifnet *, struct mbuf *, +- int, int, void *, struct pf_pdesc *); +-@@ -385,7 +385,7 @@ +- } +- +- struct mbuf * +--pf_reassemble(struct mbuf **m0, struct pf_fragment *frag, +-+pf_reassemble(struct mbuf **m0, struct pf_fragment **frag, +- 
struct pf_frent *frent, int mff) +- { +- struct mbuf *m = *m0, *m2; +-@@ -397,10 +397,10 @@ +- u_int16_t max = ip->ip_len + off; +- +- #if defined(__FreeBSD__) +-- KASSERT((frag == NULL || BUFFER_FRAGMENTS(frag)), +-- ("! (frag == NULL || BUFFER_FRAGMENTS(frag)): %s", __FUNCTION__)); +-+ KASSERT((*frag == NULL || BUFFER_FRAGMENTS(*frag)), +-+ ("! (*frag == NULL || BUFFER_FRAGMENTS(*frag)): %s", __FUNCTION__)); +- #else +-- KASSERT(frag == NULL || BUFFER_FRAGMENTS(frag)); +-+ KASSERT(*frag == NULL || BUFFER_FRAGMENTS(*frag)); +- #endif +- +- /* Strip off ip header */ +-@@ -408,38 +408,38 @@ +- m->m_len -= hlen; +- +- /* Create a new reassembly queue for this packet */ +-- if (frag == NULL) { +-+ if (*frag == NULL) { +- #if defined(__FreeBSD__) +-- frag = uma_zalloc(pf_frag_pl, M_NOWAIT); +-+ *frag = uma_zalloc(pf_frag_pl, M_NOWAIT); +- #else +-- frag = pool_get(&pf_frag_pl, PR_NOWAIT); +-+ *frag = pool_get(&pf_frag_pl, PR_NOWAIT); +- #endif +-- if (frag == NULL) { +-+ if (*frag == NULL) { +- pf_flush_fragments(); +- #if defined(__FreeBSD__) +-- frag = uma_zalloc(pf_frag_pl, M_NOWAIT); +-+ *frag = uma_zalloc(pf_frag_pl, M_NOWAIT); +- #else +-- frag = pool_get(&pf_frag_pl, PR_NOWAIT); +-+ *frag = pool_get(&pf_frag_pl, PR_NOWAIT); +- #endif +-- if (frag == NULL) +-+ if (*frag == NULL) +- goto drop_fragment; +- } +- +-- frag->fr_flags = 0; +-- frag->fr_max = 0; +-- frag->fr_src = frent->fr_ip->ip_src; +-- frag->fr_dst = frent->fr_ip->ip_dst; +-- frag->fr_p = frent->fr_ip->ip_p; +-- frag->fr_id = frent->fr_ip->ip_id; +-+ (*frag)->fr_flags = 0; +-+ (*frag)->fr_max = 0; +-+ (*frag)->fr_src = frent->fr_ip->ip_src; +-+ (*frag)->fr_dst = frent->fr_ip->ip_dst; +-+ (*frag)->fr_p = frent->fr_ip->ip_p; +-+ (*frag)->fr_id = frent->fr_ip->ip_id; +- #if defined(__FreeBSD__) +-- frag->fr_timeout = time_second; +-+ (*frag)->fr_timeout = time_second; +- #else +-- frag->fr_timeout = time.tv_sec; +-+ (*frag)->fr_timeout = time.tv_sec; +- #endif +-- LIST_INIT(&frag->fr_queue); +-+ 
LIST_INIT(&(*frag)->fr_queue); +- +-- RB_INSERT(pf_frag_tree, &pf_frag_tree, frag); +-- TAILQ_INSERT_HEAD(&pf_fragqueue, frag, frag_next); +-+ RB_INSERT(pf_frag_tree, &pf_frag_tree, *frag); +-+ TAILQ_INSERT_HEAD(&pf_fragqueue, *frag, frag_next); +- +- /* We do not have a previous fragment */ +- frep = NULL; +-@@ -450,7 +450,7 @@ +- * Find a fragment after the current one: +- * - off contains the real shifted offset. +- */ +-- LIST_FOREACH(frea, &frag->fr_queue, fr_next) { +-+ LIST_FOREACH(frea, &(*frag)->fr_queue, fr_next) { +- if (frea->fr_ip->ip_off > off) +- break; +- frep = frea; +-@@ -503,41 +503,41 @@ +- +- insert: +- /* Update maximum data size */ +-- if (frag->fr_max < max) +-- frag->fr_max = max; +-+ if ((*frag)->fr_max < max) +-+ (*frag)->fr_max = max; +- /* This is the last segment */ +- if (!mff) +-- frag->fr_flags |= PFFRAG_SEENLAST; +-+ (*frag)->fr_flags |= PFFRAG_SEENLAST; +- +- if (frep == NULL) +-- LIST_INSERT_HEAD(&frag->fr_queue, frent, fr_next); +-+ LIST_INSERT_HEAD(&(*frag)->fr_queue, frent, fr_next); +- else +- LIST_INSERT_AFTER(frep, frent, fr_next); +- +- /* Check if we are completely reassembled */ +-- if (!(frag->fr_flags & PFFRAG_SEENLAST)) +-+ if (!((*frag)->fr_flags & PFFRAG_SEENLAST)) +- return (NULL); +- +- /* Check if we have all the data */ +- off = 0; +-- for (frep = LIST_FIRST(&frag->fr_queue); frep; frep = next) { +-+ for (frep = LIST_FIRST(&(*frag)->fr_queue); frep; frep = next) { +- next = LIST_NEXT(frep, fr_next); +- +- off += frep->fr_ip->ip_len; +-- if (off < frag->fr_max && +-+ if (off < (*frag)->fr_max && +- (next == NULL || next->fr_ip->ip_off != off)) { +- DPFPRINTF(("missing fragment at %d, next %d, max %d\n", +- off, next == NULL ? 
-1 : next->fr_ip->ip_off, +-- frag->fr_max)); +-+ (*frag)->fr_max)); +- return (NULL); +- } +- } +-- DPFPRINTF(("%d < %d?\n", off, frag->fr_max)); +-- if (off < frag->fr_max) +-+ DPFPRINTF(("%d < %d?\n", off, (*frag)->fr_max)); +-+ if (off < (*frag)->fr_max) +- return (NULL); +- +- /* We have all the data */ +-- frent = LIST_FIRST(&frag->fr_queue); +-+ frent = LIST_FIRST(&(*frag)->fr_queue); +- #if defined(__FreeBSD__) +- KASSERT((frent != NULL), ("frent == NULL: %s", __FUNCTION__)); +- #else +-@@ -545,7 +545,8 @@ +- #endif +- if ((frent->fr_ip->ip_hl << 2) + off > IP_MAXPACKET) { +- DPFPRINTF(("drop: too big: %d\n", off)); +-- pf_free_fragment(frag); +-+ pf_free_fragment(*frag); +-+ *frag = NULL; +- return (NULL); +- } +- next = LIST_NEXT(frent, fr_next); +-@@ -575,11 +576,12 @@ +- m_cat(m, m2); +- } +- +-- ip->ip_src = frag->fr_src; +-- ip->ip_dst = frag->fr_dst; +-+ ip->ip_src = (*frag)->fr_src; +-+ ip->ip_dst = (*frag)->fr_dst; +- +- /* Remove from fragment queue */ +-- pf_remove_fragment(frag); +-+ pf_remove_fragment(*frag); +-+ *frag = NULL; +- +- hlen = ip->ip_hl << 2; +- ip->ip_len = off + hlen; +-@@ -611,7 +613,7 @@ +- } +- +- struct mbuf * +--pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment *frag, int mff, +-+pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment **frag, int mff, +- int drop, int *nomem) +- { +- struct mbuf *m = *m0; +-@@ -622,27 +624,27 @@ +- int hosed = 0; +- +- #if defined(__FreeBSD__) +-- KASSERT((frag == NULL || !BUFFER_FRAGMENTS(frag)), +-- ("!(frag == NULL || !BUFFER_FRAGMENTS(frag)): %s", __FUNCTION__)); +-+ KASSERT((*frag == NULL || !BUFFER_FRAGMENTS(*frag)), +-+ ("!(*frag == NULL || !BUFFER_FRAGMENTS(*frag)): %s", __FUNCTION__)); +- #else +-- KASSERT(frag == NULL || !BUFFER_FRAGMENTS(frag)); +-+ KASSERT(*frag == NULL || !BUFFER_FRAGMENTS(*frag)); +- #endif +- +- /* Create a new range queue for this packet */ +-- if (frag == NULL) { +-+ if (*frag == NULL) { +- #if defined(__FreeBSD__) +-- frag = 
uma_zalloc(pf_cache_pl, M_NOWAIT); +-+ *frag = uma_zalloc(pf_cache_pl, M_NOWAIT); +- #else +-- frag = pool_get(&pf_cache_pl, PR_NOWAIT); +-+ *frag = pool_get(&pf_cache_pl, PR_NOWAIT); +- #endif +-- if (frag == NULL) { +-+ if (*frag == NULL) { +- pf_flush_fragments(); +- #if defined(__FreeBSD__) +-- frag = uma_zalloc(pf_cache_pl, M_NOWAIT); +-+ *frag = uma_zalloc(pf_cache_pl, M_NOWAIT); +- #else +-- frag = pool_get(&pf_cache_pl, PR_NOWAIT); +-+ *frag = pool_get(&pf_cache_pl, PR_NOWAIT); +- #endif +-- if (frag == NULL) +-+ if (*frag == NULL) +- goto no_mem; +- } +- +-@@ -654,33 +656,34 @@ +- #endif +- if (cur == NULL) { +- #if defined(__FreeBSD__) +-- uma_zfree(pf_cache_pl, frag); +-+ uma_zfree(pf_cache_pl, *frag); +- #else +-- pool_put(&pf_cache_pl, frag); +-+ pool_put(&pf_cache_pl, *frag); +- #endif +-+ *frag = NULL; +- goto no_mem; +- } +- pf_ncache++; +- +-- frag->fr_flags = PFFRAG_NOBUFFER; +-- frag->fr_max = 0; +-- frag->fr_src = h->ip_src; +-- frag->fr_dst = h->ip_dst; +-- frag->fr_p = h->ip_p; +-- frag->fr_id = h->ip_id; +-+ (*frag)->fr_flags = PFFRAG_NOBUFFER; +-+ (*frag)->fr_max = 0; +-+ (*frag)->fr_src = h->ip_src; +-+ (*frag)->fr_dst = h->ip_dst; +-+ (*frag)->fr_p = h->ip_p; +-+ (*frag)->fr_id = h->ip_id; +- #if defined(__FreeBSD__) +-- frag->fr_timeout = time_second; +-+ (*frag)->fr_timeout = time_second; +- #else +-- frag->fr_timeout = time.tv_sec; +-+ (*frag)->fr_timeout = time.tv_sec; +- #endif +- +- cur->fr_off = off; +- cur->fr_end = max; +-- LIST_INIT(&frag->fr_cache); +-- LIST_INSERT_HEAD(&frag->fr_cache, cur, fr_next); +-+ LIST_INIT(&(*frag)->fr_cache); +-+ LIST_INSERT_HEAD(&(*frag)->fr_cache, cur, fr_next); +- +-- RB_INSERT(pf_frag_tree, &pf_cache_tree, frag); +-- TAILQ_INSERT_HEAD(&pf_cachequeue, frag, frag_next); +-+ RB_INSERT(pf_frag_tree, &pf_cache_tree, *frag); +-+ TAILQ_INSERT_HEAD(&pf_cachequeue, *frag, frag_next); +- +- DPFPRINTF(("fragcache[%d]: new %d-%d\n", h->ip_id, off, max)); +- +-@@ -692,7 +695,7 @@ +- * - off contains the real 
shifted offset. +- */ +- frp = NULL; +-- LIST_FOREACH(fra, &frag->fr_cache, fr_next) { +-+ LIST_FOREACH(fra, &(*frag)->fr_cache, fr_next) { +- if (fra->fr_off > off) +- break; +- frp = fra; +-@@ -929,21 +932,22 @@ +- +- pass: +- /* Update maximum data size */ +-- if (frag->fr_max < max) +-- frag->fr_max = max; +-+ if ((*frag)->fr_max < max) +-+ (*frag)->fr_max = max; +- +- /* This is the last segment */ +- if (!mff) +-- frag->fr_flags |= PFFRAG_SEENLAST; +-+ (*frag)->fr_flags |= PFFRAG_SEENLAST; +- +- /* Check if we are completely reassembled */ +-- if ((frag->fr_flags & PFFRAG_SEENLAST) && +-- LIST_FIRST(&frag->fr_cache)->fr_off == 0 && +-- LIST_FIRST(&frag->fr_cache)->fr_end == frag->fr_max) { +-+ if (((*frag)->fr_flags & PFFRAG_SEENLAST) && +-+ LIST_FIRST(&(*frag)->fr_cache)->fr_off == 0 && +-+ LIST_FIRST(&(*frag)->fr_cache)->fr_end == (*frag)->fr_max) { +- /* Remove from fragment queue */ +- DPFPRINTF(("fragcache[%d]: done 0-%d\n", h->ip_id, +-- frag->fr_max)); +-- pf_free_fragment(frag); +-+ (*frag)->fr_max)); +-+ pf_free_fragment(*frag); +-+ *frag = NULL; +- } +- +- return (m); +-@@ -952,8 +956,8 @@ +- *nomem = 1; +- +- /* Still need to pay attention to !IP_MF */ +-- if (!mff && frag) +-- frag->fr_flags |= PFFRAG_SEENLAST; +-+ if (!mff && *frag != NULL) +-+ (*frag)->fr_flags |= PFFRAG_SEENLAST; +- +- m_freem(m); +- return (NULL); +-@@ -961,15 +965,15 @@ +- drop_fragment: +- +- /* Still need to pay attention to !IP_MF */ +-- if (!mff && frag) +-- frag->fr_flags |= PFFRAG_SEENLAST; +-+ if (!mff && *frag != NULL) +-+ (*frag)->fr_flags |= PFFRAG_SEENLAST; +- +- if (drop) { +- /* This fragment has been deemed bad. 
Don't reass */ +-- if ((frag->fr_flags & PFFRAG_DROP) == 0) +-+ if (((*frag)->fr_flags & PFFRAG_DROP) == 0) +- DPFPRINTF(("fragcache[%d]: dropping overall fragment\n", +- h->ip_id)); +-- frag->fr_flags |= PFFRAG_DROP; +-+ (*frag)->fr_flags |= PFFRAG_DROP; +- } +- +- m_freem(m); +-@@ -1085,12 +1089,12 @@ +- +- /* Might return a completely reassembled mbuf, or NULL */ +- DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max)); +-- *m0 = m = pf_reassemble(m0, frag, frent, mff); +-+ *m0 = m = pf_reassemble(m0, &frag, frent, mff); +- +- if (m == NULL) +- return (PF_DROP); +- +-- if (frag && (frag->fr_flags & PFFRAG_DROP)) +-+ if (frag != NULL && (frag->fr_flags & PFFRAG_DROP)) +- goto drop; +- +- h = mtod(m, struct ip *); +-@@ -1119,7 +1123,7 @@ +- goto bad; +- } +- +-- *m0 = m = pf_fragcache(m0, h, frag, mff, +-+ *m0 = m = pf_fragcache(m0, h, &frag, mff, +- (r->rule_flag & PFRULE_FRAGDROP) ? 1 : 0, &nomem); +- if (m == NULL) { +- if (nomem) +-@@ -1135,7 +1139,7 @@ +- goto no_mem; +- m_tag_prepend(m, mtag); +- } +-- if (frag && (frag->fr_flags & PFFRAG_DROP)) +-+ if (frag != NULL && (frag->fr_flags & PFFRAG_DROP)) +- goto drop; +- goto fragment_pass; +- } +diff -ruN /usr/ports/security/pf/files/pf.conf.default pf/files/pf.conf.default +--- /usr/ports/security/pf/files/pf.conf.default Fri Jun 13 03:09:29 2003 ++++ pf/files/pf.conf.default Sat Sep 27 09:51:28 2003 +@@ -1,4 +1,4 @@ +-# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $ ++# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $ + # + # See pf.conf(5) and /usr/share/pf for syntax and examples. + # Required order: options, normalization, queueing, translation, filtering. +@@ -15,17 +15,19 @@ + #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 } + + # Options: tune the behavior of pf, default values are given. 
+-#set timeout { interval 30, frag 10 } ++#set timeout { interval 10, frag 30 } + #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } + #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 } + #set timeout { udp.first 60, udp.single 30, udp.multiple 60 } + #set timeout { icmp.first 20, icmp.error 10 } + #set timeout { other.first 60, other.single 30, other.multiple 60 } ++#set timeout { adaptive.start 0, adaptive.end 0 } + #set limit { states 10000, frags 5000 } + #set loginterface none + #set optimization normal + #set block-policy drop + #set require-order yes ++#set fingerprints "/etc/pf.os" + + # Normalization: reassemble fragments and resolve or reduce traffic ambiguities. + #scrub in all +diff -ruN /usr/ports/security/pf/files/pf.os.default pf/files/pf.os.default +--- /usr/ports/security/pf/files/pf.os.default Thu Jan 1 01:00:00 1970 ++++ pf/files/pf.os.default Sat Sep 27 09:50:08 2003 +@@ -0,0 +1,551 @@ ++# $OpenBSD: pf.os,v 1.10 2003/09/06 01:37:07 frantzen Exp $ ++# passive OS fingerprinting ++# ------------------------- ++# ++# SYN signatures. Those signatures work for SYN packets only (duh!). ++# ++# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx> ++# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org> ++# ++# Permission to use, copy, modify, and distribute this software for any ++# purpose with or without fee is hereby granted, provided that the above ++# copyright notice and this permission notice appear in all copies. ++# ++# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++# MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ++# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++# ++# ++# This fingerprint database is adapted from Michal Zalewski's p0f passive ++# operating system package. ++# ++# ++# Each line in this file specifies a single fingerprint. Please read the ++# information below carefully before attempting to append any signatures ++# reported as UNKNOWN to this file to avoid mistakes. ++# ++# We use the following set metrics for fingerprinting: ++# ++# - Window size (WSS) - a highly OS dependent setting used for TCP/IP ++# performance control (max. amount of data to be sent without ACK). ++# Some systems use a fixed value for initial packets. On other ++# systems, it is a multiple of MSS or MTU (MSS+40). In some rare ++# cases, the value is just arbitrary. ++# ++# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number ++# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn' ++# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the ++# value of nn is not fixed (unlikely), just copy the Snn or Tnn token ++# literally. If you know this device has a simple stack and a fixed ++# MTU, you can however multiply S value by MSS, or T value by MSS+40, ++# and put it instead of Snn or Tnn. ++# ++# If WSS otherwise looks like a fixed value (for example a multiple ++# of two), or if you can confirm the value is fixed, please quote ++# it literally. If there's no apparent pattern in WSS chosen, you ++# should consider wildcarding this value. ++# ++# - Overall packet size - a function of all IP and TCP options and bugs. ++# ++# NEW SIGNATURE: Copy this value literally. ++# ++# - Initial TTL - We check the actual TTL of a received packet. 
It can't ++# be higher than the initial TTL, and also shouldn't be dramatically ++# lower (maximum distance is defined as 40 hops). ++# ++# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally. ++# You need to determine the initial TTL. The best way to do it is to ++# check the documentation for a remote system, or check its settings. ++# A fairly good method is to simply round the observed TTL up to ++# 32, 64, 128, or 255, but it should be noted that some obscure devices ++# might not use round TTLs (in particular, some shoddy appliances use ++# "original" initial TTL settings). If not sure, you can see how many ++# hops you're away from the remote party with traceroute or mtr. ++# ++# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU ++# discovery. Others do not bother. ++# ++# NEW SIGNATURE: Copy this value literally. ++# ++# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f ++# uses it to determine link type of the remote host. ++# ++# NEW SIGNATURE: Always wildcard this value, except for rare cases when ++# you have an appliance with a fixed value, know the system supports only ++# a very limited number of network interface types, or know the system ++# is using a value it pulled out of nowhere. Specific unique MSS ++# can be used to tell Google crawlbots from the rest of the population. ++# ++# - Window scaling (WSCALE) - this feature is used to scale WSS. ++# It extends the size of a TCP/IP window to 32 bits. Some modern ++# systems implement this feature. ++# ++# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set ++# to zero or other low value. There's usually no need to wildcard this ++# parameter. ++# ++# - Timestamp - some systems that implement timestamps set them to ++# zero in the initial SYN. This case is detected and handled appropriately. ++# ++# - Selective ACK permitted - a flag set by systems that implement ++# selective ACK functionality. 
++# ++# - The sequence of TCP all options (MSS, window scaling, selective ACK ++# permitted, timestamp, NOP). Other than the options previously ++# discussed, p0f also checks for timestamp option (a silly ++# extension to broadcast your uptime ;-), NOP options (used for ++# header padding) and sackOK option (selective ACK feature). ++# ++# NEW SIGNATURE: Copy the sequence literally. ++# ++# To wildcard any value (except for initial TTL or TCP options), replace ++# it with '*'. You can also use a modulo operator to match any values ++# that divide by nnn - '%nnn'. ++# ++# Fingerprint entry format: ++# ++# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details ++# ++# wwww - window size (can be *, %nnn, Snn or Tnn). The special values ++# "S" and "T" which are a multiple of MSS or a multiple of MTU ++# respectively. ++# ttt - initial TTL ++# D - don't fragment bit (0 - not set, 1 - set) ++# ss - overall SYN packet size ++# OOO - option value and order specification (see below) ++# OS - OS genre (Linux, Solaris, Windows) ++# Version - OS Version (2.0.27 on x86, etc) ++# Subtype - OS subtype or patchlevel (SP3, lo0) ++# details - Generic OS details ++# ++# If OS genre starts with '*', p0f will not show distance, link type ++# and timestamp data. It is useful for userland TCP/IP stacks of ++# network scanners and so on, where many settings are randomized or ++# bogus. ++# ++# If OS genre starts with @, it denotes an approximate hit for a group ++# of operating systems (signature reporting still enabled in this case). ++# Use this feature at the end of this file to catch cases for which ++# you don't have a precise match, but can tell it's Windows or FreeBSD ++# or whatnot by looking at, say, flag layout alone. 
++# ++# Option block description is a list of comma or space separated ++# options in the order they appear in the packet: ++# ++# N - NOP option ++# Wnnn - window scaling option, value nnn (or * or %nnn) ++# Mnnn - maximum segment size option, value nnn (or * or %nnn) ++# S - selective ACK OK ++# T - timestamp ++# T0 - timestamp with a zero value ++# ++# To denote no TCP options, use a single '.'. ++# ++# Please report any additions to this file, or any inaccuracies or ++# problems spotted, to the maintainers: lcamtuf@coredump.cx, ++# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet ++# capture of the relevant SYN packet(s) ++# ++# WARNING WARNING WARNING ++# ----------------------- ++# ++# Do not add a system X as OS Y just because NMAP says so. It is often ++# the case that X is a NAT firewall. While nmap is talking to the ++# device itself, p0f is fingerprinting the guy behind the firewall ++# instead. ++# ++# When in doubt, use common sense, don't add something that looks like ++# a completely different system as Linux or FreeBSD or LinkSys router. ++# Check DNS name, establish a connection to the remote host and look ++# at SYN+ACK - does it look similar? ++# ++# Some users tweak their TCP/IP settings - enable or disable RFC1323 ++# functionality, enable or disable timestamps or selective ACK, ++# disable PMTU discovery, change MTU and so on. Always compare a new rule ++# to other fingerprints for this system, and verify the system isn't ++# "customized" before adding it. It is OK to add signature variants ++# caused by a commonly used software (personal firewalls, security ++# packages, etc), but it makes no sense to try to add every single ++# possible /proc/sys/net/ipv4 tweak on Linux or so. ++# ++# KEEP IN MIND: Some packet firewalls configured to normalize outgoing ++# traffic (OpenBSD pf with "scrub" enabled, for example) will, well, ++# normalize packets. 
Signatures will not correspond to the originating ++# system (and probably not quite to the firewall either). ++# ++# NOTE: Try to keep this file in some reasonable order, from most to ++# least likely systems. This will speed up operation. Also keep most ++# generic and broad rules near the end. ++# ++ ++########################## ++# Standard OS signatures # ++########################## ++ ++# ----------------- AIX --------------------- ++ ++# AIX is first because its signatures are close to NetBSD, MacOS X and ++# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes... ++# This is a shoddy hack, though. ++ ++16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier ++ ++16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 ++16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 ++32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 ++32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 ++65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 ++65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 ++65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1 ++ ++# ----------------- Linux ------------------- ++ ++512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x ++16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x ++ ++# Endian snafu! 
Nelson says "ha-ha": ++2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac ++64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac ++ ++ ++S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot) ++ ++S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy) ++S3:64:1:60:M*,S,T,N,W0: Linux:2.4:18-21:Linux 2.4.18 and newer ++S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 ++S4:64:1:60:M*,S,T,N,W0: Linux:2.6::Linux 2.4/2.6 ++ ++S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 ++S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6 ++ ++S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer ++S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 ++S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 ++ ++# Popular cluster config scripts disable timestamps and ++# selective ACK: ++S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster ++ ++# This needs to be investigated. On some systems, WSS ++# is selected as a multiple of MTU instead of MSS. I got ++# many submissions for this for many late versions of 2.4: ++T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon) ++ ++# This happens only over loopback, but let's make folks happy: ++32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local) ++S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local) ++ ++# Opera visitors: ++16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?) ++32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?) 
++ ++# Some fairly common mods: ++S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps ++S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps ++ ++ ++# ----------------- FreeBSD ----------------- ++ ++16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.1 ++16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.1 ++16384:64:1:44:M*: FreeBSD:4.0-4.1::FreeBSD 2.0-4.1 ++16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 ++ ++1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 ++ ++57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323) ++57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.8::FreeBSD 4.6-4.8 ++ ++32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X) ++32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X) ++65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X) ++65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X) ++65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.9::FreeBSD 4.7-5.1 ++65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.7-5.1 ++ ++# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps) ++ ++# ----------------- NetBSD ------------------ ++ ++65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera) ++16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6 ++16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF) ++16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3 ++65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF) ++ ++# ----------------- OpenBSD ----------------- ++ ++16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6) ++16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4::OpenBSD 3.0-3.4 ++16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:no-df:OpenBSD 3.0-3.4 (scrub no-df) ++57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4::OpenBSD 3.3-3.4 ++57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4:no-df:OpenBSD 3.3-3.4 (scrub no-df) ++ 
++65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:opera:OpenBSD 3.0-3.4 (Opera) ++ ++# ----------------- Solaris ----------------- ++ ++S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323 ++S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8 ++S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7 ++ ++S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7 ++S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1 ++S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9 ++S44:255:1:44:M*: Solaris:2.7::Solaris 7 ++ ++# ----------------- IRIX -------------------- ++ ++49152:64:0:44:M*: IRIX:6.4::IRIX 6.4 ++61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5 ++49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323) ++49152:64:0:52:M*,N,W3,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323) ++ ++61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21 ++49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21 ++ ++# ----------------- Tru64 ------------------- ++ ++32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 ++32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0 ++8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6) ++ ++# This looks awfully Linuxish :/ ++# S22:64:0:60:M*,S,T,N,W0: Tru64:5.0:a:Tru64 5.0a ++ ++61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack) ++ ++ ++# ----------------- OpenVMS ----------------- ++ ++6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack) ++ ++# ----------------- MacOS ------------------- ++ ++16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP) ++16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP) ++32768:255:1:48:M*,W0,N: MacOS:9.1-9.2::MacOS 9.1/9.2 ++32768:64:0:60:M*,N,W0,N,N,T: MacOS:X:10.2:MacOS X 10.2 ++ ++# ----------------- Windows ----------------- ++ ++# Windows 95 - need more: ++ ++8192:32:1:44:M*: Windows:95::Windows 95 (low TTL) ++ ++# Windows 98 - plenty of silly signatures: ++S44:32:1:48:M*,N,N,S: Windows:98::Windows 98 (low TTL) 
++8192:32:1:48:M*,N,N,S: Windows:98::Windows 98 (low TTL) ++ ++%8192:64:1:48:M*,N,N,S: Windows:98::Windows 98 (or newer XP/2000 with tweaked TTL) ++S4:64:1:48:M*,N,N,S: Windows:98::Windows 98 ++S6:64:1:48:M*,N,N,S: Windows:98::Windows 98 ++S12:64:1:48:M*,N,N,S: Windows:98::Windows 98 ++32767:64:1:48:M*,N,N,S: Windows:98::Windows 98 ++37300:64:1:48:M*,N,N,S: Windows:98::Windows 98 ++46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323) ++65535:64:1:44:M*: Windows:98:noSACK:Windows 98 (no sack) ++ ++S16:128:1:48:M*,N,N,S: Windows:98::Windows 98 ++S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98 ++S26:128:1:48:M*,N,N,S: Windows:98::Windows 98 ++T30:128:1:48:M*,N,N,S: Windows:98::Windows 98 ++32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98 ++60352:128:1:48:M*,N,N,S: Windows:98::Windows 98 ++60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98 ++ ++# Windows NT 4.0 - need more: ++ ++64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a ++8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older) ++6144:128:1:52:M*,W0,N,S,N,N: Windows:NT:4.0:Windows NT 4.0 (RFC1323) ++ ++# Windows XP and 2000. Most of the signatures that were ++# either dubious or non-specific (no service pack data) ++# were deleted and replaced with generics at the end. 
++ ++65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1 ++%8192:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1 ++S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4 ++S6:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows XP SP1, 2000 SP4 ++S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows XP Pro SP1, 2000 SP3 ++ ++S6:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1, 2000 SP4 ++S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP Pro SP1, 2000 SP3 ++64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1 ++32767:128:1:48:M1452,N,N,S: Windows:XP:SP1:Windows XP SP1 ++65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1 ++%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1 ++ ++# Odds, ends, mods: ++ ++S52:128:1:48:M1260,N,N,S: Windows:XP:Cisco:Windows XP/2000 via Cisco ++S52:128:1:48:M1260,N,N,S: Windows:2000:Cisco:Windows XP/2000 via Cisco ++ ++# HUNT DOWN: ++# *:128:1:48:M*,N,N,S:U:@Windows:XP (leak) (PLEASE REPORT) ++ ++# ----------------- HP/UX ------------------- ++ ++32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20 ++32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0 ++32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11 ++32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11 ++ ++# Whoa. Hardcore WSS. 
++0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323) ++ ++ ++# ----------------- RiscOS ------------------ ++ ++# We don't yet support the ?12 TCP option ++#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36 ++ ++# ----------------- BSD/OS ------------------ ++ ++# Once again, power of two WSS is also shared by MacOS X with DF set ++8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF) ++8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2) ++ ++ ++# ---------------- NewtonOS ----------------- ++ ++4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1 ++ ++# ---------------- NeXTSTEP ----------------- ++ ++S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3 ++ ++# ------------------ BeOS ------------------- ++ ++1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1 ++12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x ++ ++# ------------------ OS/400 ----------------- ++ ++8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5 ++8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5 ++4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032 ++ ++ ++# ------------------ ULTRIX ----------------- ++ ++16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5 ++ ++# ------------------- QNX ------------------- ++ ++S16:64:0:44:M512: QNX:::QNX demodisk ++ ++# ------------------ Novell ----------------- ++ ++16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0 ++6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11 ++ ++# ----------------- SCO ------------------ ++S17:64:1:44:M1460: SCO:Unixware:7.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06 ++S17:64:1:44:M1460: SCO:OpenServer:5.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06 ++S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1 ++ ++# ------------------- DOS ------------------- ++ ++2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05 ++ ++########################################### ++# Appliance / embedded / other 
signatures # ++########################################### ++ ++# ---------- Firewalls / routers ------------ ++ ++S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1) ++S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2) ++4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x ++60352:64:0:52:M1460,N,W2,N,N,S: Clavister:7::Clavister firewall 7.x ++ ++# ------- Switches and other stuff ---------- ++ ++4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc ++S8:255:0:44:M*: Cisco:12008::Cisco 12008 ++60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch ++64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client ++ ++ ++# ---------- Caches and whatnots ------------ ++ ++S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache ++ ++32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x ++16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1 ++65535:64:0:64:M1460,N,N,S,N,W3,N,N,T: NetApp:5.3:1:NetApp 5.3.1 ++65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow ++8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1 ++ ++S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine ++ ++27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based) ++ ++65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler ++S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg ++ ++ ++16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?) ++ ++# ----------- Embedded systems -------------- ++ ++S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C ++S5:255:0:44:M536: PalmOS:3::PalmOS 3/4 ++S5:255:0:44:M536: PalmOS:4::PalmOS 3/4 ++S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5 ++2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera) ++ ++S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7 ++8192:255:0:44:M1460: SymbianOS:6048::SymbianOS 6048 (on Nokia 7650?) ++8192:255:0:44:M536: SymbianOS:::SymbianOS (on Nokia 9210?) ++ ++ ++# Perhaps S4? 
++5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10 ++ ++32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002 ++ ++S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0 ++ ++4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0 ++ ++S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64 ++ ++ ++ ++#################### ++# Fancy signatures # ++#################### ++ ++1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1) ++2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2) ++3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3) ++4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4) ++ ++1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1) ++2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2) ++3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3) ++4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4) ++ ++##################################### ++# Generic signatures - just in case # ++##################################### ++ ++#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x ++#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x ++ ++*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp) ++*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp) ++*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323) ++*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323) ++*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+) ++*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000 ++*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000 ++ ++ +diff -ruN /usr/ports/security/pf/pkg-plist pf/pkg-plist +--- /usr/ports/security/pf/pkg-plist Fri Jun 13 03:09:29 2003 ++++ pf/pkg-plist Sat Sep 27 14:34:16 2003 +@@ -9,14 +9,26 @@ + sbin/pfctl + sbin/pflogd + sbin/pftcpdump +-sbin/pftop + + etc/rc.d/pf.sh.sample + etc/pf.conf.default ++etc/pf.os + + 
include/pf/net/pfvar.h
+ include/pf/net/if_pflog.h
+ include/pf/net/if_pfsync.h
++%%WITH_ALTQ%%include/pf/altq/altq.h
++%%WITH_ALTQ%%include/pf/altq/altq_cbq.h
++%%WITH_ALTQ%%include/pf/altq/altq_cdnr.h
++%%WITH_ALTQ%%include/pf/altq/altq_classq.h
++%%WITH_ALTQ%%include/pf/altq/altq_hfsc.h
++%%WITH_ALTQ%%include/pf/altq/altq_priq.h
++%%WITH_ALTQ%%include/pf/altq/altq_red.h
++%%WITH_ALTQ%%include/pf/altq/altq_rio.h
++%%WITH_ALTQ%%include/pf/altq/altq_rmclass.h
++%%WITH_ALTQ%%include/pf/altq/altq_rmclass_debug.h
++%%WITH_ALTQ%%include/pf/altq/altq_var.h
++%%WITH_ALTQ%%include/pf/altq/if_altq.h
+ 
+ @dirrm modules
+ @dirrm include/pf/net
diff --git a/security/pf/files/pf.conf.default b/security/pf/files/pf.conf.default
index 58923c97852c..3f3500737758 100644
--- a/security/pf/files/pf.conf.default
+++ b/security/pf/files/pf.conf.default
@@ -1,4 +1,4 @@
-# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
+# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
 #
 # See pf.conf(5) and /usr/share/pf for syntax and examples.
 # Required order: options, normalization, queueing, translation, filtering.
@@ -15,17 +15,19 @@
 #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
 
 # Options: tune the behavior of pf, default values are given.
-#set timeout { interval 30, frag 10 }
+#set timeout { interval 10, frag 30 }
 #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
 #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
 #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
 #set timeout { icmp.first 20, icmp.error 10 }
 #set timeout { other.first 60, other.single 30, other.multiple 60 }
+#set timeout { adaptive.start 0, adaptive.end 0 }
 #set limit { states 10000, frags 5000 }
 #set loginterface none
 #set optimization normal
 #set block-policy drop
 #set require-order yes
+#set fingerprints "/etc/pf.os"
 
 # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
 #scrub in all
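Review bot: The new `+#set fingerprints "/etc/pf.os"` line in the second pf.conf.default hunk points at /etc/pf.os, but the pkg-plist hunk earlier on this page installs the database as `etc/pf.os` relative to the port prefix, so a user who uncomments the line as shipped will point pfctl at a file this package does not install. Unless the ported pfctl's compiled-in default path was also changed (not visible here), pfctl will most likely reject the ruleset at load time rather than silently skip OS matching, and any `os` criteria in rules become unusable. Since this sample is presented as "default values are given", the safest fix is to substitute the installed location when the sample is generated, e.g. `#set fingerprints "/usr/local/etc/pf.os"` via the port's prefix substitution, or to add a comment such as `# NOTE: this port installs the fingerprint database as PREFIX/etc/pf.os` directly above the line. The rest of the sample (timeout and limit defaults) only documents OpenBSD 3.4 values and needs no change.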
diff --git a/security/pf/files/pf.os.default b/security/pf/files/pf.os.default
new file mode 100644
index 000000000000..90b42eac57d6
--- /dev/null
+++ b/security/pf/files/pf.os.default
@@ -0,0 +1,551 @@ +# $OpenBSD: pf.os,v 1.10 2003/09/06 01:37:07 frantzen Exp $ +# passive OS fingerprinting +# ------------------------- +# +# SYN signatures. Those signatures work for SYN packets only (duh!). +# +# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx> +# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org> +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# +# +# This fingerprint database is adapted from Michal Zalewski's p0f passive +# operating system package. +# +# +# Each line in this file specifies a single fingerprint. Please read the +# information below carefully before attempting to append any signatures +# reported as UNKNOWN to this file to avoid mistakes. +# +# We use the following set metrics for fingerprinting: +# +# - Window size (WSS) - a highly OS dependent setting used for TCP/IP +# performance control (max. amount of data to be sent without ACK). +# Some systems use a fixed value for initial packets. On other +# systems, it is a multiple of MSS or MTU (MSS+40). In some rare +# cases, the value is just arbitrary. +# +# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number +# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn' +# means it is a multiple of MTU ((MSS+40)*nn). 
Unless you notice the +# value of nn is not fixed (unlikely), just copy the Snn or Tnn token +# literally. If you know this device has a simple stack and a fixed +# MTU, you can however multiply S value by MSS, or T value by MSS+40, +# and put it instead of Snn or Tnn. +# +# If WSS otherwise looks like a fixed value (for example a multiple +# of two), or if you can confirm the value is fixed, please quote +# it literally. If there's no apparent pattern in WSS chosen, you +# should consider wildcarding this value. +# +# - Overall packet size - a function of all IP and TCP options and bugs. +# +# NEW SIGNATURE: Copy this value literally. +# +# - Initial TTL - We check the actual TTL of a received packet. It can't +# be higher than the initial TTL, and also shouldn't be dramatically +# lower (maximum distance is defined as 40 hops). +# +# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally. +# You need to determine the initial TTL. The best way to do it is to +# check the documentation for a remote system, or check its settings. +# A fairly good method is to simply round the observed TTL up to +# 32, 64, 128, or 255, but it should be noted that some obscure devices +# might not use round TTLs (in particular, some shoddy appliances use +# "original" initial TTL settings). If not sure, you can see how many +# hops you're away from the remote party with traceroute or mtr. +# +# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU +# discovery. Others do not bother. +# +# NEW SIGNATURE: Copy this value literally. +# +# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f +# uses it to determine link type of the remote host. +# +# NEW SIGNATURE: Always wildcard this value, except for rare cases when +# you have an appliance with a fixed value, know the system supports only +# a very limited number of network interface types, or know the system +# is using a value it pulled out of nowhere. 
Specific unique MSS +# can be used to tell Google crawlbots from the rest of the population. +# +# - Window scaling (WSCALE) - this feature is used to scale WSS. +# It extends the size of a TCP/IP window to 32 bits. Some modern +# systems implement this feature. +# +# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set +# to zero or other low value. There's usually no need to wildcard this +# parameter. +# +# - Timestamp - some systems that implement timestamps set them to +# zero in the initial SYN. This case is detected and handled appropriately. +# +# - Selective ACK permitted - a flag set by systems that implement +# selective ACK functionality. +# +# - The sequence of TCP all options (MSS, window scaling, selective ACK +# permitted, timestamp, NOP). Other than the options previously +# discussed, p0f also checks for timestamp option (a silly +# extension to broadcast your uptime ;-), NOP options (used for +# header padding) and sackOK option (selective ACK feature). +# +# NEW SIGNATURE: Copy the sequence literally. +# +# To wildcard any value (except for initial TTL or TCP options), replace +# it with '*'. You can also use a modulo operator to match any values +# that divide by nnn - '%nnn'. +# +# Fingerprint entry format: +# +# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details +# +# wwww - window size (can be *, %nnn, Snn or Tnn). The special values +# "S" and "T" which are a multiple of MSS or a multiple of MTU +# respectively. +# ttt - initial TTL +# D - don't fragment bit (0 - not set, 1 - set) +# ss - overall SYN packet size +# OOO - option value and order specification (see below) +# OS - OS genre (Linux, Solaris, Windows) +# Version - OS Version (2.0.27 on x86, etc) +# Subtype - OS subtype or patchlevel (SP3, lo0) +# details - Generic OS details +# +# If OS genre starts with '*', p0f will not show distance, link type +# and timestamp data. 
It is useful for userland TCP/IP stacks of +# network scanners and so on, where many settings are randomized or +# bogus. +# +# If OS genre starts with @, it denotes an approximate hit for a group +# of operating systems (signature reporting still enabled in this case). +# Use this feature at the end of this file to catch cases for which +# you don't have a precise match, but can tell it's Windows or FreeBSD +# or whatnot by looking at, say, flag layout alone. +# +# Option block description is a list of comma or space separated +# options in the order they appear in the packet: +# +# N - NOP option +# Wnnn - window scaling option, value nnn (or * or %nnn) +# Mnnn - maximum segment size option, value nnn (or * or %nnn) +# S - selective ACK OK +# T - timestamp +# T0 - timestamp with a zero value +# +# To denote no TCP options, use a single '.'. +# +# Please report any additions to this file, or any inaccuracies or +# problems spotted, to the maintainers: lcamtuf@coredump.cx, +# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet +# capture of the relevant SYN packet(s) +# +# WARNING WARNING WARNING +# ----------------------- +# +# Do not add a system X as OS Y just because NMAP says so. It is often +# the case that X is a NAT firewall. While nmap is talking to the +# device itself, p0f is fingerprinting the guy behind the firewall +# instead. +# +# When in doubt, use common sense, don't add something that looks like +# a completely different system as Linux or FreeBSD or LinkSys router. +# Check DNS name, establish a connection to the remote host and look +# at SYN+ACK - does it look similar? +# +# Some users tweak their TCP/IP settings - enable or disable RFC1323 +# functionality, enable or disable timestamps or selective ACK, +# disable PMTU discovery, change MTU and so on. Always compare a new rule +# to other fingerprints for this system, and verify the system isn't +# "customized" before adding it. 
It is OK to add signature variants +# caused by a commonly used software (personal firewalls, security +# packages, etc), but it makes no sense to try to add every single +# possible /proc/sys/net/ipv4 tweak on Linux or so. +# +# KEEP IN MIND: Some packet firewalls configured to normalize outgoing +# traffic (OpenBSD pf with "scrub" enabled, for example) will, well, +# normalize packets. Signatures will not correspond to the originating +# system (and probably not quite to the firewall either). +# +# NOTE: Try to keep this file in some reasonable order, from most to +# least likely systems. This will speed up operation. Also keep most +# generic and broad rules near the end. +# + +########################## +# Standard OS signatures # +########################## + +# ----------------- AIX --------------------- + +# AIX is first because its signatures are close to NetBSD, MacOS X and +# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes... +# This is a shoddy hack, though. + +16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier + +16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 +16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 +32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 +32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 +65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2 +65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2 +65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1 + +# ----------------- Linux ------------------- + +512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x +16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x + +# Endian snafu! 
Nelson says "ha-ha": +2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac +64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac + + +S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot) + +S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy) +S3:64:1:60:M*,S,T,N,W0: Linux:2.4:18-21:Linux 2.4.18 and newer +S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 +S4:64:1:60:M*,S,T,N,W0: Linux:2.6::Linux 2.4/2.6 + +S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 +S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6 + +S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer +S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 +S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2 + +# Popular cluster config scripts disable timestamps and +# selective ACK: +S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster + +# This needs to be investigated. On some systems, WSS +# is selected as a multiple of MTU instead of MSS. I got +# many submissions for this for many late versions of 2.4: +T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon) + +# This happens only over loopback, but let's make folks happy: +32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local) +S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local) + +# Opera visitors: +16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?) +32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?) 
+ +# Some fairly common mods: +S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps +S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps + + +# ----------------- FreeBSD ----------------- + +16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.1 +16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.1 +16384:64:1:44:M*: FreeBSD:4.0-4.1::FreeBSD 2.0-4.1 +16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 + +1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4 + +57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323) +57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.8::FreeBSD 4.6-4.8 + +32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X) +32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X) +65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X) +65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X) +65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.9::FreeBSD 4.7-5.1 +65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.7-5.1 + +# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps) + +# ----------------- NetBSD ------------------ + +65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera) +16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6 +16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF) +16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3 +65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF) + +# ----------------- OpenBSD ----------------- + +16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6) +16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4::OpenBSD 3.0-3.4 +16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:no-df:OpenBSD 3.0-3.4 (scrub no-df) +57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4::OpenBSD 3.3-3.4 +57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4:no-df:OpenBSD 3.3-3.4 (scrub no-df) + +65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:opera:OpenBSD 3.0-3.4 
(Opera) + +# ----------------- Solaris ----------------- + +S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323 +S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8 +S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7 + +S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7 +S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1 +S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9 +S44:255:1:44:M*: Solaris:2.7::Solaris 7 + +# ----------------- IRIX -------------------- + +49152:64:0:44:M*: IRIX:6.4::IRIX 6.4 +61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5 +49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323) +49152:64:0:52:M*,N,W3,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323) + +61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21 +49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21 + +# ----------------- Tru64 ------------------- + +32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 +32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0 +8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6) + +# This looks awfully Linuxish :/ +# S22:64:0:60:M*,S,T,N,W0: Tru64:5.0:a:Tru64 5.0a + +61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack) + + +# ----------------- OpenVMS ----------------- + +6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack) + +# ----------------- MacOS ------------------- + +16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP) +16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP) +32768:255:1:48:M*,W0,N: MacOS:9.1-9.2::MacOS 9.1/9.2 +32768:64:0:60:M*,N,W0,N,N,T: MacOS:X:10.2:MacOS X 10.2 + +# ----------------- Windows ----------------- + +# Windows 95 - need more: + +8192:32:1:44:M*: Windows:95::Windows 95 (low TTL) + +# Windows 98 - plenty of silly signatures: +S44:32:1:48:M*,N,N,S: Windows:98::Windows 98 (low TTL) +8192:32:1:48:M*,N,N,S: Windows:98::Windows 98 (low TTL) + +%8192:64:1:48:M*,N,N,S: Windows:98::Windows 98 (or newer XP/2000 with tweaked TTL) 
+S4:64:1:48:M*,N,N,S: Windows:98::Windows 98 +S6:64:1:48:M*,N,N,S: Windows:98::Windows 98 +S12:64:1:48:M*,N,N,S: Windows:98::Windows 98 +32767:64:1:48:M*,N,N,S: Windows:98::Windows 98 +37300:64:1:48:M*,N,N,S: Windows:98::Windows 98 +46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323) +65535:64:1:44:M*: Windows:98:noSACK:Windows 98 (no sack) + +S16:128:1:48:M*,N,N,S: Windows:98::Windows 98 +S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98 +S26:128:1:48:M*,N,N,S: Windows:98::Windows 98 +T30:128:1:48:M*,N,N,S: Windows:98::Windows 98 +32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98 +60352:128:1:48:M*,N,N,S: Windows:98::Windows 98 +60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98 + +# Windows NT 4.0 - need more: + +64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a +8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older) +6144:128:1:52:M*,W0,N,S,N,N: Windows:NT:4.0:Windows NT 4.0 (RFC1323) + +# Windows XP and 2000. Most of the signatures that were +# either dubious or non-specific (no service pack data) +# were deleted and replaced with generics at the end. 
+ +65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1 +%8192:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1 +S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4 +S6:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows XP SP1, 2000 SP4 +S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows XP Pro SP1, 2000 SP3 + +S6:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1, 2000 SP4 +S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP Pro SP1, 2000 SP3 +64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1 +32767:128:1:48:M1452,N,N,S: Windows:XP:SP1:Windows XP SP1 +65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1 +%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1 + +# Odds, ends, mods: + +S52:128:1:48:M1260,N,N,S: Windows:XP:Cisco:Windows XP/2000 via Cisco +S52:128:1:48:M1260,N,N,S: Windows:2000:Cisco:Windows XP/2000 via Cisco + +# HUNT DOWN: +# *:128:1:48:M*,N,N,S:U:@Windows:XP (leak) (PLEASE REPORT) + +# ----------------- HP/UX ------------------- + +32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20 +32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0 +32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11 +32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11 + +# Whoa. Hardcore WSS. 
+0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323) + + +# ----------------- RiscOS ------------------ + +# We don't yet support the ?12 TCP option +#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36 + +# ----------------- BSD/OS ------------------ + +# Once again, power of two WSS is also shared by MacOS X with DF set +8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF) +8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2) + + +# ---------------- NewtonOS ----------------- + +4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1 + +# ---------------- NeXTSTEP ----------------- + +S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3 + +# ------------------ BeOS ------------------- + +1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1 +12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x + +# ------------------ OS/400 ----------------- + +8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5 +8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5 +4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032 + + +# ------------------ ULTRIX ----------------- + +16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5 + +# ------------------- QNX ------------------- + +S16:64:0:44:M512: QNX:::QNX demodisk + +# ------------------ Novell ----------------- + +16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0 +6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11 + +# ----------------- SCO ------------------ +S17:64:1:44:M1460: SCO:Unixware:7.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06 +S17:64:1:44:M1460: SCO:OpenServer:5.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06 +S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1 + +# ------------------- DOS ------------------- + +2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05 + +########################################### +# Appliance / embedded / other signatures # +########################################### + 
+# ---------- Firewalls / routers ------------ + +S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1) +S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2) +4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x +60352:64:0:52:M1460,N,W2,N,N,S: Clavister:7::Clavister firewall 7.x + +# ------- Switches and other stuff ---------- + +4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc +S8:255:0:44:M*: Cisco:12008::Cisco 12008 +60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch +64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client + + +# ---------- Caches and whatnots ------------ + +S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache + +32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x +16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1 +65535:64:0:64:M1460,N,N,S,N,W3,N,N,T: NetApp:5.3:1:NetApp 5.3.1 +65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow +8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1 + +S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine + +27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based) + +65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler +S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg + + +16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?) + +# ----------- Embedded systems -------------- + +S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C +S5:255:0:44:M536: PalmOS:3::PalmOS 3/4 +S5:255:0:44:M536: PalmOS:4::PalmOS 3/4 +S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5 +2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera) + +S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7 +8192:255:0:44:M1460: SymbianOS:6048::SymbianOS 6048 (on Nokia 7650?) +8192:255:0:44:M536: SymbianOS:::SymbianOS (on Nokia 9210?) + + +# Perhaps S4? 
+5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10 + +32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002 + +S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0 + +4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0 + +S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64 + + + +#################### +# Fancy signatures # +#################### + +1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1) +2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2) +3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3) +4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4) + +1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1) +2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2) +3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3) +4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4) + +##################################### +# Generic signatures - just in case # +##################################### + +#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x +#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x + +*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp) +*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp) +*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323) +*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323) +*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+) +*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000 +*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000 + + diff --git a/security/pf/pkg-plist b/security/pf/pkg-plist index db2d874cbb01..1420ee78cb8f 100644 --- a/security/pf/pkg-plist +++ b/security/pf/pkg-plist 
@@ -9,14 +9,26 @@ modules/pfsync.ko sbin/pfctl sbin/pflogd sbin/pftcpdump -sbin/pftop etc/rc.d/pf.sh.sample etc/pf.conf.default +etc/pf.os include/pf/net/pfvar.h include/pf/net/if_pflog.h include/pf/net/if_pfsync.h +%%WITH_ALTQ%%include/pf/altq/altq.h +%%WITH_ALTQ%%include/pf/altq/altq_cbq.h +%%WITH_ALTQ%%include/pf/altq/altq_cdnr.h +%%WITH_ALTQ%%include/pf/altq/altq_classq.h +%%WITH_ALTQ%%include/pf/altq/altq_hfsc.h +%%WITH_ALTQ%%include/pf/altq/altq_priq.h +%%WITH_ALTQ%%include/pf/altq/altq_red.h +%%WITH_ALTQ%%include/pf/altq/altq_rio.h +%%WITH_ALTQ%%include/pf/altq/altq_rmclass.h +%%WITH_ALTQ%%include/pf/altq/altq_rmclass_debug.h +%%WITH_ALTQ%%include/pf/altq/altq_var.h +%%WITH_ALTQ%%include/pf/altq/if_altq.h @dirrm modules @dirrm include/pf/net |
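Review bot: The twelve new `%%WITH_ALTQ%%include/pf/altq/*.h` entries have no matching directory removal, so a `WITH_ALTQ` build leaves an empty `include/pf/altq` behind on deinstall; add `%%WITH_ALTQ%%@dirrm include/pf/altq` next to the existing `@dirrm include/pf/net`. Separately, `etc/pf.os` is registered as an ordinary file under its live name while the rule set is shipped as `etc/pf.conf.default`; if the fingerprint database is meant to be locally extended, deinstall removes the edited copy and an upgrade overwrites it, unless the Makefile guards against that (not visible here). The conventional pattern is to install a `.default` sample and remove the live file via `@unexec` only when it is unchanged, as is done for other configuration files.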