From owner-freebsd-bugs@FreeBSD.ORG Fri Mar 13 05:34:25 2009
Message-ID: <49B9EB58.9070808@yandex.ru>
Date: Fri, 13 Mar 2009 08:12:56 +0300
From: "Andrey V. Elsukov"
To: Christoph Weber-Fahr
Cc: Maxim Konovalov, freebsd-bugs@FreeBSD.org
References: <200903120020.n2C0K3Tn089861@freefall.freebsd.org>
In-Reply-To: <200903120020.n2C0K3Tn089861@freefall.freebsd.org>
Subject: Re: misc/132553: ipfw doesnt understand ftp-data port

Christoph Weber-Fahr wrote:
> The following reply was made to PR misc/132553; it has been noted by GNATS.
>
> From: Christoph Weber-Fahr
> To: Maxim Konovalov
> Cc: bug-followup@FreeBSD.org
> Subject: Re: misc/132553: ipfw doesnt understand ftp-data port
> Date: Wed, 11 Mar 2009 23:35:03 +0100
>
> Hello,
>
> Maxim Konovalov wrote:
> >> # ipfw add 1770 allow tcp from any to any ftp-data keep-state
> >>
> >> but now it produces
> >>
> >> ipfw: unrecognised option [-1] ftp-data
> [...]
> > $ ipfw -n add 1770 allow tcp from any to any ftp\\-data keep-state
> >
> > 01770 allow tcp from any to any dst-port 20 keep-state
> >
> > works for me.
>
> Two problems with that:
>
> 1. it is neither obvious nor documented that you need
> to escape the minus.
>
> The manpage says you can use names from /etc/services.
> No restrictions. The minus sign is not a shell token
> either, so ipfw gets it as it is. Furthermore, ipfw
> can handle minus signs on various parts of its syntax
> tree, so it's not a general problem.

From ipfw(8):

     ports: {port | port-port}[,ports]
             For protocols which support port numbers (such as TCP and
             UDP), optional ports may be specified as one or more ports or
             port ranges, separated by commas but no spaces, and an
             optional not operator.  The `-' notation specifies a range of
             ports (including boundaries).

             Service names (from /etc/services) may be used instead of
             numeric port values.  The length of the port list is limited
             to 30 ports or ranges, though one can specify larger ranges
             by using an or-block in the options section of the rule.

             A backslash (`\') can be used to escape the dash (`-')
             character in a service name (from a shell, the backslash must
             be typed twice to avoid the shell itself interpreting it as
             an escape character).

                   ipfw add count tcp from any ftp\\-data-ftp to any

So, I think it is well documented.

-- 
WBR, Andrey V. Elsukov
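As an added illustration, not part of this thread or of ipfw's own source, the following Python model of the ipfw(8) port-list grammar quoted above shows why an unescaped `ftp-data` is read as the range `ftp`-`data` (and fails on the unknown name `data`), why `ftp\-data` resolves to port 20, and why the backslash must be doubled when typed into a shell. The four-entry `SERVICES` table is a constructed stand-in for /etc/services, and `shlex.split` is used as an approximation of POSIX word splitting; the function names are this example's own.

```python
import shlex
# Constructed subset of /etc/services, enough to reproduce the thread's case.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "http": 80}
MAX_ITEMS = 30  # ipfw(8): a port list is limited to 30 ports or ranges


def resolve_port(name):
    """Map a numeric port or an /etc/services name to a port number."""
    if name.isdigit():
        return int(name)
    if name in SERVICES:
        return SERVICES[name]
    # The PR's failure: 'ftp-data' is split into 'ftp' and 'data' first.
    raise ValueError(f"unrecognised port name: {name!r}")


def split_port_spec(spec):
    """Split 'a,b-c,...' into [[a], [b, c], ...]; a backslash makes the
    next character literal, so 'ftp\\-data' stays one service name."""
    items = [[[]]]  # items -> range endpoints -> characters
    chars = iter(spec)
    for c in chars:
        if c == "\\":
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError("trailing backslash in port list")
            items[-1][-1].append(nxt)
        elif c == ",":
            items.append([[]])
        elif c == "-":
            items[-1].append([])
        else:
            items[-1][-1].append(c)
    return [["".join(part) for part in parts] for parts in items]


def parse_ports(spec):
    """Return [(low, high), ...] for an ipfw-style port list."""
    items = split_port_spec(spec)
    if len(items) > MAX_ITEMS:
        raise ValueError("port list limited to 30 ports or ranges")
    result = []
    for parts in items:
        if not 1 <= len(parts) <= 2:
            raise ValueError(f"malformed port range: {'-'.join(parts)}")
        result.append((resolve_port(parts[0]), resolve_port(parts[-1])))
    return result


def argv_as_ipfw_sees_it(cmdline):
    """POSIX word splitting: the shell consumes one level of backslash."""
    return shlex.split(cmdline)
```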