From: Luigi Rizzo
To: Michael Sierchio
Cc: "Simon L. Nielsen", freebsd-ipfw@FreeBSD.ORG
Subject: Re: Sanity check in ipfw(8)
Date: Tue, 21 Jan 2003 09:51:59 -0800
Message-ID: <20030121095159.A61957@xorpc.icir.org>
In-Reply-To: <3E2CE0FA.2080301@tenebras.com>

On Mon, Jan 20, 2003 at 09:56:10PM -0800, Michael Sierchio wrote:
...
> > yes I honestly believe that it is better to avoid the userland code
> > being too smart. E.g. ipfw accepts things such as
> >
> >     allow ip from any to any 53
> >
> > which matches both tcp and udp to port 53 -- ipfw1 did not accept
> > this, and needed two rules for this very common thing.
>
> Shi'ite! Documentation?

Well, it's in the ipfw manpage. I mention that checking for a non-existing
field (e.g. port number in a protocol that does not have ports) will never
match. The manpage describes the features, but it cannot possibly mention
all the ways in which these features can be used.

cheers
luigi
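An added illustration, not part of the thread and not ipfw's own code: a toy Python model of the matching semantics Luigi describes, in which a port check against a protocol that has no ports (ICMP here) simply never matches, so `allow ip from any to any 53` covers TCP and UDP but nothing else. The rule grammar, packet dicts and `HAS_PORTS` set are assumptions for the model.

```python
# Added example (not from the thread): toy model of ipfw2 matching where a
# rule that tests a field the packet's protocol lacks (e.g. a port on ICMP)
# never matches. Packets are constructed dicts; the grammar is a tiny subset.

HAS_PORTS = {"tcp", "udp"}  # assumption: only these carry port numbers


def parse_rule(text):
    """Parse 'allow|deny <proto> from <addr> [ports] to <addr> [ports]'."""
    tok = text.split()
    action, proto = tok[0], tok[1]
    assert tok[2] == "from" and "to" in tok, "unsupported rule syntax"
    i = tok.index("to")
    src, dst = tok[3:i], tok[i + 1:]

    def split_side(side):
        # address first, optional comma-separated port list second
        addr = side[0]
        ports = {int(p) for p in side[1].split(",")} if len(side) > 1 else None
        return addr, ports

    src_addr, sport = split_side(src)
    dst_addr, dport = split_side(dst)
    return {"action": action, "proto": proto, "src": src_addr,
            "sport": sport, "dst": dst_addr, "dport": dport}


def matches(rule, pkt):
    """Return True if the constructed packet dict matches the rule."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        if rule[key] != "any" and rule[key] != pkt[key]:
            return False
    for key in ("sport", "dport"):
        want = rule[key]
        if want is None:
            continue  # no port constraint on this side
        # Port constraint on a protocol without ports: the field does not
        # exist in the packet, so the rule can never match.
        if pkt["proto"] not in HAS_PORTS:
            return False
        if pkt[key] not in want:
            return False
    return True


def first_match(rules, pkt):
    """Return the action of the first rule matching pkt, or None."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return None
```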