Date:      Mon, 15 Jul 2002 10:46:07 -0400
From:      Zak Johnson <zakj@nox.cx>
To:        security@FreeBSD.ORG
Subject:   Re: ipfw and keep-state
Message-ID:  <20020715144607.GA45492@opiate.nox.cx>
In-Reply-To: <3D32D849.E3D8F2BE@rt.ru>
References:  <3D32D849.E3D8F2BE@rt.ru>

On Mon, Jul 15, 2002 at 06:12:25PM +0400, Dmitry S. Rzhavin wrote:
> Or, in other words, I want to pre-auth some packet with rule 10 to
> check it later. Then, I decide to drop it.
> But ipfw creates dynamic rule "inet <-> ip1" and passes this
> session. I think this is not good. Why does ipfw work this way?

It sounds as though you're used to IPFilter, in which the last-matched
rule wins.  ipfw stops processing rules after the first match.  See
http://coombs.anu.edu.au/~avalon/ipfilfaq.html#III-2 .

-Zak

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
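Added illustration (not code from this thread, from ipfw or from IPFilter): a small Python model of the two evaluation orders Zak contrasts. The `Rule`, `Packet` and `Firewall` classes, the host labels `ip1`, `bad` and `good`, and the sample flows are all constructed for the example. It simplifies ipfw in two ways that are labelled in the code: a dynamic-table hit always results in "allow", and the no-match default is "deny" for both modes (ipfw's default rule 65535 in a default kernel; real IPFilter defaults to pass). Under first-match, the poster's ruleset (rule 10 `allow ... keep-state`, rule 20 `deny`) never reaches rule 20 and opens a dynamic entry for every flow to ip1; the same two rules under last-match behave as the poster expected; and the usual ipfw ordering (`check-state`, then the denies, then `allow ... keep-state`) gives the intended result without changing ipfw's semantics.

```python
# Toy evaluator contrasting ipfw first-match semantics (with keep-state
# dynamic rules) against IPFilter-style last-match semantics.  Added
# example only; rule syntax, class names and hosts are invented here.

from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str = "allow"      # "allow" | "deny" | "check-state"
    src: str = "any"
    dst: str = "any"
    keep_state: bool = False   # create a dynamic entry when this rule wins

    def matches(self, pkt: Packet) -> bool:
        return self.src in ("any", pkt.src) and self.dst in ("any", pkt.dst)


class Firewall:
    def __init__(self, rules: List[Rule], first_match: bool = True,
                 default: str = "deny"):
        # Rules are numbered and walked in ascending order; `default` stands
        # in for ipfw's rule 65535 (simplification: same default in both modes).
        self.rules = sorted(rules, key=lambda r: r.number)
        self.first_match = first_match
        self.default = default
        # Dynamic entries are (src, dst) flows and match in both directions.
        self.dynamic: Set[Tuple[str, str]] = set()

    def _dynamic_match(self, pkt: Packet) -> bool:
        return ((pkt.src, pkt.dst) in self.dynamic
                or (pkt.dst, pkt.src) in self.dynamic)

    def evaluate(self, pkt: Packet) -> str:
        winner = None
        for rule in self.rules:
            # ipfw consults the dynamic table at the first check-state *or*
            # keep-state rule it reaches; a hit ends evaluation with the
            # action of the rule that created the entry ("allow" in this toy).
            if rule.action == "check-state" or rule.keep_state:
                if self._dynamic_match(pkt):
                    return "allow"
                if rule.action == "check-state":
                    continue
            if not rule.matches(pkt):
                continue
            winner = rule
            if self.first_match:
                break                       # ipfw: stop at the first match
        if winner is None:
            return self.default
        if winner.keep_state and winner.action == "allow":
            self.dynamic.add((pkt.src, pkt.dst))   # open the session
        return winner.action                # last-match: final match wins


def posters_ruleset() -> List[Rule]:
    # Rule 10 "pre-authorises" traffic to ip1 and keeps state; rule 20 is
    # meant to drop some of it afterwards.  Under first-match, 20 is dead.
    return [Rule(10, "allow", dst="ip1", keep_state=True),
            Rule(20, "deny", dst="ip1")]


def ipfw_idiom_ruleset() -> List[Rule]:
    # The ipfw ordering: check-state first, then the denies, and only then
    # the allow ... keep-state that opens the session.
    return [Rule(10, "check-state"),
            Rule(20, "deny", src="bad", dst="ip1"),
            Rule(30, "allow", dst="ip1", keep_state=True)]


def run(rules: List[Rule], first_match: bool,
        flows: List[Tuple[str, str]]) -> List[str]:
    fw = Firewall(rules, first_match=first_match)
    return [fw.evaluate(Packet(s, d)) for s, d in flows]


# Constructed sample traffic: a flow from "bad" and one from "good" to ip1,
# each followed by its reply packet.
FLOWS = [("bad", "ip1"), ("ip1", "bad"), ("good", "ip1"), ("ip1", "good")]


if __name__ == "__main__":
    print("poster's rules, first-match:", run(posters_ruleset(), True, FLOWS))
    print("poster's rules, last-match: ", run(posters_ruleset(), False, FLOWS))
    print("ipfw ordering,  first-match:", run(ipfw_idiom_ruleset(), True, FLOWS))
```

The first line of output is the behaviour the poster saw: every flow to ip1 is allowed and the reply packets are accepted through the dynamic entry, because rule 10 both matches and terminates. The second line is what those rules would do in a last-match firewall. The third shows that, with the deny placed before the keep-state rule, the flow from "bad" is dropped and never creates state, while the flow from "good" opens a session and its reply is accepted by `check-state`.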

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020715144607.GA45492>