From: Dan Pelleg
Date: Wed, 14 Jan 2004 15:47:48 -0500
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW 'keep state' & 'limit'
List-Id: IPFW Technical Discussions (freebsd-ipfw@freebsd.org)

"fbsd_user" writes:

> The FBSD 5.2 man IPFW does not say anything different than the 4.9
> man IPFW.
> Are you saying the man doc in 5.2 is wrong?
>
> 5.2 is using the ipfw2 code for IPFIREWALL, I believe.
>
> Documenting the fact that 'limit' performs the same function as
> 'keep state' in addition to the stated purpose of 'limit' is very
> important information. Also that 'limit' and 'keep state' cannot be
> coded together is another very important piece of information that needs
> to be documented in the man IPFW data.
>
> Should this be submitted as a problem report?
>
> -----Original Message-----
> From: Dan Pelleg [mailto:daniel+bsd@pelleg.org]
> Sent: Wednesday, January 14, 2004 9:47 AM
> To: fbsd_user@a1poweruser.com
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: IPFW 'keep state' & 'limit'
>
> "fbsd_user" writes:
>
>> Reading the man page on IPFW rule syntax, I get the impression that
>> the 'limit' option uses the stateful dynamic rules table. But it's
>> unclear whether 'keep state' and limit can be used on the same rule,
>> or if the limit option performs the 'keep state' function in
>> addition to the limit function.
>>
>> So as an example
>>
>> $cmd 00390 allow tcp from any to any 22 in via dc0 setup keep-state
>> limit src-addr 3
>>
>> will this work?
>
> limit implies keep-state, and you should really specify one or the
> other. If you specify both, ipfw won't complain, but ipfw2 will. So it's
> best to not do that.
>
> --
> Dan Pelleg

Your rule, given to IPFW2 (on a 4.X system), yields:

    ipfw: only one of keep-state and limit is allowed

I wouldn't say the man page hides the first fact; it is reasonably careful to say "keep-state or limit" in most places. It does, however, not mention that specifying both in the same rule is not accepted. In fact it says that "Zero or more" rule options are accepted, with both limit and keep-state listed as options (in the RULE OPTIONS section - this is on a man page from around 5.1).

Given this might surprise people who move to 5.X and even lock them out, it might also be worth mentioning in one of the migration guides. I suggest you bring this up to the doc@ list.

--
Dan Pelleg
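The pre-flight check this thread implies, as an added example that is not part of the thread or of ipfw itself: a small POSIX sh linter that flags any rule carrying both keep-state and limit (the combination ipfw2 rejects) and drops the redundant keep-state, since limit already creates the dynamic rule. The ruleset lines and rule numbers are constructed for the example, following the $cmd form quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: lint an ipfw ruleset before loading it on
# an ipfw2 (5.x) system, where a rule naming both keep-state and limit is
# rejected with "ipfw: only one of keep-state and limit is allowed".

# check_rule RULE: return 0 if ipfw2 accepts the stateful options, 1 if the
# rule names both keep-state and limit.
check_rule() {
    has_keep=0
    has_limit=0
    for word in $1; do
        case $word in
            keep-state) has_keep=1 ;;
            limit)      has_limit=1 ;;
        esac
    done
    [ "$has_keep" -eq 1 ] && [ "$has_limit" -eq 1 ] && return 1
    return 0
}

# fix_rule RULE: drop the redundant keep-state; limit already creates the
# dynamic rule, so the limit-only form is what the rule should have said.
fix_rule() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*keep-state//'
}

# lint_ruleset RULES: print an ipfw2-style diagnostic (with the rule number,
# the second word of the line) for each offending rule; return 1 if any.
lint_ruleset() {
    rules=$1
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if ! check_rule "$line"; then
            set -- $line
            printf 'rule %s: only one of keep-state and limit is allowed\n' "$2"
            bad=1
        fi
    done <<EOF
$rules
EOF
    return $bad
}

# Constructed ruleset in the $cmd form from the thread; 00390 is the rule asked about.
RULES='add 00390 allow tcp from any to any 22 in via dc0 setup keep-state limit src-addr 3
add 00400 allow tcp from any to any 80 in via dc0 setup limit src-addr 10
add 00410 allow tcp from me to any out via dc0 setup keep-state'

lint_ruleset "$RULES" || echo "fix the flagged rules before loading on 5.x"
```

Run it over the real rules file before a 4.x to 5.x migration; an offending rule rejected at load time can leave the box without the allow rule that admits your own session.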