From owner-freebsd-ipfw Mon Jan 20 17:20:52 2003
Date: Tue, 21 Jan 2003 02:20:47 +0100
From: "Simon L. Nielsen"
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Sanity check in ipfw(8)
Message-ID: <20030121012046.GG351@nitro.dk>
In-Reply-To: <20030120165940.A65713@xorpc.icir.org>

On 2003.01.20 16:59:40 +0000, Luigi Rizzo wrote:
> > I recently found a problem where ipfw2 would allow the user to create
> > firewall rules that do not make sense like (notice udp and setup):
> here "not make sense" means "they will never match any packet".

Yes - I should properly have written that.

> Now, no matter which checks you implement on a single rule, you can
> still generate sequences of rules that never match any traffic. E.g.

Yes, I know it is not possible to make it catch all eventualities.

> No, I don't think it is useful to have extra sanity checks in userland,
> both for the above reason, and because these checks can be bypassed
> using directly the kernel ABI.
>
> There _are_ sanity checks in the kernel but these are only meant
> to avoid crashing the box by pushing in random configurations. If
> a rule matches no packets, tough -- it is not a problem of the firewall
> per se and it does not cause the box to break.

Ok - the extra check was only to make the user aware of simple errors
(that ipfw1 did not allow). If you don't think the checks should be
there then I can live with that, so the PR can be closed.

-- 
Simon L. Nielsen
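As an added illustration of the two kinds of never-matching rule discussed in this thread (it is not code from the thread or from FreeBSD's ipfw), here is a small Python linter over a simplified, assumed subset of ipfw rule syntax: it flags TCP-only options such as `setup` on a non-TCP protocol (Simon's PR), and rules shadowed by an earlier unconditional `ip from any to any` rule (Luigi's point). The rule grammar, option list and sample rules are constructed assumptions.

```python
import re

# Options that only examine TCP flags/options, so they can never match a non-TCP rule
# (assumed list for this example; ipfw has more TCP-specific options).
TCP_ONLY_OPTIONS = {"setup", "established", "tcpflags", "tcpoptions"}

# Simplified ipfw rule grammar (assumption, not the full ipfw(8) syntax):
#   <number> <action> <proto> from <src> to <dst> [options ...]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|pass|drop)\s+(?P<proto>\S+)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s*(?P<opts>.*)$"
)


def parse_rule(line):
    """Parse one rule line into a dict; raises ValueError on unknown syntax."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    rule = m.groupdict()
    rule["num"] = int(rule["num"])
    rule["opts"] = rule["opts"].split()
    return rule


def lint_rules(lines):
    """Return [(rule number, reason)] for rules that can never match a packet.

    Rules are taken in listing order (ascending rule number, as ipfw evaluates them).
    """
    findings = []
    catch_all_seen = False
    for line in lines:
        r = parse_rule(line)
        # Sequence check: anything after an unconditional "ip from any to any" rule
        # is unreachable, whatever its own options say.
        if catch_all_seen:
            findings.append((r["num"], "shadowed by an earlier catch-all rule"))
            continue
        # Single-rule check: TCP-only options with an explicit non-TCP protocol
        # ("ip"/"all" are left alone, since they still cover TCP packets).
        bad = [o for o in r["opts"] if o in TCP_ONLY_OPTIONS]
        if bad and r["proto"] not in ("tcp", "ip", "all"):
            findings.append((r["num"], "%s used with proto %s" % (",".join(bad), r["proto"])))
        if r["proto"] == "ip" and r["src"] == "any" and r["dst"] == "any" and not r["opts"]:
            catch_all_seen = True
    return findings


# Constructed sample ruleset: rule 200 mixes udp with setup, rule 400 sits behind a catch-all.
SAMPLE_RULES = [
    "100 allow tcp from any to any setup",
    "200 allow udp from any to any setup",
    "300 deny ip from any to any",
    "400 allow tcp from any to 10.0.0.1 established",
]
```

As the thread notes, such a userland check is advisory only: it catches simple mistakes but cannot cover every unreachable rule sequence, and it does not change what the kernel accepts.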