Date: Fri, 28 Jun 1996 07:10:19 -0500
From: Alex Nash <alex@fa.tdktca.com>
To: phk@freebsd.org
Cc: nate@mt.sri.com, current@freebsd.org
Subject: Re: IPFW bugs? (fwd)
Message-ID: <31D3CBAB.136FEDE9@fa.tdktca.com>
References: <Pine.BSI.3.91.960628054743.20070J-100000@Venus.mcs.com>

> Yes, (I just talk(1)'ed Nate).  The current implementation doesn't complain
> about "over-specified" rules.  The portnumber isn't used with "all" as
> protocol.
>
> ipfw and the kernel should both complain about such a rule being set.

Agreed, I'll fix it tonight if nobody else beats me to it.  I recently
added another such check to the kernel:

1.42 Tue Jun 25 0:22:20 1996 by alex
CVS Tags: HEAD
Diffs to 1.41

Allow fragment checking to work with specific protocols.

Reviewed by: phk

Reject the addition of rules that will never match (for example,
1.2.3.4:255.255.255.0).  User level utilities specify the policy by
either masking the IP address for the user (as ipfw(8) does) or
rejecting the entry with an error.  In either case, the kernel should
not modify chain entries to make them work.

Alex
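
The two checks discussed in this message, sketched as an added example (not code from the FreeBSD tree or from the author). The rule struct, the PROTO_ALL sentinel and all function names are hypothetical simplifications; addresses are kept in host byte order.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified rule; not FreeBSD's struct ip_fw. Host byte order. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define PROTO_ALL 0 /* constructed sentinel for "all" */
#define PROTO_TCP 6

struct fw_rule {
    uint32_t src, smask, dst, dmask;
    uint8_t proto;
    uint8_t nports; /* number of port numbers attached to the rule */
};

/* A packet matches when (pkt & mask) == addr, so any addr bit set
 * outside the mask makes the comparison fail for every packet. */
static int never_matches(uint32_t addr, uint32_t mask)
{
    return (addr & ~mask) != 0;
}

/* Kernel-side check: reject the entry, never rewrite it. */
int fw_rule_check(const struct fw_rule *r)
{
    if (never_matches(r->src, r->smask) || never_matches(r->dst, r->dmask))
        return EINVAL;
    if (r->proto == PROTO_ALL && r->nports != 0)
        return EINVAL; /* over-specified: ports are unused with "all" */
    return 0;
}

/* User-level policy of masking the address for the user, then submitting. */
int fw_user_add_masked(struct fw_rule r)
{
    r.src &= r.smask;
    r.dst &= r.dmask;
    return fw_rule_check(&r);
}

int main(void)
{
    /* Constructed sample: the 1.2.3.4:255.255.255.0 case from the message. */
    struct fw_rule bad = { IP4(1, 2, 3, 4), IP4(255, 255, 255, 0), 0, 0, PROTO_TCP, 0 };
    printf("kernel check: %d, after user-level masking: %d\n",
           fw_rule_check(&bad), fw_user_add_masked(bad));
    return 0;
}
```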