From: Ian Smith
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/132553: [ipfw] ipfw doesn't understand ftp-data port
Date: Mon, 12 Apr 2010 15:50:03 GMT
Message-Id: <201004121550.o3CFo3Mc088283@freefall.freebsd.org>

The following reply was made to PR kern/132553; it has been noted by GNATS.

From: Ian Smith
To: bug-followup@FreeBSD.org
Cc: cwf-ml@arcor.de
Subject: Re: kern/132553: [ipfw] ipfw doesn't understand ftp-data port
Date: Tue, 13 Apr 2010 01:42:36 +1000 (EST)

Cristoph, the need to escape '-' characters in service names should
indeed be obvious and has been very well documented for many years.

     ports: {port | port-port}[,ports]
             For protocols which support port numbers (such as TCP and UDP),
             optional ports may be specified as one or more ports or port
             ranges, separated by commas but no spaces, and an optional not
             operator.  The `-' notation specifies a range of ports (including
             boundaries).

             Service names (from /etc/services) may be used instead of numeric
             port values.  The length of the port list is limited to 30 ports
             or ranges, though one can specify larger ranges by using an
             or-block in the options section of the rule.

             A backslash (`\') can be used to escape the dash (`-') character
             in a service name (from a shell, the backslash must be typed
             twice to avoid the shell itself interpreting it as an escape
             character).

                   ipfw add count tcp from any ftp\\-data-ftp to any

That's pasted from ipfw(8) on 5.5-STABLE, because it was a) convenient,
b) old enough and c) appears identically in the 9-CURRENT manual.

In case still not obvious, without escaping '-' it will attempt parsing
a range between two ports.  'ftp' is a valid port.  'data' is not, and
-1 is a fair result; the error message seems not at all unreasonable.

Actually, make it ~12 years: 2.2.6-RELEASE ipfw(8) had the same example
line, as did some 4.x manuals I checked.

Please help close solved PRs!
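
The range parsing described in the reply above, as an added example that is not part of the original message and is not ipfw's source code: a simplified model of a "port | port-port" parser that treats an unescaped '-' as the range separator and "\-" as a literal dash. The function names and the two-entry service table are assumptions standing in for /etc/services.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for /etc/services (assumption for this example). */
static const struct { const char *name; int port; } services[] =
    { { "ftp-data", 20 }, { "ftp", 21 } };

/* Resolve one token (service name or decimal number); -1 if unknown. */
static int lookup_port(const char *tok)
{
    int n = (*tok == '\0') ? -1 : 0;            /* an empty token is invalid */
    for (size_t i = 0; i < sizeof(services) / sizeof(services[0]); i++)
        if (strcmp(tok, services[i].name) == 0) return services[i].port;
    for (; *tok; tok++) {
        if (*tok < '0' || *tok > '9') return -1;
        if ((n = n * 10 + (*tok - '0')) > 65535) return -1;
    }
    return n;
}

/* Copy the next token into buf, stopping at an unescaped '-'. */
static void next_token(const char **sp, char *buf, size_t len)
{
    const char *s = *sp;
    size_t n = 0;
    for (; *s && *s != '-'; s++) {
        if (s[0] == '\\' && s[1] == '-') s++;   /* drop the backslash, keep the dash */
        if (n + 1 < len) buf[n++] = *s;
    }
    buf[n] = '\0';
    *sp = s;
}

/* Parse "port" or "port-port"; returns 0 and fills lo/hi, or -1 on a bad token. */
int parse_port_spec(const char *spec, int *lo, int *hi)
{
    char tok[64];
    next_token(&spec, tok, sizeof(tok));
    if ((*lo = *hi = lookup_port(tok)) < 0) return -1;
    if (*spec++ != '-') return 0;               /* single port, no range */
    next_token(&spec, tok, sizeof(tok));
    return ((*hi = lookup_port(tok)) < 0 || *spec != '\0') ? -1 : 0;
}

int main(void)
{
    /* C literals below are the bytes the program receives after the shell: ftp\-data-ftp */
    const char *specs[] = { "ftp\\-data-ftp", "ftp-data" };
    for (int i = 0, lo, hi; i < 2; i++)
        printf("%-14s -> %d\n", specs[i], parse_port_spec(specs[i], &lo, &hi));
    return 0;
}
```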