Date:      Mon, 12 Apr 2010 15:50:03 GMT
From:      Ian Smith <smithi@nimnet.asn.au>
To:        freebsd-ipfw@FreeBSD.org
Subject:   Re: kern/132553: [ipfw] ipfw doesn't understand ftp-data port
Message-ID:  <201004121550.o3CFo3Mc088283@freefall.freebsd.org>

The following reply was made to PR kern/132553; it has been noted by GNATS.

From: Ian Smith <smithi@nimnet.asn.au>
To: bug-followup@FreeBSD.org
Cc: cwf-ml@arcor.de
Subject: Re: kern/132553: [ipfw] ipfw doesn't understand ftp-data port
Date: Tue, 13 Apr 2010 01:42:36 +1000 (EST)

 Cristoph, the need to escape '-' characters in service names should 
 indeed be obvious and has been very well documented for many years.
 
      ports: {port | port-port}[,ports]
              For protocols which support port numbers (such as TCP and UDP),
              optional ports may be specified as one or more ports or port
              ranges, separated by commas but no spaces, and an optional not
              operator.  The `-' notation specifies a range of ports (including
              boundaries).
 
              Service names (from /etc/services) may be used instead of numeric
              port values.  The length of the port list is limited to 30 ports
              or ranges, though one can specify larger ranges by using an
              or-block in the options section of the rule.
 
              A backslash (`\') can be used to escape the dash (`-') character
              in a service name (from a shell, the backslash must be typed
              twice to avoid the shell itself interpreting it as an escape
              character).
 
                    ipfw add count tcp from any ftp\\-data-ftp to any
 
 That's pasted from ipfw(8) on 5.5-STABLE, because it was a) convenient, 
 b) old enough and c) appears identically in the 9-CURRENT manual.
 
 In case it's still not obvious, without escaping the '-' it will attempt 
 to parse a range between two ports.  'ftp' is a valid port.  'data' is not, 
 and -1 is a fair result; the error message seems not at all unreasonable.
 
 Actually, make it ~12 years: 2.2.6-RELEASE ipfw(8) had the same example 
 line, as did some 4.x manuals I checked.  Please help close solved PRs!
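As an added illustration (not part of the mail above, and not ipfw's own source), here is a small Python model of the port-list grammar quoted from ipfw(8): commas separate items, an unescaped `-` is the range operator, and a backslash keeps a `-` literal inside a service name. The service table is a constructed subset of /etc/services, the function names are my own, and the error text is an approximation of the idea in the mail (an unknown name resolves to -1), not ipfw's exact message. The strings passed to `parse_port_list` are what ipfw itself receives, i.e. after the shell has already stripped one level of backslash from the `ftp\\-data-ftp` in the manual example.

```python
from typing import List, Optional, Tuple

# Constructed subset of /etc/services (TCP entries only); not the real file.
SERVICES = {
    "ftp-data": 20,
    "ftp": 21,
    "ssh": 22,
    "http": 80,
}


def resolve_port(name: str) -> int:
    """Map a numeric string or service name to a port; -1 if unknown.

    The -1 mirrors the lookup failure the mail describes for the bogus
    'data' half of an unescaped 'ftp-data'.
    """
    if name.isdigit():
        return int(name)
    return SERVICES.get(name, -1)


def split_ports(spec: str) -> List[str]:
    """Split a port list on commas; ipfw(8) allows no spaces in the list."""
    if " " in spec:
        raise ValueError("port list must not contain spaces")
    return spec.split(",")


def split_range(item: str) -> List[str]:
    """Split one list item on unescaped '-' characters.

    A backslash followed by '-' yields a literal dash, so 'ftp\\-data-ftp'
    (as seen by ipfw after the shell removed one backslash) becomes
    ['ftp-data', 'ftp'] rather than ['ftp', 'data', 'ftp'].
    """
    parts, cur, i = [], [], 0
    while i < len(item):
        ch = item[i]
        if ch == "\\" and i + 1 < len(item) and item[i + 1] == "-":
            cur.append("-")
            i += 2
            continue
        if ch == "-":
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_port_list(spec: str) -> List[Tuple[int, int]]:
    """Parse an ipfw-style port list into (low, high) tuples.

    Resolution is left to right, so in 'ftp-data-ftp' the first operand
    'ftp' succeeds and the second operand 'data' is what fails, exactly
    the situation the mail explains.
    """
    result = []
    for item in split_ports(spec):
        parts = split_range(item)
        lo = resolve_port(parts[0])
        if lo < 0:
            raise ValueError(f"invalid port {parts[0]!r} in {item!r}")
        hi = lo
        if len(parts) > 1:
            hi = resolve_port(parts[1])
            if hi < 0:
                raise ValueError(f"invalid port {parts[1]!r} in {item!r}")
        if len(parts) > 2:
            raise ValueError(f"too many '-' in port range {item!r}")
        result.append((lo, hi))
    return result


def parse_error(spec: str) -> Optional[str]:
    """Return the parse error message for spec, or None if it parses."""
    try:
        parse_port_list(spec)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Escaped dash: the service name survives and the range is ftp-data..ftp.
    print(parse_port_list("ftp\\-data-ftp"))
    # Unescaped dash: 'data' is not a port, so the rule is rejected.
    print(parse_error("ftp-data-ftp"))
```

Running the module shows the two cases side by side: `ftp\-data-ftp` parses to the range 20 to 21, while `ftp-data-ftp` is rejected because `data` resolves to -1, which is the behaviour the mail is pointing at.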
