From: "fbsd_user"
To: "Dan Pelleg"
Cc: freebsd-ipfw@freebsd.org, "freebsd-questions@FreeBSD. ORG"
Date: Wed, 14 Jan 2004 11:06:41 -0500
Subject: RE: IPFW 'keep state' & 'limit'
Reply-To: fbsd_user@a1poweruser.com

The FBSD 5.2 man IPFW does not say anything different than the 4.9 man IPFW. Are you saying the man doc in 5.2 is wrong? 5.2 is using the ipfw2 code for IPFIREWALL I believe.

Documenting the fact that 'limit' performs the same function as 'keep state' in addition to the stated purpose of 'limit' is very important information. Also, that 'limit' and 'keep state' cannot be coded together is another very important piece of information that needs to be documented in the man IPFW data.

Should this be submitted as a problem report?

-----Original Message-----
From: Dan Pelleg [mailto:daniel+bsd@pelleg.org]
Sent: Wednesday, January 14, 2004 9:47 AM
To: fbsd_user@a1poweruser.com
Cc: freebsd-questions@FreeBSD. ORG
Subject: Re: IPFW 'keep state' & 'limit'

"fbsd_user" writes:

> Reading the man page on IPFW rule syntax, I get the impression that
> the 'limit' option uses the stateful dynamic rules table. But it's
> unclear whether 'keep state' and limit can be used on the same rule,
> or if the limit option performs the 'keep state' function in
> addition to the limit function.
>
> So as an example
>
> $cmd 00390 allow tcp from any to any 22 in via dc0 setup keep-state
> limit src-addr 3
>
> will this work?
>

limit implies keep-state, and you should really specify one or the other. If you specify both, ipfw won't complain, but ipfw2 will. So it's best to not do that.

--
Dan Pelleg
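
A lint check for the point made in this thread (limit implies keep-state, and ipfw2 complains about a rule carrying both), added here as an example and not part of the original messages. It assumes the ruleset is an sh script with one rule per logical line; `lint_ipfw_rules`, `demo` and the sample rules other than 00390 are constructed for illustration.

```shell
#!/bin/sh
# lint_ipfw_rules FILE (hypothetical helper): print "LINE: rule" for every rule
# that carries both keep-state and limit; return 1 if any was found.
lint_ipfw_rules() {
    awk '
    {
        if (buf == "") start = NR            # first line of this rule
        line = $0
        sub(/[ \t]*#.*$/, "", line)          # drop shell comments
        if (line ~ /\\$/) {                  # backslash continuation: keep joining
            sub(/\\$/, " ", line); buf = buf line; next
        }
        rule = buf line; buf = ""
        n = split(rule, tok, /[ \t]+/)
        ks = 0; lim = 0
        for (i = 1; i <= n; i++) {           # whole-token match only
            if (tok[i] == "keep-state") ks = 1
            if (tok[i] == "limit") lim = 1
        }
        if (ks && lim) {
            gsub(/[ \t]+/, " ", rule); sub(/^ /, "", rule)
            printf "%d: %s\n", start, rule
            bad++
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample ruleset; rule 00390 is the one quoted in the thread.
demo() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
cmd="ipfw -q add"
$cmd 00380 allow tcp from any to any 80 in via dc0 setup keep-state
$cmd 00390 allow tcp from any to any 22 in via dc0 setup keep-state \
    limit src-addr 3
$cmd 00400 allow tcp from any to any 25 in via dc0 setup limit src-addr 3
EOF
    lint_ipfw_rules "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo || echo "fix: drop keep-state from the rules listed above and keep limit"
```

Only rule 00390 is reported, at the line where it starts; rules using keep-state alone or limit alone pass.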