Date:      Wed, 14 Jan 2004 08:20:04 -0800
From:      Luigi Rizzo <>
Subject:   semantics of 'not-applicable' options in ipfw ?
Message-ID:  <>

As the subject says... what is people's opinion on the
best semantics for 'not-applicable' options in ipfw rules ?

As an example, if I say (using ipfw2 syntax, for simplicity)

	100 count src-port 100
	200 count not src-port 100

and I receive a fragment, or an ICMP packet (which does not have port
information available), should it match rule 100, rule 200, none
or both ? The current implementation in ipfw2 is to use binary
logic, so the outcome of a 'not-applicable' option is FALSE,
and its negation is TRUE (so in the above case rule 200 will succeed).

Do other firewalls use ternary logic where not-applicable
options and their negation will both fail ?

(please do not complain about the example and the fact you could
insert a "{ proto tcp or proto udp }" block to make the
behaviour less ambiguous, my point is just to clarify and
specify what is the actual behaviour).


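To make the two semantics under discussion concrete, here is an added Python model of the rule list from the mail above. It is an illustration written for this page, not ipfw code and not part of the original message. It assumes the two rules `100 count src-port 100` and `200 count not src-port 100`, constructed sample packets (a TCP packet with a source port, an ICMP packet with no port information, and a non-first fragment, which is modelled as carrying no L4 header), and two evaluation modes: binary logic, where a not-applicable option is FALSE and its negation TRUE, and ternary logic, where both the option and its negation fail.

```python
# Added example: models an ipfw-style rule list under binary vs ternary logic for
# "not-applicable" options. Not ipfw's implementation; rule syntax limited to the
# '<num> <action> [not] src-port <port>' form used in the mail.
from dataclasses import dataclass
from typing import List, Optional

NA = object()  # sentinel: the option cannot be evaluated for this packet


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None  # None: no port information (e.g. ICMP)
    fragment: bool = False          # modelled as a non-first fragment: no L4 header


@dataclass
class Rule:
    number: int
    action: str
    negate: bool
    option: str
    value: int


def parse_rule(text: str) -> Rule:
    """Parse '<num> <action> [not] src-port <port>' (constructed mini-syntax)."""
    toks = text.split()
    number, action, rest = int(toks[0]), toks[1], toks[2:]
    negate = False
    if rest and rest[0] == "not":
        negate, rest = True, rest[1:]
    if len(rest) != 2 or rest[0] != "src-port":
        raise ValueError(f"unsupported rule body: {text!r}")
    return Rule(number, action, negate, rest[0], int(rest[1]))


def eval_option(rule: Rule, pkt: Packet, ternary: bool):
    """Raw option result before negation.

    Binary mode: a not-applicable option is simply False.
    Ternary mode: it is NA, a third value distinct from True and False.
    """
    if pkt.fragment or pkt.src_port is None:
        return NA if ternary else False
    return pkt.src_port == rule.value


def rule_matches(rule: Rule, pkt: Packet, ternary: bool) -> bool:
    raw = eval_option(rule, pkt, ternary)
    if raw is NA:
        return False  # ternary: the option and its negation both fail
    return (not raw) if rule.negate else raw


def matching_rules(rules: List[Rule], pkt: Packet, ternary: bool = False) -> List[int]:
    """Numbers of all rules that match pkt (every rule is 'count', so none stops the walk)."""
    return [r.number for r in rules if rule_matches(r, pkt, ternary)]


# The two rules from the mail.
RULES = [parse_rule("100 count src-port 100"),
         parse_rule("200 count not src-port 100")]

# Constructed sample packets.
SAMPLES = {
    "tcp src-port 100": Packet("tcp", src_port=100),
    "udp src-port 53":  Packet("udp", src_port=53),
    "icmp (no ports)":  Packet("icmp"),
    "tcp fragment":     Packet("tcp", fragment=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} binary -> {matching_rules(RULES, pkt)}"
              f"  ternary -> {matching_rules(RULES, pkt, ternary=True)}")
```

Under binary logic the ICMP packet and the fragment are counted by rule 200 only, exactly the outcome the mail describes for the current ipfw2 implementation; under ternary logic they are counted by neither rule. The model makes the practical point visible: with binary semantics, a `not src-port` rule silently covers every packet that has no port at all, so a rule set that relies on negation should state the protocol explicitly if that is not the intent.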