Date: Mon, 15 Aug 2016 12:32:12 +0300
From: Lev Serebryakov <lev@FreeBSD.org>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: "Andrey V. Elsukov" <ae@freebsd.org>, freebsd-ipfw@freebsd.org
Subject: Re: Named states in ipfw (and old rulesets)
Message-ID: <57B18C1C.1000807@FreeBSD.org>
In-Reply-To: <20160815154037.P79687@sola.nimnet.asn.au>
References: <1812167147.20160814202008@serebryakov.spb.ru> <1211733990.20160814202656@serebryakov.spb.ru> <2126139e-9c11-a55c-7573-8b4d3869bf87@FreeBSD.org> <516433114.20160815013243@serebryakov.spb.ru> <1174736256.20160815022812@serebryakov.spb.ru> <20160815154037.P79687@sola.nimnet.asn.au>

On 15.08.2016 9:11, Ian Smith wrote:

> One thing I wondered about earlier but didn't ask is that the order of
> options is generally not relevant, so for example the commonly used:
>
>   ipfw add skipto $somewhere tcp from $a to $b setup keep-state
>
> would currently be equally valid as:
>
>   ipfw add skipto $somewhere tcp from $a to $b keep-state setup
>
> with possibly other options following?

Both work now on -CURRENT as expected, but the second one will show you a two-line warning that the state name was changed to "default".

> I think existing rulesets working out of the box is vital too; the last
> thing needed on managed remote boxes is firewall breakage on upgrading.

Existing rulesets are not broken, but could give you non-intuitive warnings now :)

-- 
// Lev Serebryakov AKA Black Lion