Date:      Mon, 20 Jan 2003 16:59:40 -0800
From:      Luigi Rizzo <>
To:        "Simon L. Nielsen" <>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Sanity check in ipfw(8)
Message-ID:  <>
In-Reply-To: <>; from on Tue, Jan 21, 2003 at 01:43:54AM +0100
References:  <>

On Tue, Jan 21, 2003 at 01:43:54AM +0100, Simon L. Nielsen wrote:
> I recently found a problem where ipfw2 would allow the user to create
> firewall rules that do not make sense like (notice udp and setup) :

here "not make sense" means "they will never match any packet".
Now, no matter which checks you implement on a single rule, you can
still generate sequences of rules that never match any traffic. E.g.

        ipfw add 100 skipto 102 ip from not to any
        # you get here with srcip =
        ipfw add 101 skipto 102 ip from not to any

rule 101 will never match. So...

> Now for the point :-)... Is it interesting to have the extra sanity
> check in ipfw(8) ? If it is I will try to make a patch that actually

No, I don't think it is useful to have extra sanity checks in userland,
both for the above reason, and because these checks can be bypassed
using directly the kernel ABI.

There _are_ sanity checks in the kernel but these are only meant
to avoid crashing the box by pushing in random configurations. If
a rule matches no packets, tough -- it is not a problem of the firewall
per se and it does not cause the box to break.

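As an added illustration of the single-rule check Simon describes (this is example code written for this page, not a patch from the thread and not part of ipfw(8)), here is a small Python linter that parses `ipfw add` lines and flags a rule whose TCP-only options (`setup`, `established`, `tcpflags`, ...) are combined with an explicit non-TCP protocol such as `udp`, so the rule can never match. The option list and the parsing of the rule grammar are simplifications assumed for the example. It deliberately works one rule at a time, which is exactly the limitation Luigi points out: sequences of rules that never match (the `skipto` case above) are not detected, and since the kernel ABI can be driven directly, a userland check like this is an administrator's aid, not enforcement.

```python
"""Toy linter for ipfw(8) rule text: flags single rules that can never match.

Added example, not code from the mail thread or from ipfw itself.  The
option set and the rule grammar handled here are assumptions made for the
example (real ipfw syntax is considerably richer).
"""

# Options that inspect TCP header fields.  Combined with an explicit non-TCP
# protocol keyword the rule can never match.  (Assumed set for this example.)
TCP_ONLY_OPTIONS = {"setup", "established", "tcpflags", "tcpoptions",
                    "tcpwin", "tcpseq", "tcpack"}

# Protocol keywords under which a TCP packet can still be matched.
TCP_CAPABLE = {"tcp", "ip", "all", "6"}


def parse_rule(line):
    """Split 'ipfw add N action proto from src to dst [opts]' into its parts.

    Returns None for anything that is not an 'add' rule (blank lines,
    other ipfw subcommands, malformed input).
    """
    tokens = line.split()
    if tokens and tokens[0] == "ipfw":
        tokens = tokens[1:]
    if len(tokens) < 5 or tokens[0] != "add" or not tokens[1].isdigit():
        return None
    if "from" not in tokens or "to" not in tokens:
        return None
    i_from = tokens.index("from")
    if i_from < 4:            # need at least: add N action proto from
        return None
    i_to = tokens.index("to", i_from)
    return {
        "num": int(tokens[1]),
        "action": " ".join(tokens[2:i_from - 1]),   # e.g. "allow", "skipto 500"
        "proto": tokens[i_from - 1].lower(),
        "src": " ".join(tokens[i_from + 1:i_to]),   # may include "not"
        "dst": tokens[i_to + 1] if i_to + 1 < len(tokens) else "",
        # everything after the destination: ports, in/out/via, tcp options...
        "opts": [t.lower() for t in tokens[i_to + 2:]],
    }


def lint_rule(rule):
    """Return the reasons why a parsed rule can never match (empty if none)."""
    problems = []
    tcp_opts = TCP_ONLY_OPTIONS.intersection(rule["opts"])
    if tcp_opts and rule["proto"] not in TCP_CAPABLE:
        problems.append("option(s) %s require tcp but protocol is %s"
                        % (", ".join(sorted(tcp_opts)), rule["proto"]))
    return problems


def lint_rules(text):
    """Lint a block of ipfw commands; returns [(rule_number, reason), ...].

    Only per-rule contradictions are reported; unreachable rules caused by
    the ordering of skipto/deny rules are out of scope, as discussed above.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing '#' comments
        rule = parse_rule(line)
        if rule is None:
            continue
        for reason in lint_rule(rule):
            findings.append((rule["num"], reason))
    return findings


# Constructed sample rule set for the demonstration (not a real configuration).
SAMPLE_RULES = """\
# constructed sample
ipfw add 100 allow tcp from any to any 22 setup
ipfw add 200 allow udp from any to any 53 setup
ipfw add 300 deny ip from any to any established
ipfw add 400 skipto 500 icmp from not 10.0.0.0/8 to any tcpflags syn
"""

if __name__ == "__main__":
    for num, reason in lint_rules(SAMPLE_RULES):
        print("rule %d can never match: %s" % (num, reason))
```

Rule 100 is fine (tcp with setup), rule 300 is left alone because `ip` still covers TCP packets, and rules 200 and 400 are reported.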
