Date:      Tue, 21 Jan 2003 02:20:47 +0100
From:      "Simon L. Nielsen" <>
To:        Luigi Rizzo <>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Sanity check in ipfw(8)



On 2003.01.20 16:59:40 +0000, Luigi Rizzo wrote:

> > I recently found a problem where ipfw2 would allow the user to create
> > firewall rules that do not make sense like (notice udp and setup) :
> here "not make sense" means "they will never match any packet".
Yes - I should properly have written that.

> Now, no matter which checks you implement on a single rule, you can
> still generate sequences of rules that never match any traffic. E.g.
Yes, I know it is not possible to make it catch all eventualities.

> No, I don't think it is useful to have extra sanity check in userland,
> both for the above reason, and because these checks can be bypassed
> using directly the kernel ABI.
> There _are_ sanity checks in the kernel but these are only meant
> to avoid crashing the box by pushing in random configurations. If
> a rule matches no packets, tough -- it is not a problem of the firewall
> per se and it does not cause the box to break.
Ok - the extra check was only to make the user aware of simple errors (that
ipfw1 did not allow). If you don't think the checks should be there then
I can live with that so the PR can be closed.

Simon L. Nielsen
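Added example (not code from this thread, ipfw(8) or FreeBSD): a small Python lint for a simplified ipfw-style rule syntax that illustrates both points discussed above. It flags a single rule whose options can never match its protocol (the "udp ... setup" case, since `setup` tests TCP flag bits), and it also shows the limit Luigi raised: a rule can be individually well-formed yet unreachable because an earlier rule already covers every packet it could match. The rule grammar, the option tables and the sample ruleset are constructed assumptions for this example; the checker treats input order as evaluation order and only handles `allow`/`deny` style actions.

```python
"""Toy lint for ipfw-style rules (added example, not ipfw(8) code).

Assumptions: rules look like "add [num] action proto from src to dst [options]",
are evaluated in the order given, and the first matching allow/deny terminates
the search. The option tables below are a simplification, not ipfw's real grammar.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Options that inspect TCP flag bits: a non-TCP packet can never match them.
TCP_ONLY = {"setup", "established"}
# Options that take ICMP type numbers: only meaningful for icmp.
ICMP_ONLY = {"icmptypes"}

RULE_RE = re.compile(
    r"^\s*(?:add\s+)?(?:(?P<num>\d+)\s+)?(?P<action>allow|pass|accept|deny|drop)\s+"
    r"(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<opts>.*)$"
)


@dataclass
class Rule:
    num: Optional[int]
    action: str
    proto: str
    src: str
    dst: str
    opts: List[str]
    text: str


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    return Rule(int(m["num"]) if m["num"] else None, m["action"], m["proto"].lower(),
                m["src"], m["dst"], m["opts"].split(), text.strip())


def lint_rule(rule: Rule) -> List[str]:
    """Problems visible from the single rule alone (what the userland check could catch)."""
    problems = []
    opts = set(rule.opts)
    # 'ip'/'all' rules are left alone: there the option itself narrows the rule to TCP/ICMP.
    if rule.proto not in ("tcp", "ip", "all"):
        bad = sorted(opts & TCP_ONLY)
        if bad:
            problems.append(f"{', '.join(bad)} only matches TCP, but rule proto is {rule.proto}")
    if rule.proto not in ("icmp", "ip", "all"):
        bad = sorted(opts & ICMP_ONLY)
        if bad:
            problems.append(f"{', '.join(bad)} only matches ICMP, but rule proto is {rule.proto}")
    return problems


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet `later` could match is already decided by `earlier`.

    Deliberately conservative: an earlier rule with any options is never
    treated as covering, so the check reports only certain shadowing.
    """
    if earlier.opts:
        return False
    proto_ok = earlier.proto in ("ip", "all") or earlier.proto == later.proto
    src_ok = earlier.src == "any" or earlier.src == later.src
    dst_ok = earlier.dst == "any" or earlier.dst == later.dst
    return proto_ok and src_ok and dst_ok


def lint_ruleset(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule text, problem) pairs for per-rule and cross-rule issues."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    report = []
    for i, rule in enumerate(rules):
        for problem in lint_rule(rule):
            report.append((rule.text, problem))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                report.append((rule.text, f"never reached: shadowed by '{earlier.text}'"))
                break
    return report


# Constructed sample ruleset, not taken from any real system.
SAMPLE_RULES = [
    "add 100 allow tcp from any to any established",
    "add 200 allow udp from any to any setup",        # the udp+setup case from the thread
    "add 300 deny ip from any to any",
    "add 400 allow tcp from any to 10.0.0.5 setup",   # well-formed, but rule 300 already decided
]

if __name__ == "__main__":
    for text, problem in lint_ruleset(SAMPLE_RULES):
        print(f"{text}\n    -> {problem}")
```

Running it reports rule 200 (option can never match its protocol) and rule 400 (unreachable because rule 300 covers it), while rules 100 and 300 pass. As the thread notes, a check like this is advisory: it helps a user spot configuration mistakes but cannot prevent them, since rules can be installed through the kernel interface without going through the userland tool.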
