Date:      Tue, 21 Jan 2003 02:20:47 +0100
From:      "Simon L. Nielsen" <simon@nitro.dk>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Sanity check in ipfw(8)
Message-ID:  <20030121012046.GG351@nitro.dk>
In-Reply-To: <20030120165940.A65713@xorpc.icir.org>
References:  <20030121004353.GF351@nitro.dk> <20030120165940.A65713@xorpc.icir.org>



On 2003.01.20 16:59:40 +0000, Luigi Rizzo wrote:

> > I recently found a problem where ipfw2 would allow the user to create
> > firewall rules that do not make sense, like (notice udp and setup):
> here "not make sense" means "they will never match any packet".
Yes - I should properly have written that.

> Now, no matter which checks you implement on a single rule, you can
> still generate sequences of rules that never match any traffic. E.g.
Yes I know it is not possible to make it catch all eventualities.

> No, i don't think it is useful to have extra sanity check in userland,
> both for the above reason, and because these checks can be bypassed
> using directly the kernel ABI.
>
> There _are_ sanity checks in the kernel but these are only meant
> to avoid crashing the box by pushing in random configurations. If
> a rule matches no packets, tough -- it is not a problem of the firewall
> per se and it does not cause the box to break.
Ok - the extra check was only to make the user aware of simple errors (that
ipfw1 did not allow). If you don't think the checks should be there, then
I can live with that, so the PR can be closed.

--
Simon L. Nielsen


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+LKBu8kocFXgPTRwRAru0AKC33mu6QDZVqvak5GF5qs9eXnmdwQCgl+Aw
j3We+m4RkEDuIxejZPJQ9pI=
=CYL5
-----END PGP SIGNATURE-----

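The thread above discusses two ways an ipfw rule can end up matching nothing: a single rule whose options contradict its protocol (the `udp ... setup` case Simon found), and a rule that is unreachable because an earlier rule already catches everything it could match (Luigi's point that no per-rule check can cover rule sequences). The following is an added example, written for this page and not code from the thread, the PR, or ipfw(8) itself: a small userland lint over an `ipfw list`-style ruleset that flags both cases. The rule grammar it accepts is a deliberately simplified subset of ipfw syntax (rule number, action, protocol, `from` address, `to` address, trailing option words), the set of TCP-only options and terminal actions are assumptions chosen for illustration, and the sample ruleset is constructed. As Luigi notes, such a check is advisory only, since the kernel ABI can be driven directly; it is a lint for human error, not an enforcement point.

```python
import re
from dataclasses import dataclass

# Constructed simplification of ipfw(8) rule syntax (not the real grammar):
#   <num> <action> <proto> from <src> to <dst> [option ...]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?P<opts>.*)$"
)

# Assumed set of options that only make sense for TCP; combined with another
# protocol the rule can never match (the 'udp ... setup' case from the thread).
TCP_ONLY_OPTIONS = {"setup", "established", "tcpflags", "tcpoptions"}
# Assumed set of actions that stop rule processing, so a later rule that is
# fully covered by one of these can never see a packet.
TERMINAL_ACTIONS = {"allow", "accept", "pass", "permit",
                    "deny", "drop", "reject", "unreach"}
# Protocol keywords that match any IP protocol.
ANY_PROTO = {"ip", "all"}


@dataclass(frozen=True)
class Rule:
    num: int
    action: str
    proto: str
    src: str
    dst: str
    opts: frozenset


def parse_rule(line):
    """Parse one rule line of the simplified grammar into a Rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    return Rule(int(m.group("num")), m.group("action"), m.group("proto"),
                m.group("src"), m.group("dst"),
                frozenset(m.group("opts").split()))


def check_rule(rule):
    """Per-rule check: a non-TCP protocol with a TCP-only option never matches."""
    problems = []
    if rule.proto != "tcp" and rule.proto not in ANY_PROTO:
        bad = sorted(rule.opts & TCP_ONLY_OPTIONS)
        if bad:
            problems.append(f"rule {rule.num}: proto {rule.proto} with "
                            f"TCP-only option(s) {bad}; never matches")
    return problems


def covers(a, b):
    """True if every packet rule b could match is already matched by rule a."""
    proto_ok = a.proto in ANY_PROTO or a.proto == b.proto
    src_ok = a.src == "any" or a.src == b.src
    dst_ok = a.dst == "any" or a.dst == b.dst
    opts_ok = a.opts <= b.opts          # a imposes no option b does not
    return proto_ok and src_ok and dst_ok and opts_ok


def check_ruleset(lines):
    """Run both checks over a ruleset; returns a list of problem strings."""
    rules = [parse_rule(l) for l in lines
             if l.strip() and not l.lstrip().startswith("#")]
    problems = []
    for i, rule in enumerate(rules):
        problems.extend(check_rule(rule))
        for earlier in rules[:i]:
            if earlier.action in TERMINAL_ACTIONS and covers(earlier, rule):
                problems.append(f"rule {rule.num}: shadowed by rule "
                                f"{earlier.num}; never matches")
                break
    return problems


# Constructed sample ruleset: rule 100 contradicts itself, rule 400 is
# unreachable because rule 300 already denies all IP traffic.
SAMPLE_RULES = """
00100 allow udp from any to any setup
00200 allow tcp from any to 10.0.0.5 setup
00300 deny ip from any to any
00400 allow tcp from 192.168.1.0/24 to any
"""

if __name__ == "__main__":
    for problem in check_ruleset(SAMPLE_RULES.splitlines()):
        print(problem)
```

The shadowing test is intentionally conservative: it only reports a later rule when an earlier terminal rule is at least as broad in protocol, source, destination and options, so it reports no false positives on overlapping-but-distinct rules, at the cost of missing rulesets that are unreachable only in combination (for example, two earlier rules that together cover what the later one matches). That gap is exactly why the thread concludes that a complete check in userland is not achievable.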
