Date: Tue, 21 Jan 2003 09:51:59 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: Michael Sierchio <kudzu@tenebras.com>
Cc: "Simon L. Nielsen" <simon@nitro.dk>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Sanity check in ipfw(8)
Message-ID: <20030121095159.A61957@xorpc.icir.org>
In-Reply-To: <3E2CE0FA.2080301@tenebras.com>; from kudzu@tenebras.com on Mon, Jan 20, 2003 at 09:56:10PM -0800
References: <20030121004353.GF351@nitro.dk> <20030120165940.A65713@xorpc.icir.org> <20030121012046.GG351@nitro.dk> <20030120173223.A83271@xorpc.icir.org> <20030121004353.GF351@nitro.dk> <3E2CE0FA.2080301@tenebras.com>

On Mon, Jan 20, 2003 at 09:56:10PM -0800, Michael Sierchio wrote:
...
> > yes i honestly believe that it is better to avoid the userland code
> > being too smart. E.g. ipfw accepts things such as
> >
> >     allow ip from any to any 53
> >
> > which matches both tcp and udp to port 53 -- ipfw1 did not accept
> > this, and needed two rules for this very common thing.
>
> Shi'ite! Documentation?

well it's in the ipfw manpage. I mention that checking for a
non-existing field (e.g. port number in a protocol that does
not have ports) will never match.
The manpage describes the features, but it cannot possibly mention
all the ways in which these features can be used.

    cheers
    luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030121095159.A61957>
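
The matching behaviour described in the message above, as an added example that is not part of the original e-mail and is not ipfw's own code: a simplified Python model in which a port test on a protocol without ports never matches, so one `ip` rule with a port gives the same decisions as the tcp/udp rule pair. The `Packet` and `Rule` classes, the default `deny`, and the sample packets are assumptions constructed for illustration; only protocol and destination port are modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption of this model: only TCP and UDP carry port numbers.
PROTOS_WITH_PORTS = {"tcp", "udp"}

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None  # None when the protocol has no ports

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str                      # "ip" matches any protocol
    dst_port: Optional[int] = None  # None means "no port test"

    @classmethod
    def parse(cls, text: str) -> "Rule":
        # Accepts only the form used in the message:
        #   <action> <proto> from any to any [port]
        tok = text.split()
        if len(tok) not in (6, 7) or tok[2:6] != ["from", "any", "to", "any"]:
            raise ValueError(f"unsupported rule: {text!r}")
        return cls(tok[0], tok[1], int(tok[6]) if len(tok) == 7 else None)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst_port is None:
            return True
        # A test on a field the packet does not have never matches.
        if pkt.proto not in PROTOS_WITH_PORTS or pkt.dst_port is None:
            return False
        return pkt.dst_port == self.dst_port

def first_match(rules, pkt, default="deny"):
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule sets and packets for the comparison.
ONE_RULE = [Rule.parse("allow ip from any to any 53")]
TWO_RULES = [Rule.parse("allow tcp from any to any 53"),
             Rule.parse("allow udp from any to any 53")]
SAMPLES = [Packet("tcp", 53), Packet("udp", 53), Packet("tcp", 80), Packet("icmp")]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, first_match(ONE_RULE, p), first_match(TWO_RULES, p))
```

When reviewing a ruleset, the practical consequence is that a port on an `ip` rule silently excludes every protocol without ports rather than raising an error.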