From owner-freebsd-ipfw  Mon Jan 20 17:32:25 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5320B37B405
	for <freebsd-ipfw@FreeBSD.ORG>; Mon, 20 Jan 2003 17:32:24 -0800 (PST)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E775443F13
	for <freebsd-ipfw@FreeBSD.ORG>; Mon, 20 Jan 2003 17:32:23 -0800 (PST)
	(envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1])
	by xorpc.icir.org (8.12.3/8.12.3) with ESMTP id h0L1WNTO084359;
	Mon, 20 Jan 2003 17:32:23 -0800 (PST)
	(envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost)
	by xorpc.icir.org (8.12.3/8.12.3/Submit) id h0L1WN1C084358;
	Mon, 20 Jan 2003 17:32:23 -0800 (PST)
	(envelope-from rizzo)
Date: Mon, 20 Jan 2003 17:32:23 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: "Simon L. Nielsen" <simon@nitro.dk>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Sanity check in ipfw(8)
Message-ID: <20030120173223.A83271@xorpc.icir.org>
References: <20030121004353.GF351@nitro.dk> <20030120165940.A65713@xorpc.icir.org> <20030121012046.GG351@nitro.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030121012046.GG351@nitro.dk>; from simon@nitro.dk on Tue, Jan 21, 2003 at 02:20:47AM +0100
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG

On Tue, Jan 21, 2003 at 02:20:47AM +0100, Simon L. Nielsen wrote:
...
> Ok - the extra check was only to make the user aware simple errors (that
> ipfw1 did not allow). If you don't think the checks should be there then
> I can live with that so the PR can be closed.

yes i honestly believe that it is better to avoid the userland code
being too smart. E.g. ipfw accepts things such as

	allow ip from any to any 53

which matches both tcp and udp to port 53 -- ipfw1 did not accept
this, and needed two rules for this very common thing.

	cheers
	luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message