From: Luigi Rizzo
To: Ivan Voras
Cc: freebsd-net@freebsd.org
Date: Sun, 15 Apr 2007 15:00:50 -0700
Subject: Re: ipfw, keep-state and limit

On Sun, Apr 15, 2007 at 11:53:15PM +0200, Ivan Voras wrote:
> Luigi Rizzo wrote:
>
> > if I remember well (the implementation dates back to 2001 or so)
> > you just need to use "limit", as it implicitly installs
> > a dynamic state entry (same as keep-state).
>
> Thanks, I'll try it tomorrow. If it works, may I suggest a change: make
> the error message say "keep-state is redundant with limits" and proceed
> like only "limits" exists?

It certainly makes sense to change the error message and explain
better what is wrong. However I really don't like the idea of
accepting a wrong ipfw rule, because it encourages lazy programming
practices.

cheers
luigi