From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 3 11:20:26 2005
From: AT Matik
To: freebsd-ipfw@freebsd.org
Date: Wed, 3 Aug 2005 08:20:17 -0300
Subject: Re: Another bug in IPFW@ ...?
Message-Id: <200508030820.18304.asstec@matik.com.br>
In-Reply-To: <20050803021151.B80694@xorpc.icir.org>
References: <200508021746.j72Hk6Wq006760@lurza.secnetix.de> <200508022151.45925.asstec@matik.com.br> <20050803021151.B80694@xorpc.icir.org>
List-Id: IPFW Technical Discussions

On Wednesday 03 August 2005 06:11, Luigi Rizzo wrote:
> there are internally generated packets which do not have
> a rcvif (which is what really 'recv' means);
> and any packet in the input path does not have an output-if
> (which is what really 'xmit' means).

well, that means that any rule using IF here is not catching anything and you get them as with src-ip and dst-ip only, unless you really can say "not recv any", or isn't this "not in"?

  nb# ipfw add pass proto ip not in
  65500 allow ip from any to any out

practically correct? or only logical?

anyway, looking at the initial rule and what you said a msg before:

  # ipfw add pass ip from $A to $N out not recv any xmit xl0
  00900 allow ip from $A to $N out xmit xl0

"out xmit IF": isn't this kind of an unnecessary double-check, and shouldn't ipfw refuse to accept it? what matches first here, out or xmit?

And look what I get:

  nb# ipfw add pass proto ip src-ip $A dst-ip $N out not in xmit dc0
  65500 allow ip from any to any src-ip $A dst-ip $N out out xmit dc0

Hans
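The point in the quoted explanation (a packet on the input path has a receive interface but no output interface yet, and a locally generated packet has an output interface but no receive interface) can be checked with a small model of how `in`/`out`/`recv`/`xmit`/`via` select packets. This is an added example written for this page, not ipfw's source and not code posted by Luigi or Hans. The packet names, the three packet states and the handling of `not` are this model's own assumptions; it understands named interfaces only (no `any`), and it does not try to reproduce how ipfw(8) stores or prints a rule back, which is what the printed-back rules in the message show.

```python
"""Toy model of ipfw interface matching (added example, not ipfw code).

Assumed packet states, following the quoted explanation:
  - input path:        rcvif set, xmitif None
  - forwarded output:  rcvif set, xmitif set
  - locally generated: rcvif None, xmitif set
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (input path) or "out" (output path)
    rcvif: Optional[str]    # interface the packet arrived on; None if locally generated
    xmitif: Optional[str]   # interface the packet leaves on; None on the input path


def make_input(rcvif: str) -> Packet:
    return Packet("in", rcvif, None)


def make_forwarded(rcvif: str, xmitif: str) -> Packet:
    return Packet("out", rcvif, xmitif)


def make_local(xmitif: str) -> Packet:
    return Packet("out", None, xmitif)


# (negated, keyword, interface-or-None)
Term = Tuple[bool, str, Optional[str]]


def parse_terms(text: str) -> List[Term]:
    """Parse the interface part of a rule: [not] in|out|recv IF|xmit IF|via IF ..."""
    toks = text.split()
    terms: List[Term] = []
    negate = False
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "not":
            negate = True
            i += 1
            continue
        if t in ("in", "out"):
            terms.append((negate, t, None))
            i += 1
        elif t in ("recv", "xmit", "via"):
            if i + 1 >= len(toks):
                raise ValueError(f"'{t}' needs an interface name")
            terms.append((negate, t, toks[i + 1]))
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} (this model handles interface options only)")
        negate = False
    if negate:
        raise ValueError("dangling 'not'")
    return terms


def term_matches(term: Term, pkt: Packet) -> bool:
    negated, kw, ifname = term
    if kw == "in":
        hit = pkt.direction == "in"
    elif kw == "out":
        hit = pkt.direction == "out"
    elif kw == "recv":
        hit = pkt.rcvif == ifname          # None never equals a name: no rcvif, no match
    elif kw == "xmit":
        hit = pkt.xmitif == ifname         # input-path packets have no xmitif, so never match
    else:                                  # via: either interface
        hit = ifname in (pkt.rcvif, pkt.xmitif)
    return hit != negated


def rule_matches(rule: str, pkt: Packet) -> bool:
    """All options in an ipfw rule body must hold for the rule to match."""
    return all(term_matches(t, pkt) for t in parse_terms(rule))


# Constructed sample packets, using the interface names from the thread.
SAMPLE = {
    "in_on_xl0": make_input("xl0"),
    "fwd_dc0_to_xl0": make_forwarded("dc0", "xl0"),
    "local_to_xl0": make_local("xl0"),
    "local_to_dc0": make_local("dc0"),
}


def matching(rule: str) -> List[str]:
    """Names of the sample packets a rule's interface options would select."""
    return sorted(name for name, p in SAMPLE.items() if rule_matches(rule, p))


if __name__ == "__main__":
    for rule in ("out xmit xl0", "xmit xl0", "in xmit xl0", "out recv dc0 xmit xl0",
                 "out not recv dc0 xmit xl0", "not in xmit dc0", "via xl0"):
        print(f"{rule:28s} -> {matching(rule)}")
```

Under these assumptions `xmit xl0` alone selects the same packets as `out xmit xl0` (an output interface exists only on the output path), `in xmit xl0` selects nothing, and `recv dc0` combined with `xmit xl0` is what separates a forwarded packet from a locally generated one leaving on the same interface.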