Date:      Mon, 16 Apr 2007 16:14:08 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        freebsd-net@freebsd.org, Ivan Voras <ivoras@fer.hr>
Subject:   Re: ipfw, keep-state and limit
Message-ID:  <Pine.BSF.3.96.1070416155524.372A-100000@gaia.nimnet.asn.au>
In-Reply-To: <20070415150050.C39338@xorpc.icir.org>

On Sun, 15 Apr 2007, Luigi Rizzo wrote:
 > On Sun, Apr 15, 2007 at 11:53:15PM +0200, Ivan Voras wrote:
 > > Luigi Rizzo wrote:
 > > 
 > > > if i remember well (the implementation dates back to 2001 or so)
 > > > you just need to use "limit", as it implicitly installs
 > > > a dynamic state entry (same as keep-state).
 > > 
 > > Thanks, I'll try it tomorrow. If it works, may I suggest a change: make
 > > the error message say "keep-state is redundant with limits" and proceed
 > > like only "limits" exists?
 > 
 > it certainly makes sense to change the error message and
 > explain better what is wrong.
 > However i really don't like the idea of accepting a wrong ipfw rule,
 > because it encourages lazy programming practices.

Agree about not 'correcting' invalid rules.  ipfw(8) adequately implies
(to me, anyway), in several places and most particularly in the STATEFUL
FIREWALL section, that keep-state and limit are mutually exclusive,
though I guess this could be stated a bit more explicitly in the RULE
OPTIONS (MATCH PATTERNS) section for both keep-state and limit. 

Cheers, Ian
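As an added illustration of the point made in this thread (not part of the original message), the fragment below is a hypothetical ipfw rules file of the kind loaded with `ipfw /etc/ipfw.rules`. It shows the rejected combination of keep-state and limit next to the accepted form, where limit alone installs the dynamic state entry. The port, the limit value of 4 and the rule numbers are assumptions chosen for the example.

```conf
# Hypothetical /etc/ipfw.rules (example, not from the thread).
# Dynamic rules created by keep-state or limit are matched here,
# before any further rule is evaluated.
add 100 check-state

# Rejected by ipfw: keep-state and limit are mutually exclusive,
# because limit already creates a dynamic state entry.
# add 200 allow tcp from any to me 22 setup keep-state limit src-addr 4

# Accepted form: limit alone is stateful and caps each source
# address at 4 concurrent connections to port 22 (value assumed).
add 200 allow tcp from any to me 22 setup limit src-addr 4

# Plain stateful rule for outbound traffic, where no per-address
# limit is wanted: keep-state on its own.
add 300 allow tcp from me to any setup keep-state
```

The commented-out rule is the one the thread discusses: ipfw refuses it rather than silently treating keep-state as redundant, which is the behaviour Luigi Rizzo and Ian Smith argue should be kept.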

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.1070416155524.372A-100000>