From owner-freebsd-net@FreeBSD.ORG  Mon Apr 16 06:14:31 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 7FAD016A403
	for <freebsd-net@freebsd.org>; Mon, 16 Apr 2007 06:14:31 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143])
	by mx1.freebsd.org (Postfix) with ESMTP id 39CB913C43E
	for <freebsd-net@freebsd.org>; Mon, 16 Apr 2007 06:14:29 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost)
	by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id QAA01015;
	Mon, 16 Apr 2007 16:14:09 +1000 (EST)
	(envelope-from smithi@nimnet.asn.au)
Date: Mon, 16 Apr 2007 16:14:08 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Luigi Rizzo <rizzo@icir.org>
In-Reply-To: <20070415150050.C39338@xorpc.icir.org>
Message-ID: <Pine.BSF.3.96.1070416155524.372A-100000@gaia.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-net@freebsd.org, Ivan Voras <ivoras@fer.hr>
Subject: Re: ipfw, keep-state and limit
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2007 06:14:31 -0000

On Sun, 15 Apr 2007, Luigi Rizzo wrote:
 > On Sun, Apr 15, 2007 at 11:53:15PM +0200, Ivan Voras wrote:
 > > Luigi Rizzo wrote:
 > > 
 > > > if i remember well (the implementation dates back to 2001 or so)
 > > > you just need to use "limit", as it implicitly installs
 > > > a dynamic state entry (same as keep-state).
 > > 
 > > Thanks, I'll try it tomorrow. If it works, may I suggest a change: make
 > > the error message say "keep-state is redundant with limits" and proceed
 > > like only "limits" exists?
 > 
 > it certainly makes sense to change the error message and
 > explain better what is wrong.
 > However i really don't like the idea of accepting a wrong ipfw rule,
 > because it encourages lazy programming practices.

Agree about not 'correcting' invalid rules.  ipfw(8) adequately implies
(to me, anyway), in several places and most particularly in the STATEFUL
FIREWALL section, that keep-state and limit are mutually exclusive,
though I guess this could be stated a bit more explicitly in the RULE
OPTIONS (MATCH PATTERNS) section for both keep-state and limit. 

Cheers, Ian