From: "Bjoern A. Zeeb"
To: Gleb Smirnoff
Cc: Ermal Luçi, freebsd-pf@FreeBSD.org
Date: Tue, 17 Apr 2012 16:32:31 +0000
Subject: Re: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives

On 17. Apr 2012, at 09:48 , Gleb Smirnoff wrote:

> Replying on only one paragraph, everything else agreed.
>
> On Tue, Apr 17, 2012 at 11:33:27AM +0200, Ermal Luçi wrote:
> E> The only problem I might see is when running more than one firewall
> E> together but still there are other issues when you do that at pfil(9)
> E> level.
>
> Well, playing with two firewalls was never safe and clear, there will always
> be edge cases in such setups.

A lot of people have used ipfw to filter L2 MAC addresses etc. and pf for
everything else in the past. So it certainly is not an edge case.

-- 
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!