From owner-freebsd-ipfw Mon Jan 20 16:59:47 2003
Date: Mon, 20 Jan 2003 16:59:40 -0800
From: Luigi Rizzo
To: "Simon L. Nielsen"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Sanity check in ipfw(8)
Message-ID: <20030120165940.A65713@xorpc.icir.org>
References: <20030121004353.GF351@nitro.dk>
In-Reply-To: <20030121004353.GF351@nitro.dk>; from simon@nitro.dk on Tue, Jan 21, 2003 at 01:43:54AM +0100

On Tue, Jan 21, 2003 at 01:43:54AM +0100, Simon L. Nielsen wrote:
...
> I recently found a problem where ipfw2 would allow the user to create
> firewall rules that do not make sense like (notice udp and setup):

here "not make sense" means "they will never match any packet".

Now, no matter which checks you implement on a single rule, you can
still generate sequences of rules that never match any traffic. E.g.

    ipfw add 100 skipto 102 ip from not 1.2.3.4 to any
    # you get here with srcip = 1.2.3.4
    ipfw add 101 skipto 102 ip from not 1.2.3.4 to any

rule 101 will never match. So...

> Now for the point :-)... Is it interesting to have the extra sanity
> check in ipfw(8) ? If it is I will try to make a patch that actually

No, I don't think it is useful to have extra sanity checks in userland,
both for the above reason, and because these checks can be bypassed
using the kernel ABI directly.

There _are_ sanity checks in the kernel but these are only meant to
avoid crashing the box by pushing in random configurations.
If a rule matches no packets, tough -- it is not a problem of the
firewall per se and it does not cause the box to break.

cheers
luigi
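The two kinds of check contrasted in this thread, shown as an added example that is not ipfw(8)'s own code and not something either poster wrote. It models a tiny ipfw-like language (only `allow`, `deny`, `skipto`, protocols `ip`/`tcp`/`udp`, a literal or negated source address, `to any`, and `setup`) and a packet as (proto, src, syn). A per-rule check catches the `udp ... setup` case from Simon's mail; a cross-rule check walks the ruleset with one representative packet per equivalence class of the predicates and reports every rule that no packet ever matches, which finds rule 101 in Luigi's `skipto` example. The sample ruleset, the address 198.51.100.1 and the default-deny policy at the end of the ruleset are constructed assumptions of this toy; real ipfw predicates are far richer, so the representative-packet trick is exact only for this toy language.

```python
"""Toy analyzer for a tiny ipfw-like rule language (added example, not ipfw(8) code).

Shows a per-rule sanity check ('setup' on a non-TCP rule) and a cross-rule
check that finds rules no packet can ever match (rule 101 in the skipto example).
Packets are modelled only as (proto, src, syn); 'setup' means TCP with SYN set.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Packet = Tuple[str, str, bool]  # (proto, source address, syn flag)


@dataclass
class Rule:
    number: int
    action: str            # "allow", "deny" or "skipto"
    target: Optional[int]  # skipto destination, else None
    proto: str             # "ip", "tcp" or "udp"
    src: Optional[str]     # literal source address, None for "any"
    src_negated: bool      # "from not <addr>"
    setup: bool = False    # TCP connection setup (SYN) packets only


def parse_rule(text: str) -> Rule:
    """Parse 'add <num> <action> [target] <proto> from [not] <src> to any [setup]'."""
    toks = text.split()
    if toks[0] != "add":
        raise ValueError(f"expected 'add': {text!r}")
    number, action = int(toks[1]), toks[2]
    i = 3
    target = None
    if action == "skipto":
        target = int(toks[i])
        i += 1
    proto = toks[i]
    i += 1
    if toks[i] != "from":
        raise ValueError(f"expected 'from': {text!r}")
    i += 1
    negated = toks[i] == "not"
    if negated:
        i += 1
    src = None if toks[i] == "any" else toks[i]
    i += 1
    if toks[i:i + 2] != ["to", "any"]:  # destination is always 'any' in this toy
        raise ValueError(f"only 'to any' is supported: {text!r}")
    return Rule(number, action, target, proto, src, negated, setup="setup" in toks[i + 2:])


def single_rule_problems(rule: Rule) -> List[str]:
    """Checks that look at one rule in isolation (the kind Simon proposed)."""
    problems = []
    if rule.setup and rule.proto != "tcp":
        problems.append(f"rule {rule.number}: 'setup' with proto {rule.proto} can never match")
    if rule.action == "skipto" and rule.target is not None and rule.target <= rule.number:
        problems.append(f"rule {rule.number}: skipto must go forward in this toy")
    return problems


def matches(rule: Rule, pkt: Packet) -> bool:
    proto, src, syn = pkt
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.src is not None and (src == rule.src) == rule.src_negated:
        return False
    if rule.setup and not (proto == "tcp" and syn):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Walk a number-sorted ruleset; return the final action and the rule numbers that matched."""
    matched: List[int] = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        matched.append(r.number)
        if r.action != "skipto":
            return r.action, matched
        # continue at the first later rule numbered >= target; scanning only forward guarantees progress
        i = next((k for k, rr in enumerate(rules) if k > i and rr.number >= r.target), len(rules))
    return "deny", matched  # assumed default policy of this toy when no terminal rule matched


def representative_packets(rules: List[Rule]) -> List[Packet]:
    """One packet per equivalence class of the toy predicates: every literal source
    address plus one address no rule names (198.51.100.1, constructed), for udp,
    plain tcp and tcp SYN. Exact here because rules only test equality with literals."""
    srcs = sorted({r.src for r in rules if r.src is not None}) + ["198.51.100.1"]
    return [(proto, src, syn) for src in srcs for proto, syn in (("udp", False), ("tcp", False), ("tcp", True))]


def analyze(lines: List[str]) -> Tuple[List[str], List[int]]:
    """Return (per-rule problems, numbers of rules that no packet ever matches)."""
    rules = sorted((parse_rule(line) for line in lines), key=lambda r: r.number)
    problems = [p for r in rules for p in single_rule_problems(r)]
    ever_matched = set()
    for pkt in representative_packets(rules):
        ever_matched.update(evaluate(rules, pkt)[1])
    dead = [r.number for r in rules if r.number not in ever_matched]
    return problems, dead


SAMPLE_RULES = [  # constructed ruleset combining both cases from the thread
    "add 50 deny udp from any to any setup",          # single-rule nonsense: udp with setup
    "add 100 skipto 102 ip from not 1.2.3.4 to any",   # Luigi's example
    "add 101 skipto 102 ip from not 1.2.3.4 to any",   # only reached with src 1.2.3.4, so never matches
    "add 102 allow ip from any to any",
]

if __name__ == "__main__":
    problems, dead = analyze(SAMPLE_RULES)
    for p in problems:
        print("per-rule:", p)
    print("rules no packet can match:", dead)
```

Rule 50 is caught by both checks, rule 101 only by the cross-rule one, which is Luigi's point: a per-rule check in ipfw(8) cannot see it, and anyone loading rules through the kernel interface directly never runs the userland check at all.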