From owner-freebsd-pf@FreeBSD.ORG  Tue Apr 17 16:33:36 2012
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 8A434106566B;
	Tue, 17 Apr 2012 16:33:36 +0000 (UTC)
	(envelope-from glebius@FreeBSD.org)
Received: from cell.glebius.int.ru (glebius.int.ru [81.19.64.117])
	by mx1.freebsd.org (Postfix) with ESMTP id 011DF8FC0C;
	Tue, 17 Apr 2012 16:33:35 +0000 (UTC)
Received: from cell.glebius.int.ru (localhost [127.0.0.1])
	by cell.glebius.int.ru (8.14.5/8.14.5) with ESMTP id q3HGXYku003275;
	Tue, 17 Apr 2012 20:33:34 +0400 (MSK)
	(envelope-from glebius@FreeBSD.org)
Received: (from glebius@localhost)
	by cell.glebius.int.ru (8.14.5/8.14.5/Submit) id q3HGXYrp003274;
	Tue, 17 Apr 2012 20:33:34 +0400 (MSK)
	(envelope-from glebius@FreeBSD.org)
X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to
	glebius@FreeBSD.org using -f
Date: Tue, 17 Apr 2012 20:33:34 +0400
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Message-ID: <20120417163334.GB2140@glebius.int.ru>
References: <201204151200.q3FC0LT5085161@freefall.freebsd.org>
	<20120416185949.GC92286@FreeBSD.org>
	<CAPBZQG2Tjg36GNCBetRZ20FhQnL1sK9i_-oQDDb97bcb4N=sLA@mail.gmail.com>
	<20120417081406.GA93887@glebius.int.ru>
	<CAPBZQG2gF8GSx6eE4jkFuOf29c-jB09Gz6=+kbpXprN8XiEE4w@mail.gmail.com>
	<20120417084608.GA99119@glebius.int.ru>
	<CAPBZQG0ujzB+7xTFpvhjRVbrtBEeABXHeKDx-WjbSOaAWX0-sA@mail.gmail.com>
	<20120417094825.GC99119@glebius.int.ru>
	<5CA2DD90-145C-44F2-AD66-2DBCE8989C2A@lists.zabbadoz.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <5CA2DD90-145C-44F2-AD66-2DBCE8989C2A@lists.zabbadoz.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Ermal Lu?i <eri@FreeBSD.org>, freebsd-pf@FreeBSD.org
Subject: Re: kern/164402: [pf] pf crashes with a particular set of rules when
 first matching packet arrives
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Apr 2012 16:33:36 -0000

On Tue, Apr 17, 2012 at 04:32:31PM +0000, Bjoern A. Zeeb wrote:
B> > On Tue, Apr 17, 2012 at 11:33:27AM +0200, Ermal Lu?i wrote:
B> > E> The only problem i might see is when running more than one firewall
B> > E> together but still there are other issues when you do that at pfil(9)
B> > E> level.
B> > 
B> > Well, playing with two firewalls was never safe and clear, there always
B> > be edge cases in such setups.
B> 
B> A lot of people have used ipfw to filter L2 MAC addresses etc and pf for everything else in the past.  So certainly is not an edge case.

Enabling two firewalls isn't an edge case, but when two firewalls enabled
there are numerouse possibilities to do evil misconfigurations.

-- 
Totus tuus, Glebius.