From: Ermal Luçi
To: "Bjoern A. Zeeb"
Cc: freebsd-pf@freebsd.org
Date: Tue, 17 Apr 2012 21:19:50 +0200
Subject: Re: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives

On Tue, Apr 17, 2012 at 6:32 PM, Bjoern A. Zeeb wrote:
>
> On 17. Apr 2012, at 09:48 , Gleb Smirnoff wrote:
>
>> Replying on only one paragraph, everything else agreed.
>>
>> On Tue, Apr 17, 2012 at 11:33:27AM +0200, Ermal Luçi wrote:
>> E> The only problem I might see is when running more than one firewall
>> E> together but still there are other issues when you do that at pfil(9)
>> E> level.
>>
>> Well, playing with two firewalls was never safe and clear, there will always
>> be edge cases in such setups.
>
> A lot of people have used ipfw to filter L2 MAC addresses etc and pf for
> everything else in the past. So it certainly is not an edge case.

I know that since pfSense uses that extensively.
But this does not break this case. It only affects packets going back at IP level.
With ipfw you cannot filter L2 MAC on pfil(9) level AFAIR.

>
> --
> Bjoern A. Zeeb                                 You have to have visions!
>   It does not matter how good you are. It matters what good you do!
>

--
Ermal