From owner-freebsd-questions@FreeBSD.ORG Tue Feb 12 11:51:40 2008
Delivered-To: freebsd-questions@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8395516A420; Tue, 12 Feb 2008 11:51:40 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.freebsd.org (Postfix) with ESMTP id 94C5C13C45D; Tue, 12 Feb 2008 11:51:38 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id WAA12354; Tue, 12 Feb 2008 22:51:34 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Tue, 12 Feb 2008 22:51:33 +1100 (EST)
From: Ian Smith
To: Giorgos Keramidas
In-Reply-To: <20080212080343.8EE7C16A505@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-questions@FreeBSD.org
Subject: Re: Error in the Handbook
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 12 Feb 2008 11:51:40 -0000

On Tue, 12 Feb 2008 00:58:33 +0200 Giorgos Keramidas wrote:

> On 2008-02-11 21:01, Peter Rosa wrote:
> > Hi,
> >
> > there is an error in the handbook, section 28.6.5.7 An Example NAT and
> > Stateful Ruleset.
> >
> > On the bottom are two examples, 1st with command:
> > $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
> >
> > and second with command
> > $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> >
> > Both commands should look ".... in via $pif setup keep-state limit ...."
>
> This is probably true. Can you file a `problem report', so this doesn't
> get lost in the noise of mailing lists? If not, I can do it and take
> care of checking the section, fixing the text, and getting it committed.
This is unfortunately[1] false :)  keep-state and limit are both forms of
specifying dynamic rules.  limit implies keep-state, which is the unlimited
form.  Does it hurt to add keep-state to limit?  Let's try:

paqi# ipfw add 30000 allow tcp from any to me 80 in via dc0 setup limit src-addr 1
30000 allow tcp from any to me dst-port 80 in via dc0 setup limit src-addr 1
paqi# ipfw add 30001 allow tcp from any to me 80 in via dc0 setup keep-state limit src-addr 1
ipfw: only one of keep-state and limit is allowed

> Thank you for carefully reading the text, and most of all for taking the
> time to report this.

[1] Not at all wishing to discourage anyone from reviewing and patching
docs, but it's best to prove the theory before firing up send-pr ..

cheers, Ian
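The point Ian demonstrates at the ipfw prompt (limit implies keep-state, and the two options are mutually exclusive) can be checked offline before a ruleset is loaded or a doc patch is sent. The following linter is an added example, not part of the thread or of the FreeBSD Handbook; the sample ruleset is constructed from the rule lines quoted above with the interface dc0 substituted for $pif.

```python
import re

# Constructed sample ruleset, modelled on the Handbook lines quoted in the
# thread; rule 30001 reproduces the combination ipfw(8) rejected above.
SAMPLE_RULES = """
add 00420 allow tcp from any to me 80 in via dc0 setup limit src-addr 1
add 00370 allow tcp from any to me 80 in via dc0 setup limit src-addr 2
add 30001 allow tcp from any to me 80 in via dc0 setup keep-state limit src-addr 1
add 00450 allow tcp from any to me 22 in via dc0 setup keep-state
add 00460 allow tcp from any to me 25 in via dc0 setup
"""

# limit takes one or more of src-addr/dst-addr/src-port/dst-port, then a count.
LIMIT_RE = re.compile(r"\blimit\s+((?:(?:src|dst)-(?:addr|port)\s+)+)(\d+)\b")

# Same wording ipfw(8) printed in the session above, so the lint output
# matches what an operator would see when loading the rule for real.
CONFLICT_MSG = "only one of keep-state and limit is allowed"


def analyse_rule(rule):
    """Classify one 'add NNNNN ...' rule line.

    Returns a dict with the rule number, whether the rule creates dynamic
    state (keep-state or limit), the parsed limit clause as (keys, count)
    or None, and an error string when keep-state and limit are combined.
    """
    words = rule.split()
    number = words[1] if len(words) > 1 and words[0] == "add" else None
    has_keep_state = "keep-state" in words
    m = LIMIT_RE.search(rule)
    limit = (tuple(m.group(1).split()), int(m.group(2))) if m else None
    error = CONFLICT_MSG if (has_keep_state and limit) else None
    # limit implies keep-state, so either option makes the rule dynamic.
    dynamic = has_keep_state or limit is not None
    return {"number": number, "dynamic": dynamic, "limit": limit, "error": error}


def lint_ruleset(text):
    """Analyse every non-empty line of an ipfw ruleset, in order."""
    return [analyse_rule(line.strip()) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in lint_ruleset(SAMPLE_RULES):
        status = "ERROR: " + r["error"] if r["error"] else ("dynamic" if r["dynamic"] else "stateless")
        print(f"rule {r['number']}: {status}  limit={r['limit']}")
```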