Date:      Wed, 3 Aug 2005 08:20:17 -0300
From:      AT Matik <asstec@matik.com.br>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Another bug in IPFW@ ...?
Message-ID:  <200508030820.18304.asstec@matik.com.br>
In-Reply-To: <20050803021151.B80694@xorpc.icir.org>
References:  <200508021746.j72Hk6Wq006760@lurza.secnetix.de> <200508022151.45925.asstec@matik.com.br> <20050803021151.B80694@xorpc.icir.org>

On Wednesday 03 August 2005 06:11, Luigi Rizzo wrote: 

> there are internally generated packets which do not have
> a rcvif (which is what really 'recv' means);
> and any packet in the input path does not have an output-if
> (which is what really 'xmit' means).
>

Well, this means that any rule using IF here is not catching anything, and 
you get them as with src-ip and dst-ip only, unless you really can 
say "not recv any", or isn't this "not in"?

nb# ipfw add pass proto ip not in
65500 allow ip from any to any out

Practically correct? Or only logical?

Anyway, looking at the initial rule and what you said a message before:

# ipfw add pass ip from $A to $N out not recv any xmit xl0
00900 allow ip from $A to $N out xmit xl0

Isn't "out xmit IF" a kind of unnecessary double-check that ipfw 
should not accept? What matches first here, out or xmit? And look 
what I get:

nb# ipfw add pass proto ip src-ip $A dst-ip $N out not in xmit dc0
65500 allow ip from any to any src-ip $A dst-ip $N out out xmit dc0

Hans