Date: Wed, 3 Aug 2005 08:20:17 -0300 From: AT Matik <asstec@matik.com.br> To: freebsd-ipfw@freebsd.org Subject: Re: Another bug in IPFW@ ...? Message-ID: <200508030820.18304.asstec@matik.com.br> In-Reply-To: <20050803021151.B80694@xorpc.icir.org> References: <200508021746.j72Hk6Wq006760@lurza.secnetix.de> <200508022151.45925.asstec@matik.com.br> <20050803021151.B80694@xorpc.icir.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wednesday 03 August 2005 06:11, Luigi Rizzo wrote: > there are internally generated packets which do not have > a rcvif (which is what really 'recv' means); > and any packet in the input path does not have an output-if > (which is wht really 'xmit' means). > well, means that any rule using IF here is not catching anything and you get them as with src-ip and dst-ip only, unless you really can say "not recv any" or isn't this "not in"? nb# ipfw add pass proto ip not in 65500 allow ip from any to any out practically correct? or only logical? anyway, looking at the initial rule and what you said a msg before: # ipfw add pass ip from $A to $N out not recv any xmit xl0 00900 allow ip from $A to $N out xmit xl0 "out xmit IF" isn't this kind of unecessary double-check and ipfw should not accept it? what match first here, ou or xmit? And look what I get: nb# ipfw add pass proto ip src-ip $A dst-ip $N out not in xmit dc0 65500 allow ip from any to any src-ip $A dst-ip $N out out xmit dc0 Hans A mensagem foi scaneada pelo sistema de e-mail e pode ser considerada segura. Service fornecido pelo Datacenter Matik https://datacenter.matik.com.br
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200508030820.18304.asstec>