ipfw, keep-state and limit
Ian Smith
smithi at nimnet.asn.au
Mon Apr 16 06:14:31 UTC 2007
On Sun, 15 Apr 2007, Luigi Rizzo wrote:
> On Sun, Apr 15, 2007 at 11:53:15PM +0200, Ivan Voras wrote:
> > Luigi Rizzo wrote:
> >
> > > if I remember well (the implementation dates back to 2001 or so)
> > > you just need to use "limit", as it implicitly installs
> > > a dynamic state entry (same as keep-state).
> >
> > Thanks, I'll try it tomorrow. If it works, may I suggest a change: make
> > the error message say "keep-state is redundant with limits" and proceed
> > like only "limits" exists?
>
> It certainly makes sense to change the error message and
> explain better what is wrong.
> However, I really don't like the idea of accepting a wrong ipfw rule,
> because it encourages lazy programming practices.
Agree about not 'correcting' invalid rules. ipfw(8) adequately implies
(to me, anyway), in several places and most particularly in the STATEFUL
FIREWALL section, that keep-state and limit are mutually exclusive,
though I guess this could be stated a bit more explicitly in the RULE
OPTIONS (MATCH PATTERNS) section for both keep-state and limit.
Cheers, Ian
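The thread only states the rule, so here is a small constructed shell lint, not from the thread, from ipfw(8) or from FreeBSD, that applies it to a candidate rule set before loading: a rule combining keep-state and limit is rejected and rewritten with limit alone, which, as noted above, already installs the dynamic state entry. The rule lines and addresses are constructed; the script never calls ipfw.

```shell
# Constructed ipfw rule lint (example code, not part of the thread or of ipfw).
# Applies the point made above: 'limit' already keeps state, so a rule that
# carries both 'keep-state' and 'limit' is invalid and should lose 'keep-state'.
# POSIX sh; does not invoke ipfw(8), so it runs on any host.

# Return 0 if the rule is acceptable, 1 if it combines keep-state and limit.
check_rule() {
    rule=$1
    has_keep=0
    has_limit=0
    # Pad with spaces so only whole tokens match (check-state must not match).
    case " $rule " in *" keep-state "*) has_keep=1 ;; esac
    case " $rule " in *" limit "*)      has_limit=1 ;; esac
    if [ "$has_keep" -eq 1 ] && [ "$has_limit" -eq 1 ]; then
        echo "reject: 'keep-state' is redundant with 'limit': $rule" >&2
        return 1
    fi
    return 0
}

# Rewrite a rejected rule by dropping keep-state; limit already keeps state.
fix_rule() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*keep-state//'
}

# Emit the rule set with every invalid rule corrected (reports go to stderr).
lint_ruleset() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if check_rule "$line"; then
            printf '%s\n' "$line"
        else
            fix_rule "$line"
        fi
    done <<EOF
$1
EOF
}

# Constructed candidate rule set: rule 200 is the invalid combination.
CANDIDATES='add 100 check-state
add 200 allow tcp from 192.0.2.0/24 to any 22 setup keep-state limit src-addr 4
add 300 allow tcp from any to any 80 setup limit src-addr 10'

lint_ruleset "$CANDIDATES"
```

The corrected output is what one would feed to `ipfw` (rule 200 with `limit src-addr 4` only); the reject line on stderr names the rule that was changed.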