Hello Freebsd-ipfw,

I've tried a new build of 12-CURRENT (with the new ipfw feature of named states) with an OLD ruleset, and I'm disappointed by the user experience.

The old ruleset contains a lot of "keep-state" and "check-state" statements, and all this "Ambiguous state names" noise is, really, noise. It looks ridiculous sometimes:

00000 deny ip from any to any src-ip table(bans) // And it should not be banned
13040 allow ip from any to any src-ip 216.66.80.26 proto ipv6 // IPv6 tunneling through this interface
13050 nat 2 ip from any to any // De-NAT
Line 155: Ambiguous state name '//', 'default' used instead.
: No error: 0
00000 check-state default
13070 skipto 30000 ip from any to any // Allowed local services - common block

What does this error about "//" mean? The previous and next rules don't contain state-related tokens. It looks like the errors are out of sync with the commands, and all this ": No error: 0" -- WTF?

Also, all this "default" in the "ipfw show" output is just noise when there is ONLY the default state.

Now I think that this syntax of named rules is not good enough to work with old rulesets. I think something like keep-state(name) or keep-state :name could be much better. In the first case, the whole '(name)' part must be optional, of course.

A ton of useless errors (warnings?) in the case of an "old-style" ruleset looks very ugly, IMHO.

--
Best regards,
Lev mailto:[email protected]
