* Patrick Lamaiziere <patf...@davenulle.org> [2012-01-03 19:00]:
> Well because for me 80:82 is (80, 81, 82) and 82:80 the same
> items and so the same range.

but it is NOT the same. I'd claim your expectation is strange ;)

> So what is the meaning for PF of the range 82:80? If this is a non
> sense, an error from pfctl would be cool.

it isn't nonsense, it just can't match. that is not an error, strictly
speaking.

it comes down to basic unix philosophy. the system doesn't assume it
is more clever than its operator. it does exactly what you tell it to
do, no more, no less.

> > port 82 >< 80 defines a range that can't match, and it doesn't. as in,
> > all is good. when you mean 80 >< 82 you ought to write 80 >< 82 and
> > not 82 >< 80.
> 
> Sure, but when using service names it's easy to make a mistake. In fact
> I've found this strange behavior while translating a Cisco ACL:
> 
> permit tcp any any range ftp ftp-data 
> 
> Translated to "port ftp:ftp-data", which if I understand well does not
> mean anything for PF.

right. pilot error.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
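The check Patrick asks pfctl for, as an added example that is not part of this thread or of pfctl itself: a small Python lint that resolves service names (from a constructed table standing in for /etc/services), applies PF's ':' (inclusive) and '><' (exclusive) semantics, flags a range that can never match, and shows the Cisco "range A B" translation with numeric ports so the direction is visible.

```python
import re

# Constructed service table standing in for /etc/services; it holds only the
# names this example needs (assumption: the usual IANA numbers).
SERVICES = {"ftp-data": 20, "ftp": 21, "http": 80}

def resolve_port(tok):
    """Map a numeric port or a service name to an integer port."""
    if tok.isdigit():
        return int(tok)
    if tok in SERVICES:
        return SERVICES[tok]
    raise ValueError(f"unknown port or service: {tok!r}")

def parse_port_spec(spec):
    """Parse 'lo:hi' or 'lo >< hi' (pf.conf syntax) into (lo, hi, op)."""
    m = re.fullmatch(r"\s*(\S+?)\s*(:|><)\s*(\S+)\s*", spec)
    if not m:
        raise ValueError(f"cannot parse port spec: {spec!r}")
    return resolve_port(m.group(1)), resolve_port(m.group(3)), m.group(2)

def port_matches(port, lo, hi, op):
    """PF semantics: ':' includes both endpoints, '><' excludes both."""
    return lo <= port <= hi if op == ":" else lo < port < hi

def spec_can_match(lo, hi, op):
    """True unless the range is empty (what the thread calls "can't match")."""
    return lo <= hi if op == ":" else hi - lo >= 2

def lint_port_spec(spec):
    """Return None if the spec can match some port, else an explanation.
    If swapping the endpoints yields a non-empty range, suggest that."""
    lo, hi, op = parse_port_spec(spec)
    if spec_can_match(lo, hi, op):
        return None
    msg = f"{spec.strip()} resolves to {lo} {op} {hi} and can never match"
    if spec_can_match(hi, lo, op):
        sep = ":" if op == ":" else " >< "
        msg += f"; did you mean {hi}{sep}{lo}?"
    return msg

def cisco_range_to_pf(first, last):
    """Translate Cisco 'range FIRST LAST' (inclusive) into a pf 'lo:hi' spec,
    emitting numeric ports in ascending order so the ordering is explicit."""
    lo, hi = sorted((resolve_port(first), resolve_port(last)))
    return f"{lo}:{hi}"
```

Running `lint_port_spec("ftp:ftp-data")` reports that the spec resolves to 21 : 20 and suggests 20:21, which is exactly the pilot error discussed above.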
