Re: IPFW 'keep state' 'limit'

2004-01-14 Thread Dan Pelleg
fbsd_user [EMAIL PROTECTED] writes:

> Reading the man page on IPFW rule syntax, I get the impression that
> the 'limit' option uses the stateful dynamic rules table. But it's
> unclear whether 'keep state' and limit can be used on the same rule,
> or if the limit option performs the 'keep state' function in
> addition to the limit function.
>
> So as an example
>
> $cmd 00390 allow tcp from any to any 22 in via dc0 setup keep-state
> limit src-addr 3
>
> will this work?


limit implies keep-state, and you should really specify one or the
other. If you specify both, ipfw won't complain, but ipfw2 will. So it's
best to not do that.

-- 

  Dan Pelleg
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: IPFW 'keep state' 'limit'

2004-01-14 Thread fbsd_user
The FBSD 5.2 man IPFW does not say anything different from the 4.9
man IPFW.
Are you saying the man doc in 5.2 is wrong?

5.2 is using the ipfw2 code for IPFIREWALL I believe.

Documenting the fact that 'limit' performs the same function as
'keep state' in addition to the stated purpose of 'limit' is very
important information. Also that 'limit' and 'keep state' cannot be
coded together is another very important piece of information that needs
to be documented in the man IPFW data.

Should this be submitted as a problem report?



-Original Message-
From: Dan Pelleg [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 9:47 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] ORG
Subject: Re: IPFW 'keep state'  'limit'

fbsd_user [EMAIL PROTECTED] writes:

> Reading the man page on IPFW rule syntax, I get the impression that
> the 'limit' option uses the stateful dynamic rules table. But it's
> unclear whether 'keep state' and limit can be used on the same rule,
> or if the limit option performs the 'keep state' function in
> addition to the limit function.
>
> So as an example
>
> $cmd 00390 allow tcp from any to any 22 in via dc0 setup keep-state
> limit src-addr 3
>
> will this work?


limit implies keep-state, and you should really specify one or the
other. If you specify both, ipfw won't complain, but ipfw2 will. So it's
best to not do that.

--

  Dan Pelleg



RE: IPFW 'keep state' 'limit'

2004-01-14 Thread Dave McCammon

--- fbsd_user [EMAIL PROTECTED] wrote:
> The FBSD 5.2 man IPFW does not say anything different from the 4.9
> man IPFW.
> Are you saying the man doc in 5.2 is wrong?
>
> 5.2 is using the ipfw2 code for IPFIREWALL I believe.
>
> Documenting the fact that 'limit' performs the same function as
> 'keep state' in addition to the stated purpose of 'limit' is very
> important information. Also that 'limit' and 'keep state' cannot be
> coded together is another very important piece of information that
> needs to be documented in the man IPFW data.
>
> Should this be submitted as a problem report?

Snippets from IPFW(8) on FBSD 5.2
---[begin snip]---
STATEFUL FIREWALL
     Stateful operation is a way for the firewall to dynamically create
     rules for specific flows when packets that match a given pattern are
     detected.  Support for stateful operation comes through the
     check-state, keep-state and limit options of rules.

[snip]

     Dynamic rules will be checked at the first check-state, keep-state or
     limit occurrence, and the action performed upon a match will be the
     same as in the parent rule.

---[end snip]---

There is also an occurrence farther down under the EXAMPLES area in the
DYNAMIC RULES area which doesn't mention the limit option.
---[begin snip]---

     Dynamic rules are checked when encountering the first check-state or
     keep-state rule.

---[end snip]---

Granted, it doesn't say anything about them not working if used together,
but since it does say that they both create dynamic rules, it looks to be
intuitively implied that they wouldn't be used together.





Re: IPFW 'keep state' 'limit'

2004-01-14 Thread Dan Pelleg
fbsd_user [EMAIL PROTECTED] writes:

> The FBSD 5.2 man IPFW does not say anything different from the 4.9
> man IPFW.
> Are you saying the man doc in 5.2 is wrong?
>
> 5.2 is using the ipfw2 code for IPFIREWALL I believe.
>
> Documenting the fact that 'limit' performs the same function as
> 'keep state' in addition to the stated purpose of 'limit' is very
> important information. Also that 'limit' and 'keep state' cannot be
> coded together is another very important piece of information that needs
> to be documented in the man IPFW data.
>
> Should this be submitted as a problem report?
>
> -Original Message-
> From: Dan Pelleg [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 14, 2004 9:47 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED] ORG
> Subject: Re: IPFW 'keep state'  'limit'
>
> fbsd_user [EMAIL PROTECTED] writes:
>
> > Reading the man page on IPFW rule syntax, I get the impression that
> > the 'limit' option uses the stateful dynamic rules table. But it's
> > unclear whether 'keep state' and limit can be used on the same rule,
> > or if the limit option performs the 'keep state' function in
> > addition to the limit function.
> >
> > So as an example
> >
> > $cmd 00390 allow tcp from any to any 22 in via dc0 setup keep-state
> > limit src-addr 3
> >
> > will this work?
>
> limit implies keep-state, and you should really specify one or the
> other. If you specify both, ipfw won't complain, but ipfw2 will. So
> it's best to not do that.
>
> --
>
>   Dan Pelleg




Your rule, given to IPFW2 (on a 4.X system), yields:

ipfw: only one of keep-state and limit is allowed

I wouldn't say the man page hides the first fact; it is reasonably careful
to say keep-state or limit in most places. 

It does, however, not mention that specifying both in the same rule is not
accepted. In fact it says that "Zero or more rule options are accepted",
with both limit and keep-state listed as options (in the RULE OPTIONS
section - this is on a man page from around 5.1). Given this might surprise
people who move to 5.X and even lock them out, it might also be worth
mentioning in one of the migration guides. I suggest you bring this up to the
doc@ list.

-- 

  Dan Pelleg
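As an added example (not code from this thread or from FreeBSD), a small Python lint for rc.firewall-style rule lines that flags the keep-state + limit combination ipfw2 rejects and suggests the rule with keep-state dropped, since limit already implies it. It assumes one rule per line, the option spellings used in the thread, and the sample script below is constructed.

```python
"""Added example, not code from the thread or from FreeBSD: lint ipfw rule
lines for the keep-state + limit combination that ipfw2 rejects."""
import re

# Both are ipfw(8) RULE OPTIONS; limit takes an address/port selector list
# and a count, e.g. "limit src-addr 3".
LIMIT_RE = re.compile(r"\blimit\s+(\S+)\s+(\d+)\b")
KEEP_STATE_RE = re.compile(r"\bkeep-state\b")
# Error text ipfw2 prints for such a rule, as quoted in the thread.
IPFW2_ERROR = "ipfw: only one of keep-state and limit is allowed"


def lint_rule(line):
    """Return (ok, message, rule) for one rule line; rule has keep-state
    dropped when both options were present, since limit implies it."""
    rule = line.split("#", 1)[0].strip()  # ignore shell comments
    has_keep = bool(KEEP_STATE_RE.search(rule))
    limit = LIMIT_RE.search(rule)
    if has_keep and limit:
        fixed = re.sub(r"\s*\bkeep-state\b", "", rule)
        return False, IPFW2_ERROR, re.sub(r"\s{2,}", " ", fixed).strip()
    if limit:
        return True, "stateful via limit %s %s" % limit.groups(), rule
    return True, "stateful via keep-state" if has_keep else "stateless", rule


def lint_script(text):
    """Lint every line of a firewall script; return [(lineno, msg, fix)]."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        ok, msg, fixed = lint_rule(line)
        if not ok:
            problems.append((n, msg, fixed))
    return problems


# Constructed sample script: the rule from the thread plus valid neighbours.
SAMPLE = """\
cmd="ipfw -q add"
$cmd 00300 check-state
$cmd 00390 allow tcp from any to any 22 in via dc0 setup keep-state limit src-addr 3
$cmd 00400 allow tcp from any to any 80 in via dc0 setup limit src-addr 10
$cmd 00410 allow tcp from me to any out via dc0 setup keep-state
"""

if __name__ == "__main__":
    for n, msg, fixed in lint_script(SAMPLE):
        print("line %d: %s\n  suggested: %s" % (n, msg, fixed))
```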