IPFW 'keep state' & 'limit'
fbsd_user at a1poweruser.com
Wed Jan 14 08:06:44 PST 2004
The FBSD 5.2 man IPFW does not say anything different than the 4.9
Are you saying the man doc in 5.2 is wrong?
5.2 is using the ipfw2 code for IPFIREWALL I believe.
Documenting the fact that 'limit' performs the same function as
'keep state' in addition to the stated purpose of 'limit' is very
important information. Also, that 'limit' and 'keep state' cannot be
coded together is another very important piece of information that needs
to be documented in the man IPFW data.
Should this be submitted as a problem report?
From: Dan Pelleg [mailto:daniel+bsd at pelleg.org]
Sent: Wednesday, January 14, 2004 9:47 AM
To: fbsd_user at a1poweruser.com
Cc: freebsd-questions at FreeBSD.ORG
Subject: Re: IPFW 'keep state' & 'limit'
"fbsd_user" <fbsd_user at a1poweruser.com> writes:
> Reading the man page on IPFW rule syntax, I get the impression
> the 'limit' option uses the stateful dynamic rules table. But it's
> unclear whether 'keep state' and limit can be used on the same
> or if the limit option performs the 'keep state' function in
> addition to the limit function.
> So as an example
> $cmd 00390 allow tcp from any to any 22 in via dc0 setup limit src-addr 3
> will this work?
limit implies keep-state, and you should really specify one or the
other. If you specify both, ipfw won't complain, but ipfw2 will. So
best to not do that.
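
A lint pass for the point made in the reply above (limit implies keep-state, so a rule should carry one or the other), as an added example that is not part of the original thread. The function names, the verdict labels and every sample rule except 00390 are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify ipfw rules by their stateful option and flag
# rules that carry both keep-state and limit.

sample_rules() {
    # Constructed ruleset lines; only rule 00390 comes from the thread.
    cat <<'EOF'
# constructed sample ruleset
$cmd 00380 check-state
$cmd 00390 allow tcp from any to any 22 in via dc0 setup limit src-addr 3
$cmd 00400 allow tcp from any to any 80 in via dc0 setup keep-state
$cmd 00410 allow tcp from any to any 25 in via dc0 setup keep-state limit src-addr 3
$cmd 00420 deny log all from any to any
EOF
}

check_ipfw_state_opts() {
    # Reads rule lines on stdin and prints "<rule-number> <verdict>" for
    # every rule that creates dynamic state. Works on ruleset script lines
    # ("$cmd 00390 allow ...") and on "ipfw list" style lines.
    awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    {
        num = ""; seen_action = 0; has_keep = 0; has_limit = 0
        for (i = 1; i <= NF; i++) {
            # The rule number is the first all-digit token before the
            # action keyword; later numbers are ports or limit counts.
            if ($i ~ /^(allow|accept|pass|permit|deny|drop|reject|count|check-state|skipto)$/)
                seen_action = 1
            if (num == "" && !seen_action && $i ~ /^[0-9]+$/) num = $i
            if ($i == "keep-state") has_keep = 1
            if ($i == "limit")      has_limit = 1
        }
        if (num == "") num = "-"              # rule written without a number
        if (has_keep && has_limit) print num, "both-keep-state-and-limit"
        else if (has_limit)        print num, "limit-only"
        else if (has_keep)         print num, "keep-state-only"
    }'
}

# Stand-alone run over the constructed sample.
sample_rules | check_ipfw_state_opts
```

To check a real ruleset, feed the script file to the function on stdin in place of `sample_rules`.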