ipfw "bug" - recv any = not recv any
Jeff Kletsky
jeff+freebsd at wagsky.com
Tue Jul 29 14:38:16 UTC 2008
> In practice, both "recv any" and "not recv any" appear to be "no-op"
> phrases.
>
[...]
> In my opinion, the following would be "ideal"
>
> 1) "recv any" -- matches packets that have been received by the host
> through one of its interfaces
> 2) "not recv any" -- does not match packets that have been received by
> the host through one of its interfaces
>
> Unfortunately, implementing (1) would likely break a lot of people's
> rule sets
>
> (2), however, I can't immediately see being used without expecting that
> it would fail to match packets that were received by the current host,
> so its implementation would be a bit "safer" for the community
>
Julian Elischer suggested:
> how does "not recv *" (appropriately escaped for your shell) do?
This does appear to "work as desired" -- suggesting documentation clarification rather than functionality change
My apologies for not posting to the ipfw list.
Jeff
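As an added illustration (not part of this thread or of the ipfw sources) of why Julian's "appropriately escaped for your shell" matters: an unquoted `*` is expanded by the shell into the file names in the current directory before ipfw ever sees it, so the rule silently changes meaning. The script below shows the difference in a scratch directory and emits, without executing, the ipfw rule text that matches only traffic the host did not receive on any interface. The rule number (100), the action, and the file names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: demonstrates shell globbing of "*"
# in an ipfw rule and emits the rule text without invoking ipfw.

# How many words does the shell pass on when "*" is left unquoted in a
# directory that contains files? Runs inside a throwaway directory.
count_words_unquoted() {
    dir=$(mktemp -d) || return 1
    : > "$dir/em0.rules"      # constructed file names
    : > "$dir/lo0.rules"
    (
        cd "$dir" || exit 1
        set -- not recv *     # unquoted: "*" becomes the two file names
        echo "$#"
    )
    rm -rf "$dir"
}

# Same thing with the glob protected by single quotes.
count_words_quoted() {
    dir=$(mktemp -d) || return 1
    : > "$dir/em0.rules"
    (
        cd "$dir" || exit 1
        set -- not recv '*'   # quoted: ipfw would receive a literal "*"
        echo "$#"
    )
    rm -rf "$dir"
}

# Emit (do not execute) a rule matching packets the host did NOT receive
# on any interface, i.e. locally originated traffic.
# $1 = rule number, $2 = action (placeholders chosen by the caller).
local_origin_rule() {
    printf 'ipfw add %s %s ip from any to any not recv %s\n' "$1" "$2" '*'
}

# Example invocation when run directly:
#   local_origin_rule 100 allow
```

On a FreeBSD host, piping the emitted line through `ipfw -n` checks the syntax without loading the rule into the kernel, which is a cheap way to confirm the quoting survived before touching a live ruleset.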