misc/132553: ipfw doesnt understand ftp-data port

Andrey V. Elsukov bu7cher at yandex.ru
Thu Mar 12 22:34:25 PDT 2009


Christoph Weber-Fahr wrote:
> The following reply was made to PR misc/132553; it has been noted by GNATS.
> 
> From: Christoph Weber-Fahr <cwf-ml at arcor.de>
> To: Maxim Konovalov <maxim at macomnet.ru>
> Cc: bug-followup at FreeBSD.org
> Subject: Re: misc/132553: ipfw doesnt understand ftp-data port 
> Date: Wed, 11 Mar 2009 23:35:03 +0100
> 
>  Hello,
>  
>  Maxim Konovalov <maxim at macomnet.ru> wrote:
>  >> # ipfw add 1770 allow tcp from any to any ftp-data keep-state
>  >>
>  >> but now it produces
>  >>
>  >>  ipfw: unrecognised option [-1] ftp-data
>  [...]
>  > $ ipfw -n add 1770 allow tcp from any to any ftp\\-data keep-state
>  > 
>  > 01770 allow tcp from any to any dst-port 20 keep-state
>  > 
>  > works for me.
>  
>  Two problems with that:
>  
>  1. it is neither obvious nor documented that you need
>      to escape the minus.
>  
>  The manpage says you can use names from /etc/services.
>  No restrictions.  The minus sign is not a shell token
>  either, so ipfw gets it as it is. Furthermore, ipfw
>  can handle minus signs on various parts of its syntax
>  tree, so it's not a general problem.

From ipfw(8):

      ports: {port | port-port}[,ports]
              For protocols which support port numbers (such as TCP and UDP),
              optional ports may be specified as one or more ports or port
              ranges, separated by commas but no spaces, and an optional not
              operator.  The `-' notation specifies a range of ports (including
              boundaries).

              Service names (from /etc/services) may be used instead of numeric
              port values.  The length of the port list is limited to 30 ports
              or ranges, though one can specify larger ranges by using an
              or-block in the options section of the rule.

              A backslash (`\') can be used to escape the dash (`-') character
              in a service name (from a shell, the backslash must be typed
              twice to avoid the shell itself interpreting it as an escape
              character).

                    ipfw add count tcp from any ftp\\-data-ftp to any

So, I think it is well documented.

-- 
WBR, Andrey V. Elsukov
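To make the quoted port-list grammar concrete, here is a small parser (an added example, not code from the PR or from ipfw itself) that mimics the `-` range operator and the `\-` escape as ipfw(8) documents them, using a constructed subset of /etc/services. It shows why a bare `ftp-data` is read as the range `ftp`..`data` and rejected, while `ftp\-data` (typed as `ftp\\-data` in a shell) resolves to port 20.

```python
# Constructed subset of /etc/services (name -> port); an assumption for this
# example, not read from the real file.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "http": 80}

MAX_PORTS = 30  # ipfw(8): a port list is limited to 30 ports or ranges


def _lookup(name: str) -> int:
    """Resolve a numeric port or a service name, or raise ValueError."""
    if name.isdigit():
        return int(name)
    if name in SERVICES:
        return SERVICES[name]
    raise ValueError(name)


def _split_unescaped_dash(item: str) -> list:
    """Split one list item on an unescaped '-' only; '\\-' stays in the name."""
    parts, buf, i = [], [], 0
    while i < len(item):
        if item[i] == "\\" and i + 1 < len(item):  # escaped char: keep literally
            buf.append(item[i + 1]); i += 2
        elif item[i] == "-":                        # range separator
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(item[i]); i += 1
    parts.append("".join(buf))
    return parts


def parse_ports(spec: str) -> list:
    """Parse an ipfw port list such as 'ftp\\-data-ftp,80' into (low, high) tuples."""
    ranges = []
    for item in spec.split(","):
        parts = _split_unescaped_dash(item)
        if len(parts) not in (1, 2):
            raise ValueError(f"ipfw: bad port range {item}")
        try:
            bounds = [_lookup(p) for p in parts]
        except ValueError:
            # mimics the error text quoted in the PR for the whole token
            raise ValueError(f"ipfw: unrecognised option [-1] {item}") from None
        ranges.append((bounds[0], bounds[-1]))
    if len(ranges) > MAX_PORTS:
        raise ValueError("ipfw: too many ports in list")
    return ranges


def is_accepted(spec: str) -> bool:
    """True if the port list parses, False if ipfw-style parsing would reject it."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False
```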