Another bug in IPFW@ ...?
AT Matik
asstec at matik.com.br
Wed Aug  3 11:20:26 GMT 2005

On Wednesday 03 August 2005 06:11, Luigi Rizzo wrote:
> there are internally generated packets which do not have
> a rcvif (which is what really 'recv' means);
> and any packet in the input path does not have an output-if
> (which is what really 'xmit' means).
>
Well, this means that any rule using IF here is not catching anything and
you get them as with src-ip and dst-ip only, unless you really can
say "not recv any", or isn't this "not in"?

nb# ipfw add pass proto ip not in
65500 allow ip from any to any out

Practically correct? Or only logical?

Anyway, looking at the initial rule and what you said a message before:

# ipfw add pass ip from $A to $N out not recv any xmit xl0
00900 allow ip from $A to $N out xmit xl0

"out xmit IF": isn't this a kind of unnecessary double-check, and ipfw
should not accept it? What matches first here, out or xmit? And look
at what I get:

nb# ipfw add pass proto ip src-ip $A dst-ip $N out not in xmit dc0
65500 allow ip from any to any src-ip $A dst-ip $N out out xmit dc0
Hans
This message was scanned by the e-mail system and can be considered safe.
Service provided by Datacenter Matik  https://datacenter.matik.com.br
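The distinction in the quoted reply (a locally generated packet has no receive interface, a packet still on the input path has no transmit interface) is easiest to see against concrete packets. The following is an added model written for this page, not code from the thread, from ipfw or from FreeBSD: it evaluates the direction, recv and xmit options of a rule against constructed packet records under exactly those semantics. The Packet and Rule types, the interface names xl0 and dc0 and the sample traffic are all constructed; it does not reproduce ipfw's rule parser.

```python
# Added example (not part of the thread): a toy model of how "in"/"out",
# "recv" and "xmit" options see a packet, following the quoted reply:
# a locally generated packet has no receive interface, and a packet on the
# input path has no transmit interface. Interface names (xl0, dc0), the
# Rule/Packet types and the sample traffic are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = input path, "out" = output path
    rcvif: Optional[str]      # interface the packet arrived on; None if generated locally
    xmitif: Optional[str]     # interface it leaves on; None while on the input path


@dataclass(frozen=True)
class Rule:
    direction: Optional[str] = None   # None (unspecified), "in" or "out"
    recv: Optional[str] = None        # None, "any", "<ifname>", or "!<spec>" for "not recv ..."
    xmit: Optional[str] = None        # same forms, for "xmit ..." / "not xmit ..."


def iface_matches(actual: Optional[str], spec: Optional[str]) -> bool:
    """Evaluate one recv/xmit option against the interface recorded on the packet.

    'any' matches only when some interface is recorded, so '!any'
    (i.e. 'not recv any') is true exactly when no interface is set.
    """
    if spec is None:
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    hit = (actual is not None) if name == "any" else (actual == name)
    return hit != negate


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every option it specifies is satisfied."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return iface_matches(pkt.rcvif, rule.recv) and iface_matches(pkt.xmitif, rule.xmit)


# Constructed sample traffic (labels are ours, not ipfw output)
PACKETS: Dict[str, Packet] = {
    "local_out_xl0":  Packet("out", None, "xl0"),   # generated on this host, leaving via xl0
    "fwd_dc0_to_xl0": Packet("out", "dc0", "xl0"),  # forwarded: arrived on dc0, leaving via xl0
    "in_dc0":         Packet("in", "dc0", None),    # arriving on dc0, still on the input path
}


def matching_packets(rule: Rule, packets: Dict[str, Packet] = PACKETS) -> List[str]:
    """Return the labels of the sample packets the rule would match, in table order."""
    return [label for label, pkt in packets.items() if rule_matches(rule, pkt)]


if __name__ == "__main__":
    examples = {
        "out not recv any xmit xl0": Rule("out", recv="!any", xmit="xl0"),
        "not in (i.e. out)":         Rule("out"),
        "out xmit xl0":              Rule("out", xmit="xl0"),
        "recv dc0":                  Rule(recv="dc0"),
        "in xmit dc0":               Rule("in", xmit="dc0"),
    }
    for text, rule in examples.items():
        print(f"{text:28} -> {matching_packets(rule)}")
```

Under this model "not in" (plain "out") matches both outgoing packets, the forwarded one included, while "out not recv any" matches only the locally generated one, since the forwarded packet does carry a receive interface. A rule of the form "in xmit dc0" never matches anything, because no packet on the input path has a transmit interface yet.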