Error in the Handbook
Ian Smith
smithi at nimnet.asn.au
Tue Feb 12 11:51:40 UTC 2008

On Tue, 12 Feb 2008 00:58:33 +0200 Giorgos Keramidas <keramida at FreeBSD.org> wrote:
> On 2008-02-11 21:01, Peter Rosa <prosa at pro.sk> wrote:
> > Hi,
> >
> > there is an error in the handbook, section 28.6.5.7 An Example NAT and
> > Stateful Ruleset.
> >
> > On the bottom are two examples, 1st with command:
> > $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
> >
> > and second with command
> > $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> >
> > Both commands should look ".... in via $pif setup keep-state limit ...."
>
> This is probably true. Can you file a `problem report', so this doesn't
> get lost in the noise of mailing lists? If not, I can do it and take
> care of checking the section, fixing the text, and getting it committed.

This is unfortunately[1] false :) keep-state and limit are both forms
of specifying dynamic rules. limit implies keep-state, which is the
unlimited form. Does it hurt to add keep-state to limit? Let's try:

paqi# ipfw add 30000 allow tcp from any to me 80 in via dc0 setup limit src-addr 1
30000 allow tcp from any to me dst-port 80 in via dc0 setup limit src-addr 1
paqi# ipfw add 30001 allow tcp from any to me 80 in via dc0 setup keep-state limit src-addr 1
ipfw: only one of keep-state and limit is allowed

> Thank you for carefully reading the text, and most of all for taking the
> time to report this.

[1] Not at all wishing to discourage anyone from reviewing and patching
docs, but it's best to prove the theory before firing up send-pr ..

cheers, Ian
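
Added example, not part of the original post or the Handbook: a small Python check that classifies each rule in a ruleset script as static or dynamic and flags the keep-state/limit combination that ipfw rejects in the session above. The sample ruleset, the handling of the `$cmd` convention and the function names are constructed for illustration; the mask keywords after limit are the ones listed in ipfw(8).

```python
import shlex

# Mask keywords accepted after "limit", per ipfw(8).
LIMIT_MASKS = {"src-addr", "src-port", "dst-addr", "dst-port"}

# Constructed sample in the style of the Handbook lines quoted in the thread.
SAMPLE_RULESET = """\
cmd="ipfw -q add"
pif="dc0"
# limit on its own already creates a dynamic rule
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
# the combination proposed in the thread, which ipfw rejects
$cmd 370 allow tcp from any to me 80 in via $pif setup keep-state limit src-addr 2
$cmd 380 allow tcp from any to any 22 out via $pif setup keep-state
$cmd 390 allow tcp from any to me 25 in via $pif setup
"""

def rule_tokens(line):
    """Return the tokens after '$cmd' or 'ipfw ... add', or None for other lines."""
    tokens = shlex.split(line, comments=True)
    if tokens and tokens[0] == "$cmd":
        return tokens[1:]
    if tokens and tokens[0] == "ipfw" and "add" in tokens:
        return tokens[tokens.index("add") + 1:]
    return None

def classify(tokens):
    """Classify one rule body by the dynamic-rule option it uses."""
    if "keep-state" in tokens and "limit" in tokens:
        return "error: only one of keep-state and limit is allowed"
    if "limit" in tokens:
        start = end = tokens.index("limit") + 1
        while end < len(tokens) and tokens[end] in LIMIT_MASKS:
            end += 1  # consume one or more mask keywords
        if end == start or end >= len(tokens) or not tokens[end].isdigit():
            return "error: limit needs a mask and a count"
        return "dynamic: limit " + " ".join(tokens[start:end + 1])
    return "dynamic: keep-state" if "keep-state" in tokens else "static"

def lint(ruleset):
    """Map each rule number in a ruleset script to its classification."""
    report = {}
    for line in ruleset.splitlines():
        tokens = rule_tokens(line)
        if tokens and tokens[0].isdigit():
            report[tokens[0]] = classify(tokens[1:])
    return report

if __name__ == "__main__":
    for number, verdict in lint(SAMPLE_RULESET).items():
        print(number, verdict)
```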