In which case would an ipfw ruleset like this:
00100 114872026 40487887607 allow ip from any to any via lo0
00200 00 deny ip from any to 127.0.0.0/8
00300 00 deny ip from 127.0.0.0/8 to any
00600 1585 112576 deny ip from table(0) to me
01000
On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
> In which case would an ipfw ruleset like this:
>
> 00100 114872026 40487887607 allow ip from any to any via lo0
> 00200 00 deny ip from any to 127.0.0.0/8
> 00300 00 deny ip from 127.0.0.0/8 to a
Erik Trulsson wrote:
On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
In which case would an ipfw ruleset like this:
00100 114872026 40487887607 allow ip from any to any via lo0
00200 00 deny ip from any to 127.0.0.0/8
00300 00 deny ip from 12
Ivan Voras wrote:
In which case would an ipfw ruleset like this:
00100 114872026 40487887607 allow ip from any to any via lo0
00200 00 deny ip from any to 127.0.0.0/8
00300 00 deny ip from 127.0.0.0/8 to any
00600 1585 112576 deny ip from table
Ivan Voras wrote:
Erik Trulsson wrote:
On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
In which case would an ipfw ruleset like this:
00100 114872026 40487887607 allow ip from any to any via lo0
00200 00 deny ip from any to 127.0.0.0/8
00300 0
On Thu, 3 Apr 2008, Julian Elischer wrote:
> Ivan Voras wrote:
> > Erik Trulsson wrote:
> >> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
> >>> In which case would an ipfw ruleset like this:
> >>>
> >>> 00100 114872026 40487887607 allow ip from any to any via lo0
> >>> 00200
Ian Smith wrote:
On Thu, 3 Apr 2008, Julian Elischer wrote:
> Ivan Voras wrote:
> > Erik Trulsson wrote:
> >> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
> >>> In which case would an ipfw ruleset like this:
> >>>
> >>> 00100 114872026 40487887607 allow ip from any to any vi
Julian Elischer wrote:
> Ivan Voras wrote:
>> Not according to the ipfw(8) manual:
>>
>> """
>> These dynamic rules, which have a limited lifetime, are checked
>> at the
>> first occurrence of a check-state, keep-state or limit rule, and
>> are typ-
>> ically used to open the firewa
Julian Elischer wrote:
> Ivan Voras wrote:
>> In which case would an ipfw ruleset like this:
>>
>> 00100 114872026 40487887607 allow ip from any to any via lo0
>> 00200 00 deny ip from any to 127.0.0.0/8
>> 00300 00 deny ip from 127.0.0.0/8 to any
>> 00600
On Thu, 3 Apr 2008, Julian Elischer wrote:
> Ian Smith wrote:
> > On Thu, 3 Apr 2008, Julian Elischer wrote:
> > > Ivan Voras wrote:
> > > > Erik Trulsson wrote:
> > > >> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
> > > >>> In which case would an ipfw ruleset like this:
Ian Smith wrote:
On Thu, 3 Apr 2008, Julian Elischer wrote:
> Not that I have known... keep-state does not (and never has) include
> an implicit check-state.
Sorry (and surprised!) to have to differ, but you MADE me read the code!
yep you are right..
boy is that ever a broken feature..
ther
Ian Smith wrote:
That's pretty well described under keep-state and elsewhere. Good ol'
ipfw(8) has yet to let me down, and like Ivan I recall keep-state rules
(albeit only for UDP) without any check-state working just fine.
Not that any of that helps solve Ivan's problem ..
Thanks for verify
Ivan Voras wrote:
Ian Smith wrote:
That's pretty well described under keep-state and elsewhere. Good ol'
ipfw(8) has yet to let me down, and like Ivan I recall keep-state rules
(albeit only for UDP) without any check-state working just fine.
Not that any of that helps solve Ivan's problem ..
On Fri, 4 Apr 2008, Julian Elischer wrote:
> Ian Smith wrote:
> > On Thu, 3 Apr 2008, Julian Elischer wrote:
> >
> > > Not that I have known... keep-state does not (and never has) include
> > > an implicit check-state.
> >
> > Sorry (and surprised!) to have to differ, but you MADE me read
Ian Smith wrote:
I don't see why you think it's broken? Apart from obvious efficiency of
having a check-state rule earlier, to get on with matching this packet
against existing dynamic rules without wading through intervening rules,
state is still only checked once; like it says, the O_PROBE_S
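The behaviour the thread is arguing about, as an added example that is not code from the thread or from FreeBSD: a small Python model of the ipfw(8) sentence quoted above, that dynamic rules are consulted at the first check-state, keep-state or limit rule the packet reaches. The addresses, port numbers and the ruleset are constructed for the example; rule 600 stands in for the "deny ip from table(0) to me" rule of Ivan's listing, the address matcher is a deliberately simplified octet-prefix match rather than ipfw's, and a default-to-deny last rule is assumed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    keep_state: bool = False


def addr_match(pattern: str, addr: str) -> bool:
    """'any', an exact host, or an octet-aligned prefix such as 10.0.0.0/8.
    Simplified matcher for this example; ipfw's own is far richer."""
    if pattern == "any":
        return True
    if "/" in pattern:
        net, bits = pattern.split("/")
        octets = int(bits) // 8
        return net.split(".")[:octets] == addr.split(".")[:octets]
    return pattern == addr


def static_match(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and addr_match(rule.src, pkt.src)
            and addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}   # flow 5-tuple -> the Rule that created the state

    @staticmethod
    def flow_keys(pkt: Packet):
        # A dynamic rule matches its flow in both directions.
        return ((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport),
                (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def probe_state(self, pkt: Packet) -> Optional[Rule]:
        for key in self.flow_keys(pkt):
            if key in self.dynamic:
                return self.dynamic[key]
        return None

    def process(self, pkt: Packet):
        """Return (verdict, number of the rule that decided it)."""
        for rule in self.rules:
            # The dynamic table is probed only when evaluation reaches a
            # check-state rule or a rule carrying keep-state (O_PROBE_STATE);
            # a hit applies the action of the rule that created the state.
            if rule.action == "check-state" or rule.keep_state:
                parent = self.probe_state(pkt)
                if parent is not None:
                    return parent.action, parent.number
                if rule.action == "check-state":
                    continue
            if static_match(rule, pkt):
                if rule.keep_state:
                    self.dynamic[self.flow_keys(pkt)[0]] = rule
                return rule.action, rule.number
        return "deny", 65535   # assumed default rule: deny


ME = "192.0.2.1"     # constructed: the firewall host ("me")
PEER = "10.1.2.3"    # constructed: a web server in the "blocklisted" range


def build_ruleset(explicit_check_state: bool, blocking_rule: bool = True):
    rules = [Rule(1000, "allow", proto="tcp", src=ME, dst="any",
                  dport=80, keep_state=True)]
    if blocking_rule:   # stands in for "00600 deny ip from table(0) to me"
        rules.append(Rule(600, "deny", src="10.0.0.0/8", dst=ME))
    if explicit_check_state:
        rules.append(Rule(500, "check-state"))
    return Firewall(rules)


def run_flow(explicit_check_state: bool, blocking_rule: bool = True):
    """Outbound SYN from ME, then the SYN/ACK reply from PEER."""
    fw = build_ruleset(explicit_check_state, blocking_rule)
    syn = Packet("tcp", ME, 54321, PEER, 80)
    synack = Packet("tcp", PEER, 80, ME, 54321)
    return fw.process(syn), fw.process(synack)
```

With no intervening deny, keep-state alone is enough: the reply reaches rule 1000, the implicit probe finds the state, and the packet is allowed without any check-state rule. Put a deny rule in front of the keep-state rule and the reply never gets that far, because nothing before rule 1000 looks at the dynamic table; an explicit check-state at 500 moves the probe ahead of the deny and restores the flow.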