Import IP Filter v3.1.7 into FreeBSD tree

1 files changed, 41 insertions, 0 deletions

diff --git a/contrib/ipfilter/IMPORTANT b/contrib/ipfilter/IMPORTANT
new file mode 100644
index 0000000..00272f2
--- /dev/null
+++ b/contrib/ipfilter/IMPORTANT
@@ -0,0 +1,41 @@
+		****************************************
+			     IMPORTANT NOTICE
+		****************************************
+1)
+
+If you're using this software and have a rule which ends like this:
+
+flags S
+
+(for TCP), then to make it totally effective, you need to change it to appear
+as follows:
+
+flags S/SA
+
+The problem is that the old code would compare all the TCP flags against the
+rule (which just has "S") to see if that matched exactly.  It is very possible
+for this to not be the case and in these cases, the rule would fail to match
+a 'valid' TCP SYN packet.
+
+Why does it need to be "S/SA" and not "S/S" ?
+
+"S/S" will match the SYN-ACK as well the SYN.
+
+By defalt, "flags S" will now be converted to "flags S/AUPRFS".
+
+If you have any queries regarding this, see the examples and ipf(4).
+If you still have a query or suggestion, please email me.
+
+
+2)
+
+If a filter rule used, in combination port comparisons and the flags
+keywords, a "short" TCP packet, if not explicitly blocked high up in
+the list of packets, would actually get matched even though it would
+otherwise not have been (due to the ports not).  This behaviour has
+subsequently been fixed.
+
+
+Darren
+darrenr@cyber.com.au
+		****************************************