diff options
author | darrenr <darrenr@FreeBSD.org> | 2001-07-28 11:59:33 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2001-07-28 11:59:33 +0000 |
commit | c51cd1facc817411a340278e6e0b901d53f11cc5 (patch) | |
tree | 503d2119100a8bd3735c0bda1607f3a64ed1ad33 /contrib/ipfilter/IMPORTANT | |
parent | c32397cc6efcbaabe335e3ec33e4a4dd78df29c7 (diff) | |
download | FreeBSD-src-c51cd1facc817411a340278e6e0b901d53f11cc5.zip FreeBSD-src-c51cd1facc817411a340278e6e0b901d53f11cc5.tar.gz |
Import IPFilter version 3.4.20
Diffstat (limited to 'contrib/ipfilter/IMPORTANT')
-rw-r--r-- | contrib/ipfilter/IMPORTANT | 35 |
1 files changed, 0 insertions, 35 deletions
diff --git a/contrib/ipfilter/IMPORTANT b/contrib/ipfilter/IMPORTANT index de2cc85..0ef7a3d 100644 --- a/contrib/ipfilter/IMPORTANT +++ b/contrib/ipfilter/IMPORTANT @@ -3,41 +3,6 @@ **************************************** 1) -If you're using this software and have a rule which ends like this: - -flags S - -(for TCP), then to make it totally effective, you need to change it to appear -as follows: - -flags S/SA - -The problem is that the old code would compare all the TCP flags against the -rule (which just has "S") to see if that matched exactly. It is very possible -for this to not be the case and in these cases, the rule would fail to match -a 'valid' TCP SYN packet. - -Why does it need to be "S/SA" and not "S/S" ? - -"S/S" will match the SYN-ACK as well the SYN. - -By defalt, "flags S" will now be converted to "flags S/AUPRFS". - -If you have any queries regarding this, see the examples and ipf(4). -If you still have a query or suggestion, please email me. - - -2) - -If a filter rule used, in combination port comparisons and the flags -keywords, a "short" TCP packet, if not explicitly blocked high up in -the list of packets, would actually get matched even though it would -otherwise not have been (due to the ports not). This behaviour has -subsequently been fixed. - - -3) - If you have BOTH GNU make and the normal make shipped with your system, DO NOT use the GNU make to build this package. |