From nobody@FreeBSD.org  Wed Mar 11 17:57:30 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 883AF106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 11 Mar 2009 17:57:30 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 76DF68FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 11 Mar 2009 17:57:30 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n2BHvTAA086550
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 11 Mar 2009 17:57:29 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n2BHvT6A086549;
	Wed, 11 Mar 2009 17:57:29 GMT
	(envelope-from nobody)
Message-Id: <200903111757.n2BHvT6A086549@www.freebsd.org>
Date: Wed, 11 Mar 2009 17:57:29 GMT
From: Christoph Weber-Fahr <cwf-ml@arcor.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw doesnt understand ftp-data port
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         132553
>Category:       kern
>Synopsis:       [ipfw] ipfw doesn't understand ftp-data port
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 11 18:00:04 UTC 2009
>Closed-Date:    Fri Dec 10 05:45:58 UTC 2010
>Last-Modified:  Fri Dec 10 05:45:58 UTC 2010
>Originator:     Christoph Weber-Fahr
>Release:        6.4-p3
>Organization:
Arcor AG
>Environment:
FreeBSD nxcon.whatever 6.4-RELEASE-p3 FreeBSD 6.4-RELEASE-p3 #1: Wed Mar  4 21:36:49 CET 2009     wefa@nxcon.whatever:/usr/obj/usr/src/sys/SMP  i386

>Description:
This ipfw clause should work and did work on older systems:

# ipfw add 1770 allow tcp from any to any ftp-data keep-state

but now it produces

 ipfw: unrecognised option [-1] ftp-data

This is regardless of the addresses used; you could also use other addresses or networks instead of "any".

ftp-data is in /etc/services as always:

# grep ftp-data /etc/services
ftp-data         20/tcp    #File Transfer [Default Data]
ftp-data         20/udp    #File Transfer [Default Data]
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: Christoph Weber-Fahr <cwf-ml@arcor.de>
Cc: bug-followup@freebsd.org
Subject: Re: misc/132553: ipfw doesnt understand ftp-data port
Date: Wed, 11 Mar 2009 21:04:09 +0300 (MSK)

 $ ipfw -n add 1770 allow tcp from any to any ftp\\-data keep-state
 
 01770 allow tcp from any to any dst-port 20 keep-state
 
 works for me.
 
 -- 
 Maxim Konovalov

From: Christoph Weber-Fahr <cwf-ml@arcor.de>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: bug-followup@FreeBSD.org
Subject: Re: misc/132553: ipfw doesnt understand ftp-data port 
Date: Wed, 11 Mar 2009 23:35:03 +0100

 Hello,
 
 Two problems with that:
 
 1. it is neither obvious nor documented that you need
     to escape the minus.
 
 The manpage says you can use names from /etc/services.
 No restrictions.  The minus sign is not a shell token
 either, so ipfw gets it as it is. Furthermore, ipfw
 can handle minus signs in various parts of its syntax
 tree, so it's not a general problem.
 
 So there is no reason for the plain user to escape that.
 
 Actually, even though it might be obvious to you, I have no
 clue why actually escaping is necessary now when it wasn't
 needed before.
 
 2. it breaks compatibility with older firewall scripts.
 
 I ran against that when migrating a larger firewall rule
 set from freebsd 4.x to 6.x. That line worked quite
 nicely in freebsd 4.x. (don't know about 5.x)
 
 So I suggest fixing it, or, at least, documenting the problem
 in the man page.
 
 Regards
 
 Christoph Weber-Fahr
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Mar 12 06:22:56 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=132553 

From: Ian Smith <smithi@nimnet.asn.au>
To: bug-followup@FreeBSD.org
Cc: cwf-ml@arcor.de
Subject: Re: kern/132553: [ipfw] ipfw doesn't understand ftp-data port
Date: Tue, 13 Apr 2010 01:42:36 +1000 (EST)

 Christoph, the need to escape '-' characters in service names should 
 indeed be obvious and has been very well documented for many years.
 
      ports: {port | port-port}[,ports]
              For protocols which support port numbers (such as TCP and UDP),
              optional ports may be specified as one or more ports or port
              ranges, separated by commas but no spaces, and an optional not
              operator.  The `-' notation specifies a range of ports (including
              boundaries).
 
              Service names (from /etc/services) may be used instead of numeric
              port values.  The length of the port list is limited to 30 ports
              or ranges, though one can specify larger ranges by using an
              or-block in the options section of the rule.
 
              A backslash (`\') can be used to escape the dash (`-') character
              in a service name (from a shell, the backslash must be typed
              twice to avoid the shell itself interpreting it as an escape
              character).
 
                    ipfw add count tcp from any ftp\\-data-ftp to any
 
 That's pasted from ipfw(8) on 5.5-STABLE, because it was a) convenient, 
 b) old enough and c) appears identically in the 9-CURRENT manual.
 
 In case still not obvious, without escaping '-' it will attempt parsing 
 a range between two ports.  'ftp' is a valid port.  'data' is not, and 
 -1 is a fair result; the error message seems not at all unreasonable.
 
 Actually, make it ~12 years: 2.2.6-RELEASE ipfw(8) had the same example 
 line, as did some 4.x manuals I checked.  Please help close solved PRs!
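
The parsing behaviour Ian describes (an unescaped `-` splits a port spec into a `lo-hi` range, so `ftp-data` becomes "ftp" to "data", and a backslash makes the dash part of the service name) can be illustrated with a small stand-alone parser. This is an added example written for this page, not ipfw's own code: the function names `parse_port_spec`, `port_range_lo` and `port_range_hi` are hypothetical, and the service table is a constructed stand-in for /etc/services containing only a handful of entries.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for /etc/services (assumption: only these entries). */
struct svc { const char *name; int port; };
static const struct svc services[] = {
    { "ftp-data", 20 }, { "ftp", 21 }, { "ssh", 22 }, { "http", 80 },
};

/* Resolve one token to a port number: decimal, or a service name.
 * Returns -1 when the token is neither, which is what "data" yields. */
static int lookup_port(const char *tok)
{
    char *end;
    long v = strtol(tok, &end, 10);
    if (*tok != '\0' && *end == '\0' && v >= 0 && v <= 65535)
        return (int)v;
    for (size_t i = 0; i < sizeof services / sizeof services[0]; i++)
        if (strcmp(tok, services[i].name) == 0)
            return services[i].port;
    return -1;
}

/* Parse a single port or lo-hi range spec.
 * An unescaped '-' separates lo from hi; a backslash makes the next
 * character literal, so "ftp\-data" is looked up as one name.
 * Returns 0 and fills lo/hi on success, -1 on error; on error the
 * offending token is copied into errtok (if non-NULL). */
int parse_port_spec(const char *spec, int *lo, int *hi,
                    char *errtok, size_t errlen)
{
    char tok[2][64];
    int n = 0, len = 0, ports[2];

    for (const char *p = spec; ; p++) {
        char c = *p;
        if (c == '\\' && p[1] != '\0') {
            c = *++p;                     /* escaped: keep literally */
        } else if (c == '-' && n == 0) {
            tok[0][len] = '\0';           /* range separator: start hi */
            n = 1; len = 0;
            continue;
        } else if (c == '-') {
            return -1;                    /* a second unescaped dash */
        }
        if (c == '\0') { tok[n][len] = '\0'; break; }
        if (len >= 63) return -1;         /* token too long */
        tok[n][len++] = c;
    }

    for (int i = 0; i <= n; i++) {
        ports[i] = lookup_port(tok[i]);
        if (ports[i] < 0) {
            if (errtok) snprintf(errtok, errlen, "%s", tok[i]);
            return -1;
        }
    }
    *lo = ports[0];
    *hi = n ? ports[1] : ports[0];
    return (*lo <= *hi) ? 0 : -1;         /* this example rejects inverted ranges */
}

/* Convenience wrappers: low/high end of the parsed range, or -1 on error. */
int port_range_lo(const char *spec)
{
    int lo, hi;
    return parse_port_spec(spec, &lo, &hi, NULL, 0) == 0 ? lo : -1;
}

int port_range_hi(const char *spec)
{
    int lo, hi;
    return parse_port_spec(spec, &lo, &hi, NULL, 0) == 0 ? hi : -1;
}

int main(void)
{
    /* "ftp\\-data" in C source is the string ftp\-data, i.e. what the
     * program receives when ftp\\-data is typed at a shell prompt. */
    const char *specs[] = { "ftp-data", "ftp\\-data", "ftp\\-data-ftp", "20" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        int lo, hi;
        char bad[64];
        if (parse_port_spec(specs[i], &lo, &hi, bad, sizeof bad) == 0)
            printf("%-16s -> ports %d-%d\n", specs[i], lo, hi);
        else
            printf("%-16s -> error: unknown token \"%s\"\n", specs[i], bad);
    }
    return 0;
}
```

Running it shows `ftp-data` failing on the token `data` while `ftp\-data` resolves to port 20 and `ftp\-data-ftp` to the range 20-21, which is exactly the man-page example quoted above.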

From: Christoph Weber-Fahr <cwf-ml@arcor.de>
To: bug-followup@FreeBSD.org, cwf-ml@arcor.de
Cc:  
Subject: Re: kern/132553: [ipfw] ipfw doesn't understand ftp-data port
Date: Thu, 24 Jun 2010 04:16:29 +0200

 Hello,
 
 this PR should indeed be closed.
 I have no system left to even check the original case, and
 the documentation of this (less fortunate) syntax quirk
 is there in more current systems.
 
 Regards
 
 Christoph Weber-Fahr
 
State-Changed-From-To: open->closed 
State-Changed-By: ae 
State-Changed-When: Fri Dec 10 05:45:24 UTC 2010 
State-Changed-Why:  
Per submitter request. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=132553 
>Unformatted:
