 From:  "M. G. (Michael) de Bruin" <mg dot debruin at buum dot nl>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  m0n0wall dash announce at lists dot m0n0 dot ch, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Fixed pb24 available
 Date:  Sun, 11 Jan 2004 23:31:01 +0100
Manuel,

I think a compliment is more than in place here. Within 6 HOURS of the 
problem being mentioned, you have tested and released a fixed version. 
Hell, none of the commercial vendors I know and have worked with, are 
that fast. I sure hope to be using m0n0wall both at home and at work for 
many more years and think you have made what will be my "Product of the 
year 2003"!

Regards,

Michael de Bruin, A very happy m0n0wall user

ps I still run pb22 btw, didn't feel the need to upgrade :)

Manuel Kasper wrote:

> pb24r585, which fixes a bug related to the import of ipfilter 3.4.33pre2 
> into m0n0wall that manifested itself in problems with the DNS forwarder 
> when at least one optional interface was enabled, has been uploaded.
> 
> *** EVERYBODY WHO ALREADY RUNS pb24r584 IS STRONGLY URGED TO UPGRADE! ***
> 
> The problem was due to ipfilter 3.4.33pre2 aborting processing of the 
> ruleset when a duplicate rule was encountered, instead of just skipping 
> it and continuing as before. Even with the filter rule generator fixed 
> not to generate any duplicate default rules anymore, there is still the 
> possibility for a user to add duplicate rules via the webGUI (and thus 
> completely screwing up the ruleset). These may be hard to detect by the 
> webGUI code (take for example a rule with an alias that resolves to a 
> non-conflicting IP address when the rule is added, but the alias is 
> changed later on to create a duplicate rule - or simply a user-defined 
> rule that conflicts with an automatically generated one). As such, if 
> further ipfilter versions retain this behavior, they will be modified 
> for use in m0n0wall. As for now, we're back to ipfilter 3.4.31 (as in 
> pb23). I personally believe that it is very stupid to abort processing a 
> filter ruleset because of a problem with one single rule, and then fail 
> with only a part of the ruleset installed (instead of failing by 
> completely blocking everything).
> 
> Sorry for the inconvenience. Blame it on ipfilter. ;)
> 
> - Manuel
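
An added illustration of the failure mode described in the quoted announcement (not part of either message, and not m0n0wall or ipfilter code): rules that differ when written become duplicates once an alias is edited, so the duplicate check has to run on the alias-expanded ruleset every time it is generated. The interface name, alias names, addresses and the `strict_load` model of an abort-on-duplicate loader are all constructed assumptions.

```python
# Added example: constructed rules and aliases, not m0n0wall's generator code.

def expand(rule, aliases):
    """Substitute alias names with their current address; normalise whitespace."""
    return " ".join(aliases.get(tok, tok) for tok in rule.split())

def dedupe(rules, aliases):
    """Expand aliases, then keep only the first occurrence of each rule.

    Returns (kept, skipped) so the caller can log what was dropped.
    """
    seen, kept, skipped = set(), [], []
    for rule in rules:
        line = expand(rule, aliases)
        if line in seen:
            skipped.append(line)
        else:
            seen.add(line)
            kept.append(line)
    return kept, skipped

def strict_load(lines):
    """Model (assumption) of a loader that aborts at the first duplicate:
    returns only the rules installed before the abort."""
    installed = []
    for line in lines:
        if line in installed:
            break  # everything after this point is never installed
        installed.append(line)
    return installed

# Constructed sample ruleset; "webserver" and "mailhost" are hypothetical aliases.
RULES = [
    "pass in quick on fxp1 proto tcp from any to webserver port = 80 keep state",
    "pass in quick on fxp1 proto tcp from any to mailhost port = 80 keep state",
    "pass in quick on fxp1 proto udp from any to any port = 53 keep state",
    "block in quick on fxp1 from any to any",
]
ALIASES_BEFORE = {"webserver": "192.168.1.10", "mailhost": "192.168.1.20"}
ALIASES_AFTER = {"webserver": "192.168.1.10", "mailhost": "192.168.1.10"}  # alias edited later

if __name__ == "__main__":
    raw = [expand(r, ALIASES_AFTER) for r in RULES]
    print("no dedupe:", len(strict_load(raw)), "of", len(raw), "rules installed")
    kept, skipped = dedupe(RULES, ALIASES_AFTER)
    print("deduped:", len(strict_load(kept)), "of", len(kept), "installed; skipped:", skipped)
```

With the edited alias, the strict loader model stops after the first rule, so the DNS pass rule and the final block rule are never installed; the deduplicated ruleset loads in full.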