Date:      Mon, 1 Apr 1996 10:20:05 +0100
From:      "Frank ten Wolde" <franky@pinewood.nl>
To:        current@FreeBSD.ORG
Subject:   [Q] Semantics of 'established' in ipfw tcp
Message-ID:  <9604011020.ZM20909@pwood1.pinewood.nl>

Hello,

I would like to know other people's reactions to the current semantics of
the 'established' keyword for TCP connections in the 2.2-960323-SNAPSHOT
implementation of the ipfw in the kernel. 

Currently 'established' means (according to the manpage *and* some
experimentation): 

    established      Matches packets that do not have the SYN bit set.
                     TCP packets only.

Should this not be:

    established      Matches packets that do have the ACK bit set.
                     TCP packets only.

(To my knowledge this is the way conventional packet filters interpret
 'established'.)

Or put it in another way...  Consider the TCP three way handshake:

	#  packet direction     TCP flags       matched by rule
	----------------------------------------------------------------
	1. client --> server:   SYN             'setup'
	2. server --> client:   SYN+ACK         NO RULE
	3. client --> server:   ACK             'established'
	   other packets:       ACK             'established'
	
There is no way to specifically specify the second packet (with SYN *and*
ACK on).  For example, if I wanted to allow outgoing telnet sessions I
need a rule:

	accept tcp from <internalnet> 1024-65535 to any 23 out
	accept tcp from any 23 to <internalnet> 1024-65535 in  'ACK-set'

That is, I *do* allow incoming packets to ports >=1024, but I do *not*
allow new TCP connections to these ports... (See also Building Internet
Firewalls, page 240.)

The problem is in the 'ACK-set' keyword, which is *not* available at this
moment...

Your opinions please... :-)

-Frank
P.S. The established and setup filtering is not yet implemented in ipfw...

-- 
----------------------------------------------------------------------
F.W. ten Wolde (PA3FMT)                       Pinewood Automation B.V.
E-mail: franky@pinewood.nl                    Kluyverweg 2a
Phone: +31-15 2682543                         2629 HT  Delft
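To make the difference between the two readings of 'established' concrete, here is a small simulation added to this archive page (it is not code from the post or from FreeBSD's ipfw). It replays the three-way handshake from the table above through the two-rule telnet policy in the post, once with 'established' meaning "SYN bit clear" and once meaning "ACK bit set". The packet and rule representations, the port numbers, and the `established_*` function names are constructed for the example.

```python
"""Two candidate semantics of ipfw's 'established' keyword, evaluated
against a TCP three-way handshake (added example, not ipfw code)."""
from dataclasses import dataclass

SYN = 0x02  # TCP flag bits as they appear in the TCP header
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    flags: int
    direction: str  # "out" (internalnet -> any) or "in" (any -> internalnet)


def established_no_syn(pkt: Packet) -> bool:
    """Semantics observed in the 2.2 snapshot: SYN bit not set."""
    return not (pkt.flags & SYN)


def established_ack_set(pkt: Packet) -> bool:
    """Semantics the post argues for (the missing 'ACK-set'): ACK bit set."""
    return bool(pkt.flags & ACK)


def handshake(client_port: int = 1234, server_port: int = 23) -> list:
    """Constructed handshake: internal client opens telnet to an outside server."""
    return [
        Packet(client_port, server_port, SYN, "out"),        # 1. SYN
        Packet(server_port, client_port, SYN | ACK, "in"),   # 2. SYN+ACK
        Packet(client_port, server_port, ACK, "out"),        # 3. ACK
    ]


def permitted(pkt: Packet, established) -> bool:
    """The post's two-rule policy, with a pluggable 'established' test:
         accept tcp from <internalnet> 1024-65535 to any 23 out
         accept tcp from any 23 to <internalnet> 1024-65535 in <established>
    Anything not matched is rejected."""
    if pkt.direction == "out" and 1024 <= pkt.src_port <= 65535 and pkt.dst_port == 23:
        return True
    if pkt.direction == "in" and pkt.src_port == 23 and 1024 <= pkt.dst_port <= 65535:
        return established(pkt)
    return False


def trace(established) -> list:
    """Per-packet verdicts for the handshake under a given 'established' test."""
    return [permitted(p, established) for p in handshake()]


if __name__ == "__main__":
    # Under "SYN not set" the server's SYN+ACK reply is dropped, so the
    # handshake never completes; under "ACK set" it is allowed through.
    print("no-SYN semantics :", trace(established_no_syn))   # [True, False, True]
    print("ACK-set semantics:", trace(established_ack_set))  # [True, True, True]
    # A fresh inbound connection attempt from port 23 (SYN only) is rejected
    # either way, which is the property the second rule is meant to preserve.
    probe = Packet(23, 2000, SYN, "in")
    print("inbound SYN-only :", permitted(probe, established_ack_set))  # False
```

The run shows the point of the post: with the snapshot's "no SYN" reading, rule 2 cannot admit the server's SYN+ACK, so an outgoing session cannot be completed by these two rules alone, while the "ACK set" reading admits it and still rejects an inbound SYN-only packet aimed at a high port.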
