From: "Freddie Cash" <fjwcash@gmail.com>
To: net@freebsd.org
Date: Mon, 24 Mar 2008 09:56:28 -0700
References: <200803191334.54510.fjwcash@gmail.com> <47E17BF9.1030403@elischer.org> <200803191355.54288.fjwcash@gmail.com>
Subject: Re: "established" on { tcp or udp } rules
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Mar 20, 2008 at 2:03 AM, Vadim Goncharov wrote:
> This is behaviour of ipfw2 - options are independently ANDed. Thus, the man page
> explicitly says:
>
> established
> Matches TCP packets that have the RST or ACK bits set.
>
> So, it is obvious that a udp packet will not match and thus the entire rule will not
> match.

Yeah, it's just weird that it lets you write a rule that will never match.

I'll have to fire up FreeBSD 4.11 (and possibly earlier with just ipfw1) in a VM and check things there. I'm sure back in the 4.x days that ipfw would error out if you wrote a UDP rule with TCP options at the end, as that is what got me in the habit of writing separate UDP and TCP rules.

Now that I found the { udp or tcp } syntax, I was rewriting some rules on a test firewall and noticed that it would accept a TCP option even if udp was listed.

-- 
Freddie Cash
fjwcash@gmail.com
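As an added illustration, not code from this thread and not ipfw's own implementation: a small Python model of the independently-ANDed option semantics Vadim describes, together with a lint that flags rules whose TCP-only options (`established`, `setup`) make them unmatchable for the other protocols listed in a `{ ... or ... }` set. The rule grammar subset, the `Rule`/`Packet` classes and the constructed ruleset are assumptions of this example; the behaviour it models is the one quoted from ipfw(8) above: `established` only matches TCP packets with RST or ACK set, and every option must hold for the rule to match.

```python
"""Model of ipfw2 rule matching with independently ANDed options.

Added example; not from the mailing-list thread or from FreeBSD's ipfw.
Supported rule subset (an assumption of this example):
    <num> <allow|deny> <proto|{ p1 or p2 }> from <src> to <dst> [options]
"""
import re
from dataclasses import dataclass, field

# Options that, per ipfw(8), test TCP header flags and so never match UDP.
TCP_ONLY_OPTIONS = {"established", "setup"}


@dataclass
class Rule:
    number: int
    action: str
    protos: set
    options: set = field(default_factory=set)


@dataclass
class Packet:
    proto: str                                   # "tcp", "udp", ...
    tcp_flags: set = field(default_factory=set)  # e.g. {"ACK"}; empty for UDP


_RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>\{[^}]*\}|\S+)"
    r"\s+from\s+\S+\s+to\s+\S+(?P<opts>(?:\s+\S+)*)$"
)


def parse_rule(line):
    """Parse one rule line of the supported subset into a Rule."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    proto = m.group("proto")
    if proto.startswith("{"):
        # "{ tcp or udp }" -> {"tcp", "udp"}
        protos = {p for p in proto.strip("{}").split() if p != "or"}
    else:
        protos = {proto}
    return Rule(int(m.group("num")), m.group("action"), protos,
                set(m.group("opts").split()))


def matches(rule, pkt):
    """Every option is ANDed: the protocol set must contain the packet's
    protocol AND each further option must hold on its own."""
    if pkt.proto not in rule.protos and "ip" not in rule.protos:
        return False
    for opt in rule.options:
        if opt == "established":
            # ipfw(8): matches TCP packets with RST or ACK set; never UDP.
            if pkt.proto != "tcp" or not (pkt.tcp_flags & {"RST", "ACK"}):
                return False
        elif opt == "setup":
            if pkt.proto != "tcp" or pkt.tcp_flags != {"SYN"}:
                return False
        else:
            raise ValueError(f"unsupported option: {opt}")
    return True


def dead_protocols(rule):
    """Protocols named in the rule for which the rule can never match."""
    if rule.options & TCP_ONLY_OPTIONS:
        return rule.protos - {"tcp"}
    return set()


def lint(ruleset_text):
    """Return [(rule number, [unmatchable protocols])] for a ruleset."""
    findings = []
    for line in ruleset_text.strip().splitlines():
        rule = parse_rule(line)
        dead = dead_protocols(rule)
        if dead:
            findings.append((rule.number, sorted(dead)))
    return findings


# Constructed ruleset: rule 100 is the surprising form from the thread,
# rules 200/300 are the separate-TCP-and-UDP form the poster was used to.
RULESET = """
100 allow { tcp or udp } from any to any established
200 allow tcp from any to any established
300 allow udp from any to any
"""

if __name__ == "__main__":
    combined = parse_rule("100 allow { tcp or udp } from any to any established")
    print("UDP vs rule 100:", matches(combined, Packet("udp")))            # False
    print("TCP ACK vs rule 100:", matches(combined, Packet("tcp", {"ACK"})))  # True
    for number, dead in lint(RULESET):
        print(f"rule {number}: can never match {', '.join(dead)}")
```

Running the lint over a real ruleset dump is the practical check here: any `{ ... or ... }` rule that carries `established` or `setup` is silently a TCP-only rule, so the UDP traffic the author expected it to cover is falling through to later rules (or to the default policy) unnoticed.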