From: "Frank ten Wolde"
Message-Id: <9604011020.ZM20909@pwood1.pinewood.nl>
Date: Mon, 1 Apr 1996 10:20:05 +0100
To: current@FreeBSD.ORG
Subject: [Q] Semantics of 'established' in ipfw tcp

Hello,

I would like to know other people's reactions to the current semantics of the 'established' keyword for TCP connections in the 2.2-960323-SNAPSHOT implementation of the ipfw in the kernel. Currently 'established' means (according to the manpage *and* some experimentation):

    established
        Matches packets that do not have the SYN bit set. TCP packets only.

Should this not be:

    established
        Matches packets that do have the ACK bit set. TCP packets only.

(To my knowledge this is the way conventional packet filters interpret 'established'.)

Or to put it another way... Consider the TCP three-way handshake:

    #   packet direction     TCP flags   matched by rule
    ----------------------------------------------------------------
    1.  client --> server    SYN         'setup'
    2.  server --> client    SYN+ACK     NO RULE
    3.  client --> server    ACK         'established'
        other packets:       ACK         'established'

There is no way to specifically specify the second packet (with SYN *and* ACK on). For example, if I wanted to allow outgoing telnet sessions I need the rules:

    accept tcp from 1024-65535 to any 23 out
    accept tcp from any 23 to 1024-65535 in 'ACK-set'

That is, I *do* allow incoming packets to ports >= 1024, but I do *not* allow new TCP connections to these ports... (See also Building Internet Firewalls, page 240.)

The problem is in the 'ACK-set' keyword, which is *not* available at this moment...

Your opinions please... :-)

-Frank

P.S. The established and setup filtering is not yet implemented in ipfw...

--
----------------------------------------------------------------------
F.W. ten Wolde (PA3FMT)          Pinewood Automation B.V.
E-mail: franky@pinewood.nl       Kluyverweg 2a
Phone:  +31-15 2682543           2629 HT Delft
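Added example, not part of Frank's post or of the ipfw code: a small model of the two candidate readings of 'established' (no SYN bit vs. ACK bit set), run over the post's two-rule outgoing-telnet policy with a constructed three-way handshake. The local port 1025, the flag constants and the two extra constructed packets are assumptions made for the model.

```python
# Added example, not from the post or from ipfw: model the two candidate
# meanings of 'established' and run the post's two-rule telnet policy over
# a constructed TCP three-way handshake.
SYN, ACK, FIN = 0x02, 0x10, 0x01  # TCP flag bits (RFC 793)


def established_no_syn(flags):
    """Current 2.2-SNAPSHOT manpage reading: 'does not have the SYN bit set'."""
    return not (flags & SYN)


def established_ack_set(flags):
    """Conventional reading proposed in the post: 'does have the ACK bit set'."""
    return bool(flags & ACK)


def telnet_policy_allows(pkt, established):
    """Evaluate the post's outgoing-telnet policy against one packet.

    pkt = (src_port, dst_port, direction, flags); 'established' is one of
    the two predicates above, standing in for the 'ACK-set' keyword in:
        accept tcp from 1024-65535 to any 23 out
        accept tcp from any 23 to 1024-65535 in 'ACK-set'
    A packet that matches neither rule is treated as denied.
    """
    src, dst, direction, flags = pkt
    if direction == "out" and 1024 <= src <= 65535 and dst == 23:
        return True
    if direction == "in" and src == 23 and 1024 <= dst <= 65535:
        return established(flags)
    return False


# Constructed handshake for a telnet session from local port 1025 (assumed).
HANDSHAKE = [
    (1025, 23, "out", SYN),       # 1. client --> server
    (23, 1025, "in", SYN | ACK),  # 2. server --> client
    (1025, 23, "out", ACK),       # 3. client --> server
    (23, 1025, "in", ACK),        # later data segment from the server
]
# Constructed: an unsolicited inbound SYN to a high port (a new connection
# the policy must refuse) and an inbound segment with neither SYN nor ACK.
UNSOLICITED_SYN = (23, 1025, "in", SYN)
BARE_FIN = (23, 1025, "in", FIN)


def verdicts(established):
    """Per-packet accept (True) / deny (False) for HANDSHAKE under one reading."""
    return [telnet_policy_allows(p, established) for p in HANDSHAKE]
```

Under the no-SYN reading the SYN+ACK reply (packet 2) is refused, so the outgoing session can never complete, while an inbound segment carrying neither SYN nor ACK is accepted; under the ACK-set reading the handshake completes and only the ACK-less segments are refused, with the unsolicited SYN denied either way.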