From owner-freebsd-net  Sun Jan 12 17:44:48 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B689D37B401
	for <freebsd-net@FreeBSD.ORG>; Sun, 12 Jan 2003 17:44:46 -0800 (PST)
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 065E743F1E
	for <freebsd-net@FreeBSD.ORG>; Sun, 12 Jan 2003 17:44:46 -0800 (PST)
	(envelope-from billf@elvis.mu.org)
Received: by elvis.mu.org (Postfix, from userid 1098)
	id B1BBDAE211; Sun, 12 Jan 2003 17:44:37 -0800 (PST)
Date: Sun, 12 Jan 2003 17:44:37 -0800
From: Bill Fumerola <billf@mu.org>
To: Luigi Rizzo <rizzo@icir.org>
Cc: Josh Brooks <user@mail.econolodgetulsa.com>,
	freebsd-net@FreeBSD.ORG
Subject: Re: ipfw rules - SYN w/o MSS, and ACK with 0 sequence number
Message-ID: <20030113014437.GI35166@elvis.mu.org>
References: <20030111163433.S78856-100000@mail.econolodgetulsa.com> <20030112101128.C10609@xorpc.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030112101128.C10609@xorpc.icir.org>
User-Agent: Mutt/1.4i
X-Operating-System: FreeBSD 4.7-MUORG-20021112 i386
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

On Sun, Jan 12, 2003 at 10:11:28AM -0800, Luigi Rizzo wrote:

> On Sat, Jan 11, 2003 at 04:40:53PM -0800, Josh Brooks wrote:
> ...
> > Second, it turns out that the default stream.c has ACK numbers of zero on
> > every packet.  So although I realize that since ipfw is stateless I cannot
> > put in the _real_ fix (with ipfilter):
> 
> ipfw has been stateful since early 2000, so you can implement
> exactly the same thing mentioned below in ipfw as well. Read the ipfw
> manpage for details

also, ipfw can match packets by ack#. i've used this as criteria for a
dummynet pipe rule in the past.

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message