From owner-freebsd-net@freebsd.org  Wed May 11 19:51:13 2016
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 54873B3757F
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Wed, 11 May 2016 19:51:13 +0000 (UTC)
 (envelope-from zclaudio@bsd.com.br)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com
 [IPv6:2607:f8b0:4001:c06::229])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 23689134F
 for <freebsd-net@freebsd.org>; Wed, 11 May 2016 19:51:13 +0000 (UTC)
 (envelope-from zclaudio@bsd.com.br)
Received: by mail-io0-x229.google.com with SMTP id 190so68434936iow.1
 for <freebsd-net@freebsd.org>; Wed, 11 May 2016 12:51:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bsd.com.br; s=capeta;
 h=mime-version:date:message-id:subject:from:to;
 bh=4OYPJGiwusX1/A/fW6jYqe8CRmGZt6erOeIzJDM0Ugo=;
 b=X9kSb9pZibRzYsUjhH6QmITQvqyzim/yrNcnp3uiiemJC/BDBA48djvTJ1gOUYuLWn
 Gjf4OrquxzrHY9JXyTudteaBsTuHDPftBa82RAwJiCyPosJZm7GTTzZLr1W6nhtRCsb7
 +Uup3PPf0HeKtHeK3CwoiiDEEkfJu4KNKpyN4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:date:message-id:subject:from:to;
 bh=4OYPJGiwusX1/A/fW6jYqe8CRmGZt6erOeIzJDM0Ugo=;
 b=SLrhHuJdVam0+22eB580bYnMoaJ+/5KI5Wn125UXLhJD0C0dZsmiPTHfVCr6xzIw9y
 Q7Li0tVZ1hFs4NUu6r+ALmiiHJ212GjKruuG4NomJDRp7iDbI/CJWqCHefZ1PnmEpSxg
 lsvPwzt+Fda+rnjSCFkTJ8mFNCCY1Ic181+gduGAvmT/ObLMOp/OXzZhoGzoJzZHjve4
 r2DFj31CvAIjO0+cM9oG7xJX5LTBA9avRimf3ZDIKe2MnpYr0altO3uFlS0HhoypcX8o
 cXrSTlNjtG0yW+MejAB0SwYt6M4Df0lOgB6tB9uMgnzCrbW+hcjQxVwR6OgMXZ3ynXqv
 fmBA==
X-Gm-Message-State: AOPr4FWjOWBLw91raFnEVVe9zRLGb9xQ8EyNOSj469WfzalzQkVU4twAXAWoyxIAGGBq9PrA5PTI4zmLuf+KNA==
MIME-Version: 1.0
X-Received: by 10.36.83.20 with SMTP id n20mr3921338itb.61.1462996272521; Wed,
 11 May 2016 12:51:12 -0700 (PDT)
Received: by 10.107.29.16 with HTTP; Wed, 11 May 2016 12:51:12 -0700 (PDT)
Date: Wed, 11 May 2016 16:51:12 -0300
Message-ID: <CAEGk6G4-UAakazhomzmSDDvc2aDtS4kMb+9hj60=6a2DiXuE2Q@mail.gmail.com>
Subject: ipfw tcpack won't match a given ack #
From: Ze Claudio Pastore <zclaudio@bsd.com.br>
To: freebsd-net <freebsd-net@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.22
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2016 19:51:13 -0000

Hello,

This rule:

1      0         0 deny log logamount 1000 tcp from any to 100.100.224.66
tcpack 2

Won't match this attack pattern below.

Is tcpack supposed to match it? FreeBSD 10.2-STABLE #0 r292035M

Can I try to match it with some other tool? I tried pf but looks like it
won't filter (look into) this kind of information.

Thank you.

16:20:47.583871 IP 200.200.67.221.51352 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.584022 IP 200.200.67.221.51354 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.584324 IP 200.200.67.221.51353 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.584475 IP 200.200.67.221.51364 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.584718 IP 200.200.67.221.51353 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.584868 IP 200.200.67.221.51355 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.585169 IP 200.200.67.221.51353 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.585557 IP 200.200.67.221.51355 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.585623 IP 200.200.67.221.51351 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.585801 IP 200.200.67.221.51351 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.586081 IP 200.200.67.221.51351 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.586226 IP 200.200.67.221.51354 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.586649 IP 200.200.67.221.51351 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.586652 IP 200.200.67.221.51355 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.587124 IP 200.200.67.221.51355 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0

16:20:47.587129 IP 200.200.67.221.51351 > 100.100.224.66.80: Flags [.],

ack 2, win 0, length 0