From owner-freebsd-current Mon Apr 1 08:39:51 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA04035 for current-outgoing; Mon, 1 Apr 1996 08:39:51 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id IAA04030 for ; Mon, 1 Apr 1996 08:39:47 -0800 (PST)
Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0u3mdc-0003voC; Mon, 1 Apr 96 08:39 PST
Received: from localhost.tfs.com (localhost.tfs.com [127.0.0.1]) by critter.tfs.com (8.6.12/8.6.12) with SMTP id OAA15822; Mon, 1 Apr 1996 14:41:24 GMT
X-Authentication-Warning: critter.tfs.com: Host localhost.tfs.com didn't use HELO protocol
To: "Frank ten Wolde"
cc: current@FreeBSD.ORG
Subject: Re: [Q] Semantics of 'established' in ipfw tcp
In-reply-to: Your message of "Mon, 01 Apr 1996 10:20:05 +0100." <9604011020.ZM20909@pwood1.pinewood.nl>
Date: Mon, 01 Apr 1996 14:41:23 +0000
Message-ID: <15820.828369683@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Now I have had more time to read your email, I have more comments:

First of all, "setup" and "established" are just short form for "tcpflags foo" for various values of "foo", so you can have it any way you want, even if you disagree with the semantics of those two keywords.

> Currently 'established' means (according to the manpage *and* some
> experimentation):
>
>       established  Matches packets that do not have the SYN bit set.
>                    TCP packets only.
>
> Should this not be:
>
>       established  Matches packets that do have the ACK bit set.
>                    TCP packets only.

I added the "established" keyword as I remembered it to be used from memory, it is very possible I got it wrong.

> Or put it in another way... Consider the TCP three way handshake:
>
>   #  packet direction        TCP flags    matched by rule
>   ----------------------------------------------------------------
>   1. client --> server:      SYN          'setup'
>   2. server --> client:      SYN+ACK      NO RULE
>   3. client --> server:      ACK          'established'
>      other packets:          ACK          'established'

My own preferred way is

        allow tcp something or other setup
        allow tcp somebody else setup
        deny tcp all setup
        allow tcp all

In this context the "established" keyword isn't needed.

> There is no way to specifically specify the second packet (with SYN *and*
> ACK on). For example, if I wanted to allow outgoing telnet sessions I
> need a rule:
> [...]
> The problem is in the 'ACK-set' keyword, which is *not* available at this
> moment...

Yes it is, you can use the "tcpflags foo" for that.

> P.S. The established and setup filtering is not yet implemented in ipfw...

What ??? Could you explain this to me ?

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
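The point of the exchange above is that the two candidate definitions of "established" (manpage: "SYN bit not set"; proposed: "ACK bit set") are not equivalent, that both are just special cases of a general "tcpflags" match, and that a first-match ruleset of the form "allow ... setup / deny all setup / allow all" does not need "established" at all. The following model is an added illustration written for this page, not ipfw's own code: it matches constructed TCP packets (sample addresses "client", "server", "intruder" are made up) against the three predicates, evaluates the ruleset Poul-Henning describes with first-match semantics, and reports exactly which flag combinations the two "established" definitions disagree on. The reading of "setup" as "SYN set, ACK clear" is an assumption taken from the handshake table in the quoted text.

```python
"""Model of ipfw-style TCP flag matching (added example, not ipfw's code)."""

from dataclasses import dataclass
from typing import Callable, List, Tuple

# TCP flag bits in the order they sit in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str    # constructed labels, not real hosts
    dst: str
    flags: int


def match_tcpflags(p: Packet, set_flags: int = 0, clear_flags: int = 0) -> bool:
    """General 'tcpflags' match: all set_flags on, all clear_flags off."""
    return (p.flags & set_flags) == set_flags and (p.flags & clear_flags) == 0


def match_setup(p: Packet) -> bool:
    # Assumed meaning of 'setup': SYN on, ACK off (first packet of a handshake).
    return match_tcpflags(p, set_flags=SYN, clear_flags=ACK)


def match_established_nosyn(p: Packet) -> bool:
    # Manpage wording quoted in the thread: packets without the SYN bit.
    return match_tcpflags(p, clear_flags=SYN)


def match_established_ack(p: Packet) -> bool:
    # Proposed wording: packets with the ACK bit set.
    return match_tcpflags(p, set_flags=ACK)


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # "any" or a source label
    pred: Callable[[Packet], bool]   # flag predicate


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in a linear packet-filter ruleset."""
    for r in rules:
        if r.src in ("any", p.src) and r.pred(p):
            return r.action
    return default


# The ruleset from the message, with "client" standing in for the hosts
# that are permitted to open connections:
#   allow tcp <trusted> setup / deny tcp all setup / allow tcp all
PHK_RULES = [
    Rule("allow", "client", match_setup),
    Rule("deny", "any", match_setup),
    Rule("allow", "any", lambda p: True),
]

# Constructed sample packets: the three-way handshake plus a few others.
SAMPLE: List[Tuple[str, Packet]] = [
    ("1 client->server SYN", Packet("client", "server", SYN)),
    ("2 server->client SYN+ACK", Packet("server", "client", SYN | ACK)),
    ("3 client->server ACK", Packet("client", "server", ACK)),
    ("data client->server PSH+ACK", Packet("client", "server", PSH | ACK)),
    ("intruder SYN", Packet("intruder", "server", SYN)),
    ("intruder bare RST", Packet("intruder", "server", RST)),
    ("intruder bare FIN", Packet("intruder", "server", FIN)),
]


def disagreements(packets: List[Tuple[str, Packet]]) -> List[str]:
    """Names of packets where 'no SYN' and 'ACK set' give different answers."""
    return [name for name, p in packets
            if match_established_nosyn(p) != match_established_ack(p)]


if __name__ == "__main__":
    for name, p in SAMPLE:
        print(f"{name:30} setup={match_setup(p)!s:5} "
              f"no-SYN={match_established_nosyn(p)!s:5} "
              f"ACK-set={match_established_ack(p)!s:5} "
              f"verdict={evaluate(PHK_RULES, p)}")
    print("definitions disagree on:", disagreements(SAMPLE))
```

Running it shows the practical difference: a SYN+ACK is "established" under the ACK reading but not under the no-SYN reading, while a bare RST or FIN (no SYN, no ACK) is "established" under the no-SYN reading only. Under the setup-based ruleset both readings are moot, since anything that is not a connection attempt from a permitted source falls through to the final "allow tcp all", including those bare RST/FIN packets, which is the trade-off a practitioner accepts with a stateless filter of this shape.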