From owner-freebsd-net@FreeBSD.ORG Tue Mar 25 19:26:37 2008
From: Vadim Goncharov
Reply-To: vadim_nuclight@mail.ru
To: freebsd-net@freebsd.org
Date: Tue, 25 Mar 2008 19:26:26 +0000 (UTC)
Organization: Nuclear Lightning @ Tomsk, TPU AVTF Hostel
Subject: Re: "established" on { tcp or udp } rules
References: <200803191334.54510.fjwcash@gmail.com> <47E17BF9.1030403@elischer.org> <200803191355.54288.fjwcash@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: slrn/0.9.8.1 (FreeBSD)

Hi Freddie Cash!

On Mon, 24 Mar 2008 09:56:28 -0700; Freddie Cash wrote about 'Re: "established" on { tcp or udp } rules':

>> This is behaviour of ipfw2 - options are independently ANDed. Thus, the man page
>> explicitly says:
>>
>> established
>>     Matches TCP packets that have the RST or ACK bits set.
>>
>> So, it is obvious that a udp packet will not match and thus the entire rule will not
>> match.

> Yeah, it's just weird that it lets you write a rule that will never match.

It's not. I don't want a compiler standing in my way.

> I'll have to fire up FreeBSD 4.11 (and possibly earlier with just
> ipfw1) in a VM and check things there. I'm sure back in the 4.x days
> that ipfw would error out if you wrote a UDP rule with TCP options at
> the end, as that is what got me in the habit of writing separate UDP
> and TCP rules.

> Now that I found the { udp or tcp } syntax, I was rewriting some rules
> on a test firewall and noticed that it would accept TCP options even if
> udp was listed.

In the 4.11 days and ipfw1 you were limited in what you could check at once, so that check/complaint was ok. The new ipfw2 syntax allows writing perfectly valid rules with tcp/udp mixed in:

ipfw add allow { proto udp or established } out

That's an optimized short-catcher at the beginning of the ruleset. A machine is hard to teach to properly recognize whether that rule is a valid mix or not, so it just must not complain. Of course, then it is the user's responsibility to check. As always, Unix assumes you know what you do - if you rm a file, you can't undelete it.

--
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
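To make the AND/OR semantics discussed in this thread concrete, here is a small Python model of how ipfw2 combines rule options, added here as an illustration and not ipfw's own code; the Packet class, the sample traffic and the is_dead helper are constructed for the example. It shows that `udp established` can never fire on any packet, while `{ proto udp or established } out` passes both outbound UDP and packets of established TCP flows.

```python
"""Toy model of ipfw2 rule-body matching, constructed for illustration (not ipfw
code).  Options in a body are ANDed; a `{ a or b }` block ORs its alternatives."""
from dataclasses import dataclass, field

@dataclass
class Packet:
    proto: str                                 # "tcp" or "udp"
    direction: str                             # "in" or "out"
    flags: set = field(default_factory=set)    # TCP flag names, e.g. {"ACK"}

def match_option(opt: str, pkt: Packet) -> bool:
    """Evaluate one ipfw-style option keyword against a packet."""
    if opt in ("tcp", "udp"):
        return pkt.proto == opt
    if opt.startswith("proto "):
        return pkt.proto == opt.split(None, 1)[1]
    if opt == "established":                   # man page: TCP with RST or ACK set
        return pkt.proto == "tcp" and bool(pkt.flags & {"RST", "ACK"})
    if opt in ("in", "out"):
        return pkt.direction == opt
    raise ValueError(f"unsupported option: {opt}")

def parse_body(body: str) -> list:
    """Split a body into ANDed options; each option is a list of ORed alternatives."""
    options, rest = [], body.strip()
    while rest:
        if rest.startswith("{"):               # `{ x or y }` block
            end = rest.index("}")
            options.append([a.strip() for a in rest[1:end].split(" or ")])
            rest = rest[end + 1:].strip()
        else:                                  # bare option, possibly `proto X`
            head, _, rest = rest.partition(" ")
            if head == "proto":
                name, _, rest = rest.partition(" ")
                head = f"proto {name}"
            options.append([head])
            rest = rest.strip()
    return options

def rule_matches(body: str, pkt: Packet) -> bool:
    """AND across options, OR within a block, as ipfw2 combines them."""
    return all(any(match_option(a, pkt) for a in alts) for alts in parse_body(body))

def is_dead(body: str, packets: list) -> bool:
    """True when no packet in the sample can match: the rule can never fire."""
    return not any(rule_matches(body, p) for p in packets)

SAMPLE = [Packet("udp", "out"), Packet("udp", "in"),   # constructed sample traffic
          Packet("tcp", "out", {"SYN"}),       # new outbound connection, no ACK yet
          Packet("tcp", "out", {"ACK"})]       # packet of an established flow
```

Running is_dead over a real ruleset's bodies against a representative packet sample is a cheap way to flag rules that will never match, which is exactly the check ipfw itself no longer performs.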