From: Julian Elischer
Date: Wed, 19 Mar 2008 13:56:35 -0700
To: Freddie Cash
Cc: freebsd-net@freebsd.org
Subject: Re: "established" on { tcp or udp } rules
Message-ID: <47E17E03.8040304@elischer.org>
References: <200803191334.54510.fjwcash@gmail.com> <200803191343.45516.fjwcash@gmail.com> <200803191347.28329.fjwcash@gmail.com>
In-Reply-To: <200803191347.28329.fjwcash@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

Freddie Cash wrote:
> On March 19, 2008 01:43 pm Freddie Cash wrote:
>> On March 19, 2008 01:34 pm Freddie Cash wrote:
>>> Just curious if the following rule will work correctly. It is
>>> accepted by the ipfw command. In the process of working out a test
>>> for it, but thought I'd ask here as well, just to be sure.
>>>
>>> ipfw add { tcp or udp } from me to any 53 out xmit fxp0
>>> ipfw add { tcp or udp } from any 53 to me in recv fxp0 established
>>>
>>> Will the UDP packets go through correctly, even though "established"
>>> has no meaning for UDP streams, and the ipfw command will barf if you
>>> use it with just "ipfw add udp" rules?
>>
>> Hmm, from the looks of things, it doesn't work. Even though it
>> specifies both tcp and udp, the rule only matches tcp packets from an
>> established connection.
>>
>> Perhaps a warning or error should be given when you try to use TCP
>> options on rules that aren't TCP-specific?
>>
>> Or am I missing something here?
>
> Guess I should probably have included a test case. From "ipfw show"
> output:
>
> 00100 3 162 allow { tcp or udp } from me to any dst-port 53 out xmit fxp0
> 00110 0 0 allow { tcp or udp } from any 53 to me in recv fxp0 established
> 00120 3 409 allow { tcp or udp } from any 53 to me in recv fxp0
>
> Without a "deny ip from any to any" rule instead of the last rule, UDP DNS
> requests fail.

"count log" is the best thing to do test cases..
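A constructed model of the first-match behaviour discussed in this thread, added here as an example and not code from ipfw or from either poster: it treats `established` the way ipfw documents it (a TCP packet with RST or ACK set), so on a `{ tcp or udp }` rule the option silently excludes UDP replies until a separate UDP rule is added, and a `count` rule placed before them tallies every reply for testing. Rule 105, the client port and the default-deny are assumptions.

```python
"""Model of ipfw first-match evaluation (constructed, not ipfw's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, FrozenSet

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str                  # "in" or "out"
    tcp_flags: FrozenSet[str] = frozenset()   # empty for UDP

@dataclass
class Rule:
    number: int
    action: str                     # "allow", "deny" or "count"
    protos: FrozenSet[str]          # {"tcp", "udp"} models "{ tcp or udp }"
    direction: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    established: bool = False       # ipfw "established": TCP with RST or ACK set
    hits: int = 0                   # packet counter, as shown by "ipfw show"

    def matches(self, p: Packet) -> bool:
        if p.proto not in self.protos or p.direction != self.direction:
            return False
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.established and (p.proto != "tcp" or not (p.tcp_flags & {"RST", "ACK"})):
            return False            # a TCP-only option can never match a UDP datagram
        return True

def evaluate(rules: List[Rule], p: Packet) -> str:
    """Verdict of the first terminating rule; "count" rules only tally and fall through."""
    for r in rules:
        if r.matches(p):
            r.hits += 1
            if r.action != "count":
                return r.action
    return "deny"                   # assumed default rule: deny ip from any to any

def dns_reply_verdicts(with_udp_rule: bool) -> Dict[str, object]:
    both = frozenset({"tcp", "udp"})
    rules = [Rule(100, "allow", both, "out", dst_port=53),
             Rule(105, "count", both, "in", src_port=53),      # "count" test rule (assumed)
             Rule(110, "allow", both, "in", src_port=53, established=True)]  # the thread's rule
    if with_udp_rule:
        rules.append(Rule(120, "allow", frozenset({"udp"}), "in", src_port=53))  # the fix
    tcp_reply = Packet("tcp", 53, 40000, "in", frozenset({"ACK"}))   # constructed replies
    udp_reply = Packet("udp", 53, 40000, "in")
    return {"tcp": evaluate(rules, tcp_reply), "udp": evaluate(rules, udp_reply),
            "count_hits": rules[1].hits, "rule110_hits": rules[2].hits}
```

With the UDP rule absent the count rule still shows the UDP reply arriving while rule 110 stays at zero hits, which is exactly the evidence the thread's "ipfw show" output captured.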