From: Freddie Cash <fjwcash@gmail.com>
Organization: School District 73
To: Julian Elischer
Resent-To: freebsd-net@freebsd.org
Date: Wed, 19 Mar 2008 13:55:53 -0700
Subject: Re: "established" on { tcp or udp } rules
In-Reply-To: <47E17BF9.1030403@elischer.org>
References: <200803191334.54510.fjwcash@gmail.com> <47E17BF9.1030403@elischer.org>
Message-Id: <200803191355.54288.fjwcash@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On March 19, 2008 01:47 pm you wrote:
> Freddie Cash wrote:
> > Just curious if the following rule will work correctly.  It is
> > accepted by the ipfw command.  In the process of working out a test
> > for it, but thought I'd ask here as well, just to be sure.
> >
> >   ipfw add { tcp or udp } from me to any 53 out xmit fxp0
> >   ipfw add { tcp or udp } from any 53 to me in recv fxp0 established
> >
> > Will the UDP packets go through correctly, even though "established"
> > has no meaning for UDP streams, and the ipfw command will barf if you
> > use it with just "ipfw add udp" rules?
>
> well, an action to do would be good..

D'oh, typo in the e-mail.  The rules are allow:

  ipfw add allow { tcp or udp } from me to any 53 out xmit fxp0
  ipfw add allow { tcp or udp } from any 53 to me in recv fxp0 established

> as for the question of whether UDP ... established evaluates to true
> or false, I would guess false but you'll have to test.

See my follow-up e-mail.  It appears that UDP packets don't match due to
the established keyword.  It appears that:

  ipfw add allow tcp from any to me in recv fxp0 established

and

  ipfw add allow { tcp or udp } from any to me in recv fxp0 established

are functionally the same.  Perhaps a warning should be emitted when one
tries to add the rule?

Hrm, it seems something is different with ipfw on 6.3.  One can add:

  ipfw add allow udp from any to any established

without any errors or warnings, but it will never match any packets.  I'm
sure back in the 4.x days when I started using ipfw that it would error
out with something along the lines of "TCP options can't be used with UDP
rules".

-- 
Freddie Cash
fjwcash@gmail.com
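The behaviour Freddie observed (a `{ tcp or udp }` rule carrying `established` silently never matching UDP replies), modelled below as an added example for this page. This is not code from the thread and not ipfw's own code: it implements only the subset of ipfw rule syntax the mail uses, and takes `established` as ipfw(8) defines it (TCP packets only, RST or ACK bit set), so the option evaluates false for any non-TCP packet. The host address 192.0.2.10 standing in for `me`, the resolver address 198.51.100.53, and the sample packets are constructed. It runs the original rule set beside a split version in which `established` gates only the TCP replies and UDP replies get their own rule.

```python
"""Toy model of ipfw first-match evaluation for '{ tcp or udp } ... established'.
Added illustration, not ipfw code; addresses and packets are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ME = "192.0.2.10"   # constructed address standing in for ipfw's "me"


@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                  # "in" (received on iface) / "out" (sent on iface)
    iface: str
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. frozenset({"ACK"})


@dataclass
class Rule:
    action: str
    protos: FrozenSet[str]          # {"tcp"}, {"udp"}, {"ip"} or {"tcp", "udp"}
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: Optional[str] = None
    recv: Optional[str] = None
    xmit: Optional[str] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        def addr_ok(spec, addr):
            return spec == "any" or addr == (ME if spec == "me" else spec)
        return all([
            "ip" in self.protos or pkt.proto in self.protos,
            addr_ok(self.src, pkt.src) and addr_ok(self.dst, pkt.dst),
            self.sport in (None, pkt.sport) and self.dport in (None, pkt.dport),
            self.direction in (None, pkt.direction),
            # Simplification: host-terminated traffic only, so an inbound packet
            # has a receive interface and an outbound packet a transmit interface.
            self.recv is None or (pkt.direction == "in" and pkt.iface == self.recv),
            self.xmit is None or (pkt.direction == "out" and pkt.iface == self.xmit),
            # The check that matters: ipfw(8) defines 'established' as a TCP-only
            # test on the RST/ACK bits, so it is simply false for a UDP datagram.
            not self.established
            or (pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ACK", "RST"})),
        ])


def parse_rule(text: str) -> Rule:
    """ACTION PROTO from SRC [PORT] to DST [PORT] [in|out] [recv IF] [xmit IF] [established],
    where PROTO is tcp, udp, ip or a brace group such as { tcp or udp }."""
    toks = text.split()
    action = toks.pop(0)
    if toks[0] == "{":
        end = toks.index("}")
        protos = frozenset(t for t in toks[1:end] if t != "or")
        del toks[:end + 1]
    else:
        protos = frozenset([toks.pop(0)])
    if toks.pop(0) != "from":
        raise ValueError("expected 'from' in: " + text)
    src = toks.pop(0)
    sport = int(toks.pop(0)) if toks[0].isdigit() else None
    if toks.pop(0) != "to":
        raise ValueError("expected 'to' in: " + text)
    dst = toks.pop(0)
    dport = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    rule = Rule(action, protos, src, sport, dst, dport)
    while toks:
        t = toks.pop(0)
        if t in ("in", "out"):
            rule.direction = t
        elif t == "recv":
            rule.recv = toks.pop(0)
        elif t == "xmit":
            rule.xmit = toks.pop(0)
        elif t == "established":
            rule.established = True   # accepted for UDP too, as on 6.3; just never true
        else:
            raise ValueError("unsupported option %r in: %s" % (t, text))
    return rule


def verdict(ruleset, pkt: Packet) -> str:
    """First matching rule wins, as in ipfw.  Both rule sets below end in an
    explicit deny, so the kernel's default rule does not come into play."""
    for rule in map(parse_rule, ruleset):
        if rule.matches(pkt):
            return rule.action
    return "deny"   # assumption: default-deny build


# The rules from the mail (with the missing 'allow' action restored).
FAULTY_RULES = [
    "allow { tcp or udp } from me to any 53 out xmit fxp0",
    "allow { tcp or udp } from any 53 to me in recv fxp0 established",
    "deny ip from any to any",
]
# Split version: 'established' only on the TCP reply rule, UDP replies separate.
SPLIT_RULES = [
    "allow { tcp or udp } from me to any 53 out xmit fxp0",
    "allow tcp from any 53 to me in recv fxp0 established",
    "allow udp from any 53 to me in recv fxp0",
    "deny ip from any to any",
]

RESOLVER = "198.51.100.53"   # constructed resolver address
UDP_QUERY = Packet("udp", ME, 61234, RESOLVER, 53, "out", "fxp0")
UDP_REPLY = Packet("udp", RESOLVER, 53, ME, 61234, "in", "fxp0")
TCP_REPLY = Packet("tcp", RESOLVER, 53, ME, 61235, "in", "fxp0", frozenset({"ACK"}))
TCP_SYN = Packet("tcp", RESOLVER, 53, ME, 22, "in", "fxp0", frozenset({"SYN"}))

if __name__ == "__main__":
    for name, rules in (("faulty", FAULTY_RULES), ("split", SPLIT_RULES)):
        for label, pkt in (("udp query out", UDP_QUERY), ("udp reply in", UDP_REPLY),
                           ("tcp reply in", TCP_REPLY), ("tcp syn from 53", TCP_SYN)):
            print("%-6s %-16s -> %s" % (name, label, verdict(rules, pkt)))
```

With the faulty set the UDP query leaves but its reply is dropped by the final deny, which is exactly the symptom in the thread; the split set passes it while a TCP segment from port 53 without ACK/RST is still refused. The stateless `allow udp from any 53 to me in recv fxp0` rule is the weak spot of the split set: it admits any UDP datagram with source port 53 to any local port. On ipfw2 the tighter alternative is `keep-state` on the outbound rule together with a `check-state` rule, so only replies to queries the host actually sent are accepted.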