From owner-freebsd-pf@FreeBSD.ORG  Wed Feb 28 19:48:40 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 35F5B16A404
	for <freebsd-pf@freebsd.org>; Wed, 28 Feb 2007 19:48:40 +0000 (UTC)
	(envelope-from dudu.meyer@gmail.com)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.185])
	by mx1.freebsd.org (Postfix) with ESMTP id BF79313C428
	for <freebsd-pf@freebsd.org>; Wed, 28 Feb 2007 19:48:39 +0000 (UTC)
	(envelope-from dudu.meyer@gmail.com)
Received: by nf-out-0910.google.com with SMTP id k27so640238nfc
	for <freebsd-pf@freebsd.org>; Wed, 28 Feb 2007 11:48:38 -0800 (PST)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta;
	h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
	b=YCVAedFbPIQL+JQkoD9Xb9WEdoYwbUZp6ippE/yJI+3itk7wTxIaWNysU5yFE6WKLww9xaxdexRFpRtQ18RHLyNithn4fZ+kXUg9W3aW7SLupRAzgw5hDlrblWYSDnjHAwCkE5m2oac/gzggkzwTcCHNFmGagOr8vT1jofk/sVQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta;
	h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
	b=P4Nv0kMxUl2CpGEdtQUZ52yNlYwsUDcvcqRCfjcF8lVMJZCwMd0hAXWPagskYbKsDN1vON6fOU5ovL5n2u6m3Sa0opXp2wDWo9i3cwFI2wHiTO3VE0Nn8T1sBeimtN/ASRahdCk0MyV7oF2meed3HZN5SS9xS3l/0kpptuhrIr0=
Received: by 10.82.135.13 with SMTP id i13mr329932bud.1172692117892;
	Wed, 28 Feb 2007 11:48:37 -0800 (PST)
Received: by 10.82.151.16 with HTTP; Wed, 28 Feb 2007 11:48:37 -0800 (PST)
Message-ID: <d3ea75b30702281148q41a585c7s7ec1f4d3361be554@mail.gmail.com>
Date: Wed, 28 Feb 2007 16:48:37 -0300
From: "Eduardo Meyer" <dudu.meyer@gmail.com>
To: freebsd-pf@freebsd.org
In-Reply-To: <Pine.NEB.4.64.0702281336230.1764@glacier.reedmedia.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <d3ea75b30702281111q1160f097oc07e135e4d4d52c3@mail.gmail.com>
	<Pine.NEB.4.64.0702281336230.1764@glacier.reedmedia.net>
Subject: Re: flags tcp and abscence of flag
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2007 19:48:40 -0000

On 2/28/07, Jeremy C. Reed <reed@reedmedia.net> wrote:
> On Wed, 28 Feb 2007, Eduardo Meyer wrote:
>
> > I need write a PF rule that does what this IPFW rule do:
> >
> > deny log tcp from any to any tcpflags fin,!syn,!rst,!ack in
> >
> > Someone told me to do this:
> >
> > block drop log in quick from any to any flags F/SRA
>
> This means: look at the SYN, RST, ACK flags but only match if the SYN flag
> is set.
>
> I think you want:
>
>         flags F/FSRA
>
> So it will also inspect for the FIN flag.

Translating to human lang, what I want is "look everywhere and match
only packets with fin set but syn, rst and ack unset.

How can I do the "unset" evaluation?

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br