From: "Dries Michiels"
To: "'Freddie Cash'"
Subject: RE: Matching rules on ip4/ip6 with udp/tcp
Date: Wed, 6 Jun 2018 20:13:59 +0200

Tried out the variations you mentioned and they work just great.

Thank you!
Dries

From: Freddie Cash
Sent: Wednesday, 6 June 2018 20:01
To: Dries Michiels
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Matching rules on ip4/ip6 with udp/tcp

On Wed, Jun 6, 2018 at 10:36 AM, Dries Michiels wrote:

Is there a way to match packets specifying both network generation ip4 or ip6 together with the protocol such as tcp or udp?
Currently the following rules are possible (examples):

ipfw add 1 allow udp from any to me 22 in recv em0
ipfw add 1 allow ip4 from any to me 22 in recv em0

The following rule is not possible (example):

ipfw add 1 allow ip4 udp from any to me 22 in recv em0

Is there a workaround for this or some reason why this hasn't been implemented?
Or do I simply not have the rule syntax right.

One of the following pairs should do what you want, although the man page is a little hard to parse on some of it, so they may not actually work:

ipfw add 1 allow from any to me in recv em0 proto ip4 dst-port 22
ipfw add 1 allow from any to me in recv em0 proto ip6 dst-port 22

ipfw add 1 allow udp from any to me in recv em0 proto ip4 dst-port 22
ipfw add 1 allow udp from any to me in recv em0 proto ip6 dst-port 22

Basically, there's a giant section in the man page about the "options" section of the rule (what goes after the interface). You can do just about anything within that section, including a lot of what could be done in the "protocol" and "source address" and "destination address" sections.

--
Freddie Cash
fjwcash@gmail.com
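
Added example, not part of the thread: a small sh helper that emits the second rule form above (transport in the protocol field, address family in the options) for every ip4/ip6 and tcp/udp combination, and can hand the result to `ipfw -n` for a syntax-only check. The function names and the rule-number spacing of 10 are assumptions; `em0` and port 22 are the thread's own sample values.

```sh
#!/bin/sh
# Added example: generate "allow <l4> ... proto <family> dst-port <port>" rules.

# build_rule NUM FAMILY TRANSPORT IFACE PORT
# Prints one ipfw command line; returns 1 on a value the rule form cannot take.
build_rule() {
    r_num=$1; r_family=$2; r_l4=$3; r_if=$4; r_port=$5
    case $r_family in ip4|ip6) ;; *) echo "bad family: $r_family" >&2; return 1 ;; esac
    case $r_l4 in tcp|udp) ;; *) echo "bad transport: $r_l4" >&2; return 1 ;; esac
    case $r_port in ''|*[!0-9]*) echo "bad port: $r_port" >&2; return 1 ;; esac
    if [ "$r_port" -lt 1 ] || [ "$r_port" -gt 65535 ]; then
        echo "bad port: $r_port" >&2; return 1
    fi
    [ -n "$r_if" ] || { echo "missing interface" >&2; return 1; }
    echo "ipfw add $r_num allow $r_l4 from any to me in recv $r_if proto $r_family dst-port $r_port"
}

# build_matrix BASE IFACE PORT
# Emits four rules (ip4/ip6 x tcp/udp), numbered BASE, BASE+10, ...
build_matrix() {
    m_n=$1; m_if=$2; m_port=$3
    for m_family in ip4 ip6; do
        for m_l4 in tcp udp; do
            build_rule "$m_n" "$m_family" "$m_l4" "$m_if" "$m_port" || return 1
            m_n=$((m_n + 10))
        done
    done
}

# check_rules: read "ipfw add ..." lines on stdin and let ipfw parse each one
# with -n (syntax check only; nothing is passed to the kernel).
check_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found, skipping" >&2; return 0; }
    while read -r _cmd c_args; do
        # Intentional word splitting: c_args holds the rule's separate words.
        ipfw -n $c_args || return 1
    done
}

# Constructed sample run using the thread's interface and port.
build_matrix 100 em0 22
```

On a FreeBSD host, `build_matrix 100 em0 22 | check_rules` runs each generated rule through the parser before anything is loaded.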