From owner-freebsd-net Tue Nov 26 11:20:13 2002
Date: Tue, 26 Nov 2002 11:17:56 -0800 (PST)
From: Julian Elischer
To: Don Bowman
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW question with options and fwd rule

On Tue, 26 Nov 2002, Don Bowman wrote:

> If I create a rule to 'fwd' packets with a particular TCP option
> set (or IP option) to a specific local port, and then I accept
> on that port, will subsequent packets without that option work?
>
> ie, I have this:
>
> 100 fwd localhost,9000 tcp from any to any 1234 tcpoptions ts recv interface
>
> SYN (TCP option SACK=1), Dest port=5555, Dest ip = random-host
> SYN/ACK
> ACK (no TCP options)
>
> will the first SYN reach me? (yes I think, even though the IP is not mine

and well, no, because 5555 != 1234 :-)
but, assuming that your rule said 5555, then it would only reach you
if it has the ts option set. To be forwarded a packet must match the
rule.. subsequent packets must ALSO match the rule.

you could use dynamic rules to match subsequent packets I think,
but I've never used them.

> the dest port is not me, the ipfw fwd magic takes care).
> Will the ACK from the client reach me? (the dest ip is not me, so will the
> stack discard, or will the already created PCB take care of this?)
>
> I'd like to carry on a normal TCP conversation, but select the local port
> that terminates it based on a TCP option. The destination IP will be
> somewhere else (it's a transparent proxy application).
>
> Thanks in advance.
>
> --don (don@sandvine.com www.sandvine.com)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
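The following is an added illustration of the two points made in the reply above; it is not code from the thread or from FreeBSD. It is a toy model of ipfw rule evaluation, not ipfw itself: a static `fwd ... tcpoptions ts` rule is checked packet by packet, so the handshake ACK (which carries no options) falls through to the default rule; a `keep-state` rule plus `check-state` lets later packets of the same flow take the action of the rule that created the dynamic entry. That inheritance of the parent rule's action is an assumption taken from the ipfw(8) description of `check-state` (the reply itself only says "I think"), and the model only evaluates packets arriving from the client, not the proxy's replies. Hosts, ports and the `FWD` action string are constructed for the example.

```python
"""Toy model of ipfw static vs. dynamic rule matching for a fwd rule.

Added example, not FreeBSD code. Assumption: a packet matched by check-state
takes the action of the rule that created the dynamic rule (ipfw(8)).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

FWD = "fwd localhost,9000"   # the action of rule 100 in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                              # "S", "A", "PA", ...
    tcpopts: FrozenSet[str] = frozenset()   # TCP options present, e.g. {"ts"}


@dataclass
class Rule:
    number: int
    action: str                             # FWD, "allow", "deny" or "check-state"
    dport: Optional[int] = None             # None matches any destination port
    tcpopts: FrozenSet[str] = frozenset()   # every listed option must be present
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self.tcpopts <= pkt.tcpopts


def flow_key(pkt: Packet):
    # Bidirectional key: both directions of one connection map to the same entry.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


def evaluate(rules: List[Rule], packets: List[Packet], default: str = "allow") -> List[str]:
    """Return the action taken for each packet, walking rules in order."""
    state = {}          # flow_key -> action of the rule that created the dynamic rule
    decisions = []
    for pkt in packets:
        taken = default
        for rule in rules:
            if rule.action == "check-state":
                hit = state.get(flow_key(pkt))
                if hit is not None:         # assumed: inherit the parent rule's action
                    taken = hit
                    break
                continue
            if rule.matches(pkt):
                if rule.keep_state:
                    state.setdefault(flow_key(pkt), rule.action)
                taken = rule.action
                break
        decisions.append(taken)
    return decisions


def client_packets(dport: int = 5555) -> List[Packet]:
    """Constructed client->server side of the handshake from the thread:
    SYN with the ts option, then an ACK and a data segment with no options."""
    opts = frozenset({"ts"})
    return [
        Packet("10.0.0.2", 40000, "203.0.113.9", dport, "S", opts),
        Packet("10.0.0.2", 40000, "203.0.113.9", dport, "A"),
        Packet("10.0.0.2", 40000, "203.0.113.9", dport, "PA"),
    ]


def static_ruleset(rule_port: int = 5555) -> List[Rule]:
    # rule 100 as posted (port corrected to 5555 as the reply suggests), plus the default allow
    return [Rule(100, FWD, dport=rule_port, tcpopts=frozenset({"ts"})),
            Rule(65535, "allow")]


def dynamic_ruleset(rule_port: int = 5555) -> List[Rule]:
    # same rule with keep-state, preceded by check-state so later packets hit the state entry
    return [Rule(50, "check-state"),
            Rule(100, FWD, dport=rule_port, tcpopts=frozenset({"ts"}), keep_state=True),
            Rule(65535, "allow")]


if __name__ == "__main__":
    print("rule on 1234:", evaluate(static_ruleset(1234), client_packets()))
    print("static:      ", evaluate(static_ruleset(), client_packets()))
    print("dynamic:     ", evaluate(dynamic_ruleset(), client_packets()))
```

With the rule still on port 1234 nothing is forwarded at all; with the static rule on 5555 only the SYN is forwarded and the option-less ACK and data go to the default rule; with keep-state/check-state the whole client side of the flow takes the fwd action.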