From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 4 11:06:54 2003
From: Chuck Swiger
Organization: The Courts of Chaos
Date: Sat, 04 Oct 2003 14:06:50 -0400
To: Roderick van Domburg
cc: freebsd-ipfw@freebsd.org
Subject: Re: When to use setup keyword?
Message-ID: <3F7F0C3A.7070403@mac.com>
In-Reply-To: <007d01c38a9e$73883cc0$6ba55982@gog>
References: <006b01c38a90$dea3b420$6ba55982@gog> <3F7EFDFA.4060703@fork.pl> <007d01c38a9e$73883cc0$6ba55982@gog>
List-Id: IPFW Technical Discussions

Roderick van Domburg wrote:
[ ... ]
> I know, but HTTP/1.1 does allow for ``threaded sessions'', so to speak. What
> I don't know without glancing at any RFC's is whether HTTP/1.1 clients open
> multiple sockets on port 80 or several sockets in the dynamic range.
Clients using HTTP/1.1 multiplex several requests over a single TCP connection to port 80 on the web server.

> Hence my question: which services require the setup keyword and which don't?

None of them do, in one sense-- you can write a valid and useful firewall ruleset without ever using the 'setup' keyword. If you know what you are doing, you might want to distinguish between 'setup' versus 'established' connections for logging purposes or fine-grained control. In order to do that, you need to understand TCP/IP well enough to know something about the SYN and ACK bits, the three-way handshake used for TCP connection setup, and so forth.

-- 
-Chuck
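The distinction Chuck is pointing at is purely a TCP flag check: in ipfw(8), `setup` is shorthand for `tcpflags syn,!ack` (the first packet of the three-way handshake), and `established` matches any segment with ACK or RST set. The following Python model is an added example, not part of the mail thread or of FreeBSD's ipfw; it evaluates a small, hypothetical stateless ruleset (rule numbers, the web server address 192.0.2.10 and the client addresses are all constructed here) against a constructed three-way handshake so you can see which rule each packet hits and why only the SYN is the packet you get to "decide" on.

```python
"""
Model of ipfw's 'setup' and 'established' TCP matches, run over a constructed
three-way handshake.  Added example code; not from the original mail thread
and not FreeBSD's implementation.  Semantics taken from ipfw(8):
  setup        -> SYN set and ACK clear   (short for: tcpflags syn,!ack)
  established  -> ACK or RST set
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_setup(p: Pkt) -> bool:
    """ipfw 'setup': SYN without ACK, i.e. the opening packet of a handshake."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def is_established(p: Pkt) -> bool:
    """ipfw 'established': any segment carrying ACK or RST."""
    return bool(p.flags & (ACK | RST))


# Hypothetical ruleset in the style of a classic stateless ipfw config
# (constructed for this example).  First match wins, as in ipfw:
#   ipfw add 100 allow tcp from any to any established
#   ipfw add 200 allow tcp from any to 192.0.2.10 80 setup
#   ipfw add 300 deny log tcp from any to any setup
#   (65535 is the implicit default rule)
WEB = "192.0.2.10"
Rule = Tuple[int, str, Callable[[Pkt], bool]]
RULES: List[Rule] = [
    (100, "allow", is_established),
    (200, "allow", lambda p: p.dst == WEB and p.dport == 80 and is_setup(p)),
    (300, "deny", is_setup),
    (65535, "deny", lambda p: True),
]


def lookup(p: Pkt) -> Tuple[int, str]:
    """Return (rule number, action) of the first matching rule."""
    for num, action, pred in RULES:
        if pred(p):
            return num, action
    raise AssertionError("default rule always matches")


def handshake(client: str, cport: int, server: str, sport: int) -> List[Pkt]:
    """The three segments of a TCP three-way handshake, client first."""
    return [
        Pkt(client, cport, server, sport, SYN),
        Pkt(server, sport, client, cport, SYN | ACK),
        Pkt(client, cport, server, sport, ACK),
    ]


def trace(packets: List[Pkt]) -> List[Tuple[int, str]]:
    """Evaluate each packet independently and report which rule it hit."""
    return [lookup(p) for p in packets]


if __name__ == "__main__":
    for pkt, hit in zip(handshake("198.51.100.7", 40000, WEB, 80),
                        trace(handshake("198.51.100.7", 40000, WEB, 80))):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} flags=0x{pkt.flags:02x} rule {hit[0]} {hit[1]}")
```

The SYN to port 80 is the only packet that rule 200 ever sees; the SYN/ACK and the final ACK both fall through to rule 100 because they carry ACK. A SYN to any other port is caught by rule 300, so that is where a `log` option pays off. The caveat a practitioner should keep in mind is that `established` here is a flag test, not a connection table: a forged segment with ACK set from an arbitrary source also matches rule 100. That is exactly the gap ipfw's `keep-state` and `check-state` exist to close.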