From owner-freebsd-hackers Wed Jun 28 05:42:31 1995
Return-Path: hackers-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id FAB04956 for hackers-outgoing; Wed, 28 Jun 1995 05:42:31 -0700
Received: from ns.tar.com (icon-seaman.inc.net [204.95.160.61]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id FAB04950 for ; Wed, 28 Jun 1995 05:42:29 -0700
Received: from spro.tar.com (spro.tar.com [204.95.187.10]) by ns.tar.com (8.6.11/8.6.11) with SMTP id HAA00903; Wed, 28 Jun 1995 07:36:47 -0500
Message-Id: <199506281236.HAA00903@ns.tar.com>
Date: Wed, 28 Jun 95 07:36:46 CDT
From: lists@tar.com (Richard Seaman, Jr)
Reply-To: lists@tar.com (Richard Seaman, Jr)
To: guido@gvr.win.tue.nl
Cc: hackers@freebsd.org
X-Mailer: Richard Seaman's PMMail v1.1
Subject: Re: ipfw code
Sender: hackers-owner@freebsd.org
Precedence: bulk

On Tue, 27 Jun 1995 19:13:54 +0200 (MET DST) you wrote:

>Currently, the ip_fw code has an option to block on packets with the
>SYN flag set. I think this is useless as it basically blocks all tcp
>traffic.

Agreed. Or more precisely, it blocks ALL SYN traffic, which prevents a
TCP connection from being set up. So yes, as a practical matter blocking
syn and blocking tcp have the same practical effect for this
implementation.

>What should be implemented is a way to block those packages
>with the ACK bit set. This is useful for allowing connections only
>from one host to another and not the other way around.
>Can we agree on the SYN code replaced by the ACK code?

I'm not sure I follow this. If the goal is to prevent inbound TCP
connection requests, I would think the filter should block TCP packets
with the SYN bit set and the ACK bit clear, but allow those in which both
the SYN bit and ACK bit are both set? I would think the goal of blocking
on syn is to prevent inbound connections but allow outbound connections?

Dick

Richard Seaman, Jr.
dick@tar.com                    5182 North Maple Lane
Dick@Seaman.Chenequa.WI.US      Chenequa, WI 53058
                                voice: 414-367-5450  fax: 414-367-5852
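The distinction the reply draws, shown as an added C example rather than code from the 1995 ipfw implementation or from either poster: the existing "drop any SYN" rule is compared with the proposed "drop SYN without ACK" rule on constructed minimal TCP headers. The TH_* names, the header offsets and all function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* TCP flag bits as laid out in the flags octet of the TCP header (RFC 793). */
#define TH_SYN  0x02
#define TH_PUSH 0x08
#define TH_ACK  0x10

#define TCP_HDR_LEN      20   /* minimal header, no options */
#define TCP_FLAGS_OFFSET 13   /* byte 13 of the header holds the flags */

/* Build a constructed minimal TCP header carrying the given flags;
 * ports, sequence and acknowledgement numbers are zeroed (sample data). */
void make_tcp_header(uint8_t hdr[TCP_HDR_LEN], uint8_t flags)
{
    memset(hdr, 0, TCP_HDR_LEN);
    hdr[12] = 5 << 4;            /* data offset: 5 words = 20 bytes */
    hdr[TCP_FLAGS_OFFSET] = flags;
}

/* Rule as it existed: drop any segment with SYN set. Besides inbound
 * connection requests this also drops the SYN+ACK replies to the host's
 * own outbound requests, so no TCP connection can complete in either
 * direction. */
bool old_syn_rule_drops(const uint8_t *hdr)
{
    return (hdr[TCP_FLAGS_OFFSET] & TH_SYN) != 0;
}

/* Rule as proposed in the reply: drop only segments with SYN set and
 * ACK clear, i.e. new inbound connection requests. SYN+ACK replies and
 * established-connection traffic still pass. */
bool syn_noack_rule_drops(const uint8_t *hdr)
{
    uint8_t f = hdr[TCP_FLAGS_OFFSET];
    return (f & TH_SYN) != 0 && (f & TH_ACK) == 0;
}

/* Evaluate both rules on a constructed header carrying FLAGS.
 * Returns bit 0 = old rule drops it, bit 1 = proposed rule drops it. */
int verdicts_for_flags(uint8_t flags)
{
    uint8_t hdr[TCP_HDR_LEN];
    make_tcp_header(hdr, flags);
    return (old_syn_rule_drops(hdr) ? 1 : 0) | (syn_noack_rule_drops(hdr) ? 2 : 0);
}
```

With these predicates an inbound SYN is dropped by both rules, while the SYN+ACK that answers an outbound connection attempt is dropped only by the old rule, which is why the old rule prevents connections in both directions.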