From: Artyom Viklenko
Date: Sat, 12 Dec 2009 15:58:17 +0200
To: Holger Rauch
Cc: freebsd-pf@freebsd.org
Subject: Re: Transition from IPFW: PF flags for IPFW "setup" and "established" keywords
Message-ID: <4B23A179.9070004@aws-net.org.ua>
In-Reply-To: <20091211115900.GC31375@heitec.de>

Holger Rauch writes:
> Hi to everybody,
>
> what are the correct combinations of flags for the IPFW "setup" and
> "established" keywords?

PF's equivalent of IPFW's "setup" is 'flags S/SA'. Also, you have to include 'keep state' in the same rule (for FreeBSD versions up to 6.4; in 7.x and 8.x it's the default behavior).
If a connection is established, PF creates state and matches traffic "internally" without special dedicated rules. E.g.,

pass in on fxp0 inet proto tcp from any to any port 80 flags S/SA keep state

will pass TCP traffic to port 80 if it starts as it should, beginning from the first packet with only the SYN bit set of the two bits SYN and ACK. State will be created for this flow if the rest of the packets follow the usual three-way handshake. After this, all packets in this flow will pass automatically until the connection is closed (packets with FIN bits seen by PF) or timed out. Something like this. :)

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
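As an added example, not part of the mailing-list post, the Python below models pf's "flags check/mask" matching together with the ipfw(8) definitions of "setup" (SYN set, ACK clear) and "established" (RST or ACK set), and checks over every TCP flag combination that "setup" is exactly "flags S/SA" while no single pf flags spec reproduces "established", which is why pf covers that side with state rather than a flags rule. The bit values follow the TCP header; the function names are my own.

```python
# Added example: pf "flags check/mask" matching versus ipfw "setup"/"established".
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}
ALL_FLAG_COMBOS = range(64)  # every combination of the six classic flag bits


def parse_pf_flags(spec):
    """Turn a pf spec such as 'S/SA' into (check, mask) bit masks."""
    check, mask = spec.split("/")
    check_bits = sum(LETTERS[c] for c in check)
    mask_bits = sum(LETTERS[c] for c in mask)
    return check_bits, mask_bits


def pf_flags_match(tcp_flags, spec):
    """pf semantics: of the bits named in 'mask', exactly those in 'check' are set."""
    check, mask = parse_pf_flags(spec)
    return (tcp_flags & mask) == check


def ipfw_setup(tcp_flags):
    """ipfw(8) 'setup': SYN set and ACK clear (short form of tcpflags syn,!ack)."""
    return bool(tcp_flags & SYN) and not (tcp_flags & ACK)


def ipfw_established(tcp_flags):
    """ipfw(8) 'established': RST or ACK set."""
    return bool(tcp_flags & (RST | ACK))


def setup_equals_s_sa():
    """True when ipfw 'setup' and pf 'flags S/SA' agree on all 64 combinations."""
    return all(ipfw_setup(f) == pf_flags_match(f, "S/SA") for f in ALL_FLAG_COMBOS)


def established_has_single_pf_spec():
    """Search every pf check/mask pair for one equal to ipfw 'established'.

    'established' is an OR of two bits; a single pf spec can only express
    'these mask bits are exactly check', so no pair should be found.
    """
    target = [ipfw_established(f) for f in ALL_FLAG_COMBOS]
    for mask in range(64):
        for check in range(64):
            if check & ~mask:
                continue  # check bits must be a subset of the mask bits
            if [(f & mask) == check for f in ALL_FLAG_COMBOS] == target:
                return True
    return False
```

Because the ACK-side traffic cannot be captured by one flags rule, pf instead relies on the state entry that the SYN packet creates, which is the point the reply above makes about "keep state".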