From owner-freebsd-questions@freebsd.org Thu Nov 16 19:30:11 2017
From: javocado
Date: Thu, 16 Nov 2017 11:30:09 -0800
Subject: ipfw setup keyword - with and without ...
To: freebsd-questions@freebsd.org
List-Id: User questions

Here are two simple rulesets:

Code:
10 allow tcp from any to any established
20 allow tcp from any to any 22
65535 deny ip from any to any

OR:

Code:
10 allow tcp from any to any established
20 allow tcp from any to any 22 setup
65535 deny ip from any to any

The difference is that the second ruleset has 'setup' modifying the rule that lets in the traffic we want.

From what I can tell, in actual day-to-day use, these two rulesets behave identically.

Am I correct? I *think* the difference between these is that the second ruleset (with 'setup') is slightly stricter, because TCP *fragments* that are not part of any connection would be allowed through the first ruleset but would be blocked by the second ruleset, since only a TCP fragment would be *neither* part of connection setup *nor* part of an established connection.

Is that correct?
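The following is an added example, not part of the post above and not ipfw's own code: a small Python model of how ipfw's stateless TCP keywords decide the two rulesets, so the two can be compared packet by packet. It assumes the ipfw(8) definitions that 'established' matches a TCP packet with the ACK or RST bit set, that 'setup' matches a TCP packet with SYN set and ACK clear, and that a non-first fragment carries no transport header and therefore matches no rule qualified by ports or TCP flags. The Rule and Packet classes, the compare() helper and the sample packets are constructed for this model.

```python
# Added example (not from the original post): a model of ipfw's stateless
# TCP keywords applied to the two rulesets under discussion.
# Assumptions, taken from ipfw(8):
#   established -> TCP packet with the ACK or RST bit set
#   setup       -> TCP packet with SYN set and ACK clear
#   non-first fragments carry no transport header, so they match no rule
#   that is qualified by ports or TCP flags.
# Rule, Packet, compare() and SAMPLES are this model's own constructions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", ...
    dport: Optional[int]            # None when no transport header is present
    flags: int = 0                  # TCP flag bits
    nonfirst_frag: bool = False     # True for fragments after the first


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp" or "ip" (ip = any protocol)
    dport: Optional[int] = None     # destination port, None means "any"
    option: Optional[str] = None    # "established", "setup" or None


# The two rulesets from the post; 65535 is ipfw's default rule.
WITHOUT_SETUP = [
    Rule(10, "allow", "tcp", option="established"),
    Rule(20, "allow", "tcp", dport=22),
    Rule(65535, "deny", "ip"),
]
WITH_SETUP = [
    Rule(10, "allow", "tcp", option="established"),
    Rule(20, "allow", "tcp", dport=22, option="setup"),
    Rule(65535, "deny", "ip"),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match of one rule against one packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if (rule.dport is not None or rule.option is not None) and pkt.nonfirst_frag:
        # Port and flag qualifiers need the TCP header, which a
        # non-first fragment does not carry.
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.option == "established":
        return bool(pkt.flags & (ACK | RST))
    if rule.option == "setup":
        return bool(pkt.flags & SYN) and not (pkt.flags & ACK)
    return True


def decide(ruleset: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First matching rule wins, as in ipfw; returns (rule number, action)."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.num, rule.action
    raise AssertionError("ruleset must end with a catch-all rule")


def compare(pkt: Packet) -> Tuple[Tuple[int, str], Tuple[int, str]]:
    """Decision of the ruleset without 'setup' and the one with it."""
    return decide(WITHOUT_SETUP, pkt), decide(WITH_SETUP, pkt)


# Constructed sample traffic, not captured from a real host.
SAMPLES = {
    "SYN to 22 (new connection)":  Packet("tcp", 22, SYN),
    "ACK to 22 (mid-connection)":  Packet("tcp", 22, ACK),
    "SYN to 80":                   Packet("tcp", 80, SYN),
    "FIN only to 22 (no ACK)":     Packet("tcp", 22, FIN),
    "no flags to 22 (null)":       Packet("tcp", 22, 0),
    "unsolicited SYN/ACK to 22":   Packet("tcp", 22, SYN | ACK),
    "non-first fragment of TCP":   Packet("tcp", None, 0, nonfirst_frag=True),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        a, b = compare(pkt)
        mark = "" if a == b else "   <-- rulesets differ"
        print(f"{label:28} without setup: {a}  with setup: {b}{mark}")
```

Run it and look at the rows marked as differing: under these assumptions the rulesets part ways on TCP packets to port 22 that carry neither SYN nor ACK nor RST (a bare FIN or a null-flag packet), which rule 20 without 'setup' accepts and rule 20 with 'setup' rejects, while a non-first fragment falls through to the default rule in both cases because neither rule 10 nor rule 20 can be evaluated against it.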