Date: Wed, 19 Mar 2008 13:56:35 -0700
From: Julian Elischer <julian@elischer.org>
To: Freddie Cash <fjwcash@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: "established" on { tcp or udp } rules
Message-ID: <47E17E03.8040304@elischer.org>
In-Reply-To: <200803191347.28329.fjwcash@gmail.com>
References: <200803191334.54510.fjwcash@gmail.com> <200803191343.45516.fjwcash@gmail.com> <200803191347.28329.fjwcash@gmail.com>
Freddie Cash wrote:
> On March 19, 2008 01:43 pm Freddie Cash wrote:
>> On March 19, 2008 01:34 pm Freddie Cash wrote:
>>> Just curious if the following rule will work correctly. It is
>>> accepted by the ipfw command. In the process of working out a test
>>> for it, but thought I'd ask here as well, just to be sure.
>>>
>>> ipfw add { tcp or udp } from me to any 53 out xmit fxp0
>>> ipfw add { tcp or udp } from any 53 to me in recv fxp0
>>> established
>>>
>>> Will the UDP packets go through correctly, even though "established"
>>> has no meaning for UDP streams, and the ipfw command will barf if you
>>> use it with just "ipfw add udp" rules?
>> Hmm, from the looks of things, it doesn't work. Even though it
>> specifies both tcp and udp, the rule only matches tcp packets from an
>> established connection.
>>
>> Perhaps a warning or error should be given when you try to use TCP
>> options on rules that aren't TCP-specific?
>>
>> Or am I missing something here?
>
> Guess I should probably have included a test case. From "ipfw show"
> output:
> 00100 3 162 allow { tcp or udp } from me to any dst-port 53 out xmit fxp0
>
> 00110 0 0 allow { tcp or udp } from any 53 to me in recv fxp0
> established
>
> 00120 3 409 allow { tcp or udp } from any 53 to me in recv fxp0
>
>
> Without a "deny ip from any to any" rule instead of the last rule, UDP DNS
> requests fail.
>
"count log" is the best thing to do for test cases..
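A small model of ipfw's first-match evaluation over the inbound rules in this thread, added here as an illustration (it is not code from the thread or from ipfw itself). It assumes ipfw(8)'s definition of `established` as a match on TCP packets with the RST or ACK bit set, which is why a `{ tcp or udp }` rule carrying that option can never match a UDP DNS reply:

```python
# Added model of ipfw first-match evaluation for the inbound rules in this thread.
# Assumption, per ipfw(8): "established" matches only TCP packets with RST or
# ACK set, so it is never true for a UDP packet.
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass
class Pkt:
    proto: str                            # "tcp" or "udp"
    sport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags; empty for UDP

@dataclass
class Rule:
    num: int
    action: str
    protos: FrozenSet[str]        # {"tcp", "udp"} models "{ tcp or udp }"
    sport: Optional[int] = None   # None = any source port
    established: bool = False

    def matches(self, p: Pkt) -> bool:
        if p.proto not in self.protos:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        # TCP-only option: a UDP packet fails here even though "udp" is in protos.
        if self.established and not (p.proto == "tcp" and p.flags & {"ACK", "RST"}):
            return False
        return True

def first_match(rules, pkt):
    # (rule number, action) of the first match; (None, "deny") = fell off the end
    for r in rules:
        if r.matches(pkt):
            return r.num, r.action
    return None, "deny"

BOTH = frozenset({"tcp", "udp"})
# Rule 110 as posted, followed by the "deny ip from any to any" variant of rule 120.
THREAD_RULES = [
    Rule(110, "allow", BOTH, sport=53, established=True),
    Rule(120, "deny", BOTH),
]
# Split rules: "established" stays on a TCP-only rule, UDP replies get their own.
SPLIT_RULES = [
    Rule(110, "allow", frozenset({"tcp"}), sport=53, established=True),
    Rule(115, "allow", frozenset({"udp"}), sport=53),
    Rule(120, "deny", BOTH),
]
# Constructed inbound traffic: a UDP DNS reply, a TCP DNS reply, a bare SYN from port 53.
UDP_REPLY = Pkt("udp", 53)
TCP_REPLY = Pkt("tcp", 53, frozenset({"ACK"}))
TCP_PROBE = Pkt("tcp", 53, frozenset({"SYN"}))
```

With the thread's rules the UDP reply falls through to the deny, which is the failure reported above; with the split rules it is accepted by rule 115 while a bare SYN from port 53 is still denied, and a stateful `keep-state` on the outbound query with `check-state` inbound would tighten the UDP side further.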
