Date:      Wed, 19 Mar 2008 14:03:43 -0700
From:      Freddie Cash <fjwcash@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   Re: "established" on { tcp or udp } rules
Message-ID:  <200803191403.44012.fjwcash@gmail.com>
In-Reply-To: <47E17E03.8040304@elischer.org>
References:  <200803191334.54510.fjwcash@gmail.com> <200803191347.28329.fjwcash@gmail.com> <47E17E03.8040304@elischer.org>

On March 19, 2008 01:56 pm you wrote:
> Freddie Cash wrote:
> > On March 19, 2008 01:43 pm Freddie Cash wrote:
> >> On March 19, 2008 01:34 pm Freddie Cash wrote:
> >>> Just curious if the following rule will work correctly.  It is
> >>> accepted by the ipfw command.  In the process of working out a test
> >>> for it, but thought I'd ask here as well, just to be sure.
> >>>
> >>> ipfw add { tcp or udp } from me     to any 53 out xmit fxp0
> >>> ipfw add { tcp or udp } from any 53 to me     in  recv fxp0
> >>> established
> >>>
> >>> Will the UDP packets go through correctly, even though
> >>> "established" has no meaning for UDP streams, and the ipfw command
> >>> will barf if you use it with just "ipfw add udp" rules?
> >>
> >> Hmm, from the looks of things, it doesn't work.  Even though it
> >> specifies both tcp and udp, the rule only matches tcp packets from
> >> an established connection.
> >>
> >> Perhaps a warning or error should be given when you try to use TCP
> >> options on rules that aren't TCP-specific?
> >>
> >> Or am I missing something here?
> >
> > Guess I should probably have included a test case.  From "ipfw show"
> > output:
> > 00100  3 162 allow { tcp or udp } from me to any dst-port 53 out xmit
> > fxp0
> >
> > 00110  0   0 allow { tcp or udp } from any 53 to me in recv fxp0
> > established
> >
> > 00120  3 409 allow { tcp or udp } from any 53 to me in recv fxp0
> >
> >
> > Without a "deny ip from any to any" rule instead of the last rule,
> > UDP DNS requests fail.
>
> "count log" is the best thing to do test cases..

[fcash@nexus ~]$ sudo ipfw add 50 count log \{ tcp or udp \} from me to 
any 53 out xmit fxp0
00050 count log logamount 5000 { tcp or udp } from me to any dst-port 53 
out xmit fxp0

[fcash@nexus  ~]$ sudo ipfw add 60 count log \{ tcp or udp \} from any 53 
to me in recv fxp0 established
00060 count log logamount 5000 { tcp or udp } from any 53 to me in recv 
fxp0 established

[fcash@nexus  ~]$ sudo ipfw add 70 count log \{ tcp or udp \} from any 53 
to me in recv fxp0
00070 count log logamount 5000 { tcp or udp } from any 53 to me in recv 
fxp0

[fcash@nexus  ~]$ sudo ipfw zero 50 60 70
Entry 50 cleared.
Entry 60 cleared.
Entry 70 cleared.

[fcash@nexus  ~]$ host ocis.net
ocis.net has address 209.52.173.1
ocis.net mail is handled by 5 mx1.securelinks.net.

[fcash@nexus  ~]$ tail /var/log/security
Mar 19 13:59:04 nexus last message repeated 4 times
Mar 19 13:59:10 nexus kernel: ipfw: Entry 50 cleared.
Mar 19 13:59:10 nexus kernel: ipfw: Entry 60 cleared.
Mar 19 13:59:10 nexus kernel: ipfw: Entry 70 cleared.
Mar 19 13:59:13 nexus kernel: ipfw: 50 Count UDP me:59050 172.24.13.171:53 
out via fxp0
Mar 19 13:59:13 nexus kernel: ipfw: 70 Count UDP 172.24.13.171:53 me:59050 
in via fxp0
Mar 19 13:59:13 nexus kernel: ipfw: 50 Count UDP me:64581 172.24.13.171:53 
out via fxp0
Mar 19 13:59:13 nexus kernel: ipfw: 70 Count UDP 172.24.13.171:53 me:64581 
in via fxp0
Mar 19 13:59:13 nexus kernel: ipfw: 50 Count UDP me:62570 172.24.13.171:53 
out via fxp0
Mar 19 13:59:13 nexus kernel: ipfw: 70 Count UDP 172.24.13.171:53 me:62570 
in via fxp0

Rule 60, with the established keyword, is never touched by the UDP 
packets.

-- 
Freddie Cash
fjwcash@gmail.com
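The rule evaluation the thread describes, as an added Python model that is not from the thread or from ipfw itself: it assumes the ipfw(8) definition of "established" (TCP packets with RST or ACK set), models only protocol set, port and direction matching, and constructs its own packet sample from the port numbers in the log above.

```python
# Added example, not from the thread: a minimal model of how ipfw evaluates
# the three "count" rules in the test case above.  It covers only what the
# thread depends on: the { tcp or udp } protocol set, port/direction matching,
# and "established", which needs RST or ACK and so can never match UDP.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    number: int
    protos: frozenset            # e.g. frozenset({"tcp", "udp"})
    direction: str               # "in" or "out"
    src_port: Optional[int] = None   # None means "any"
    dst_port: Optional[int] = None
    established: bool = False
    count: int = 0

    def matches(self, pkt: dict) -> bool:
        if pkt["proto"] not in self.protos or pkt["dir"] != self.direction:
            return False
        if self.src_port is not None and pkt["sport"] != self.src_port:
            return False
        if self.dst_port is not None and pkt["dport"] != self.dst_port:
            return False
        # "established" is a TCP option; UDP has no flags, so it never passes.
        if self.established:
            return pkt["proto"] == "tcp" and bool(pkt["flags"] & {"ACK", "RST"})
        return True

def run_ruleset(rules, packets):
    # Like ipfw "count" rules: every packet is tested against every rule,
    # because "count" never terminates the search.
    for pkt in packets:
        for rule in rules:
            rule.count += rule.matches(pkt)
    return {r.number: r.count for r in rules}

def dns_test_case():
    both = frozenset({"tcp", "udp"})
    rules = [Rule(50, both, "out", dst_port=53),
             Rule(60, both, "in", src_port=53, established=True),
             Rule(70, both, "in", src_port=53)]
    # Constructed traffic: the three UDP lookups seen in the log above, plus
    # one TCP DNS reply with ACK set to show what "established" does accept.
    packets = []
    for sport in (59050, 64581, 62570):
        packets.append({"proto": "udp", "sport": sport, "dport": 53, "dir": "out", "flags": set()})
        packets.append({"proto": "udp", "sport": 53, "dport": sport, "dir": "in", "flags": set()})
    packets.append({"proto": "tcp", "sport": 53, "dport": 40000, "dir": "in", "flags": {"ACK", "PSH"}})
    return run_ruleset(rules, packets)
```

Running `dns_test_case()` reproduces the log: rule 60 counts only the TCP reply, while all UDP replies fall through to rule 70, which is why the thread's ruleset needs a separate rule without "established" for UDP.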