Date: Mon, 24 Mar 2008 09:56:28 -0700
From: "Freddie Cash" <fjwcash@gmail.com>
To: net@freebsd.org
Subject: Re: "established" on { tcp or udp } rules
Message-ID: <b269bc570803240956o27c08f95mb05210bf739f5fed@mail.gmail.com>
In-Reply-To: <slrnfu4a3h.1b5e.vadim_nuclight@hostel.avtf.net>
References: <200803191334.54510.fjwcash@gmail.com> <47E17BF9.1030403@elischer.org> <200803191355.54288.fjwcash@gmail.com> <slrnfu4a3h.1b5e.vadim_nuclight@hostel.avtf.net>
On Thu, Mar 20, 2008 at 2:03 AM, Vadim Goncharov <vadim_nuclight@mail.ru> wrote:
> This is the behaviour of ipfw2: options are independently ANDed. Thus, the man page
> explicitly says:
>
> established
> Matches TCP packets that have the RST or ACK bits set.
>
> So, it is obvious that a UDP packet will not match and thus the entire rule will not
> match.
Yeah, it's just weird that it lets you write a rule that will never match.
I'll have to fire up FreeBSD 4.11 (and possibly earlier with just
ipfw1) in a VM and check things there. I'm sure back in the 4.x days
that ipfw would error out if you wrote a UDP rule with TCP options at
the end, as that is what got me in the habit of writing separate UDP
and TCP rules.
Now that I found the { udp or tcp } syntax, I was rewriting some rules
on a test firewall and noticed that it would accept a TCP option even if
udp was listed.
--
Freddie Cash
fjwcash@gmail.com
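An added example (not from this thread, and not ipfw's own code) that models in Python the ipfw2 semantics Vadim describes: the protocol list is ORed, every option is then ANDed, and `established` only ever matches TCP, so a `{ tcp or udp } ... established` rule is dead for UDP while the split rules cover both. The Packet/Rule classes and the `dead_protocols` lint helper are assumptions of this model, not ipfw syntax or API.

```python
"""Toy model of ipfw2 option matching (added example, not ipfw's parser).
Shows why `{ tcp or udp } ... established` never matches UDP and how a
rule-set audit can flag such dead rules before they silently fall through."""
from dataclasses import dataclass, field

# Options that are defined only for TCP in ipfw(8); any other protocol
# combined with one of these can never satisfy the rule.
TCP_ONLY_OPTIONS = {"established", "setup", "tcpflags"}


@dataclass
class Packet:                       # constructed sample packet
    proto: str                      # "tcp" or "udp"
    dport: int
    tcpflags: frozenset = frozenset()   # e.g. frozenset({"ACK"})


@dataclass
class Rule:                         # hypothetical stand-in for an ipfw rule
    protos: set                     # e.g. {"tcp", "udp"} from `{ tcp or udp }`
    dport: int
    options: set = field(default_factory=set)


def option_matches(opt: str, pkt: Packet) -> bool:
    """ipfw2 semantics: 'established' matches TCP packets with RST or ACK set."""
    if opt == "established":
        return pkt.proto == "tcp" and bool(pkt.tcpflags & {"RST", "ACK"})
    raise ValueError(f"unsupported option in this model: {opt}")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Protocol alternatives are ORed; every trailing option is ANDed independently.
    if pkt.proto not in rule.protos or pkt.dport != rule.dport:
        return False
    return all(option_matches(o, pkt) for o in rule.options)


def dead_protocols(rule: Rule) -> set:
    """Lint: protocols listed in the rule that no packet can ever satisfy,
    because the rule also carries a TCP-only option."""
    return rule.protos - {"tcp"} if rule.options & TCP_ONLY_OPTIONS else set()


def demo() -> dict:
    combined = Rule({"tcp", "udp"}, 53, {"established"})     # the weak form
    split = [Rule({"tcp"}, 53, {"established"}), Rule({"udp"}, 53)]  # corrected
    packets = [Packet("tcp", 53, frozenset({"ACK"})), Packet("udp", 53)]
    return {
        "combined": [rule_matches(combined, p) for p in packets],      # [True, False]
        "split": [any(rule_matches(r, p) for r in split) for p in packets],  # [True, True]
        "dead": sorted(dead_protocols(combined)),                      # ["udp"]
    }
```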
