Date: Thu, 20 Mar 2008 09:03:45 +0000 (UTC)
From: Vadim Goncharov <vadim_nuclight@mail.ru>
To: freebsd-net@freebsd.org
Subject: Re: "established" on { tcp or udp } rules
Message-ID: <slrnfu4a3h.1b5e.vadim_nuclight@hostel.avtf.net>
References: <200803191334.54510.fjwcash@gmail.com> <47E17BF9.1030403@elischer.org> <200803191355.54288.fjwcash@gmail.com>
Hi Freddie Cash!
On Wed, 19 Mar 2008 13:55:53 -0700; Freddie Cash wrote about 'Re: "established" on { tcp or udp } rules':
> ipfw add allow { tcp or udp } from me to any 53 out xmit fxp0
> ipfw add allow { tcp or udp } from any 53 to me in recv fxp0 established
>> as for the question of whether UDP ... established evaluates to true
>> or false, I would guess false but you'll have to test.
> See my follow-up e-mail. It appears that UDP packets don't match due to
> the established keyword.
> It appears that:
> ipfw add allow tcp from any to me in recv fxp0 established
> and
> ipfw add allow { tcp or udp } from any to me in recv fxp0 established
> are functionally the same. Perhaps a warning should be emitted when one
> tries to add the rule?
> Hrm, it seems something is different with ipfw on 6.3. One can add:
> ipfw add allow udp from any to any established
> without any errors or warnings, but it will never match any packets. I'm
> sure back in the 4.x days when I started using ipfw that it would error
> out with something along the lines of "TCP options can't be used with UDP
> rules".
This is the behaviour of ipfw2: options are independently ANDed. Thus, the man page
explicitly says:

    established
        Matches TCP packets that have the RST or ACK bits set.

So it is obvious that a UDP packet will not match, and thus the entire rule will not
match.
--
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
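The point made above (each ipfw2 option is an independent predicate, and `established` is false for anything that is not TCP) can be checked with a small model. The following is an added illustration, not ipfw's own code and not part of this thread: it models a rule as a tuple of predicates that are ANDed, defines `established` exactly as the man page does, and shows on constructed packets that `{ tcp or udp } ... established` behaves identically to `tcp ... established`, while a split pair of rules lets the UDP DNS reply through. Interface matching (`recv fxp0`), destination `me` and state tracking are left out of the model; the packet fields and rule texts are constructed for the example.

```python
"""Toy model of ipfw2 option matching (added example, not ipfw code).

Every option in a rule is a predicate; the rule matches only if ALL of them
are true.  The man page defines `established` as "TCP packets that have the
RST or ACK bits set", so it is false for every UDP packet no matter what
protocol set precedes it in the rule.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet description with only the fields the predicates use."""
    proto: str                               # "tcp" or "udp"
    sport: int
    dport: int
    tcp_flags: FrozenSet[str] = frozenset()  # e.g. {"ACK"}; empty for udp


Predicate = Callable[[Packet], bool]


def proto_in(*protos: str) -> Predicate:
    """Models `tcp`, `udp` or `{ tcp or udp }` in the protocol position."""
    allowed = frozenset(protos)
    return lambda p: p.proto in allowed


def src_port(port: int) -> Predicate:
    """Models `from any <port>`."""
    return lambda p: p.sport == port


def established() -> Predicate:
    """man ipfw: matches TCP packets that have the RST or ACK bits set."""
    return lambda p: p.proto == "tcp" and bool(p.tcp_flags & {"RST", "ACK"})


@dataclass(frozen=True)
class Rule:
    text: str                      # human-readable rule, for reporting only
    options: Tuple[Predicate, ...]

    def matches(self, pkt: Packet) -> bool:
        # ipfw2 semantics: all options are ANDed.
        return all(opt(pkt) for opt in self.options)


def first_match(ruleset: List[Rule], pkt: Packet) -> Optional[str]:
    """Return the text of the first rule that matches, like a first-match walk."""
    for rule in ruleset:
        if rule.matches(pkt):
            return rule.text
    return None


def equivalent(a: Rule, b: Rule, pkts: List[Packet]) -> bool:
    """True if both rules give the same verdict on every sample packet."""
    return all(a.matches(p) == b.matches(p) for p in pkts)


def matched_by(ruleset: List[Rule], pkts: List[Packet]) -> List[Optional[str]]:
    return [first_match(ruleset, p) for p in pkts]


# Constructed sample traffic arriving on the inside interface.
DNS_REPLY_UDP = Packet("udp", 53, 40000)
DNS_REPLY_TCP = Packet("tcp", 53, 40001, frozenset({"ACK"}))
UNSOLICITED_SYN = Packet("tcp", 53, 40002, frozenset({"SYN"}))
SAMPLE = [DNS_REPLY_UDP, DNS_REPLY_TCP, UNSOLICITED_SYN]

# The rule from the thread: protocol set ANDed with `established`.
COMBINED = Rule("allow { tcp or udp } from any 53 to me in established",
                (proto_in("tcp", "udp"), src_port(53), established()))
# What it actually reduces to.
TCP_ONLY = Rule("allow tcp from any 53 to me in established",
                (proto_in("tcp"), src_port(53), established()))
# A separate rule is needed for the UDP replies.
UDP_REPLY = Rule("allow udp from any 53 to me in",
                 (proto_in("udp"), src_port(53)))

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.proto, sorted(p.tcp_flags),
              "combined:", COMBINED.matches(p),
              "split:", first_match([TCP_ONLY, UDP_REPLY], p))
```

The split `udp from any 53` rule is deliberately the simplest fix and is stateless, so it admits any datagram with source port 53; on a real ipfw ruleset the usual approach is `keep-state` on the outbound query and `check-state` inbound so only replies to actual queries pass. On a live system the symptom the thread describes is visible without a model: `ipfw -a list` prints per-rule packet counters, and a rule that can never match stays at zero.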
