Date: Mon, 1 Apr 1996 10:20:05 +0100
From: "Frank ten Wolde" <franky@pinewood.nl>
To: current@FreeBSD.ORG
Subject: [Q] Semantics of 'established' in ipfw tcp
Message-ID: <9604011020.ZM20909@pwood1.pinewood.nl>
Hello,

I would like to know other people's reactions to the current semantics of the 'established' keyword for TCP connections in the 2.2-960323-SNAPSHOT implementation of the ipfw in the kernel.

Currently 'established' means (according to the manpage *and* some experimentation):

    established   Matches packets that do not have the SYN bit set. TCP packets only.

Should this not be:

    established   Matches packets that do have the ACK bit set. TCP packets only.

(To my knowledge this is the way conventional packet filters interpret 'established'.)

Or, to put it another way... Consider the TCP three-way handshake:

    #  packet direction        TCP flags   matched by rule
    ----------------------------------------------------------------
    1. client --> server:      SYN         'setup'
    2. server --> client:      SYN+ACK     NO RULE
    3. client --> server:      ACK         'established'
       other packets:          ACK         'established'

There is no way to specifically specify the second packet (with SYN *and* ACK on).

For example, if I wanted to allow outgoing telnet sessions I need the rules:

    accept tcp from <internalnet> 1024-65535 to any 23 out
    accept tcp from any 23 to <internalnet> 1024-65535 in 'ACK-set'

That is, I *do* allow incoming packets to ports >=1024, but I do *not* allow new TCP connections to these ports... (See also Building Internet Firewalls, page 240.)

The problem is in the 'ACK-set' keyword, which is *not* available at this moment...

Your opinions please... :-)

-Frank

P.S. The established and setup filtering is not yet implemented in ipfw...

-- 
----------------------------------------------------------------------
F.W. ten Wolde (PA3FMT)       Pinewood Automation B.V.
E-mail: franky@pinewood.nl    Kluyverweg 2a
Phone: +31-15 2682543         2629 HT Delft
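The following is an added model (not code from the mail or from FreeBSD's ipfw) that runs the three handshake packets through the two candidate readings of 'established' (manpage: no SYN bit; proposed: ACK bit set) and through a hypothetical inbound rule of the shape Frank gives. The port numbers, the packet list and the rule helper are constructed for the illustration.

```python
"""Model of two candidate 'established' semantics for a TCP packet filter."""

# TCP flag bits as they appear in the header's flags field.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def matches_setup(flags):
    # 'setup': a new connection request, SYN set and ACK clear.
    return bool(flags & SYN) and not flags & ACK

def matches_established_no_syn(flags):
    # Semantics in the snapshot's manpage: any TCP packet without the SYN bit.
    return not flags & SYN

def matches_ack_set(flags):
    # Proposed 'ACK-set' semantics: any TCP packet with the ACK bit.
    return bool(flags & ACK)

def handshake_matches():
    """Which keyword matches each packet of the three-way handshake (constructed)."""
    packets = [("1 client->server", SYN),
               ("2 server->client", SYN | ACK),
               ("3 client->server", ACK),
               ("data", ACK)]
    return {name: {"setup": matches_setup(f),
                   "established(!SYN)": matches_established_no_syn(f),
                   "ACK-set": matches_ack_set(f)} for name, f in packets}

def inbound_rule_accepts(src_port, dst_port, flags, keyword):
    """Hypothetical rule 'accept tcp from any 23 to <internalnet> 1024-65535 in <keyword>'.

    keyword is 'established' (no-SYN semantics) or 'ACK-set' (ACK semantics).
    """
    if src_port != 23 or not 1024 <= dst_port <= 65535:
        return False
    if keyword == "established":
        return matches_established_no_syn(flags)
    if keyword == "ACK-set":
        return matches_ack_set(flags)
    raise ValueError(keyword)

if __name__ == "__main__":
    for name, row in handshake_matches().items():
        print(name, row)
    # A fresh SYN from port 23 to an internal high port is refused under both readings.
    print(inbound_rule_accepts(23, 1234, SYN, "established"), inbound_rule_accepts(23, 1234, SYN, "ACK-set"))
    # A packet with neither SYN nor ACK (e.g. a bare RST) counts as 'established' under
    # the no-SYN reading but not under ACK-set; the SYN+ACK reply is the reverse.
    print(inbound_rule_accepts(23, 1234, RST, "established"), inbound_rule_accepts(23, 1234, RST, "ACK-set"))
    print(inbound_rule_accepts(23, 1234, SYN | ACK, "established"), inbound_rule_accepts(23, 1234, SYN | ACK, "ACK-set"))
```

The SYN+ACK row shows the gap in the table above (no keyword matches it under the no-SYN reading), and the bare-RST case shows what the no-SYN reading lets through that an ACK-set keyword would not.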