From: Vadim Goncharov
To: freebsd-net@freebsd.org
Date: Thu, 20 Mar 2008 09:03:45 +0000 (UTC)
Organization: Nuclear Lightning @ Tomsk, TPU AVTF Hostel
Subject: Re: "established" on { tcp or udp } rules
References: <200803191334.54510.fjwcash@gmail.com> <47E17BF9.1030403@elischer.org> <200803191355.54288.fjwcash@gmail.com>
Reply-To: vadim_nuclight@mail.ru
List-Id: Networking and TCP/IP with FreeBSD
X-Comment-To: Freddie Cash

Hi Freddie Cash!
On Wed, 19 Mar 2008 13:55:53 -0700; Freddie Cash wrote about 'Re: "established" on { tcp or udp } rules':

> ipfw add allow { tcp or udp } from me to any 53 out xmit fxp0
> ipfw add allow { tcp or udp } from any 53 to me in recv fxp0 established
>> as for the question of whether UDP ... established evaluates to true
>> or false, I would guess false but you'll have to test.
> See my follow-up e-mail. It appears that UDP packets don't match due to
> the established keyword.
>
> It appears that:
> ipfw add allow tcp from any to me in recv fxp0 established
> and
> ipfw add allow { tcp or udp } from any to me in recv fxp0 established
> are functionally the same. Perhaps a warning should be emitted when one
> tries to add the rule?
>
> Hrm, it seems something is different with ipfw on 6.3. One can add:
> ipfw add allow udp from any to any established
> without any errors or warnings, but it will never match any packets. I'm
> sure back in the 4.x days when I started using ipfw that it would error
> out with something along the lines of "TCP options can't be used with UDP
> rules".

This is the behaviour of ipfw2: options are independently ANDed. Thus, the man page explicitly says:

    established
        Matches TCP packets that have the RST or ACK bits set.

So it is obvious that a UDP packet will not match, and thus the entire rule will not match.

-- 
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
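As an added example (not code from this thread or from ipfw itself), here is a small Python model of the ipfw2 semantics described above: every rule option is an independent predicate ANDed with the others, and `established` is defined only for TCP. It also includes a simple lint of the kind Freddie asks for, flagging a TCP-only option on a rule whose protocol set includes UDP. The `Packet`, `Rule`, `matches` and `lint` names and the sample packets are constructed for this illustration.

```python
# Added example: model of ipfw2 option matching (options are ANDed) plus a
# lint for TCP-only options on rules that also match UDP. Names and sample
# packets are constructed for illustration; this is not ipfw's own code.
from dataclasses import dataclass
from typing import Optional

TH_RST = 0x04
TH_ACK = 0x10

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    tcp_flags: int = 0  # only meaningful for TCP

@dataclass
class Rule:
    protos: set              # e.g. {"tcp", "udp"} for "{ tcp or udp }"
    src_port: Optional[int]  # "from any 53" -> 53; "from any" -> None
    options: tuple           # option names; every one must hold (ANDed)

# Option predicates. Per ipfw(8), "established" matches TCP packets that have
# the RST or ACK bits set, so a UDP packet is never "established".
OPTIONS = {
    "established": lambda p: p.proto == "tcp"
    and bool(p.tcp_flags & (TH_RST | TH_ACK)),
}
TCP_ONLY_OPTIONS = {"established"}

def matches(rule: Rule, pkt: Packet) -> bool:
    """True only if protocol, source port and *all* options hold."""
    if pkt.proto not in rule.protos:
        return False
    if rule.src_port is not None and pkt.sport != rule.src_port:
        return False
    return all(OPTIONS[o](pkt) for o in rule.options)

def lint(rule: Rule) -> list:
    """Warn when an option can never hold for some of the rule's protocols."""
    dead = [o for o in rule.options if o in TCP_ONLY_OPTIONS]
    others = sorted(rule.protos - {"tcp"})
    if dead and others:
        return [f"option(s) {dead} never match protocol(s) {others}"]
    return []

# Constructed packets: DNS replies from port 53 over TCP (ACK set) and UDP.
RULE = Rule(protos={"tcp", "udp"}, src_port=53, options=("established",))
TCP_REPLY = Packet("tcp", 53, 40000, TH_ACK)
TCP_SYN = Packet("tcp", 53, 40000, 0x02)
UDP_REPLY = Packet("udp", 53, 40000)
```

Running `matches(RULE, ...)` on the three packets shows that only the TCP reply with ACK set passes, which is exactly why the `{ tcp or udp }` rule behaves like the plain `tcp` one.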