Date:      Sat, 12 Dec 2009 15:58:17 +0200
From:      Artyom Viklenko <artem@aws-net.org.ua>
To:        Holger Rauch <holger.rauch@empic.de>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Transition from IPFW: PF flags for IPFW "setup" and "established" keywords
Message-ID:  <4B23A179.9070004@aws-net.org.ua>
In-Reply-To: <20091211115900.GC31375@heitec.de>
References:  <20091211115900.GC31375@heitec.de>

Holger Rauch wrote:
> Hi to everybody,
> 
> what are the correct combinations of flags for the IPFW "setup" and
> "established" keywords?

PF's equivalent of IPFW's "setup" is 'flags S/SA'.
Also, you have to include 'keep state' in the same rule
(for FreeBSD versions up to 6.4; in 7.x and 8.x it's
the default behavior).

If the connection is established, PF creates state and matches
traffic "internally" without special dedicated rules.

E.g.,

pass in on fxp0 inet proto tcp from any to any port 80 flags S/SA keep state

will pass TCP traffic to port 80 if it starts as it should,
beginning with the first packet with only the SYN bit set
out of the two bits SYN and ACK. State will be created for this
flow if the rest of the packets follow the usual three-way handshake.
After this, all packets in this flow will pass automatically
until the connection is closed (packets with FIN bits seen
by PF) or timed out.

Something like this. :)



-- 
            Sincerely yours,
                             Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve   -  http://www.freebsd.org
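
Added example, not part of the original message: a small Python model of how 'flags S/SA' selects packets and how 'keep state' then passes the rest of the flow. The function names, the default-block policy and the sample packets are assumptions made for illustration; real PF state tracking also checks sequence numbers and timeouts.

```python
# Toy model of: pass in ... proto tcp ... port 80 flags S/SA keep state
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

def to_bits(letters):
    """Convert pf flag letters such as 'SA' to a TCP flags bitmask."""
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits

def matches(spec, tcp_flags):
    """'flags <set>/<mask>': of the bits in <mask>, exactly <set> must be on."""
    check, sep, mask = spec.partition("/")
    if not sep or not mask:
        raise ValueError("expected <set>/<mask>, e.g. S/SA")
    check_bits, mask_bits = to_bits(check), to_bits(mask)
    if check_bits & ~mask_bits:
        raise ValueError("flags to check must lie inside the mask")
    return (tcp_flags & mask_bits) == check_bits

def filter_packets(packets, spec="S/SA", port=80):
    """Evaluate packets in order; assumes everything unmatched is blocked."""
    states, verdicts = set(), []
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in states or rev in states:
            verdicts.append("pass (state)")        # no rule lookup needed
        elif dport == port and matches(spec, to_bits(flags)):
            states.add(fwd)                        # 'keep state'
            verdicts.append("pass (rule, state created)")
        else:
            verdicts.append("block")
    return verdicts

# Constructed sample traffic: (src, sport, dst, dport, flag letters)
SAMPLE = [
    ("192.0.2.10", 40000, "198.51.100.5", 80, "S"),   # handshake step 1
    ("198.51.100.5", 80, "192.0.2.10", 40000, "SA"),  # reply, matched by state
    ("192.0.2.10", 40000, "198.51.100.5", 80, "A"),   # handshake step 3
    ("192.0.2.99", 41000, "198.51.100.5", 80, "A"),   # stray ACK, no state
    ("192.0.2.99", 41001, "198.51.100.5", 80, "SA"),  # SYN+ACK, no state
    ("192.0.2.99", 41002, "198.51.100.5", 80, "SP"),  # PSH is outside the mask
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, filter_packets(SAMPLE)):
        print(pkt, "->", verdict)
```

The last sample packet shows that S/SA only inspects SYN and ACK: bits outside the mask are ignored by the match.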


