Date:      Mon, 01 Apr 1996 14:41:23 +0000
From:      Poul-Henning Kamp <phk@critter.tfs.com>
To:        "Frank ten Wolde" <franky@pinewood.nl>
Cc:        current@FreeBSD.ORG
Subject:   Re: [Q] Semantics of 'established' in ipfw tcp 
Message-ID:  <15820.828369683@critter.tfs.com>
In-Reply-To: Your message of "Mon, 01 Apr 1996 10:20:05 +0100." <9604011020.ZM20909@pwood1.pinewood.nl>


Now that I have had more time to read your email, I have more comments:

First of all, "setup" and "established" are just short forms for "tcpflags foo"
for various values of "foo", so you can have it any way you want, even if
you disagree with the semantics of those two keywords.

> Currently 'established' means (according to the manpage *and* some
> experimentation): 
> 
>     established      Matches packets that do not have the SYN bit set.
>                      TCP packets only.
> 
> Should this not be:
> 
>     established      Matches packets that do have the ACK bit set.
>                      TCP packets only.


I added the "established" keyword as I remembered it to be used,
from memory; it is very possible I got it wrong.

> Or put it in another way...  Consider the TCP three way handshake:
> 
> 	#  packet direction     TCP flags       matched by rule
> 	----------------------------------------------------------------
> 	1. client --> server:   SYN             'setup'
> 	2. server --> client:   SYN+ACK         NO RULE
> 	3. client --> server:   ACK             'established'
> 	   other packets:       ACK             'established'

My own preferred way is
	allow tcp something or other setup
	allow tcp somebody else setup
	deny  tcp all setup
	allow tcp all

In this context the "established" keyword isn't needed.

> There is no way to specifically specify the second packet (with SYN *and*
> ACK on).  For example, if I wanted to allow outgoing telnet sessions I
> need a rule:
> [...]
> The problem is in the 'ACK-set' keyword, which is *not* available at this
> moment...

Yes it is, you can use the "tcpflags foo" for that.

> P.S. The established and setup filtering is not yet implemented in ipfw...
What??? Could you explain this to me?

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
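
As an added illustration (not part of this thread and not ipfw's own code), a small Python model of the keyword semantics under discussion: "setup", "established" and the proposed ACK-set match expressed as tcpflags-style matchers, run against the quoted handshake table and against Poul-Henning's ordered ruleset. The flag constants, host addresses and the "ack-set" name are assumptions constructed for the example.

```python
# Model of the ipfw TCP-flag keywords debated above (added example, not ipfw
# source).  Assumed semantics: "setup" = SYN set and ACK clear, "established" =
# SYN clear (the manpage text quoted above); "ack-set" is the poster's proposed
# keyword, modelled as "ACK set".  Host addresses below are constructed.
SYN, ACK = 0x02, 0x10  # TCP header flag bits for SYN and ACK


def tcpflags(set_bits=0, clear_bits=0):
    """Build a matcher in the spirit of ipfw's "tcpflags" option."""
    return lambda flags: (flags & set_bits) == set_bits and not flags & clear_bits


KEYWORDS = {
    "setup": tcpflags(set_bits=SYN, clear_bits=ACK),  # first handshake packet
    "established": tcpflags(clear_bits=SYN),          # "does not have SYN set"
    "ack-set": tcpflags(set_bits=ACK),                # poster's proposed keyword
}


def matches(keyword, flags):
    return KEYWORDS[keyword](flags)


# The three-way handshake from the quoted table (constructed flag values).
HANDSHAKE = [("client->server", SYN),
             ("server->client", SYN | ACK),
             ("client->server", ACK)]


def handshake_matches():
    """Reproduce the table's "matched by rule" column for the two keywords."""
    return [(d, [k for k in ("setup", "established") if matches(k, f)])
            for d, f in HANDSHAKE]


def first_match(rules, src, flags):
    """Walk an ordered rule list as ipfw does; return the first matching action."""
    for action, src_pat, keyword in rules:
        if src_pat != "all" and src_pat != src:
            continue
        if keyword is not None and not matches(keyword, flags):
            continue
        return action
    return "deny"  # no rule matched: default-deny


# Poul-Henning's preferred ruleset: per-host setup, deny other setup, allow rest.
PHK_RULES = [("allow", "10.0.0.5", "setup"),  # "something or other" (constructed)
             ("allow", "10.0.0.6", "setup"),  # "somebody else" (constructed)
             ("deny", "all", "setup"),
             ("allow", "all", None)]
```

The SYN+ACK packet is matched by neither keyword (the "NO RULE" row), which is why the ruleset above relies on the final "allow tcp all" rather than on "established".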