Date:      Wed, 19 Mar 2008 13:47:28 -0700
From:      Freddie Cash <fjwcash@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   Re: "established" on { tcp or udp } rules
Message-ID:  <200803191347.28329.fjwcash@gmail.com>
In-Reply-To: <200803191343.45516.fjwcash@gmail.com>
References:  <200803191334.54510.fjwcash@gmail.com> <200803191343.45516.fjwcash@gmail.com>

On March 19, 2008 01:43 pm Freddie Cash wrote:
> On March 19, 2008 01:34 pm Freddie Cash wrote:
> > Just curious if the following rule will work correctly.  It is
> > accepted by the ipfw command.  In the process of working out a test
> > for it, but thought I'd ask here as well, just to be sure.
> >
> > ipfw add allow { tcp or udp } from me     to any 53 out xmit fxp0
> > ipfw add allow { tcp or udp } from any 53 to me     in  recv fxp0 established
> >
> > Will the UDP packets go through correctly, even though "established"
> > has no meaning for UDP streams, and the ipfw command will barf if you
> > use it with just "ipfw add udp" rules?
>
> Hmm, from the looks of things, it doesn't work.  Even though it
> specifies both tcp and udp, the rule only matches tcp packets from an
> established connection.
>
> Perhaps a warning or error should be given when you try to use TCP
> options on rules that aren't TCP-specific?
>
> Or am I missing something here?

Guess I should probably have included a test case.  From "ipfw show" 
output:
00100  3 162 allow { tcp or udp } from me to any dst-port 53 out xmit fxp0

00110  0   0 allow { tcp or udp } from any 53 to me in recv fxp0 established

00120  3 409 allow { tcp or udp } from any 53 to me in recv fxp0

Without a "deny ip from any to any" rule instead of the last rule, UDP DNS 
requests fail.

-- 
Freddie Cash
fjwcash@gmail.com
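An added model of the first-match evaluation behind the counters above (not code from the thread or from ipfw itself; the "me" address and the reply packets are constructed, and only the options used in these three rules are modelled). It shows why rule 110 never counts a UDP reply: "established" tests TCP flags, which a UDP datagram does not have.

```python
from dataclasses import dataclass, field

ME = "192.0.2.10"  # constructed address standing in for ipfw's "me"

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" or "out"
    flags: set = field(default_factory=set)  # TCP flags, e.g. {"ACK"}
@dataclass
class Rule:
    number: int
    protos: set     # {"tcp"}, {"udp"} or {"tcp", "udp"}
    src: str        # "me" or "any"
    sport: int      # None means any port
    dst: str
    dport: int      # None means any port
    direction: str
    established: bool = False
    def matches(self, p: Packet) -> bool:
        if p.proto not in self.protos or p.direction != self.direction:
            return False
        if (self.src == "me" and p.src != ME) or (self.dst == "me" and p.dst != ME):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # "established" is a TCP-only test (RST or ACK set). A UDP packet has no
        # TCP flags, so it can never pass it, even inside a { tcp or udp } rule.
        if self.established and not (p.proto == "tcp" and p.flags & {"RST", "ACK"}):
            return False
        return True

def first_match(rules, p):
    """Number of the first matching rule, or 65535 (ipfw's default rule, deny)."""
    for r in rules:
        if r.matches(p):
            return r.number
    return 65535
# The three allow rules from the "ipfw show" output, in order, and constructed packets.
RULES = [Rule(100, {"tcp", "udp"}, "me", None, "any", 53, "out"),
         Rule(110, {"tcp", "udp"}, "any", 53, "me", None, "in", established=True),
         Rule(120, {"tcp", "udp"}, "any", 53, "me", None, "in")]
UDP_REPLY = Packet("udp", "198.51.100.1", ME, 53, 40000, "in")
TCP_REPLY = Packet("tcp", "198.51.100.1", ME, 53, 40000, "in", flags={"ACK"})
```

With only rules 100 and 110 loaded, the UDP reply falls through to the default rule, which is the failure the post describes.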