Date:      Wed, 19 Mar 2008 13:55:53 -0700
From:      Freddie Cash <fjwcash@gmail.com>
To:        Julian Elischer <julian@elischer.org>
Subject:   Re: "established" on { tcp or udp } rules
Message-ID:  <200803191355.54288.fjwcash@gmail.com>
Resent-Message-ID: <200803191356.46842.fjwcash@gmail.com>
In-Reply-To: <47E17BF9.1030403@elischer.org>
References:  <200803191334.54510.fjwcash@gmail.com> <47E17BF9.1030403@elischer.org>

On March 19, 2008 01:47 pm you wrote:
> Freddie Cash wrote:
> > Just curious if the following rule will work correctly.  It is
> > accepted by the ipfw command.  In the process of working out a test
> > for it, but thought I'd ask here as well, just to be sure.
> >
> > ipfw add { tcp or udp } from me     to any 53 out xmit fxp0
> > ipfw add { tcp or udp } from any 53 to me     in  recv fxp0
> > established
> >
> > Will the UDP packets go through correctly, even though "established"
> > has no meaning for UDP streams, and the ipfw command will barf if you
> > use it with just "ipfw add udp" rules?
>
> well, an action to do would be good..

D'oh, typo in the e-mail.  The rules are allow:

ipfw add allow { tcp or udp } from me     to any 53 out xmit fxp0

ipfw add allow { tcp or udp } from any 53 to me     in  recv fxp0 established

>   as for the question of whether UDP ... established evaluates to true
> or false, I would guess false but you'll have to test.

See my follow-up e-mail.  It appears that UDP packets don't match due to 
the established keyword.

It appears that:
ipfw add allow tcp from any to me in recv fxp0 established

and

ipfw add allow { tcp or udp } from any to me in recv fxp0 established

are functionally the same.  Perhaps a warning should be emitted when one 
tries to add the rule?

Hrm, it seems something is different with ipfw on 6.3.  One can add:

ipfw add allow udp from any to any established

without any errors or warnings, but it will never match any packets.  I'm 
sure back in the 4.x days when I started using ipfw that it would error 
out with something along the lines of "TCP options can't be used with UDP 
rules".

-- 
Freddie Cash
fjwcash@gmail.com



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803191355.54288.fjwcash>
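The silent mismatch described in the message above comes from the ipfw(8) semantics of "established": it matches only TCP segments with the ACK or RST bit set, so inside a "{ tcp or udp } ... established" rule the UDP half can never be true and UDP DNS replies fall through to the default rule. The following script is an added example, not code from the thread or from the FreeBSD project; it splits the reply rule so TCP keeps "established" and UDP gets its own rule, and shows the stateful keep-state/check-state alternative. The interface name fxp0, the rule numbers 1000-1020 and the dry-run wrapper are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): DNS client rules for
# fxp0 that avoid the silent UDP mismatch. ipfw's "established" option only
# matches TCP segments carrying ACK or RST, so "{ tcp or udp } ... established"
# can never match a UDP packet.
# Assumptions: interface fxp0 (override with IFACE=...), rule numbers
# 1000-1020 are unused, and an ipfw with keep-state/check-state support.
# When ipfw is not installed, or IPFW=echo is set, the commands are printed
# instead of loaded (dry run).

IFACE="${IFACE:-fxp0}"
if command -v ipfw >/dev/null 2>&1 && [ -z "$IPFW" ]; then
    IPFW=ipfw
else
    IPFW=echo   # dry run: print the rules instead of loading them
fi

# Stateless variant. The TCP reply rule keeps "established"; the UDP reply
# rule cannot use it, so it matches replies by source port 53 only.
dns_rules_stateless() {
    $IPFW add 1000 allow { tcp or udp } from me to any 53 out xmit "$IFACE"
    $IPFW add 1010 allow tcp from any 53 to me in recv "$IFACE" established
    $IPFW add 1020 allow udp from any 53 to me in recv "$IFACE"
}

# Stateful variant. keep-state on the outbound rule records the flow
# (UDP or TCP) in a dynamic rule, and check-state admits only replies that
# belong to a recorded flow, so no inbound "from any 53" rule is needed.
dns_rules_stateful() {
    $IPFW add 1000 check-state
    $IPFW add 1010 allow { tcp or udp } from me to any 53 out xmit "$IFACE" keep-state
}

# Load (or print) one of the two variants; the stateful one is the default.
case "${1:-stateful}" in
    stateless) dns_rules_stateless ;;
    stateful)  dns_rules_stateful ;;
    *) echo "usage: $0 [stateless|stateful]" >&2; exit 2 ;;
esac
```

Run it as root on the firewall host to load the rules, or with IPFW=echo anywhere to review the exact ipfw command lines first. The stateless variant is the direct fix for the rules in the thread; the stateful variant is tighter because an unsolicited packet from source port 53 no longer matches anything.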