"established" on { tcp or udp } rules

Freddie Cash fjwcash at gmail.com
Mon Mar 24 10:24:34 PDT 2008


On Thu, Mar 20, 2008 at 2:03 AM, Vadim Goncharov <vadim_nuclight at mail.ru> wrote:
>  This is behaviour of ipfw2 - options are independently ANDed. Thus, man page
>  explicitly says:
>
>      established
>              Matches TCP packets that have the RST or ACK bits set.
>
>  So, it is obvious that udp packet will not match and thus entire rule will not
>  match.

Yeah, it's just weird that it lets you write a rule that will never match.

I'll have to fire up FreeBSD 4.11 (and possibly earlier with just
ipfw1) in a VM and check things there.  I'm sure back in the 4.x days
that ipfw would error out if you wrote a UDP rule with TCP options at
the end, as that is what got me in the habit of writing separate UDP
and TCP rules.

Now that I found the { udp or tcp } syntax, I was rewriting some rules
on a test firewall and noticed that it would accept a TCP option even if
udp was listed.

-- 
Freddie Cash
fjwcash at gmail.com
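The point of the thread is that ipfw2 ANDs options independently, so a rule such as `allow { tcp or udp } from any to any established` is accepted but its udp branch can never match, since `established` only matches TCP packets with RST or ACK set. The following is an added illustration, not ipfw source or anything posted in the thread: a toy Python model of that matching logic for a small subset of the syntax (a proto or-block plus `established`; addresses and ports are parsed past and ignored), together with the load-time lint check the poster wishes ipfw had. Packet and rule structures, protocol numbers and function names are this example's own assumptions.

```python
# Added illustration (not ipfw source): a toy model of how ipfw2 ANDs
# rule options, plus a lint that flags the never-matching combination
# discussed in the thread.  Syntax and semantics are deliberately reduced
# to the pieces the thread talks about: a proto or-block and "established".
from dataclasses import dataclass, field
from typing import Optional, Set, List

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}
PROTO_NAMES = {v: k for k, v in PROTO_NUMBERS.items()}
TCP, UDP, ICMP = PROTO_NUMBERS["tcp"], PROTO_NUMBERS["udp"], PROTO_NUMBERS["icmp"]


@dataclass
class Packet:
    proto: int
    tcp_flags: Set[str] = field(default_factory=set)   # e.g. {"SYN"} or {"ACK"}


@dataclass
class Rule:
    action: str
    protos: Optional[Set[int]]      # None means "ip"/"all": any protocol
    established: bool = False


def parse_rule(text: str) -> Rule:
    """Parse a small subset of ipfw syntax, e.g.
    'allow { tcp or udp } from any to any established'.
    Addresses and ports are accepted but ignored by this model."""
    tokens = text.split()
    action, rest = tokens[0], tokens[1:]
    protos: Optional[Set[int]] = None
    established = False
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok == "{":
            # or-block: collect protocol names up to the closing brace
            j = rest.index("}", i)
            protos = {PROTO_NUMBERS[t] for t in rest[i + 1:j] if t != "or"}
            i = j + 1
            continue
        if tok in PROTO_NUMBERS:
            protos = {PROTO_NUMBERS[tok]}
        elif tok in ("ip", "all"):
            protos = None
        elif tok == "established":
            established = True
        # from/to/any/addresses/ports: not modelled here
        i += 1
    return Rule(action, protos, established)


def matches(rule: Rule, pkt: Packet) -> bool:
    """ipfw2 semantics: every option must match independently (AND)."""
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if rule.established:
        # "established" matches TCP packets with RST or ACK set; a non-TCP
        # packet has no TCP flags, so this option simply fails for it.
        if pkt.proto != TCP or not ({"RST", "ACK"} & pkt.tcp_flags):
            return False
    return True


def dead_protos(rule: Rule) -> List[str]:
    """Protocols listed in the rule that can never satisfy all options.
    This is the check the thread wishes ipfw did at rule-load time."""
    if not rule.established or rule.protos is None:
        return []
    return sorted(PROTO_NAMES[p] for p in rule.protos if p != TCP)


def rule_can_match(rule: Rule) -> bool:
    """False when no packet at all could match the rule."""
    if rule.protos is None:
        return True
    return bool({PROTO_NAMES[p] for p in rule.protos} - set(dead_protos(rule)))


if __name__ == "__main__":
    combined = parse_rule("allow { tcp or udp } from any to any established")
    print(matches(combined, Packet(UDP)))              # False: udp branch is dead
    print(matches(combined, Packet(TCP, {"ACK"})))     # True
    print(dead_protos(combined))                       # ['udp']
    # Separate rules, as the poster was in the habit of writing them:
    print(matches(parse_rule("allow udp from any to any"), Packet(UDP)))  # True
```

Running `dead_protos` over a ruleset before loading it is the cheap way to catch the silent no-op the thread describes; real ipfw has many more options that imply TCP (e.g. `setup`, `tcpflags`), which this model does not cover.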

