"established" on { tcp or udp } rules

Vadim Goncharov vadim_nuclight at mail.ru
Tue Mar 25 12:26:37 PDT 2008


Hi Freddie Cash! 

On Mon, 24 Mar 2008 09:56:28 -0700; Freddie Cash wrote about 'Re: "established" on { tcp or udp } rules':

>>  This is the behaviour of ipfw2 - options are independently ANDed. Thus, the man page
>>  explicitly says:
>>
>>      established
>>              Matches TCP packets that have the RST or ACK bits set.
>>
>>  So, it is obvious that a UDP packet will not match and thus the entire rule will not
>>  match.
> Yeah, it's just weird that it lets you write a rule that will never match.

It's not. I don't want a compiler standing in my way.

> I'll have to fire up FreeBSD 4.11 (and possibly earlier with just
> ipfw1) in a VM and check things there.  I'm sure back in the 4.x days
> that ipfw would error out if you wrote a UDP rule with TCP options at
> the end, as that is what got me in the habit of writing separate UDP
> and TCP rules.
> Now that I found the { udp or tcp } syntax, I was rewriting some rules
> on a test firewall and noticed that it would accept a TCP option even if
> udp was listed.

In the 4.11 days and ipfw1 you were limited in what you could check at once, so
that check/complaint was ok. The new ipfw2 syntax allows you to write perfectly
valid rules with tcp/udp mixed in:

ipfw add allow { proto udp or established } out

That's an optimized short-catcher at the beginning of the ruleset. A machine is
hard to teach to properly recognize whether such a rule is a valid mix or not,
so it just must not complain. Of course, it is then the user's responsibility to check.
As always, Unix assumes you know what you do - if you rm a file, you can't
undelete it.

-- 
WBR, Vadim Goncharov. ICQ#166852181       mailto:vadim_nuclight at mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
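The ipfw2 matching semantics discussed in this thread (options independently ANDed, an `{ a or b }` block ORed internally, `established` matching only TCP with RST or ACK set), as an added example that is not part of the original post or of FreeBSD's code. It models a constructed packet and the three options used above, and adds a small brute-force lint that finds a rule no packet can match, which is the check the author says is left to the user.

```python
from dataclasses import dataclass, field
# Constructed model of ipfw2 rule-body evaluation (added example, not
# FreeBSD's code): every option is an independent predicate and the body
# matches only if ALL hold; an or-block "{ a or b }" holds if ANY member holds.

@dataclass
class Packet:
    proto: str                                # "tcp" or "udp"
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"ACK"}
    direction: str = "out"                    # "in" or "out"

ARGC = {"proto": 1, "established": 0, "in": 0, "out": 0}  # args per keyword

def match_option(opt, pkt):
    """Evaluate a single option string against a packet."""
    if opt.startswith("proto "):
        return pkt.proto == opt.split()[1]
    if opt == "established":   # man ipfw: TCP packets with RST or ACK set
        return pkt.proto == "tcp" and bool(pkt.flags & {"RST", "ACK"})
    if opt in ("in", "out"):
        return pkt.direction == opt
    raise ValueError(f"unsupported option: {opt}")

def parse_body(body):
    """'{ proto udp or established } out' -> [['proto udp', 'established'], 'out']"""
    tokens, opts, group, i = body.split(), [], None, 0
    while i < len(tokens):
        t = tokens[i]
        if t == "{":
            group = []
        elif t == "}":
            opts.append(group)
            group = None
        elif t != "or":
            (opts if group is None else group).append(" ".join(tokens[i:i + 1 + ARGC[t]]))
            i += ARGC[t]
        i += 1
    return opts

def rule_matches(body, pkt):
    """Top-level options are ANDed; members of an or-block are ORed."""
    def ev(opt):
        return any(ev(o) for o in opt) if isinstance(opt, list) else match_option(opt, pkt)
    return all(ev(o) for o in parse_body(body))

def is_dead_rule(body):
    """Brute-force lint: a rule no packet in the modelled space can match is dead."""
    space = [Packet(p, f, d) for p in ("tcp", "udp") for d in ("in", "out")
             for f in (set(), {"SYN"}, {"ACK"}, {"SYN", "ACK"}, {"RST"})]
    return not any(rule_matches(body, pkt) for pkt in space)
```

Running `is_dead_rule("proto udp established")` reports the never-matching rule from the thread, while the `{ proto udp or established } out` short-catcher passes and still lets a plain SYN fall through to later rules.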