IPF block ACK packets

Hi!

I cannot figure out the settings for blocking ACK packets. In the IPFW firewall I have:
Code:
deny log tcp from any to any established in via $pif

I did read in IPF examples about TCP Flags (established) which is:
Code:
block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
I was not lucky, because I didn't get anything in the log, but IPFW blocks me from email (port 993 in).
I put on IPF firewall:

Code:
block in log quick on $ipf proto tcp from port = imaps flags SA

and nothing. I also use port 993, but it is the same.


What am I doing wrong, please?
 
block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
Hmm. That can't be right, because I think that it means SA is set, then it states /SA and SA not set. I do not use ipf, but I think that it means set and not set, which doesn't make sense.

You are trying to block S to and SA from port 993 (IMAP SSL)?
You will receive S, then send out SA. So shouldn't it be something like this?
Code:
block in quick proto tcp from any to any port = 993 flags S/SAFR
block out quick proto tcp from any port = 993 to any flags SA

Isn't that port used for email? Why would you want to block this traffic?
 
If you read my first post, you can see the settings in the ipfw firewall, and the firewall blocks all the time when I turn off my mailer; the IP and port is 993.
Because of that I try to set up something in the IPF firewall.
IMO it is no big problem, but I would like to have "Deny ACK packets that did not match the dynamic rule table".
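The two things the thread turns on are how ipf reads `flags S/SA` (the part after the slash is a mask of which flag bits are compared, not a list of flags that must be clear) and the order in which ipf evaluates a packet (the state table is consulted before the rule list, so a `block ... log` rule never sees the SYN+ACK reply to a connection that `keep state` already tracks, which is why such a rule logs nothing). The following toy model is an added example written for this thread; it is not ipf's code and not from any poster. The ruleset, the addresses and the packet sequence are constructed, the state table is keyed only on address/port pairs (real ipf also tracks sequence numbers), and the treatment of a bare flag set such as `flags SA` as "compare against all six flags" is an assumption to check against ipf(5) for the version in use.

```python
"""Toy model of ipf TCP evaluation: flags SET/MASK semantics, state table
first, then the rule list with 'quick' stopping evaluation.  Constructed
example for the thread above; it is not ipf's own code."""
from dataclasses import dataclass
from typing import Optional

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "FSRPAU"


def to_bits(flags: str) -> int:
    return sum(FLAG_BITS[c] for c in flags)


def parse_flags(spec: str):
    """'S/SA' -> (bits that must be set, bits that are compared).
    ASSUMPTION: a bare set such as 'SA' is compared against all six flags;
    check ipf(5) for the default your version applies."""
    if "/" in spec:
        want, mask = spec.split("/", 1)
    else:
        want, mask = spec, ALL_FLAGS
    return to_bits(want), to_bits(mask)


def flags_match(packet_flags: str, spec: str) -> bool:
    """ipf rule semantics: (packet_flags & MASK) == SET."""
    want, mask = parse_flags(spec)
    return (to_bits(packet_flags) & mask) == want


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    dport: Optional[int] = None  # 'to any port = N'
    flags: Optional[str] = None  # 'flags SET/MASK'
    keep_state: bool = False
    log: bool = False
    quick: bool = True


@dataclass
class Packet:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def simulate(rules, packets):
    """One (action, reason) per packet; reason is 'state', 'ruleN[ log]' or
    'default' (ipf passes a packet that no rule matches)."""
    state = set()
    results = []
    for p in packets:
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        if key in state:                      # state table is checked first
            results.append(("pass", "state"))
            continue
        matched, num = None, 0
        for n, r in enumerate(rules, 1):
            if r.direction != p.direction:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.flags is not None and not flags_match(p.flags, r.flags):
                continue
            matched, num = r, n
            if r.quick:
                break                         # without 'quick' the last match wins
        if matched is None:
            results.append(("pass", "default"))
            continue
        if matched.action == "pass" and matched.keep_state:
            state.add(key)
        results.append((matched.action, f"rule{num}" + (" log" if matched.log else "")))
    return results


# Constructed ruleset after the goal "deny ACK packets that matched no state":
RULES = [
    Rule("block", "in", flags="A/A", log=True),                   # 1: stray ACK, no state
    Rule("pass", "out", dport=993, flags="S/SA", keep_state=True),  # 2: our IMAPS client SYN
    Rule("block", "in", log=True),                                # 3: any other inbound TCP
    Rule("pass", "out"),                                          # 4: other outbound TCP
]

# Constructed packets: client 10.1.0.5 talks to IMAPS server 192.0.2.10.
PACKETS = [
    Packet("out", "10.1.0.5", 49152, "192.0.2.10", 993, "S"),    # client SYN
    Packet("in", "192.0.2.10", 993, "10.1.0.5", 49152, "SA"),    # server SYN+ACK
    Packet("out", "10.1.0.5", 49152, "192.0.2.10", 993, "A"),    # handshake completes
    Packet("in", "203.0.113.9", 443, "10.1.0.5", 40000, "A"),    # stray ACK, no state
    Packet("in", "203.0.113.9", 54321, "10.1.0.5", 22, "S"),     # unsolicited SYN
]

if __name__ == "__main__":
    for p, (action, reason) in zip(PACKETS, simulate(RULES, PACKETS)):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:3} {action} ({reason})")
```

Running it shows the SYN+ACK from port 993 passing via the state entry without ever reaching rule 1, while the stray ACK with no state entry is the only packet that rule 1 logs.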
 