From owner-freebsd-questions@FreeBSD.ORG Wed Jul 27 00:50:56 2005
From: garys@opusnet.com (Gary W. Swearingen)
To: freebsd-questions@freebsd.org
Date: Tue, 26 Jul 2005 17:51:34 -0700
Message-ID: <3tll3tystl.l3t@mail.opusnet.com>
Subject: Can someone clarify ipfw's in/out/recv/xmit/via concepts?

I see in another msg that I'm not the only one scratching my head over the ipfw manpage's explanation of in/out/recv/xmit/via concepts.
I've spent many hours reading that manpage and working on my rc.firewall (and it seems to work OK, based on the logging), but I can't figure out what it's trying to tell me, even with that nice ASCII art. (I hope your replies will help me get some clarifications into the manpage.)

      ^     to upper layers   v
      |                       |
      +----------->-----------+
      ^                       v
 [ip_input]              [ip_output]        net.inet.ip.fw.enable=1
      |                       |
      ^                       v
[ether_demux]      [ether_output_frame]     net.link.ether.ipfw=1
      |                       |
      +-->--[bdg_forward]-->--+             net.link.ether.bridge_ipfw=1
      ^                       v
      |       to devices      |
      +                       +
   FROM BOTH               TO BOTH
     NICS?                   NICS?

Here's a pic of my firewall:

  +------------------------------+
  | +-------------------------+  |
  | |         KERNEL          |  |
  | +-------------------------+  |
  |   |  |               |  |    |
  |   v  ^               v  ^    |
  |   |  |               |  |    |
  | +-----+            +-----+   |
  | | NIC |     FW     | NIC |   |
  | +-----+            +-----+   |
  |   |  |               |  |    |
  +------------------------------+
      |  |               |  |
      v  ^               v  ^
      |  |               |  |
     WAN                LAN

The manpage says we have incoming and outgoing packets. In and out of what? NIC or kernel or ipfw or computer?

The manpage describes:

    recv | xmit | via {ifX | if* | ipno | any}

Is my "de0" an "ifX" or an "if*"? ("exact name" or "device name") What would be an example of the other?

Does "ipno" mean a numerical Internet address? (It's not mentioned elsewhere in the manpage.)

Does each of my NICs have both of the manpage's xmit and recv interfaces, or is one an xmit and one a recv for any one packet rule?

If an incoming packet can be associated with an xmit interface, why can't an outgoing packet be associated with a recv interface?

P.S. It seems that some people do their blocking of packets going from LAN to WAN "on" (so to speak) the LAN interface, some on the WAN interface, and some on both. It doesn't seem to make much difference on a pure firewall, except for rule-writing convenience. Right? I suppose it would be best to put blocks everywhere possible or at least "where" the packets enter the computer. Right?

Help!!
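The following is an added example, not part of the original post and not FreeBSD code. It is a small model of how ipfw(8) sees a packet's receive and transmit interfaces during the two passes in the manpage diagram above (ip_input for "in", ip_output for "out"), and of what the recv / xmit / via keywords and the ifX / if* / ipno / any interface specs actually test. The interface names (de0 as WAN, de1 as LAN), their addresses, the packets and the three rulesets are made up; the semantics follow the ipfw manpage: on the input pass routing has not happened, so only the receive interface is known; on the output pass of a forwarded packet both are known; a packet the host itself generates has no receive interface and is only checked on output; a packet addressed to the host has no transmit interface and is only checked on input; via tests either interface, recv and xmit test exactly one, and xmit may only be combined with out. The three rulesets correspond to the three placements described in the P.S. (block on the LAN interface, on the WAN interface, or on both).

```python
"""Model of how ipfw's in/out/recv/xmit/via options see a packet.

Added example: not from the original mailing-list post or from FreeBSD.
Interface names (de0 = WAN, de1 = LAN), addresses, packets and rulesets
are constructed for illustration.  Matching follows ipfw(8): a forwarded
packet is checked once on input (recv known, xmit not yet known) and once
on output (both known); a host-originated packet has no recv interface
and is only checked on output; a host-destined packet has no xmit
interface and is only checked on input.  The default rule denies.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed interface table (name -> IP) so the "ipno" form can be shown.
IFACES = {"de0": "192.0.2.10", "de1": "192.168.1.1"}


@dataclass
class Packet:
    recv: Optional[str]   # interface the packet arrived on; None if host-originated
    xmit: Optional[str]   # interface it leaves on; None if destined for the host


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # "in", "out" or None (either)
    recv: Optional[str] = None       # ifX (de0), if* (de*), ipno or "any"
    xmit: Optional[str] = None
    via: Optional[str] = None

    def __post_init__(self):
        # ipfw(8): xmit can only be tested on outgoing packets, so 'out'
        # is required (and 'in' is invalid) whenever xmit is used.
        if self.xmit is not None and self.direction != "out":
            raise ValueError("xmit requires out")


def iface_matches(spec: str, ifname: Optional[str]) -> bool:
    """Match an interface spec (de0, de*, an interface IP, or any) against a name.

    A packet that has no such interface (None) never matches, not even "any".
    """
    if ifname is None:
        return False
    if spec == "any":
        return True
    try:  # ipno form: compare against the address configured on the interface
        return ipaddress.ip_address(spec) == ipaddress.ip_address(IFACES[ifname])
    except ValueError:  # not an address: exact name (ifX) or device glob (if*)
        return fnmatch.fnmatchcase(ifname, spec)


def rule_matches(rule: Rule, pkt: Packet, pass_: str) -> bool:
    """Evaluate one rule during the "in" (ip_input) or "out" (ip_output) pass."""
    # Routing has not run on the input pass, so xmit is unknown there.
    xmit = pkt.xmit if pass_ == "out" else None
    if rule.direction is not None and rule.direction != pass_:
        return False
    if rule.recv is not None and not iface_matches(rule.recv, pkt.recv):
        return False
    if rule.xmit is not None and not iface_matches(rule.xmit, xmit):
        return False
    if rule.via is not None and not (
        iface_matches(rule.via, pkt.recv) or iface_matches(rule.via, xmit)
    ):
        return False
    return True


def first_match(rules, pkt, pass_):
    """Action of the first matching rule; the default rule 65535 denies."""
    for rule in rules:
        if rule_matches(rule, pkt, pass_):
            return rule.action
    return "deny"


def trace(rules, pkt):
    """Run only the passes this packet really goes through.

    Returns {"in": action-or-None, "out": action-or-None}; a pass the
    packet never reaches (or is dropped before) is reported as None.
    """
    result = {"in": None, "out": None}
    if pkt.recv is not None:                  # arrived on a NIC: ip_input
        result["in"] = first_match(rules, pkt, "in")
        if result["in"] == "deny":
            return result                     # dropped; never reaches ip_output
    if pkt.xmit is not None:                  # leaving on a NIC: ip_output
        result["out"] = first_match(rules, pkt, "out")
    return result


# Constructed packets: LAN->WAN forwarded, WAN->this host, this host->WAN.
LAN_TO_WAN = Packet(recv="de1", xmit="de0")
WAN_TO_HOST = Packet(recv="de0", xmit=None)
HOST_TO_WAN = Packet(recv=None, xmit="de0")

# Three ways of "blocking LAN to WAN" as in the P.S. of the question.
BLOCK_ON_LAN_IF = [Rule("deny", "in", recv="de1"), Rule("allow", via="any")]
BLOCK_ON_WAN_IF = [Rule("deny", "out", xmit="de0"), Rule("allow", via="any")]
BLOCK_ON_BOTH = [Rule("deny", "out", recv="de1", xmit="de0"), Rule("allow", via="any")]

if __name__ == "__main__":
    for rname, rules in [("lan", BLOCK_ON_LAN_IF), ("wan", BLOCK_ON_WAN_IF), ("both", BLOCK_ON_BOTH)]:
        for pname, pkt in [("lan->wan", LAN_TO_WAN), ("wan->host", WAN_TO_HOST), ("host->wan", HOST_TO_WAN)]:
            print(f"block on {rname:4} {pname:10} {trace(rules, pkt)}")
```

Running the model shows that the three placements are not equivalent: "deny in recv de1" drops the forwarded packet already on the input pass but also drops LAN packets addressed to the firewall itself; "deny out xmit de0" drops it on the output pass but also drops packets the firewall itself generates towards the WAN (which have no recv interface); "deny out recv de1 xmit de0" drops only the forwarded LAN-to-WAN packet and leaves the other two alone. Under these assumptions the same holds for the ifX/if*/ipno forms: de0 is an exact name, de* is a device-name pattern covering all de interfaces, and an address such as 192.168.1.1 selects the interface that has it configured.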