Date: Tue, 26 Jul 2005 17:51:34 -0700
From: garys@opusnet.com (Gary W. Swearingen)
To: freebsd-questions@freebsd.org
Subject: Can someone clarify ipfw's in/out/recv/xmit/via concepts?
Message-ID: <3tll3tystl.l3t@mail.opusnet.com>
I see in another msg that I'm not the only one scratching my head over the ipfw manpage's explanation of in/out/recv/xmit/via concepts. I've spent many hours reading that manpage and working on my rc.firewall (and it seems to work OK, based on the logging), but I can't figure out what it's trying to tell me, even with that nice ASCII art. (I hope your replies will help me get some clarifications into the manpage.)

          ^    to upper layers    v
          |                       |
          +----------->-----------+
          ^                       v
     [ip_input]              [ip_output]     net.inet.ip.fw.enable=1
          |                       |
          ^                       v
    [ether_demux]      [ether_output_frame]  net.link.ether.ipfw=1
          |                       |
          +-->--[bdg_forward]-->--+          net.link.ether.bridge_ipfw=1
          ^                       v
          |      to devices       |
          +                       +
       FROM BOTH               TO BOTH
        NICS?                   NICS?

Here's a pic of my firewall:

    +------------------------------+
    |  +-------------------------+ |
    |  |         KERNEL          | |
    |  +-------------------------+ |
    |     | |              | |     |
    |     v ^              v ^     |
    |     | |              | |     |
    |   +-----+          +-----+   |
    |   | NIC |    FW    | NIC |   |
    |   +-----+          +-----+   |
    |     | |              | |     |
    +------------------------------+
          | |              | |
          v ^              v ^
          | |              | |
         WAN              LAN

The manpage says we have incoming and outgoing packets. In and out of what? NIC or kernel or ipfw or computer?

The manpage describes:

    recv | xmit | via {ifX | if* | ipno | any}

Is my "de0" an "ifX" or an "if*"? ("exact name" or "device name") What would be an example of the other?

Does "ipno" mean a numerical Internet address? (It's not mentioned elsewhere in the manpage.)

Does each of my NICs have both of the manpage's xmit and recv interfaces, or is one an xmit and one a recv for any one packet rule?

If an incoming packet can be associated with an xmit interface, why can't an outgoing packet be associated with a recv interface?

P.S. It seems that some people do their blocking of packets going from LAN to WAN "on" (so to speak) the LAN interface, some on the WAN interface, and some on both. It doesn't seem to make much difference on a pure firewall, except for rule-writing convenience. Right?
I suppose it would be best to put blocks everywhere possible or at least "where" the packets enter the computer. Right? Help!!