Date:      Tue, 26 Jul 2005 21:17:39 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        "Gary W. Swearingen" <garys@opusnet.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Can someone clarify ipfw's in/out/recv/xmit/via concepts?
Message-ID:  <42E6E0B3.20409@mac.com>
In-Reply-To: <3tll3tystl.l3t@mail.opusnet.com>
References:  <3tll3tystl.l3t@mail.opusnet.com>

Gary W. Swearingen wrote:
[ ... ]
> The manpage says we have incoming and outgoing packets.
> In and out of what?

Into and out of the system.

> NIC or kernel or ipfw or computer?

Yes, all of those.

> The manpage describes:
>      recv | xmit | via {ifX | if* | ipno | any}
> 
> Is my "de0" an "ifX" or an "if*"?
> ("exact name" or "device name")

"de0" is an "ifX".

> What would be an example of the other?

"de*"?

> Does "ipno" mean a numerical Internet address?
> (It's not mentioned elsewhere in the manpage.)

I think so.

> Does each of my NICs have both of the manpage's xmit and recv
> interfaces, or is one an xmit and one a recv for any one packet rule?

Each of your NICs is logically a full-duplex device, which can both xmit and recv.

> If an incoming packet can be associated with an xmit interface, why
> can't an outgoing packet be associated with a recv interface?

A packet which was created on the machine does not have an interface which it 
was received on.  Packets which are being forwarded from other machines would 
have a recv interface.

> It seems that some people do their blocking of packets
> going from LAN to WAN "on" (so to speak) the LAN interface, some on
> the WAN interface, and some on both.  It doesn't seem to make much
> difference on a pure firewall, except for rule-writing convenience.
> Right?

That depends entirely upon the rules; it's not useful to make a generalization 
like that without a more specific context.

Normally, people should use the "xmit via ifX" syntax for pipe/queue rules to 
avoid counting traffic twice as the packets pass through, but they can also be 
used to ensure that, say, traffic to 127.0.0.1 only goes through lo0, and not 
through some external connection by someone trying to source-route in as localhost.

> I suppose it would be best to put blocks everywhere possible
> or at least "where" the packets enter the computer.  Right?

If you are creating a firewall, you need to create a network topology which 
permits you to control network access, which means restricting traffic which 
flows over well-defined choke points (i.e., your external internet links).

-- 
-Chuck
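The recv/xmit/via distinctions in the reply above are easiest to see by tracing a packet through each pass it makes. The script below is an added illustration written for this page, not code from the thread or from FreeBSD: it models ipfw(8)'s documented matching for `recv`, `xmit` and `via` on inbound, outbound and forwarded passes, with constructed interface names (`de0`, `de1`, `lo0`), constructed addresses, and rule sets built only to show the two points Chuck makes: a pipe rule without `out xmit ifX` counts a forwarded packet twice, and a `via lo0` rule lets 127/8 traffic through only on the loopback interface.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class PacketPass:
    """One pass of a packet through ipfw, with the two interfaces ipfw can test."""
    src: str
    dst: str
    recv_if: Optional[str]  # interface the packet arrived on; None if this host generated it
    xmit_if: Optional[str]  # interface it is about to leave on; None on an inbound pass

    @property
    def direction(self) -> str:
        # ipfw treats a pass as "out" exactly when an output interface is known
        return "out" if self.xmit_if is not None else "in"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "allow", "deny", "pipe 1", ...
    src: str = "any"                  # "any", an address, or a CIDR network
    dst: str = "any"
    direction: Optional[str] = None   # None, "in" or "out"
    iface_op: Optional[str] = None    # None, "recv", "xmit" or "via"
    iface: str = "any"                # "de0" (ifX), "de*" (if*) or "any"


def passes_for(src, dst, recv_if, xmit_if):
    """The passes a packet makes: inbound only (local delivery), outbound only
    (locally generated), or inbound then outbound (forwarded)."""
    result = []
    if recv_if is not None:
        result.append(PacketPass(src, dst, recv_if, None))
    if xmit_if is not None:
        result.append(PacketPass(src, dst, recv_if, xmit_if))
    return result


def addr_matches(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def iface_matches(spec, name):
    # An interface that does not exist on this pass never matches, not even "any":
    # that is why "recv" cannot match a packet this host generated.
    if name is None:
        return False
    return spec == "any" or fnmatchcase(name, spec)


def rule_matches(rule, p):
    if rule.direction is not None and rule.direction != p.direction:
        return False
    if not (addr_matches(rule.src, p.src) and addr_matches(rule.dst, p.dst)):
        return False
    if rule.iface_op == "recv":
        return iface_matches(rule.iface, p.recv_if)
    if rule.iface_op == "xmit":
        return iface_matches(rule.iface, p.xmit_if)
    if rule.iface_op == "via":
        # "via" tests whichever interface the packet is crossing on this pass
        return iface_matches(rule.iface, p.xmit_if or p.recv_if)
    return True


def verdicts(rules, src, dst, recv_if, xmit_if):
    """First-match action for each pass of the packet (None if nothing matched)."""
    ordered = sorted(rules, key=lambda r: r.number)
    return [next((r.action for r in ordered if rule_matches(r, p)), None)
            for p in passes_for(src, dst, recv_if, xmit_if)]


def pipe_hits(rules, src, dst, recv_if, xmit_if):
    """How many times one packet would be fed into a pipe: the double-counting question."""
    return sum(1 for v in verdicts(rules, src, dst, recv_if, xmit_if)
               if v is not None and v.startswith("pipe"))


# Rule sets constructed for this demonstration (not taken from the thread).
DEFAULT_ALLOW = Rule(65535, "allow")
NAIVE_SHAPER = [Rule(100, "pipe 1"), DEFAULT_ALLOW]
XMIT_SHAPER = [Rule(100, "pipe 1", direction="out", iface_op="xmit", iface="de0"), DEFAULT_ALLOW]
LOOPBACK_GUARD = [
    Rule(100, "allow", iface_op="via", iface="lo0"),
    Rule(200, "deny", dst="127.0.0.0/8"),  # 127/8 arriving any other way did not come from lo0
    DEFAULT_ALLOW,
]

if __name__ == "__main__":
    # a forwarded packet arrives on de1 and leaves on de0, so ipfw sees it twice
    print("naive shaper hits:", pipe_hits(NAIVE_SHAPER, "10.0.0.5", "198.51.100.7", "de1", "de0"))
    print("xmit shaper hits: ", pipe_hits(XMIT_SHAPER, "10.0.0.5", "198.51.100.7", "de1", "de0"))
    print("127/8 from de0:   ", verdicts(LOOPBACK_GUARD, "10.0.0.5", "127.0.0.1", "de0", None))
    print("127/8 from lo0:   ", verdicts(LOOPBACK_GUARD, "127.0.0.1", "127.0.0.1", "lo0", None))
```

Running it shows the naive shaper charging the forwarded packet to the pipe on both passes while the `out xmit de0` form charges it once, and the loopback guard denying a 127.0.0.1 destination that arrived on `de0` while the same destination arriving on `lo0` is allowed. The `iface_matches` check is the detail behind the "no recv interface" answer: on a locally generated packet `recv_if` is `None`, so `recv any` cannot match it, while `via` falls back to the receive interface only on an inbound pass.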
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42E6E0B3.20409>