From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 16 04:01:26 2015
Message-ID: <552F2F82.1060506@freebsd.org>
Date: Thu, 16 Apr 2015 11:41:54 +0800
From: Julian Elischer <julian@freebsd.org>
To: hiren panchasara, freebsd-ipfw@freebsd.org
CC: nitroboost@gmail.com
Subject: Re: ipfw on just inbound and not outbound
References: <20150414210901.GA10620@strugglingcoder.info>
In-Reply-To: <20150414210901.GA10620@strugglingcoder.info>
List-Id: IPFW Technical Discussions

On 4/15/15 5:09 AM, hiren panchasara wrote:
> Apologies if this is something silly but I want to completely eliminate
> ipfw from outgoing traffic perspective. I just want to have it on
> incoming. I can always add "allow ip from any to any out" as the first
> rule but that is still ipfw doing something.
>
> Is there a way to tell ipfw to not look at outbound traffic at all?

no

> OR, the rule I mentioned is the best that can be done here?

yes

this touches on something I've been thinking of for a while.. per
interface/direction rule sets. but that doesn't exist yet.

you could write a kernel module that would disconnect the outgoing packet
filter hooks but "hack" comes to mind as a description there.

actually.... you could use the ipfw netgraph hook and only hook it up for
incoming packets, but it would probably be not much more efficient than
just having the rule, and more complicated to set up.

> cheers,
> Hiren
>
> ps: Please keep me cc'd as I am not subscribed.
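The approach both posters settle on, an "allow ip from any to any out" as the very first rule so that the rest of the list is only ever evaluated for inbound packets, as an added example that is not part of the thread and not FreeBSD's own rc.firewall. The rules below 100, the interface name em0 and the fwcmd variable are constructed placeholders; only the first rule comes from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): an ipfw ruleset that short-circuits
# outbound traffic on the first rule. ipfw is still called on the outbound
# pfil hook, as the thread notes, but the rule search stops at rule 100, so
# the inbound policy below it costs nothing on egress.

# ipfw binary; set fwcmd=echo to dry-run and print what would be installed.
fwcmd="${fwcmd:-/sbin/ipfw}"

# Emit the rules in installation order, one per line. Everything except
# rule 100 is a placeholder inbound policy for an assumed interface em0.
inbound_only_ruleset() {
	cat <<'EOF'
add 100 allow ip from any to any out
add 200 allow ip from any to any via lo0
add 300 check-state
add 400 allow tcp from any to me 22 in via em0 setup keep-state
add 500 allow icmp from any to any in icmptypes 0,3,8,11
add 65000 deny log ip from any to any in
EOF
}

# Sanity check before touching the kernel: the first rule must be the
# outbound short-circuit, otherwise outbound packets would be matched
# against the inbound policy and hit the catch-all deny.
first_rule_is_outbound_allow() {
	first="$(inbound_only_ruleset | head -n 1)"
	[ "$first" = "add 100 allow ip from any to any out" ]
}

# Flush the current ruleset and install the rules one at a time.
apply_ruleset() {
	first_rule_is_outbound_allow || {
		echo "refusing to install: rule 100 is not the outbound allow" >&2
		return 1
	}
	$fwcmd -q flush
	inbound_only_ruleset | while IFS= read -r rule; do
		# word splitting of $rule into ipfw arguments is intended here
		$fwcmd -q $rule
	done
}
```

Running `fwcmd=echo apply_ruleset` shows the exact ipfw invocations without changing the live firewall; the guard in apply_ruleset exists because a ruleset that reorders or drops rule 100 silently turns an inbound-only policy into a full bidirectional one.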