From: Jeremie Le Hen
To: freebsd-ipfw@FreeBSD.ORG, vladone
Date: Fri, 16 Sep 2005 14:27:51 +0200
Subject: Re: in via or in recv
Message-ID: <20050916122751.GC51142@obiwan.tataz.chchile.org>

Hi,

> vladone wrote:
> > What is the difference between:
> > 1. in via - in recv
>
> No difference.  When checking incoming packets (which "in"
> means), only the receiving interface is known, but not yet
> the transmitting interface, so "via" and "recv" do the same
> thing in that case.
>
> > 2. out via - out xmit
>
> When checking outgoing packets ("out"), both the receiving
> and the transmitting interface are known, so "via" compares
> with both, while "xmit" only compares with the transmitting
> interface.  That's why "xmit" can only be used with "out",
> not with "in", while "recv" can be used with both "out" and
> "in".
>
> All of that is explained in detail in the ipfw(8) manpage.
>
> > When do I need to use one variant or another?
>
> That depends on what you want to do.  In my experience
> there is rarely a need for "via".  Usually you only need
> "recv" and "xmit" (optionally combined with "in" and "out"
> as appropriate for your rules).

Given that this question is regularly asked, I've just written a
webpage explaining the difference among "via", "xmit" and "recv",
based on what has been said here in the past and my own understanding
of ipfw code.

http://tataz.chchile.org/~tataz/ipfw_via_recv_xmit.html

This is quite short to read, and I would like some feedback on it.

Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
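
The "recv"/"xmit" behaviour discussed in this thread, as an added example that is not part of the original message and is not ipfw's own code: a small Python model of which interface options can match on the "in" and "out" passes. The interface names em0 and em1, the sample packets and the Rule/Packet classes are constructed for illustration; the fact that locally generated packets have no receive interface comes from ipfw(8), and "via" is deliberately left out of the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out": which pass ipfw is checking
    rcvif: Optional[str]    # receive interface; None if locally generated
    oif: Optional[str]      # transmit interface; None (unknown) on "in"


@dataclass(frozen=True)
class Rule:
    direction: Optional[str] = None   # None means no in/out option given
    recv: Optional[str] = None
    xmit: Optional[str] = None

    def __post_init__(self):
        # The transmit interface is only known on the outgoing pass.
        if self.xmit is not None and self.direction != "out":
            raise ValueError("xmit can only be used with out")

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.recv is not None and pkt.rcvif != self.recv:
            return False
        if self.xmit is not None and pkt.oif != self.xmit:
            return False
        return True


# Constructed sample packets; em0 (inside) and em1 (outside) are made-up names.
PACKETS = {
    "inbound on em0": Packet("in", "em0", None),
    "forwarded em0->em1": Packet("out", "em0", "em1"),
    "local origin out em1": Packet("out", None, "em1"),
}

RULES = {
    "in recv em0": Rule("in", recv="em0"),
    "out xmit em1": Rule("out", xmit="em1"),
    "out recv em0 xmit em1": Rule("out", recv="em0", xmit="em1"),
    "recv em0": Rule(recv="em0"),
}


def evaluate():
    """Return, for each rule, the labels of the sample packets it matches."""
    return {name: [label for label, pkt in PACKETS.items() if rule.matches(pkt)]
            for name, rule in RULES.items()}
```

Combining "recv" and "xmit" on the outgoing pass is what separates forwarded traffic from traffic the firewall host itself originates, which a bare "out xmit em1" rule does not do.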