Date:      Tue, 25 Jul 2000 12:04:26 -0700 (PDT)
From:      Mike Hoskins <mike@adept.org>
To:        Dan O'Connor <dan@mostgraveconcern.com>
Cc:        cjclark@alum.mit.edu, Stephen Montgomery-Smith <stephen@math.missouri.edu>, freebsd-security@FreeBSD.ORG
Subject:   Re: Problems with natd and simple firewall
Message-ID:  <Pine.BSF.4.21.0007251154470.27676-100000@snafu.adept.org>
In-Reply-To: <015601bff607$1c48cbc0$029b140a@danco>

On Tue, 25 Jul 2000, Dan O'Connor wrote:

> I'm confused as to how ipfw treats packets with forwarding turned on, but
> without NAT. Packets that aren't natted supposedly only make one trip
> through the rules, so does ipfw check the packet as if it exists on both
> interfaces (in on one, out on the other) at the same time?

Well...  Using only ipfw(8) as reference,

  The via keyword causes the interface to always be checked.  If
  recv or xmit is used instead of via, then the only receive or
  transmit interface (respectively) is checked.  By specifying
  both, it is possible to match packets based on both receive 
  and transmit interface...

And from 'CHECKLIST',

  o   Remember that you filter both packets going in and out. Most
      connections need packets going in both directions.

Elsewhere...

  Remember in fact that ipfw rules are checked both on incoming and
  outgoing packets.

So it seems default behavior is to check all rules for packets on all
interfaces...  For that reason, the via and recv/xmit keywords give 
flexibility to 'modify' that behavior.

-mrh
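As an added illustration (not part of the original thread or of ipfw itself), a small Python model of the two-pass evaluation the reply describes: a routed, non-NAT packet is matched once on input, when only the receive interface is known, and once on output, when both are known, so `via` can fire on either pass while `recv` and `xmit` pin a rule to one side. The interface names ed0/ed1 and both rule sets are constructed for the example.

```python
from typing import List, Optional, Tuple

class Rule:
    """One ipfw-style rule, reduced to its interface qualifiers."""
    def __init__(self, number: int, action: str, via: Optional[str] = None,
                 recv: Optional[str] = None, xmit: Optional[str] = None):
        self.number, self.action = number, action
        self.via, self.recv, self.xmit = via, recv, xmit

    def matches(self, recv_if: str, xmit_if: Optional[str]) -> bool:
        # 'via' matches if the packet arrived on OR will leave through the interface;
        # 'recv' checks only the receive side; 'xmit' only the transmit side, which
        # is still unknown (None) on the input pass, so 'xmit' never matches there.
        if self.via is not None and self.via not in (recv_if, xmit_if):
            return False
        if self.recv is not None and self.recv != recv_if:
            return False
        if self.xmit is not None and self.xmit != xmit_if:
            return False
        return True

def first_match(rules: List[Rule], recv_if: str, xmit_if: Optional[str]) -> Rule:
    """First-match semantics; rule 65535 'deny' stands in for the default rule."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(recv_if, xmit_if):
            return r
    return Rule(65535, "deny")

def forward(rules: List[Rule], in_if: str, out_if: str) -> Tuple[str, list]:
    """Evaluate a routed (non-NAT) packet: input pass, then output pass.
    Returns the verdict and a trace of (pass, rule number, action)."""
    trace = []
    r = first_match(rules, in_if, None)          # input pass: xmit not known yet
    trace.append(("in", r.number, r.action))
    if r.action != "allow":
        return "dropped", trace
    r = first_match(rules, in_if, out_if)        # output pass: both interfaces known
    trace.append(("out", r.number, r.action))
    return ("forwarded" if r.action == "allow" else "dropped"), trace

# Constructed rule sets; ed0 = outside, ed1 = inside (names are assumptions).
SIMPLE = [Rule(100, "allow", recv="ed1"),   # anything arriving from inside
          Rule(200, "allow", xmit="ed0"),   # anything leaving via outside
          Rule(300, "deny", via="ed0")]     # anything else touching outside
NAIVE = [Rule(100, "deny", via="ed0"),      # 'via' also fires on the output pass...
         Rule(200, "allow")]                # ...so inside->outside traffic dies there

if __name__ == "__main__":
    print(forward(SIMPLE, "ed1", "ed0"))  # ('forwarded', [('in', 100, 'allow'), ('out', 100, 'allow')])
    print(forward(SIMPLE, "ed0", "ed1"))  # ('dropped', [('in', 300, 'deny')])
    print(forward(NAIVE, "ed1", "ed0"))   # ('dropped', [('in', 200, 'allow'), ('out', 100, 'deny')])
```

The NAIVE set shows the trap behind the original question: a rule written as if it only sees the outside interface on input is also evaluated on the output pass, where the transmit interface is now ed0.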


