From owner-freebsd-security Tue Jul 25 12: 4:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id ABE9237B993 for ; Tue, 25 Jul 2000 12:04:50 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id 8510B9EE01; Tue, 25 Jul 2000 12:04:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 819DE9B001; Tue, 25 Jul 2000 12:04:26 -0700 (PDT)
Date: Tue, 25 Jul 2000 12:04:26 -0700 (PDT)
From: Mike Hoskins
To: Dan O'Connor
Cc: cjclark@alum.mit.edu, Stephen Montgomery-Smith, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <015601bff607$1c48cbc0$029b140a@danco>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 25 Jul 2000, Dan O'Connor wrote:

> I'm confused as to how ipfw treats packets with forwarding turned on, but
> without NAT. Packets that aren't natted supposedly only make one trip
> through the rules, so does ipfw check the packet as if it exists on both
> interfaces (in on one, out on the other) at the same time?

Well... Using only ipfw(8) as reference,

   The via keyword causes the interface to always be checked. If recv or
   xmit is used instead of via, then only the receive or transmit
   interface (respectively) is checked. By specifying both, it is possible
   to match packets based on both receive and transmit interface...

And from 'CHECKLIST',

   o Remember that you filter both packets going in and out. Most
     connections need packets going in both directions.

Elsewhere...

   Remember in fact that ipfw rules are checked both on incoming and
   outgoing packets.

So it seems default behavior is to check all rules for packets on all
interfaces... For that reason, the via and recv/xmit keywords give
flexibility to 'modify' that behavior.

-mrh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
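The following is an added example, not part of the mailing-list message above: a small Python model of the ipfw(8) behaviour the reply quotes, namely that a forwarded packet is checked once on input and once on output, and that via, recv and xmit select which interface each pass tests. The interface names (ed0, ed1), rule numbers, rulesets and the default-deny fall-through are constructed for the example; treating via as "the interface current for this pass" (receive interface on input, transmit interface on output) is a modelling assumption drawn from the quoted man-page text.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Pass:
    """One trip of a packet through the rule list. ipfw checks a forwarded
    packet twice: on input (xmit interface not yet known) and on output."""
    direction: str            # "in" or "out"
    recv_if: Optional[str]    # interface the packet arrived on; None if locally generated
    xmit_if: Optional[str]    # interface it will leave on; None on the "in" pass


@dataclass
class Rule:
    """Interface-related part of an ipfw rule (constructed model, not ipfw code)."""
    number: int
    action: str                       # "allow" or "deny"
    direction: Optional[str] = None   # "in", "out", or None for either
    via: Optional[str] = None
    recv: Optional[str] = None
    xmit: Optional[str] = None

    def __post_init__(self) -> None:
        # Constraints stated in ipfw(8): xmit is only testable on outgoing
        # packets (so "out" is required), and via cannot be combined with recv/xmit.
        if self.xmit is not None and self.direction != "out":
            raise ValueError("xmit requires 'out'")
        if self.via is not None and (self.recv is not None or self.xmit is not None):
            raise ValueError("via cannot be combined with recv or xmit")

    def matches(self, p: Pass) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.via is not None:
            # via: test whichever interface is current for this pass
            # (assumption: receive interface on input, transmit interface on output).
            current = p.recv_if if p.direction == "in" else p.xmit_if
            if current != self.via:
                return False
        # recv can be tested on both passes; xmit only has a value on output.
        if self.recv is not None and p.recv_if != self.recv:
            return False
        if self.xmit is not None and p.xmit_if != self.xmit:
            return False
        return True


def first_match(rules: List[Rule], p: Pass) -> str:
    """First matching rule wins; fall through to a default-deny (assumed)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(p):
            return rule.action
    return "deny"


def forward(rules: List[Rule], recv_if: str, xmit_if: str) -> str:
    """Simulate a routed (non-NAT) packet arriving on recv_if and leaving on xmit_if."""
    if first_match(rules, Pass("in", recv_if, None)) == "deny":
        return "denied on input"
    if first_match(rules, Pass("out", recv_if, xmit_if)) == "deny":
        return "denied on output"
    return "forwarded"


# Three constructed rulesets, each ending in a catch-all allow (rule 65000).
# 1. "deny ip from any to any out recv ed0 xmit ed1": only the ed0 -> ed1 path.
RULES_RECV_XMIT = [Rule(100, "deny", direction="out", recv="ed0", xmit="ed1"),
                   Rule(65000, "allow")]
# 2. "deny ip from any to any via ed0": anything passing through ed0, either way.
RULES_VIA = [Rule(100, "deny", via="ed0"), Rule(65000, "allow")]
# 3. "deny ip from any to any in recv ed0": only packets that arrived on ed0.
RULES_IN_RECV = [Rule(100, "deny", direction="in", recv="ed0"), Rule(65000, "allow")]


if __name__ == "__main__":
    for name, rules in [("recv+xmit", RULES_RECV_XMIT), ("via", RULES_VIA),
                        ("in recv", RULES_IN_RECV)]:
        print(f"{name:10} ed0->ed1: {forward(rules, 'ed0', 'ed1'):18}"
              f" ed1->ed0: {forward(rules, 'ed1', 'ed0')}")
```

Running the block shows the difference the reply is pointing at: the via rule denies the same flow on whichever pass happens to be using ed0, the in/recv rule only catches the pass where the packet arrived on ed0, and the recv+xmit rule is the only one that pins down a single forwarding direction.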