Date: Tue, 10 Oct 2000 19:50:12 -0700
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: achilov@granch.ru
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: To be continued...
Message-ID: <20001010195012.F25121@149.211.6.64.reflexcom.com>
References: <39E2ED57.A51C7F0E@sentry.granch.ru>
In-Reply-To: <39E2ED57.A51C7F0E@sentry.granch.ru>; from shelton@sentry.granch.ru on Tue, Oct 10, 2000 at 05:20:07PM +0700

On Tue, Oct 10, 2000 at 05:20:07PM +0700, Rashid N. Achilov wrote:
> part of `ipfw list | less` output:
>
> 01225 fwd 212.109.195.137 log logamount 100 ip from 212.109.197.55 to any out xmit sbni1
> 01226 allow log logamount 100 tcp from 212.109.197.55 to any 80
>
> part of kernel log:
>
> rnel: ipfw: 1226 Accept TCP 212.109.197.55:3710 216.136.204.21:80 in via fxp0
> rnel: ipfw: 1225 Forward to 212.109.195.137 TCP 212.109.197.55:3710 216.136.204.21:80 out via sbni1
> rnel: ipfw: 1226 Accept TCP 212.109.197.55:3710 216.136.204.21:80 in via fxp0
> rnel: ipfw: 1225 Forward to 212.109.195.137 TCP 212.109.197.55:3710 216.136.204.21:80 out via sbni1
>
> Legend: 212.109.197.55  - my box, FreeBSD 4.1-RELEASE
>         212.109.195.137 - first ISP leased line channel, other side
>                           (ours is 212.109.195.138)
>         sbni1           - iface name of second ISP leased line channel
>                           (assumed FreeBSD router box 3.4-RELEASE)
>
> Why is rule 1226 in the log BEFORE 1225? Does it mean that 1226 is
> scanned before 1225? Or vice versa? And why, if 1225 is successful, is
> rule 1226 scanned? I'm totally lost :-(

man ipfw:

     fwd ipaddr[,port]
           ...If the IP is not a local address then the port number (if
           specified) is ignored and
           the rule only applies to packets leaving the system.
           ^^^ ^^^^ ^^^^ ^^^^^^^ ^^ ^^^^^^^ ^^^^^^^ ^^^ ^^^^^^

The first time it hits the rule is when it is entering the system on the
inner interface. The fwd rule is skipped for the incoming packet, so it
passes the next rule which it happens to match. The packet is again
processed as it is leaving. At this point it hits the fwd rule and is
accepted.
--
Crist J. Clark                          cjclark@alum.mit.edu
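As an added illustration (not part of the original mail, and not ipfw's own code), a small Python model of the two-pass evaluation described in the reply: a routed packet is checked once as it enters on fxp0 and once as it leaves on sbni1, and a fwd to a non-local address is skipped on the inbound pass, which reproduces the log order the poster saw. Matching is simplified to the fields the two posted rules use, and LOCAL_ADDRS is a constructed assumption.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

LOCAL_ADDRS = {"212.109.197.55"}  # constructed: the poster's box is the only local address
Packet = namedtuple("Packet", "proto src sport dst dport")

@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "fwd"
    proto: str                       # "ip" matches any protocol
    src: str
    dport: Optional[int] = None      # None means "any"
    direction: Optional[str] = None  # "in", "out", or None for either
    xmit: Optional[str] = None       # "xmit <iface>": outgoing interface
    fwd_to: Optional[str] = None

def matches(r: Rule, p: Packet, direction: str, iface: str) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if r.src != p.src or (r.dport is not None and r.dport != p.dport):
        return False
    if r.direction is not None and r.direction != direction:
        return False
    if r.xmit is not None and (direction != "out" or r.xmit != iface):
        return False
    # ipfw(8): a fwd to a non-local address applies only to packets leaving the system.
    if r.action == "fwd" and r.fwd_to not in LOCAL_ADDRS and direction != "out":
        return False
    return True

def one_pass(rules: List[Rule], p: Packet, direction: str, iface: str) -> Optional[str]:
    """Walk the ruleset once, as ipfw does on each pass; return the kernel log line."""
    flow = f"{p.proto.upper()} {p.src}:{p.sport} {p.dst}:{p.dport}"
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, p, direction, iface):
            verb = "Accept" if r.action == "allow" else f"Forward to {r.fwd_to}"
            return f"ipfw: {r.number} {verb} {flow} {direction} via {iface}"
    return None

def trace(rules: List[Rule], p: Packet, in_iface: str, out_iface: str) -> List[str]:
    """A routed packet traverses the ruleset twice: once inbound, once outbound."""
    passes = (one_pass(rules, p, "in", in_iface), one_pass(rules, p, "out", out_iface))
    return [line for line in passes if line]

RULES = [Rule(1225, "fwd", "ip", "212.109.197.55", direction="out", xmit="sbni1", fwd_to="212.109.195.137"),
         Rule(1226, "allow", "tcp", "212.109.197.55", dport=80)]
PKT = Packet("tcp", "212.109.197.55", 3710, "216.136.204.21", 80)  # the flow from the posted log
```

Calling `trace(RULES, PKT, "fxp0", "sbni1")` yields the 1226 "in via fxp0" line first and the 1225 "out via sbni1" line second, the same order as the kernel log.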