Date: Thu, 21 Feb 2002 15:43:52 -0500
From: "Scott M. Nolde"
To: Florian Nigsch
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW rules
Message-ID: <20020221154352.C53679@smnolde.com>
References: <20020221192954.A50541@nigsch.com> <20020221133942.B53679@smnolde.com> <20020221211612.A51456@nigsch.com>
In-Reply-To: <20020221211612.A51456@nigsch.com>; from flo@nigsch.com on Thu, Feb 21, 2002 at 09:16:12PM +0100

Florian Nigsch(flo@nigsch.com)@2002.02.21 21:16:12 +0000:
> That's totally clear to me. But I wanted to know what happens
> if I send out a packet from the machine with IP 192.168.1.2
> which first goes to 192.168.1.1 (ed1) which is at the same time
> 1.2.3.4 (ed0) and is then sent out to the internet over ed0.
> Is the packet caught by
>
> 1) count ip from 192.168.1.0/24 to any out via ed0 "All internal traffic from LAN to inet"
> 2) count ip from 192.168.1.0/24 to any "All internal LAN traffic routed through this computer"
> 3) count ip from any to any out via ed0 "All traffic leaving LAN"
> 4) count ip from 1.2.3.4 to any out via ed0 "All traffic from 1.2.3.4 to inet"
>
> ?
> I think it is caught by rules 1 to 3.
> --> Is it also caught by rule 4 because of natd?

I don't think so because of the src address.

> Rule 2 counts also the internal traffic.

Only the traffic seen by the router, but not traffic going between other
computers on a switched or hub network.

> Rule 3 - in my opinion - catches everything originating on
> the inside net AND also the packets originating on the outside
> IP number, whereas rule 4 ONLY catches the packets originating
> on the outside IP.
> Conclusions: (just to be sure)
> rule2 minus rule1 = internal traffic
> rule3 minus rule1 = outgoing traffic from official ip
> which should be the same as the counter for rule 4
>
> Am I right?

Looks ok to me. Set up such a ruleset and see what you catch.

> On Thu, Feb 21, 2002 at 01:39:42PM -0500, Scott M. Nolde wrote:
> > I use the skipto function of ipfw:
> > # ipfw show | head
> > 00010 894628 264432483 skipto 50 ip from any to any in recv dc0
> > 00020 1021767 135654843 skipto 50 ip from any to any out xmit dc0
> >
> > then rule 50 is the first rule of my normal ipfw ruleset.
>
> ---
> Florian Nigsch
> http://flo.nigsch.com/
> PGP key: http://flo.nigsch.com/fnigsch.asc
>

--
Scott Nolde
GPG Key 0xD869AB48
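Added example, not part of the thread and not code from either poster: a small Python model of how ipfw walks Florian's four count rules for one packet forwarded from 192.168.1.2 (seen once inbound on ed1 and once outbound on ed0), with natd modelled as a divert rule that rewrites the outbound source address to 1.2.3.4 and re-injects the packet at the rule following the divert, plus a second function modelling Scott's skipto trick. The rule numbers, the position of the divert rule, the destination address, the trailing allow rule and the placeholder rule in the skipto demo are constructed assumptions; real natd also translates the replies coming back in, which this model leaves out.

```python
"""Toy model of ipfw evaluation for the LAN-to-Internet packet in the thread.
Constructed for illustration: rule numbers, divert placement, addresses and
the final allow rule are assumptions, not Florian's or Scott's ruleset."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet was received on or is leaving on
    direction: str   # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str                      # "count", "divert", "skipto", "allow"
    src: str = "any"                 # source address or prefix
    direction: Optional[str] = None  # "in", "out", or None for "via" (either)
    iface: Optional[str] = None      # interface restriction, None for any
    target: int = 0                  # skipto target rule number
    comment: str = ""
    hits: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match on source prefix, direction and interface (the fields the thread uses)."""
    if rule.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, nat_public: str, nat_lan: str) -> str:
    """One pass through the ordered ruleset. 'count' keeps going, 'skipto' jumps,
    'allow' terminates, and 'divert' models natd: an outbound packet with a LAN
    source gets its source rewritten to the public address and continues at
    the next rule (the kernel re-injects it after the divert rule)."""
    rules = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(rules):
        rule = rules[i]
        if matches(rule, pkt):
            rule.hits += 1
            if rule.action == "divert":
                if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(nat_lan):
                    pkt.src = nat_public
            elif rule.action == "skipto":
                i = next((j for j, r in enumerate(rules) if r.number >= rule.target), len(rules))
                continue
            elif rule.action == "allow":
                return "allow"
        i += 1
    return "deny"  # modelled default rule 65535 deny


def forward(rules: List[Rule], src: str, dst: str, lan_if: str, wan_if: str,
            nat_public: str, nat_lan: str) -> Dict[int, int]:
    """A forwarded packet passes ipfw twice: inbound on the LAN interface and
    outbound on the WAN interface. Returns hit counts per rule number."""
    pkt = Packet(src, dst, lan_if, "in")
    if evaluate(rules, pkt, nat_public, nat_lan) == "allow":
        pkt.iface, pkt.direction = wan_if, "out"
        evaluate(rules, pkt, nat_public, nat_lan)
    return {r.number: r.hits for r in rules}


def florian_counters(divert_rule_number: int) -> Dict[int, int]:
    """Florian's four count rules with a natd divert at the given (constructed) number."""
    rules = [
        Rule(divert_rule_number, "divert", iface="ed0", comment="divert natd ip from any to any via ed0"),
        Rule(200, "count", src="192.168.1.0/24", direction="out", iface="ed0", comment="1) LAN to inet"),
        Rule(210, "count", src="192.168.1.0/24", comment="2) all LAN traffic routed through this box"),
        Rule(220, "count", direction="out", iface="ed0", comment="3) all traffic leaving on ed0"),
        Rule(230, "count", src="1.2.3.4", direction="out", iface="ed0", comment="4) from 1.2.3.4 to inet"),
        Rule(1000, "allow", comment="allow ip from any to any (constructed)"),
    ]
    # Destination 198.51.100.10 is a documentation address, constructed for the example.
    return forward(rules, "192.168.1.2", "198.51.100.10", "ed1", "ed0", "1.2.3.4", "192.168.1.0/24")


def scott_skipto(iface: str) -> Dict[int, int]:
    """Scott's skipto idea: traffic on dc0 jumps straight to rule 50, skipping
    whatever sits between (rule 30 is a constructed placeholder count)."""
    rules = [
        Rule(10, "skipto", direction="in", iface="dc0", target=50),
        Rule(20, "skipto", direction="out", iface="dc0", target=50),
        Rule(30, "count", comment="rules for the other interfaces"),
        Rule(50, "allow", comment="first rule of the normal ruleset"),
    ]
    evaluate(rules, Packet("10.0.0.5", "10.0.0.1", iface, "in"), "1.2.3.4", "192.168.1.0/24")
    return {r.number: r.hits for r in rules}


if __name__ == "__main__":
    print("divert before the counters:", florian_counters(100))
    print("divert after the counters: ", florian_counters(300))
    print("skipto, packet in on dc0:  ", scott_skipto("dc0"))
```

Comparing florian_counters(100) (divert ahead of the count rules) with florian_counters(300) (divert after them) makes two things visible that the counters alone would not: rule 2 is hit on both the inbound and the outbound pass of the same forwarded packet, and whether rule 1 or rule 4 sees the outbound packet depends entirely on whether the divert sits before or after the count rules, because once natd has run the source is already 1.2.3.4. On a real box the equivalent check is to read the ordering of the divert rule relative to the count rules in ipfw show before interpreting the counters.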