Date: Thu, 10 Apr 2003 09:07:34 -0700
From: "Earl A. Killian" <earl@killian.com>
To: Michael Sierchio <kudzu@tenebras.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: self-generated packet question
Message-ID: <16021.38598.528499.677743@sax.killian.com>
In-Reply-To: <3E959094.5040504@tenebras.com>
References: <16021.30535.469091.657659@sax.killian.com> <3E959094.5040504@tenebras.com>

Michael Sierchio writes:
> Date: Thu, 10 Apr 2003 08:41:08 -0700
> From: Michael Sierchio <kudzu@tenebras.com>
>
> They aren't received on any interface, no. They can be filtered
> on output (from me to any, etc.)

Thank you.

Background: I'm writing a tool to generate an input to ipfw from a
description of the interfaces/nets on a gateway. Since it has to be
general enough to handle some unusual things about my own gateway, the
existing firewalls in /etc/rc.firewall are not quite sufficient.

> (presumably you already have an allow rule like allow ip from any to any via lo0).

/etc/rc.firewall has such a rule, except when firewall_type is a
filename. Since I'm using the latter, I need to generate something
like that. One purpose of my question was to understand where such a
rule had to go.

I hope to have my generator generate both ipfw firewalls and ipchains
firewalls. As such, the first statement was

    add skipto <OUTPUTRULE> all from any to any out

to mimic ipchains having separate input and output chains. So, from
what you said, it appears that the "via lo0" is only required in the
output rules.