From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG, vladone
Date: Thu, 15 Sep 2005 15:32:50 +0200 (CEST)
Subject: Re: in via or in recv
Message-Id: <200509151332.j8FDWoqd035125@lurza.secnetix.de>
In-Reply-To: <1126236392.20050901000512@spaingsm.com>
List-Id: IPFW Technical Discussions

The question is already a few days old, but I thought I
might throw in my answer nevertheless.  :-)

vladone wrote:
 > What is difference between:
 > 1. in via - in recv

No difference.  When checking incoming packets (which "in"
means), only the receiving interface is known, but not yet
the transmitting interface, so "via" and "recv" do the same
thing in that case.

 > 2. out via - out xmit

When checking outgoing packets ("out"), both the receiving
and the transmitting interface are known, so "via" compares
with both, while "xmit" only compares with the transmitting
interface.

That's why "xmit" can only be used with "out", not with
"in", while "recv" can be used with both "out" and "in".

All of that is explained in detail in the ipfw(8) manpage.

 > When need to use an variant or another?

That depends on what you want to do.  In my experience
there is rarely a need for "via".  Usually you only need
"recv" and "xmit" (optionally combined with "in" and "out"
as appropriate for your rules).

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

I suggested holding a "Python Object Oriented Programming Seminar",
but the acronym was unpopular.
        -- Joseph Strout
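
Added example, not part of the original message: a small shell check that scans an ipfw ruleset for rules combining "xmit" with "in", the combination the reply says cannot be used. The ruleset is constructed for illustration; the interface names em0 (outside) and em1 (inside), the 192.168.1.0/24 network and the function names are assumptions.

```shell
#!/bin/sh
# Flag ipfw rules that use "xmit" on an inbound ("in") check.
# The transmit interface is not yet known when a packet is checked
# inbound, so such a rule cannot do what its author intended.

# Constructed sample ruleset (assumed: em0 = outside, em1 = inside).
sample_rules() {
cat <<'EOF'
# inbound: only the receive interface is known (anti-spoofing)
add 100 deny ip from 192.168.1.0/24 to any in recv em0
# outbound: filter on the transmit interface
add 200 allow tcp from any to any 80 out xmit em0
# forwarded: received on em1, leaving through em0
add 300 allow ip from 192.168.1.0/24 to any out recv em1 xmit em0
# mistake: xmit on an inbound check
add 400 deny ip from any to any in xmit em0
EOF
}

# lint_xmit: read rules on stdin, print offending rules with their
# line numbers, return 1 if any were found and 0 otherwise.
lint_xmit() {
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comment and blank lines
        {
            has_in = 0; has_xmit = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "in")   has_in = 1
                if ($i == "xmit") has_xmit = 1
            }
            if (has_in && has_xmit) {
                printf "line %d: xmit used with in: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demonstration on the constructed ruleset; "|| true" keeps the script's
# own exit status clean, since lint_xmit returns 1 when it finds a problem.
sample_rules | lint_xmit || true
```

Rule 300 passes the check because "recv" is allowed together with "out"; only rule 400 is reported.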