Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 18 Feb 2002 19:41:53 -0800
From:      "Crist J. Clark" <cjc@FreeBSD.ORG>
To:        Bing Li <calibing@yahoo.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Difference between "src to dst" and "dst to src"
Message-ID:  <20020218194153.U48401@blossom.cjclark.org>
In-Reply-To: <20020219031018.39579.qmail@web21410.mail.yahoo.com>; from calibing@yahoo.com on Mon, Feb 18, 2002 at 07:10:18PM -0800
References:  <20020219031018.39579.qmail@web21410.mail.yahoo.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Mon, Feb 18, 2002 at 07:10:18PM -0800, Bing Li wrote:
> Hi,
> 
> Is there any difference between the two as follows:
> 
> add 100 allow tcp from src to dst 22
> add 101 allow tcp from dst 22 to src

Uh, well, let's use hostname examples,

  add 100 allow tcp from client to server 22
  add 101 allow tcp from server 22 to client

The first rule passes packets TCP with a source address of "client,"
and destination address of "server" and destination port 22. The
second rule passes TCP packets with a source address of "server" and
source port of 22, and destination address of "client."

> I was confused with the output of "ipfw show":
> 
> 00100    1532    112460 allow tcp from src to dst 22
> 00101    1101    275166 allow tcp from dst 22 to src
> 
> Why are the values of second columes different?
> So are the values of third columes. The traffic was
> generated only by ssh from src to dst.

A TCP connection is a duplex connection. Traffic must flow in both
directions.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20020218194153.U48401>