From: garys@opusnet.com (Gary W. Swearingen)
To: Dave McCammon, Ian Smith, Chuck Swiger
Cc: freebsd-questions@freebsd.org
Date: Thu, 28 Jul 2005 18:33:21 -0700
Subject: Re: Can someone clarify ipfw's in/out/recv/xmit/via concepts?
In-Reply-To: <20050728204032.71440.qmail@web32812.mail.mud.yahoo.com> (Dave McCammon's message of "Thu, 28 Jul 2005 13:40:32 -0700 (PDT)")
Dave McCammon writes:

> Here is a link to a thread that helped me to understand
> the in/out/recv/xmit stuff.

Thanks guys. I think I've "got" most of it now.

Incoming packets are those entering the OS kernel implementing the ipfw firewall, but not necessarily those entering the ipfw firewall each time the kernel uses it. Outgoing packets are those leaving. Depending upon firewall config, the firewall can test packets one or two times as they enter the kernel, considering them as incoming, and one or two times as they exit the kernel, considering them as outgoing. (See ipfw diagram.) An exception is that when bridging, it tests packets only once, considering them as incoming only. (The latter based on my tests.)

When it tests an incoming packet it doesn't try to predict which interface it will be transmitted on (not sure why, if NAT isn't on), so "in" rules don't match against an "xmit" interface. When it tests an outgoing packet, it knows which interface it was received on and which interface it will be transmitted on, so "out" rules may match against both "recv" and "xmit" interfaces.

Using "via if0" is like using three rules: "in recv if0", "out xmit if0", and "out recv if0". Using "out via if0" is like using two rules: "out xmit if0" and "out recv if0". Using "in via if0" is like using "in recv if0".

I'm not claiming that the above is any better than the manpage; I'm just trying to quickly hang some simple "facts" out there to be shot down if untrue. (Maybe someday I'll set up a routing firewall to test more of them than I have yet.)
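The in/out/recv/xmit/via matching summarized in the message above, as an added Python model that is not ipfw source and not part of the original thread: it encodes the writer's two rules (the transmit interface is unknown on the incoming pass; "via" checks both interfaces) and then checks the three stated "via" equivalences over every direction/interface combination for two assumed interface names, if0 and if1.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str           # "in" (entering the kernel) or "out" (leaving it)
    recv_if: str             # interface the packet was received on
    xmit_if: Optional[str]   # None on the "in" pass: not yet known


@dataclass(frozen=True)
class Rule:
    direction: Optional[str] = None   # "in", "out", or None for either
    recv: Optional[str] = None
    xmit: Optional[str] = None
    via: Optional[str] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every direction/interface option on the rule matches the packet."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.recv is not None and rule.recv != pkt.recv_if:
        return False
    if rule.xmit is not None and rule.xmit != pkt.xmit_if:
        return False   # xmit_if is None on the "in" pass, so "xmit" never matches there
    if rule.via is not None and rule.via not in (pkt.recv_if, pkt.xmit_if):
        return False   # "via" is satisfied by either interface
    return True


def all_packets(ifaces=("if0", "if1")) -> List[Packet]:
    """Constructed sample: every direction/recv/xmit combination the model allows."""
    pkts = [Packet("in", r, None) for r in ifaces]
    pkts += [Packet("out", r, x) for r, x in product(ifaces, repeat=2)]
    return pkts


def same_as(rule: Rule, expansion: List[Rule]) -> bool:
    """Does `rule` match exactly the packets matched by at least one rule in `expansion`?"""
    return all(matches(rule, p) == any(matches(e, p) for e in expansion)
               for p in all_packets())


# The three equivalences claimed in the message
VIA, VIA_EXPANSION = Rule(via="if0"), [Rule("in", recv="if0"), Rule("out", xmit="if0"), Rule("out", recv="if0")]
OUT_VIA, OUT_VIA_EXPANSION = Rule("out", via="if0"), [Rule("out", xmit="if0"), Rule("out", recv="if0")]
IN_VIA, IN_VIA_EXPANSION = Rule("in", via="if0"), [Rule("in", recv="if0")]
```

Dropping "out recv if0" from the first expansion makes `same_as` fail on an outgoing packet received on if0 but transmitted on if1, which is the case that "via" covers and a plain "out xmit if0" does not.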