Date: Thu, 21 Feb 2002 15:43:52 -0500
From: "Scott M. Nolde" <scott@smnolde.com>
To: Florian Nigsch <flo@nigsch.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW rules
Message-ID: <20020221154352.C53679@smnolde.com>
In-Reply-To: <20020221211612.A51456@nigsch.com>; from flo@nigsch.com on Thu, Feb 21, 2002 at 09:16:12PM +0100
References: <20020221192954.A50541@nigsch.com> <20020221133942.B53679@smnolde.com> <20020221211612.A51456@nigsch.com>
Florian Nigsch(flo@nigsch.com)@2002.02.21 21:16:12 +0000:
> That's totally clear to me. But I wanted to know what happens
> if I send out a packet from the machine with IP 192.168.1.2
> which first goes to 192.168.1.1 (ed1) which is at the same time
> 1.2.3.4 (ed0) and is then sent out to the internet over ed0.
> Is the packet caught by
>
> 1) count ip from 192.168.1.0/24 to any out via ed0
"All internal traffic from LAN to inet"
> 2) count ip from 192.168.1.0/24 to any
"All internal LAN traffic routed through this computer"
> 3) count ip from any to any out via ed0
"All traffic leaving LAN"
> 4) count ip from 1.2.3.4 to any out via ed0
"All traffic from 1.2.3.4 to inet"
>
> ?
> I think it is caught by rules 1 to 3.
> --> Is it also caught by rule 4 because of natd?
I don't think so because of the src address.
>
> Rule 2 counts also the internal traffic.
Only the traffic seen by the router, but not traffic going between other
computers on a switched or hub network.
> Rule 3 - in my opinion - catches everything originating on
> the inside net AND also the packets originating on the outside
> IP number, whereas rule 4 ONLY catches the packets originating
> on the outside IP.
> Conclusions: (just to be sure)
> rule2 minus rule1 = internal traffic
> rule3 minus rule1 = outgoing traffic from official ip
> which should be the same as the counter for rule 4
>
> Am I right?
Looks ok to me. Set up such a ruleset and see what you catch.
>
> On Thu, Feb 21, 2002 at 01:39:42PM -0500, Scott M. Nolde wrote:
> > I use the skipto function of ipfw:
> > # ipfw show | head
> > 00010 894628 264432483 skipto 50 ip from any to any in recv dc0
> > 00020 1021767 135654843 skipto 50 ip from any to any out xmit dc0
> >
> > then rule 50 is the first rule of my normal ipfw ruleset.
>
> ---
> Florian Nigsch <flo@nigsch.com>
> http://flo.nigsch.com/
> PGP key: http://flo.nigsch.com/fnigsch.asc
>
--
Scott Nolde
GPG Key 0xD869AB48
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020221154352.C53679>
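An added example, not part of the thread: a small Python model of how ipfw walks a ruleset (a `count` rule increments and continues, `skipto` jumps to the first rule with at least the target number, `divert natd` rewrites the source of an outgoing packet and processing continues at the next rule), run over constructed packet events for the four `count` rules discussed above. The rule numbers 100-400, the placement of the `divert natd` rule, the external host 5.6.7.8 and the packet events are assumptions, and only the rule syntax used here is parsed. It shows Florian's arithmetic holding when the divert rule comes after the counters, and rule 4 also catching the translated LAN packet when the divert rule comes first: whether rule 4 sees natd's rewritten source depends on where the divert rule sits relative to the count rules, so a counting ruleset should pin that order down.

```python
"""Constructed model of ipfw(8) traversal for count / skipto / divert natd rules.
Not the FreeBSD implementation; it models first-to-last rule walking, counters
that fall through, skipto jumps, and natd reinjection at the rule after divert."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    direction: str                 # "in" or "out"
    recv: Optional[str] = None     # interface the packet arrived on
    xmit: Optional[str] = None     # interface the packet is leaving on

@dataclass
class Rule:
    num: int
    action: str                    # "count", "skipto", "divert", "allow"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: Optional[str] = None
    via: Optional[str] = None
    recv: Optional[str] = None
    xmit: Optional[str] = None
    target: Optional[int] = None   # skipto destination
    hits: int = 0

def parse_rule(line: str) -> Rule:
    """Parse e.g. '100 count ip from 192.168.1.0/24 to any out via ed0'."""
    toks = line.split()
    num, action, i, target = int(toks[0]), toks[1], 2, None
    if action == "skipto":
        target, i = int(toks[2]), 3
    elif action == "divert":
        i = 3                       # skip the 'natd' port name
    assert toks[i] == "ip" and toks[i + 1] == "from" and toks[i + 3] == "to"
    src = ipaddress.ip_network("0.0.0.0/0" if toks[i + 2] == "any" else toks[i + 2])
    dst = ipaddress.ip_network("0.0.0.0/0" if toks[i + 4] == "any" else toks[i + 4])
    rule = Rule(num, action, src, dst, target=target)
    rest, j = toks[i + 5:], 0
    while j < len(rest):
        if rest[j] in ("in", "out"):
            rule.direction, j = rest[j], j + 1
        elif rest[j] in ("via", "recv", "xmit"):
            setattr(rule, rest[j], rest[j + 1]); j += 2
        else:
            raise ValueError("unsupported token %r" % rest[j])
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    """'via X' matches either interface; 'recv'/'xmit' are one-sided."""
    if ipaddress.ip_address(pkt.src) not in rule.src: return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst: return False
    if rule.direction and rule.direction != pkt.direction: return False
    if rule.via and rule.via not in (pkt.recv, pkt.xmit): return False
    if rule.recv and rule.recv != pkt.recv: return False
    if rule.xmit and rule.xmit != pkt.xmit: return False
    return True

def run(rules: List[Rule], pkt: Packet, public_ip: str) -> None:
    """Walk one packet event through the ruleset in ascending rule order."""
    rules = sorted(rules, key=lambda r: r.num)
    idx = 0
    while idx < len(rules):
        r = rules[idx]
        if not matches(r, pkt):
            idx += 1; continue
        r.hits += 1
        if r.action == "count":
            idx += 1                                    # counters fall through
        elif r.action == "skipto":
            idx = next((k for k, x in enumerate(rules) if x.num >= r.target), len(rules))
        elif r.action == "divert":
            if pkt.direction == "out":                  # natd masquerades the LAN source
                pkt = Packet(public_ip, pkt.dst, pkt.direction, pkt.recv, pkt.xmit)
            idx += 1                                    # reinjected at the next rule
        else:
            return                                      # allow/deny terminates

COUNT_RULES = [
    "100 count ip from 192.168.1.0/24 to any out via ed0",   # 1) LAN -> inet
    "200 count ip from 192.168.1.0/24 to any",               # 2) all LAN traffic the router sees
    "300 count ip from any to any out via ed0",              # 3) everything leaving via ed0
    "400 count ip from 1.2.3.4 to any out via ed0",          # 4) from the public address
]

def events() -> List[Packet]:
    """Constructed events: a forwarded packet is seen twice (in on ed1, out on ed0)."""
    return [
        Packet("192.168.1.2", "5.6.7.8", "in", recv="ed1"),
        Packet("192.168.1.2", "5.6.7.8", "out", recv="ed1", xmit="ed0"),
        Packet("1.2.3.4", "5.6.7.8", "out", xmit="ed0"),          # router's own traffic
        Packet("192.168.1.2", "192.168.1.1", "in", recv="ed1"),   # LAN host talking to the router
    ]

def counters(divert_rule_num: int) -> Dict[int, int]:
    """Hit counts of the four count rules with 'divert natd' at the given number."""
    rules = [parse_rule(l) for l in COUNT_RULES]
    rules.append(parse_rule("%d divert natd ip from any to any via ed0" % divert_rule_num))
    for pkt in events():
        run(rules, pkt, "1.2.3.4")
    return {r.num: r.hits for r in rules if r.action == "count"}

if __name__ == "__main__":
    print("divert after counters:", counters(500))   # rule 400 misses the LAN packet
    print("divert before counters:", counters(50))   # rule 400 counts it, rule 100 sees nothing
```

With the divert rule after the counters, `rule3 - rule1 == rule4` as Florian expected; with it before them, rule 1 never fires and rule 4 absorbs the translated LAN traffic, so the same four counters measure something different.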
