From owner-freebsd-questions Mon Sep 22 13:50:08 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id NAA18712 for questions-outgoing; Mon, 22 Sep 1997 13:50:08 -0700 (PDT)
Received: from proxy-bsb.gns.com.br (Bqi9ubcZESwPZZLkml2CVog5D1cQ3027@srv1-bsb.GNS.com.br [200.239.56.1]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id NAA18676 for ; Mon, 22 Sep 1997 13:49:52 -0700 (PDT)
Received: (qmail 28713 invoked from network); 22 Sep 1997 20:48:28 -0000
Received: from unknown (HELO srv1-bsb.gns.com.br) (unknown) by unknown with SMTP; 22 Sep 1997 20:48:28 -0000
Received: (from mail@localhost) by srv1-bsb.gns.com.br (8.8.7/8.8.7) id RAA28707; Mon, 22 Sep 1997 17:48:28 -0300 (EST)
Message-Id: <199709222048.RAA28707@srv1-bsb.gns.com.br>
Received: from dl0237-bsb.gns.com.br(200.239.56.237) by srv1-bsb.gns.com.br via smap (V2.0) id xmaa28700; Mon, 22 Sep 97 17:48:07 -0300
From: "Mario Sergio Fujikawa Ferreira"
To:
Cc: "Raul Xavier" , "Carlos Tada"
Subject: IPFW recv and xmit
Date: Mon, 22 Sep 1997 17:51:48 -0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I would like some clarification on ipfw. I am used to writing normal rules. However, I am trying to write rules that use both recv and xmit. I know how ipfw builds the rule priority: from 1 to 65535, in order. However, I would like to know how it handles packets. Here is a hypothetical example.

    Internet <-vx0 (164.40.40.26)->Firewall<-vx1 (164.40.41.1)-> Net (164.40.41.0/25)

How does it handle a packet from 164.40.38.1 to 164.40.41.6? Does it check it when it goes in vx0? Again when out vx0? In vx1? Out vx1? Or not? All of the above?

Let's say I want a machine 164.40.41.2 to only accept smtp connections from the internet, just for example. Are these correct? I am having trouble understanding the semantics when writing rules with recv and xmit.

    ipfw add reject tcp from 164.40.41.0/24 to any in recv vx0
    (later - 1)
    ipfw add allow tcp from any 1024-65535 to 164.40.41.2/32 25 out recv vx1 xmit vx0 setup
    ipfw add allow tcp from any 1024-65535 to 164.40.41.2/32 25 out recv vx1 xmit vx0 setup
    ipfw add allow tcp from 164.40.41.2/32 25 to any 1024-65535 out recv vx0 xmit vx1 established

I know these are not working. Should I add these rules at the (later - 1) label?

    ipfw add allow from any to 164.40.41.0/24 in recv vx0
    ipfw add allow from 164.40.41.0/24 to any in recv vx1

I would like to keep the recv/xmit rules. Which mistakes am I making?

Regards,
Mario Ferreira

ps: Please cc answers to me in private.
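The question above hinges on when a forwarded packet is checked and which interface names are known at each check. The following is an added example, not part of the mail or of FreeBSD's ipfw code: a small Python model of the classic ipfw behaviour that a forwarded packet is evaluated twice, once as "in" (only the recv interface is known) and once as "out" (recv is still the ingress interface, xmit is the egress interface). It parses the rule syntax used in the mail, evaluates the posted rules against a constructed SMTP SYN from 164.40.38.1 to 164.40.41.2, and also tries a variant (an assumption derived from the model, not something the mail states) in which recv and xmit name the actual ingress and egress interfaces. Rule numbers, the default deny policy and the `route` assignment of vx0/vx1 are constructed for the example.

```python
"""Toy model of classic ipfw evaluation for forwarded packets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK matches "setup"; anything else "established"


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sports: Optional[Tuple[int, int]]
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]
    direction: Optional[str]
    recv: Optional[str]
    xmit: Optional[str]
    flag: Optional[str]  # "setup" or "established"


def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def _ports(toks, i):
    """Consume an optional 'port' or 'lo-hi' token at position i."""
    if i < len(toks) and toks[i][0].isdigit():
        lo, _, hi = toks[i].partition("-")
        return (int(lo), int(hi or lo)), i + 1
    return None, i


def parse_rule(number: int, text: str) -> Rule:
    """Parse the subset of ipfw syntax that appears in the mail."""
    toks = text.split()
    assert toks[:2] == ["ipfw", "add"], text
    i, action, proto = 2, toks[2], "all"
    i += 1
    if toks[i] != "from":          # protocol keyword is optional in this model
        proto, i = toks[i], i + 1
    assert toks[i] == "from"; i += 1
    src, i = _net(toks[i]), i + 1
    sports, i = _ports(toks, i)
    assert toks[i] == "to"; i += 1
    dst, i = _net(toks[i]), i + 1
    dports, i = _ports(toks, i)
    direction = recv = xmit = flag = None
    while i < len(toks):
        t, i = toks[i], i + 1
        if t in ("in", "out"):
            direction = t
        elif t in ("recv", "xmit"):
            if t == "recv":
                recv = toks[i]
            else:
                xmit = toks[i]
            i += 1
        elif t in ("setup", "established"):
            flag = t
        else:
            raise ValueError(f"unsupported token {t!r} in: {text}")
    return Rule(number, action, proto, src, sports, dst, dports, direction, recv, xmit, flag)


def _in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def matches(r: Rule, p: Packet, direction: str, recv: str, xmit: Optional[str]) -> bool:
    """One rule against one pass; xmit is None on the 'in' pass, so xmit rules never match there."""
    if r.proto not in ("all", "ip", p.proto):
        return False
    if ipaddress.ip_address(p.src) not in r.src or ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if not (_in_range(r.sports, p.sport) and _in_range(r.dports, p.dport)):
        return False
    if (r.direction and r.direction != direction) or (r.recv and r.recv != recv):
        return False
    if r.xmit and r.xmit != xmit:
        return False
    if r.flag == "setup" and not (p.proto == "tcp" and p.syn_only):
        return False
    if r.flag == "established" and not (p.proto == "tcp" and not p.syn_only):
        return False
    return True


def first_match(rules, p, direction, recv, xmit, default="deny"):
    for r in rules:                # rules are consulted in ascending number order
        if matches(r, p, direction, recv, xmit):
            return r.number, r.action
    return None, default


def forward(rules, p: Packet, ingress: str, egress: str):
    """Both passes a forwarded packet sees: ('in', recv) then ('out', recv, xmit)."""
    trace = []
    num, act = first_match(rules, p, "in", ingress, None)
    trace.append(("in", ingress, None, num, act))
    if act in ("allow", "accept", "pass"):
        num, act = first_match(rules, p, "out", ingress, egress)
        trace.append(("out", ingress, egress, num, act))
    return trace


def load(texts):
    return [parse_rule(100 * (i + 1), t) for i, t in enumerate(texts)]


MAIL_RULES = [  # recv/xmit rules as posted (the duplicated allow line omitted)
    "ipfw add reject tcp from 164.40.41.0/24 to any in recv vx0",
    "ipfw add allow tcp from any 1024-65535 to 164.40.41.2/32 25 out recv vx1 xmit vx0 setup",
    "ipfw add allow tcp from 164.40.41.2/32 25 to any 1024-65535 out recv vx0 xmit vx1 established",
]
IN_RULES = [  # the two "in recv" rules the mail asks about
    "ipfw add allow from any to 164.40.41.0/24 in recv vx0",
    "ipfw add allow from 164.40.41.0/24 to any in recv vx1",
]
SWAPPED_OUT_RULES = [  # assumption: recv/xmit named after the real ingress/egress
    "ipfw add allow tcp from any 1024-65535 to 164.40.41.2/32 25 out recv vx0 xmit vx1 setup",
    "ipfw add allow tcp from 164.40.41.2/32 25 to any 1024-65535 out recv vx1 xmit vx0 established",
]
SYN = Packet("tcp", "164.40.38.1", 2000, "164.40.41.2", 25, syn_only=True)      # constructed
REPLY = Packet("tcp", "164.40.41.2", 25, "164.40.38.1", 2000, syn_only=False)   # constructed


def demo():
    return {
        "posted": forward(load(MAIL_RULES), SYN, "vx0", "vx1"),
        "with_in": forward(load(MAIL_RULES + IN_RULES), SYN, "vx0", "vx1"),
        "swapped": forward(load(IN_RULES + SWAPPED_OUT_RULES), SYN, "vx0", "vx1"),
        "swapped_reply": forward(load(IN_RULES + SWAPPED_OUT_RULES), REPLY, "vx1", "vx0"),
    }


if __name__ == "__main__":
    for name, trace in demo().items():
        print(name, trace)
```

Running `demo()` shows three things the model makes visible: with only the posted rules the SYN is already dropped on the "in" pass, because every rule carrying `out` or `xmit` is skipped there; adding the two "in recv" rules gets the packet through the first pass but the "out" pass still finds no match, since the packet is seen with recv vx0 and xmit vx1 while the posted rules name recv vx1 and xmit vx0; with the interface names assigned to the real ingress and egress, both the SYN and the reply are allowed by exactly one rule per pass.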