From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 10 09:07:45 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8502537B404; Thu, 10 Apr 2003 09:07:45 -0700 (PDT)
Received: from gate.killian.com (gate.killian.com [205.179.65.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8207A43FB1; Thu, 10 Apr 2003 09:07:44 -0700 (PDT) (envelope-from earl@killian.com)
Received: (from smmsp@localhost) by gate.killian.com (8.12.6/8.12.6) id h3AG7i3H054596; Thu, 10 Apr 2003 09:07:44 -0700 (PDT) (envelope-from earl@killian.com)
Received: from sax.killian.com (199.165.155.18) via SMTP by gate.killian.com, id smtpduHCev7; Thu Apr 10 09:07:35 2003
From: "Earl A. Killian"
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <16021.38598.528499.677743@sax.killian.com>
Date: Thu, 10 Apr 2003 09:07:34 -0700
To: Michael Sierchio
In-Reply-To: <3E959094.5040504@tenebras.com>
References: <16021.30535.469091.657659@sax.killian.com> <3E959094.5040504@tenebras.com>
X-Mailer: VM 7.07 under 21.4 (patch 6) "Common Lisp" XEmacs Lucid
cc: freebsd-ipfw@freebsd.org
Subject: Re: self-generated packet question
List-Id: IPFW Technical Discussions
X-List-Received-Date: Thu, 10 Apr 2003 16:07:45 -0000

Michael Sierchio writes:
> Date: Thu, 10 Apr 2003 08:41:08 -0700
> From: Michael Sierchio
>
> They aren't received on any interface, no. They can be filtered
> on output (from me to any, etc.)

Thank you.

Background: I'm writing a tool to generate an input to ipfw from a description of the interfaces/nets on a gateway. Since it has to be general enough to handle some unusual things about my own gateway, the existing firewalls in /etc/rc.firewall are not quite sufficient.

> (presumably you already have an allow rule like "allow ip from any to any via lo0").

/etc/rc.firewall has such a rule, except when firewall_type is a filename. Since I'm using the latter, I need to generate something like that. One purpose of my question was to understand where such a rule had to go.

I hope to have my generator generate both ipfw firewalls and ipchains firewalls. As such, the first statement was "add skipto all from any to any out" to mimic ipchains having separate input and output chains. So, from what you said, it appears that the "via lo0" is only required in the output rules.
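As an added example, not code from this thread or from /etc/rc.firewall, here is a small sh generator of the kind the message describes: one skipto splits the ipfw ruleset into an "input chain" and an "output chain" the way ipchains has them, the loopback allow sits ahead of the split where /etc/rc.firewall keeps its own, and self-generated traffic is matched with "from me" in the output chain only, since it is never received on an interface. The rule numbers, the interface names fxp0/fxp1, the services allowed and the fwcmd variable are assumptions for illustration; with fwcmd set to "echo ipfw" the script only prints the rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from /etc/rc.firewall.
# Emits an ipfw ruleset that mimics ipchains' separate input and output
# chains with one skipto. Rule numbers, interface names, the services
# allowed and fwcmd are assumptions for illustration.

fwcmd="echo ipfw"   # prints the rules; set to /sbin/ipfw to load them

# gen_ruleset OUTSIDE_IF INSIDE_IF : write the ruleset to stdout
gen_ruleset() {
    oif="$1"    # upstream interface
    iif="$2"    # LAN interface

    # Loopback first, ahead of the in/out split, where /etc/rc.firewall
    # keeps its own rule: "via" matches a packet on lo0 whether ipfw sees
    # it on output or on input, so neither chain needs a second copy.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any

    # The split: every outbound packet jumps to the "output chain" at 1000,
    # so rules 200-999 form the "input chain".
    $fwcmd add 200 skipto 1000 ip from any to any out

    # --- input chain: packets received on some interface ---
    $fwcmd add 300 check-state
    $fwcmd add 310 allow tcp from any to me 22 in via "$iif" setup keep-state
    $fwcmd add 320 allow icmp from any to me in icmptypes 0,3,11
    $fwcmd add 900 deny log ip from any to any in

    # --- output chain: self-generated packets are never "in" on any
    #     interface, so "from me" is only ever matched here ---
    $fwcmd add 1000 allow ip from me to any out keep-state
    $fwcmd add 1010 allow ip from any to any out via "$iif"
    $fwcmd add 1020 allow tcp from any to any out via "$oif" setup keep-state
    $fwcmd add 1900 deny log ip from any to any out
}

gen_ruleset fxp0 fxp1
```

The dynamic entries created by the keep-state rules in the output chain are consumed by the single check-state at the head of the input chain, so reply traffic to the gateway's own connections and to forwarded LAN connections is admitted without a per-service input rule; anything that falls through either chain is logged and dropped before ipfw's default rule.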