Date:      Sun, 31 Jul 2005 03:15:34 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        "Gary W. Swearingen" <garys@opusnet.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Can someone clarify ipfw's in/out/recv/xmit/via concepts?
Message-ID:  <Pine.BSF.3.96.1050731025425.22492B-100000@gaia.nimnet.asn.au>
In-Reply-To: <ae4qaecs66.qae@mail.opusnet.com>

On Thu, 28 Jul 2005, Gary W. Swearingen wrote:

 > Thanks guys.  I think I've "got" most of it now.

[..]

 > When it tests an incoming packet it doesn't try to predict which
 > interface it will be transmitted on (not sure why, if NAT isn't on),
 > so "in" rules don't match against an "xmit" interface.

IPFW doesn't try to 'predict' anything; it would be pointless anyway, as
it has no notion of what the kernel, and especially the routing, may do.
It simply keeps trying to match this (incoming or outgoing) packet
against every rule in sequence until it's either accepted or dropped.

 > When it tests an outgoing packet, it knows which interface it was
 > received on and which interface it will be transmitted on so "out"
 > rules may match against both "recv" and "xmit" interfaces.

Yes.  By then, the incoming interface is tagged along with the packet.

 > Using "via if0" is like using three rules: "in recv if0", 
 > "out xmit if0", and "out recv if0".

Except that via, used without in or out, matches on both passes (and
counts the packets/bytes twice), assuming it's not dropped on input.

 > Using "out via if0" is like using two rules: "out xmit if0"
 > and "out recv if0".
 > 
 > Using "in via if0" is like using "in recv if0".

Hmm, yes, but I don't know that you can really put it much better than:

             The via keyword causes the interface to always be checked. If
             recv or xmit is used instead of via, then only the receive or
             transmit interface (respectively) is checked.  By specifying
             both, it is possible to match packets based on both receive and
             transmit interface, e.g.:

                   ipfw add 100 deny ip from any to any out recv ed0 xmit ed1

             The recv interface can be tested on either incoming or outgoing
             packets, while the xmit interface can only be tested on outgoing
             packets.  So out is required (and in is invalid) whenever xmit is
             used.  Specifying via together with xmit or recv is invalid.

             A packet may not have a receive or transmit interface: packets
             originating from the local host have no receive interface, while
             packets destined for the local host have no transmit interface.

 > I'm not claiming that the above is any better than the manpage; I'm
 > just trying to quickly hang some simple "facts" out there to be shot
 > down if untrue.  (Maybe someday I'll set up a routing firewall to test
 > more of them than I have yet.)

Yep; test first, study results, write up findings if different from man :)

Cheers, Ian
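To make the in/out/recv/xmit/via behaviour discussed in this exchange concrete, here is a small Python model of the matching logic. It is an illustration added to this archive page, not code from the thread or from ipfw itself: the Packet and Rule types, parse_rule, matches and passes_matched are constructed for the example. It encodes the constraints quoted from the manpage (xmit needs out, via excludes recv/xmit, locally generated packets have no receive interface, locally destined ones no transmit interface). For via, the model checks the interface the packet is traversing on the current pass (receive interface on input, transmit interface on output); that is this example's reading of "the interface is always checked" and should be treated as an assumption of the model, not something the thread states.

```python
"""Toy model of how ipfw applies in/out/recv/xmit/via to a packet.

Added illustration for the thread above; not ipfw source. A packet is seen
by the firewall on an input pass (when it arrives) and/or an output pass
(when it is about to leave), and the interface options are tested against
what is known about the packet on that pass.
"""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    recv: Optional[str]  # interface the packet arrived on; None if generated locally
    xmit: Optional[str]  # interface it will leave on; None if destined for this host


@dataclass(frozen=True)
class Rule:
    direction: Optional[str] = None  # "in", "out", or None to check both passes
    recv: Optional[str] = None
    xmit: Optional[str] = None
    via: Optional[str] = None


def parse_rule(spec: str) -> Rule:
    """Parse the interface-related tail of an ipfw rule, e.g. 'out recv ed0 xmit ed1'.

    Only in/out/recv/xmit/via are understood. The constraints quoted from
    the manpage (xmit requires out, via excludes recv and xmit) are enforced.
    """
    tokens = spec.split()
    direction = recv = xmit = via = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("in", "out"):
            if direction is not None:
                raise ValueError("only one of in/out may be given")
            direction = tok
            i += 1
        elif tok in ("recv", "xmit", "via"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} needs an interface name")
            value = tokens[i + 1]
            if tok == "recv":
                recv = value
            elif tok == "xmit":
                xmit = value
            else:
                via = value
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r}")
    if xmit is not None and direction != "out":
        raise ValueError("xmit can only be tested on outgoing packets: out is required")
    if via is not None and (recv is not None or xmit is not None):
        raise ValueError("via cannot be combined with recv or xmit")
    return Rule(direction, recv, xmit, via)


def is_valid(spec: str) -> bool:
    """True if parse_rule accepts the spec, False if it rejects it."""
    try:
        parse_rule(spec)
        return True
    except ValueError:
        return False


def matches(rule: Rule, pkt: Packet, pass_: str) -> bool:
    """True if rule matches pkt on the given pass ('in' or 'out')."""
    if rule.direction is not None and rule.direction != pass_:
        return False
    # recv is known on both passes; a locally generated packet has none and never matches it.
    if rule.recv is not None and pkt.recv != rule.recv:
        return False
    # xmit is only known on the output pass (parse_rule guarantees direction == "out").
    if rule.xmit is not None and pkt.xmit != rule.xmit:
        return False
    # via: this model checks the interface the packet is traversing on the current
    # pass (receive interface on input, transmit interface on output). This is the
    # example's reading of "always checked", an assumption rather than thread fact.
    if rule.via is not None:
        current = pkt.recv if pass_ == "in" else pkt.xmit
        if current != rule.via:
            return False
    return True


def passes_matched(rule: Rule, pkt: Packet) -> List[str]:
    """Return the passes on which the packet is seen and the rule matches.

    A forwarded packet is seen twice (input, then output); a packet for this
    host only on input; a locally generated one only on output. A rule that
    appears twice here counts the packet's bytes twice, as noted in the thread.
    """
    passes = []
    if pkt.recv is not None:
        passes.append("in")
    if pkt.xmit is not None:
        passes.append("out")
    return [p for p in passes if matches(rule, pkt, p)]


if __name__ == "__main__":
    forwarded = Packet(recv="ed0", xmit="ed1")  # constructed: routed ed0 -> ed1
    print(passes_matched(parse_rule("out recv ed0 xmit ed1"), forwarded))
    print(passes_matched(parse_rule("via ed0"), Packet(recv="ed0", xmit="ed0")))
```

Running the module prints `['out']` for the manpage's two-interface rule against a packet routed from ed0 to ed1, and `['in', 'out']` for a bare `via ed0` against a packet that enters and leaves through ed0, which is the double-counting case the reply mentions.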