Date:      Thu, 28 Jul 2005 18:33:21 -0700
From:      garys@opusnet.com (Gary W. Swearingen)
To:        Dave McCammon <davemac11@yahoo.com>, Ian Smith <smithi@nimnet.asn.au>, Chuck Swiger <cswiger@mac.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Can someone clarify ipfw's in/out/recv/xmit/via concepts?
Message-ID:  <ae4qaecs66.qae@mail.opusnet.com>
In-Reply-To: <20050728204032.71440.qmail@web32812.mail.mud.yahoo.com> (Dave McCammon's message of "Thu, 28 Jul 2005 13:40:32 -0700 (PDT)")
References:  <20050728204032.71440.qmail@web32812.mail.mud.yahoo.com>

Dave McCammon <davemac11@yahoo.com> writes:

> Here is a link to a thread that helped me to understand
> the in/out/recv/xmit stuff.

Thanks guys.  I think I've "got" most of it now.


Incoming packets are those entering the OS kernel implementing the
ipfw firewall, but not necessarily those entering the ipfw firewall
each time the kernel uses it.  Outgoing packets are those leaving.

Depending upon firewall config, the firewall can test packets one or
two times as they enter the kernel, considering them as incoming, and
one or two times as they exit the kernel, considering them as
outgoing.  (See ipfw diagram.)  An exception is that when bridging, it
tests packets only once, considering them as incoming only. (The
latter based on my tests.)

When it tests an incoming packet it doesn't try to predict which
interface it will be transmitted on (not sure why, if NAT isn't on),
so "in" rules don't match against an "xmit" interface.

When it tests an outgoing packet, it knows which interface it was
received on and which interface it will be transmitted on so "out"
rules may match against both "recv" and "xmit" interfaces.

Using "via if0" is like using three rules: "in recv if0",
"out xmit if0", and "out recv if0".

Using "out via if0" is like using two rules: "out xmit if0"
and "out recv if0".

Using "in via if0" is like using "in recv if0".


I'm not claiming that the above is any better than the manpage; I'm
just trying to quickly hang some simple "facts" out there to be shot
down if untrue.  (Maybe someday I'll set up a routing firewall to test
more of them than I have yet.)
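A small model of the in/out/recv/xmit/via matching as described in this message, added here as an illustration (it is not ipfw code and not from this thread): it enumerates every packet context the firewall can be asked about and checks the three "via" expansions above. The interface names if0/if1 and the set of packet contexts are constructed assumptions.

```python
from itertools import product

IFACES = ("if0", "if1")  # constructed interface names for the model

def parse_rule(text):
    """Parse the direction/interface clauses of an ipfw rule body such as
    'out recv if0 xmit if1' into a dict; nothing else of ipfw is modelled."""
    rule, tokens, i = {}, text.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("in", "out"):
            rule["dir"], i = tok, i + 1
        elif tok in ("recv", "xmit", "via"):
            rule[tok], i = tokens[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token: {tok}")
    return rule

def rule_matches(text, direction, recv_if, xmit_if):
    """Does the rule match a packet tested as `direction` ('in'/'out'),
    received on recv_if and to be sent on xmit_if?  On the incoming pass the
    transmit interface is not yet known (xmit_if is None), as the message says."""
    rule = parse_rule(text)
    if rule.get("dir", direction) != direction:
        return False
    if "recv" in rule and rule["recv"] != recv_if:
        return False
    if "xmit" in rule and (direction == "in" or rule["xmit"] != xmit_if):
        return False
    if "via" in rule and rule["via"] not in (recv_if, xmit_if):
        return False
    return True

def packet_contexts():
    """Every (direction, recv_if, xmit_if) the firewall can be asked about:
    incoming packets have no xmit interface yet; outgoing packets were
    received on some interface, or on none if generated locally."""
    yield from (("in", r, None) for r in IFACES)
    yield from (("out", r, x) for r, x in product(IFACES + (None,), IFACES))

def equivalent(rule, alternatives):
    """True if `rule` matches exactly the packets that at least one of
    `alternatives` matches, over every packet context."""
    return all(rule_matches(rule, *c) == any(rule_matches(a, *c) for a in alternatives)
               for c in packet_contexts())

if __name__ == "__main__":
    print(equivalent("via if0", ["in recv if0", "out xmit if0", "out recv if0"]))
    print(equivalent("out via if0", ["out xmit if0", "out recv if0"]))
    print(equivalent("in via if0", ["in recv if0"]))
```

Dropping "out recv if0" from the first expansion makes the check fail, which is the case (a packet received on if0 and sent elsewhere) that "via" silently covers.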



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ae4qaecs66.qae>