Date: Mon, 18 Feb 2002 19:41:53 -0800
From: "Crist J. Clark"
To: Bing Li
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Difference between "src to dst" and "dst to src"

On Mon, Feb 18, 2002 at 07:10:18PM -0800, Bing Li wrote:
> Hi,
>
> Is there any difference between the two as follows:
>
> add 100 allow tcp from src to dst 22
> add 101 allow tcp from dst 22 to src

Uh, well, let's use hostname examples,

  add 100 allow tcp from client to server 22
  add 101 allow tcp from server 22 to client

The first rule passes TCP packets with a source address of "client,"
and destination address of "server" and destination port 22. The
second rule passes TCP packets with a source address of "server" and
source port of 22, and destination address of "client."

> I was confused with the output of "ipfw show":
>
> 00100 1532 112460 allow tcp from src to dst 22
> 00101 1101 275166 allow tcp from dst 22 to src
>
> Why are the values of second columns different?
> So are the values of third columns. The traffic was
> generated only by ssh from src to dst.

A TCP connection is a duplex connection. Traffic must flow in both
directions.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
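
The point of the reply above, as an added example that is not part of the original message: a small Python model (not ipfw itself) that parses the two rules, runs one ssh session through them first-match, and reports per-rule packet and byte counters in the layout of "ipfw show". The client port and packet sizes are constructed for illustration.

```python
import re
from collections import namedtuple

# One TCP packet: source host/port, destination host/port, length in bytes.
Packet = namedtuple("Packet", "src sport dst dport length")
RULE_RE = re.compile(r"add (\d+) (allow tcp from (\S+)(?: (\d+))? to (\S+)(?: (\d+))?)$")

class Rule:
    def __init__(self, line):
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        self.num, self.body = int(m.group(1)), m.group(2)
        self.src, self.dst = m.group(3), m.group(5)
        # A missing port means "any port" on that side of the rule.
        self.sport = int(m.group(4)) if m.group(4) else None
        self.dport = int(m.group(6)) if m.group(6) else None
        self.pkts = self.nbytes = 0

    def matches(self, p):
        return (p.src == self.src and p.dst == self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def run(rule_lines, packets):
    """Count each packet against the first (lowest-numbered) rule it matches."""
    rules = sorted((Rule(l) for l in rule_lines), key=lambda r: r.num)
    unmatched = 0
    for p in packets:
        hit = next((r for r in rules if r.matches(p)), None)
        if hit is None:
            unmatched += 1
        else:
            hit.pkts += 1
            hit.nbytes += p.length
    show = [f"{r.num:05d} {r.pkts} {r.nbytes} {r.body}" for r in rules]
    return show, unmatched

RULES = ["add 100 allow tcp from client to server 22",
         "add 101 allow tcp from server 22 to client"]
# Constructed ssh session: client port 40000, sizes invented for illustration.
SESSION = [Packet("client", 40000, "server", 22, 60),    # SYN
           Packet("server", 22, "client", 40000, 60),    # SYN+ACK
           Packet("client", 40000, "server", 22, 52),    # ACK
           Packet("client", 40000, "server", 22, 100),   # keystrokes
           Packet("server", 22, "client", 40000, 1400),  # command output
           Packet("client", 40000, "server", 22, 52)]    # ACK
```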