Date:      Mon, 18 Jul 2011 12:05:32 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        David van Rensburg - PC Network <david@pcnetwork.co.za>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw and nat problem
Message-ID:  <02D2E336-48EE-498E-87AA-8A307EC2EF74@mac.com>
In-Reply-To: <CA4A4D68.F6D4%david@pcnetwork.co.za>
References:  <CA4A4D68.F6D4%david@pcnetwork.co.za>

On Jul 18, 2011, at 11:53 AM, David van Rensburg - PC Network wrote:
> Yes sorry - I suppose I was assuming that goes without saying.

Well, you can't design working firewall rulesets with unstated requirements.

> Will open 443 for https and close 80 and do a transparent squid proxy
> which I got to work.

You need to permit *both* 80 and 443, either directly or via the Squid proxy.

> I just can't seem to understand in and out.
> Does in mean INTO the BOX or into the specific interface? What happens if
> you don't specify an interface when you say in or out?
> OR does in mean into the internal network from outside or just into the
> box?
>
> Please just elaborate on that for me?

In refers to incoming traffic to the box running IPFW (and also NAT'ed traffic which gets re-written by natd to your internal clients); out refers to traffic generated from the box (and/or from NAT traffic from internal machines via natd).  If that doesn't make sense, consider using "recv", "xmit", and "via ifX" instead:

     recv | xmit | via {ifX | if* | ipno | any}
             Matches packets received, transmitted or going through,
             respectively, the interface specified by exact name (ifX), by
             device name (if*), by IP address, or through some interface.

             The via keyword causes the interface to always be checked.  If
             recv or xmit is used instead of via, then only the receive or
             transmit interface (respectively) is checked.  By specifying
             both, it is possible to match packets based on both receive and
             transmit interface, e.g.:

                   ipfw add deny ip from any to any out recv ed0 xmit ed1

             The recv interface can be tested on either incoming or outgoing
             packets, while the xmit interface can only be tested on outgoing
             packets.  So out is required (and in is invalid) whenever xmit is
             used.

             A packet may not have a receive or transmit interface: packets
             originating from the local host have no receive interface, while
             packets destined for the local host have no transmit interface.

Regards,
-- 
-Chuck
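The direction and interface semantics quoted from ipfw(8) above, as an added Python model (illustration only, not code from ipfw or from this thread): each packet is expanded into the passes it makes through the rule list, and a rule's in/out, recv, xmit and via options are tested against each pass the way the manpage describes. It assumes a forwarded packet is seen once "in" and once "out"; natd/NAT rewriting and all other match fields are left out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Pass:
    """One trip of a packet through the ipfw rule list."""
    direction: str        # "in" (just received) or "out" (about to be sent)
    recv: Optional[str]   # interface it arrived on; None if generated locally
    xmit: Optional[str]   # interface it will leave on; None if destined locally


@dataclass(frozen=True)
class Rule:
    """Direction/interface options of one ipfw rule (other fields omitted)."""
    direction: Optional[str] = None   # "in", "out" or None for either
    recv: Optional[str] = None        # 'recv ifX'
    xmit: Optional[str] = None        # 'xmit ifX'
    via: Optional[str] = None         # 'via ifX'

    def __post_init__(self) -> None:
        # ipfw(8): out is required (and in is invalid) whenever xmit is used.
        if self.xmit is not None and self.direction != "out":
            raise ValueError("xmit requires 'out'")


def packet_passes(recv: Optional[str], xmit: Optional[str]) -> List[Pass]:
    """Forwarded packet: 'in' then 'out'. Locally destined: 'in' only.
    Locally generated: 'out' only (no receive interface exists)."""
    passes = []
    if recv is not None:
        passes.append(Pass("in", recv, None))    # xmit interface not chosen yet
    if xmit is not None:
        passes.append(Pass("out", recv, xmit))   # recv still known when forwarding
    return passes


def rule_matches(rule: Rule, p: Pass) -> bool:
    if rule.direction is not None and rule.direction != p.direction:
        return False
    if rule.recv is not None and p.recv != rule.recv:    # testable in or out
        return False
    if rule.xmit is not None and p.xmit != rule.xmit:    # only set on out
        return False
    # 'via' always checks the interface in use for this pass: the transmit
    # interface on the out pass, the receive interface on the in pass.
    if rule.via is not None and (p.xmit if p.direction == "out" else p.recv) != rule.via:
        return False
    return True


def hits(rule: Rule, recv: Optional[str], xmit: Optional[str]) -> List[str]:
    """Directions ('in'/'out') in which the rule fires for this packet."""
    return [p.direction for p in packet_passes(recv, xmit) if rule_matches(rule, p)]
```

Calling hits() with the manpage's `out recv ed0 xmit ed1` rule shows it fires only on the out pass of an ed0-to-ed1 forwarded packet, and never for traffic the box itself generates.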