Date: Mon, 18 Jul 2011 12:05:32 -0700
From: Chuck Swiger <cswiger@mac.com>
To: David van Rensburg - PC Network <david@pcnetwork.co.za>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and nat problem
Message-ID: <02D2E336-48EE-498E-87AA-8A307EC2EF74@mac.com>
In-Reply-To: <CA4A4D68.F6D4%david@pcnetwork.co.za>
References: <CA4A4D68.F6D4%david@pcnetwork.co.za>
On Jul 18, 2011, at 11:53 AM, David van Rensburg - PC Network wrote:

> Yes sorry - I suppose I was assuming that goes without saying.

Well, you can't design working firewall rulesets with unstated requirements.

> Will open 443 for https and close 80 and do a transparent squid proxy
> which I got to work.

You need to permit *both* 80 and 443, either directly or via the Squid proxy.

> I just can't seem to understand in and out.
> Does in mean INTO the BOX or into the specific interface what happens if
> you don't specify an interface when you say in or out?
> OR does in mean into the internal network from outside or just into the
> box?
>
> Please just elaborate on that for me ?

In refers to incoming traffic to the box running IPFW (and also NAT'ed traffic which gets re-written by natd to your internal clients); out refers to traffic generated from the box (and/or from NAT traffic from internal machines via natd). If that doesn't make sense, consider using "recv", "xmit", and "via ifX" instead:

     recv | xmit | via {ifX | if* | ipno | any}
             Matches packets received, transmitted or going through,
             respectively, the interface specified by exact name (ifX), by
             device name (if*), by IP address, or through some interface.

             The via keyword causes the interface to always be checked.  If
             recv or xmit is used instead of via, then only the receive or
             transmit interface (respectively) is checked.  By specifying
             both, it is possible to match packets based on both receive and
             transmit interface, e.g.:

                   ipfw add deny ip from any to any out recv ed0 xmit ed1

             The recv interface can be tested on either incoming or outgoing
             packets, while the xmit interface can only be tested on outgoing
             packets.  So out is required (and in is invalid) whenever xmit
             is used.

             A packet may not have a receive or transmit interface: packets
             originating from the local host have no receive interface, while
             packets destined for the local host have no transmit interface.
Regards,
-- 
-Chuck
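The script below is an added example, not Chuck's or David's configuration: a minimal natd-based gateway ruleset written with the in/out/recv/xmit semantics explained in the reply above (anti-spoofing on the external interface, the divert rule both directions, inbound 443 to the box, LAN web traffic out). The interface names em0/em1 and the LAN subnet 192.168.1.0/24 are assumptions; with FWCMD unset it is a dry run that only prints the ipfw commands.

```shell
#!/bin/sh
# Added example for a FreeBSD ipfw + natd gateway (not from the thread).
# Assumed values: em0 faces the Internet, em1 faces the LAN, 192.168.1.0/24
# is the internal network. FWCMD unset => dry run that echoes each rule;
# FWCMD=/sbin/ipfw loads the rules on a real box.
ext_if="em0"
int_if="em1"
lan="192.168.1.0/24"
fwcmd="${FWCMD:-echo /sbin/ipfw}"

build_ruleset() {
    $fwcmd -f flush
    # Loopback is always fine.
    $fwcmd add 100 allow ip from any to any via lo0
    # Anti-spoofing: 'in recv em0' = "arrived on the WAN interface"; a packet
    # there carrying a LAN source address is forged, so drop it before NAT.
    $fwcmd add 110 deny ip from $lan to any in recv $ext_if
    # natd must see every packet crossing the WAN interface in both directions:
    # inbound packets get their destination rewritten to the LAN client, outbound
    # packets get their source rewritten to the public address. Rules after this
    # one see the rewritten packet, which is why 'in' also covers NAT'ed traffic.
    $fwcmd add 200 divert natd ip from any to any via $ext_if
    # Replies to sessions that are already up pass in either direction.
    $fwcmd add 300 allow tcp from any to any established
    # New HTTPS connections to this box arriving from the Internet:
    # 'in' is the direction, 'recv' names the interface it came in on.
    $fwcmd add 400 allow tcp from any to me 443 in recv $ext_if setup
    # LAN-originated HTTP/HTTPS leaving through the WAN. 'xmit' is only valid
    # together with 'out', as the ipfw(8) excerpt says. Port 80 stays open
    # here because a transparent proxy still needs to reach origin servers.
    $fwcmd add 500 allow tcp from $lan to any 80,443 out xmit $ext_if setup
    # DNS for LAN clients: the reply is matched after natd has rewritten its
    # destination back to the LAN address, so $lan is correct on the 'in' rule.
    $fwcmd add 510 allow udp from $lan to any 53 out xmit $ext_if
    $fwcmd add 511 allow udp from any 53 to $lan in recv $ext_if
    # LAN <-> gateway itself (proxy port, ssh, local DNS), by interface.
    $fwcmd add 600 allow ip from $lan to me in recv $int_if
    $fwcmd add 610 allow ip from me to $lan out xmit $int_if
    # Everything else is dropped and logged so misses show up in the logs.
    $fwcmd add 65000 deny log ip from any to any
}

build_ruleset
```

Run it once as a dry run, review the printed rules, then rerun with FWCMD=/sbin/ipfw from the console rather than over ssh, since a flush mid-way can cut your session.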