Date: Mon, 18 Feb 2002 19:41:53 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Bing Li <calibing@yahoo.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Difference between "src to dst" and "dst to src"
Message-ID: <20020218194153.U48401@blossom.cjclark.org>
In-Reply-To: <20020219031018.39579.qmail@web21410.mail.yahoo.com>; from calibing@yahoo.com on Mon, Feb 18, 2002 at 07:10:18PM -0800
References: <20020219031018.39579.qmail@web21410.mail.yahoo.com>
On Mon, Feb 18, 2002 at 07:10:18PM -0800, Bing Li wrote:
> Hi,
>
> Is there any difference between the two as follows:
>
> add 100 allow tcp from src to dst 22
> add 101 allow tcp from dst 22 to src
Uh, well, let's use hostname examples,
add 100 allow tcp from client to server 22
add 101 allow tcp from server 22 to client
The first rule passes TCP packets with a source address of "client,"
and destination address of "server" and destination port 22. The
second rule passes TCP packets with a source address of "server" and
source port of 22, and destination address of "client."
> I was confused with the output of "ipfw show":
>
> 00100 1532 112460 allow tcp from src to dst 22
> 00101 1101 275166 allow tcp from dst 22 to src
>
> Why are the values of second columns different?
> So are the values of third columns. The traffic was
> generated only by ssh from src to dst.
A TCP connection is a duplex connection. Traffic must flow in both
directions.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
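
Added example, not part of the original message: a small Python model of the two rules from the reply, run over a constructed ssh-like exchange, showing how each direction of one connection lands on a different rule and so produces different packet and byte counters. The "client" and "server" names come from the reply; the client port 40000 and all packet sizes are constructed, and the rule parser covers only the rule form used in this thread.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport length")

# Only the form seen in this thread: add N allow tcp from H [port] to H [port]
RULE_RE = re.compile(
    r"add (\d+) allow tcp from (\S+)(?: (\d+))? to (\S+)(?: (\d+))?$")

class Rule:
    def __init__(self, text):
        m = RULE_RE.match(text.strip())
        if not m:
            raise ValueError("unsupported rule: " + text)
        num, self.src, sport, self.dst, dport = m.groups()
        self.num = int(num)
        self.sport = int(sport) if sport else None   # None means any port
        self.dport = int(dport) if dport else None
        self.packets = self.bytes = 0

    def matches(self, p):
        return (p.src == self.src and p.dst == self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

def run(rule_texts, packets):
    """Return {rule number: (packets, bytes)}, like the columns of 'ipfw show'."""
    rules = sorted((Rule(t) for t in rule_texts), key=lambda r: r.num)
    for p in packets:
        for r in rules:              # rules are checked in numeric order
            if r.matches(p):         # first match counts the packet and stops
                r.packets += 1
                r.bytes += p.length
                break
    return {r.num: (r.packets, r.bytes) for r in rules}

RULES = ["add 100 allow tcp from client to server 22",
         "add 101 allow tcp from server 22 to client"]

def c2s(n): return Packet("client", 40000, "server", 22, n)
def s2c(n): return Packet("server", 22, "client", 40000, n)

# Constructed session: handshake, then small client packets and ACKs
# against larger server responses.
SESSION = [c2s(60), s2c(60), c2s(52), s2c(100), c2s(52),
           c2s(100), s2c(1500), c2s(52), s2c(1500), c2s(52)]

if __name__ == "__main__":
    for num, (pkts, nbytes) in run(RULES, SESSION).items():
        print("%05d %d %d" % (num, pkts, nbytes))
```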
